DOJ Okays Certain Data Sharing with Government to Promote Cybersecurity | Practical Law

On May 9, 2014, the DOJ issued a white paper interpreting the Stored Communications Act as not prohibiting a communications service provider from sharing aggregated, non-content data with government entities, as long as that data does not reveal information about a particular customer or subscriber.

Practical Law Legal Update 5-567-9587 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 13 May 2014, USA (National/Federal)
On May 9, 2014, the Department of Justice (DOJ) issued a white paper providing its opinion that the Stored Communications Act (SCA) does not prohibit an electronic communication or remote computing service provider (collectively "communications service provider") from voluntarily sharing aggregated data with the government that would promote information systems protection (18 U.S.C. § 2701 et seq.). The aggregated data may not identify or otherwise provide information about any particular subscriber or customer.
The DOJ explained that federal law regulates whether and how communications service providers may divulge to the government information that is useful for cybersecurity purposes. Communications service providers are generally prohibited from disclosing:
  • The contents of communications.
  • A record or other information pertaining to a subscriber to or customer of such service.
The DOJ recognized that the SCA does not address whether the second prohibition forbids communications service providers from sharing aggregated data with the government. To answer this question, the DOJ analyzed the SCA’s:
  • Text.
  • Structure.
  • Purpose.
  • Legislative history.
The DOJ also reviewed:
  • The scope of two other federal statutes that regulate the disclosure of customer information by telecommunications companies.
  • Other federal agencies' interpretations of provisions aimed at protecting consumers' privacy.
The DOJ determined that these sources support its interpretation that the SCA does not prohibit a communications service provider from disclosing non-content information to the government that is in aggregate form, so long as that aggregated information does not provide information about a particular subscriber or customer.
The DOJ provided examples of characteristics of cyber threats that likely can be shared:
  • Characteristics of a computer virus or malicious cyber tool that do not divulge subscriber or customer-specific information, such as:
    • the associated file size;
    • protocol; or
    • port.
  • Information about internet traffic patterns if divulged in aggregate form, such as reporting an anomalous swell in certain types of internet traffic traversing its network or a significant drop in internet traffic.
  • The total number of customers served by an ISP.
  • Information representing a provider's network traffic flow and volume by the quantity of bytes and packets observed transiting the provider's networks.
The DOJ emphasized that determining when data does not pertain to a subscriber or customer will be a highly fact-specific inquiry. Nonetheless, the DOJ interprets the SCA as allowing the sharing of aggregated non-content data with governmental entities, as long as that aggregated data does not reveal information about a particular customer or subscriber.