
The Commerce Department's Stored Communications Act Problem

Richard Salgado, Robert S. Litt
Tuesday, April 23, 2024, 12:56 PM
A rule requiring that IAAS providers disclose customer records to the government without legal process bumps against federal law.
Photo: Herbert C. Hoover Building, United States Department of Commerce, Washington, D.C. (Ken Lund, CC BY-SA 2.0 DEED)

Published by The Lawfare Institute

The Department of Commerce recently issued proposed regulations intended to “address the national emergency with respect to significant malicious cyber-enabled activities.” Propounded pursuant to Executive Orders 13984 and 14110, the proposed regulations impose wide-ranging “know your customer” requirements on providers of Infrastructure as a Service (IAAS) to identify and gather information about foreign customers. One aspect of the proposed regulation raises a legal concern that it does not address.

The proposed regulation defines IAAS as “a product or service offered to a consumer ... that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.” The proposed regulation requires IAAS providers to identify which of their customers are foreign, and to collect, verify, and retain identifying information from those customers.

As directed by Section 4.2(c)(i) of Executive Order 14110, the regulation also imposes reporting requirements on IAAS providers when they become aware of “[a] transaction by, for, or on behalf of a foreign person which results or could result in the training of a large AI [artificial intelligence] model with potential capabilities that could be used in malicious cyber-enabled activity.” The provider is required to report to the Commerce Department information including the identity and address of the foreign person, the means of payment, telephone and email contact information, and information about the AI training run. This information must be reported within 15 days after the provider learns of the transaction.

On its face, this requirement appears to conflict with federal statutory law, namely the Stored Communications Act (SCA). Congress enacted the SCA in 1986 to establish privacy protections for customer and user information held by providers of electronic communications services (ECS) and remote computing service (RCS), and to encourage development of new and innovative forms of computer technology. Among the protections provided by the SCA, the law prohibits ECS and RCS providers from disclosing to the government information pertaining to their customers without lawful process (such as a subpoena, court order, or search warrant), the consent of the customer, or in certain other narrowly defined circumstances—such as to prevent imminent loss of life or serious physical injury, a provision added by Congress after the Sept. 11 attacks.

The conflict arises because the SCA defines RCS as “the provision to the public of computer storage or processing services by means of an electronic communications system.” The definition of IAAS in the proposed regulation (providing “processing [or] storage”) very closely matches the definition of RCS in the SCA (providing “computer storage or processing services”). Thus, IAAS providers appear to be prohibited by statute from providing to the government the very information about foreign customers modeling AI that the proposed regulation requires them to provide.

Neither regulations nor an executive order, of course, can supersede a statute. The regulations and Executive Order 14110 are based on authorities granted to the president under the International Emergency Economic Powers Act (IEEPA). Under ordinary principles of statutory construction, however, the general provisions of this 1970s-era law do not override the specific and subsequent provisions of the SCA. Congress could have—but did not—provide an exception in the SCA for a presidentially declared emergency. 

The Commerce Department may have an explanation for how the proposed requirement can be harmonized with the apparently contrary statutory provision, but nothing in the proposed regulation or its accompanying explanatory material even acknowledges this issue, much less resolves it. In any event, the apparent conflict between the proposed reporting requirement and the prohibitions of the SCA must be addressed. 

Richard Salgado was Google’s Director of Law Enforcement and Information Security for 13 years, and a federal prosecutor before that. He teaches at Stanford Law School and Harvard Law School, and provides consulting services on national security, surveillance, and cybersecurity through Salgado Strategies LLC.
Robert Litt formerly served as the General Counsel to the Office of the Director of National Intelligence under the Obama administration.
