The Stored Communications Act (SCA, 18 U.S.C. §§ 2701-2713), part of the 1986 Electronic Communications Privacy Act (ECPA), governs how the US government and private parties can compel disclosure of electronic communications and customer records held by service providers. The statute predates the modern internet by decades and contains structural distinctions (the 180-day rule, “electronic communication service” (ECS) vs “remote computing service” (RCS)) that produce inconsistent and often anachronistic protections.
What it means in practice
The headline rules. For content of communications held by an ECS for 180 days or less, the government must obtain a warrant. For content held longer than 180 days (or held by an RCS), the rules historically allowed disclosure on a subpoena with notice to the subscriber, though the Sixth Circuit’s United States v. Warshak (2010) held this provision unconstitutional under the Fourth Amendment, and most major providers now require a warrant regardless. For non-content records (subscriber information, transactional records), a subpoena suffices. The 180-day rule is the famous anachronism: it dates from when email was downloaded from a server, and email left on a server for more than 180 days was treated as abandoned. Modern email is held indefinitely on the server, so the rule has no operational logic, but it remains in the statute, and congressional reform has been pending for over a decade.
Who it affects, and how
Anyone whose electronic communications are stored with a US service provider. The “service provider” definition reaches email, cloud storage, messaging platforms, and most modern SaaS. The protections are weakest for: emails held longer than 180 days at providers who follow the statute literally rather than the post-Warshak constitutional standard, communications held by smaller providers without the legal resources to push back on overreach, and records held by providers in countries with weaker process-protection norms (the SCA’s reach extends through CLOUD Act partner agreements). For journalists, the reachability of source-contact metadata via subpoena (no warrant required) is the most consequential weakness; the protection of source-contact content under Warshak is meaningful but provider-dependent.
What you can change today
Two structural defenses. First, prefer providers that publicly require a warrant for all content disclosure regardless of 180-day status (Apple, Google, Microsoft, Meta all do; smaller providers may not). Second, route sensitive communications through end-to-end encrypted services where the producible content is ciphertext and the SCA debate becomes academic (Signal for messaging, Proton or Tutanota for email). The SCA was written for an era where the threat model was the government with a subpoena. The modern threat model includes the government with a CLOUD Act request, foreign governments with bilateral agreements, and civil litigants with subpoena power; the architectural defense scales across all three.
