Blog
Email snooping can be intrusion upon seclusion
Analysis could also affect liability of enterprises using cloud computing technologies.
Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)
Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.
Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.
The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6)(for failure to state a claim upon which relief can be granted). The court denied the motion.
The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:
- defendant committed an unauthorized prying into the plaintiff’s seclusion;
- the intrusion would be highly offensive to the reasonable person;
- the matter intruded upon was private; and
- the intrusion caused the plaintiff to suffer.
The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.
The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.
Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.
The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.
Email ribbon photo courtesy Flickr user Mzelle Biscotte under this Creative Commons License
Is banning sex offenders from social networking sites constitutional?
Mashable and others are reporting on a law that the governor of Illinois signed earlier this week, banning use of social networking sites by convicted sex offenders. The big criticism of that law seems to be that it may be unconstitutional. That question is worth thinking about.
The most likely constitutional challenge will be that the law is too broad. For a law to prohibit certain speech and not run afoul of the First Amendment, it must be narrowly tailored to serve a compelling government interest. Clearly there is a compelling government interest in protecting children and other victims of sex crimes from perpetrators. So the real analysis comes from examining whether this restriction on the use of social networking sites is narrowly tailored to serve that purpose.
What the law says
Let’s back up and take a look at what the new law actually says. In short, it requires any sex offender that is on parole, supervised release, probation, conditional release or court supervision to “refrain from accessing or using a social networking website.” Note that the restriction is not a lifetime ban, but just a restriction to be in effect during the sentence.
There are a number of terms to unpack.
There is a prohibition on “accessing” and “using.” This is kind of redundant, because the statute defines “access” as “to use, instruct, communicate with, store data in, retrieve or intercept data from, or otherwise utilize any services of a computer.” (The redundant part comes from the fact that to “use” is part of the definition of “access”.)
The most important definition for our discussion is that of a “social networking website”:
“Social networking website” means an Internet website containing profile web pages of the members of the website that include the names or nicknames of such members, photographs placed on the profile web pages by such members, or any other personal or personally identifying information about such members and links to other profile web pages on social networking websites of friends or associates of such members that can be accessed by other members or visitors to the website. A social networking website provides members of or visitors to such website the ability to leave messages or comments on the profile web page that are visible to all or some visitors to the profile web page and may also include a form of electronic mail for members of the social networking website.
This is a tortured definition plagued by a couple of runon sentences, but in essence, a social networking website, as defined under Illinois law, is any site that has:
- profile pages that contain
- identifying information such as names, usernames or photographs, and which are
- linked to other profile pages of “friends or associates” that can be
- accessed by other members or visitors to the website, and
- provides the ability to leave messages or comments on the profile visible to others
In a rather strange style for legislative writing, the definition says that a social networking site “may also include” direct messaging. That’s weird to say in a statute — does it have to include direct messaging to be considered a social networking site? One could argue either way. So that part of the definition does nothing to assist.
How one can run afoul of the law
By merely accessing a social networking site, a sex offender violates this new law. He or she doesn’t have to actually use any of the social networking functionality, all that is necessary is to merely retrieve data from the computer on which the site is stored. Clearly it would be verboten to use MySpace and Facebook. But also off limits would be LinkedIn and Focus. Flickr? YouTube? No way, even if the offender is just going there to passively view content for completely benign purposes.
The constitutional problem
Remember, the law has to be narrowly tailored to meet the compelling state interest. That means that if there is some less restrictive alternative than the law as enacted to fix the problem, the law is too broad and therefore unconstitutional. It would certainly seem that there is something less restrictive than a prohibition on merely visiting a website with social media functionality. A good start would be more aggressively targeting the actual online conduct that might put people at risk — actual online interaction through social media.
But it is far from clear. The Seventh Circuit (which is the federal appellate court that would hear a constitutional challenge to an Illinois law) has held that a convicted sex offender can lawfully be prohibited from visiting a city park. See Doe v. City of Lafayette, 377 F.3d 757 (7th. Cir. 2004). In a city park there is plenty of conduct one can undertake which is not unlawful or does not threaten others. And the court held that restriction was not unconstitutional. There is plenty of conduct one can engage in on a “social networking site” as defined by the statute that is not harmful as well.
Is the comparison between a city park and a social networking site justified?
Keyboard image courtesy Flickr user striatic under this Creative Commons License.
Conviction for sending intimidating MySpace message overturned
Marshall v. State, 2009 WL 2243467 (Ind. App. July 28, 2009)
Gotta love the facts of this case from my home state of Indiana.
Marshall and Goodman traded cars with one another, but that deal went sour. Marshall then got into an altercation with Goodman’s mother (named Lee) and Marshall was arrested. She was also ordered to have no contact with either Goodman or Lee. Three days after her arrest, Marshall sent the following (redacted) private message through MySpace to Goodman:
Dont think that you are gonna get away from this s***. you can’t hide forever and one of these days when you are out and about … you know thy aint going to pin nothing on me. Cant prove s***. aint gonna and I am just waiting for that day. You want a war? ? ? Your gonna get it now f*****. I don’t know YET who told you the s*** in my blogs or was feedin you info on me but you can rest assured that I am gonna f*** them uptoo when I found out. And I WILL find out. The s*** aint done and you better know that. Its only a matter of time.
The b**** you know I can be.
(Ed. note: stay classy, Ms. Marshall!)
Based on this message, Marshall was convicted of felony intimidation against Lee. The prosecution had argued that Marshall committed this crime by communicating a threat to knowingly injure Lee, with the intent that Lee be placed in fear of retaliation for calling the police.
Marshall sought review of her conviction with the Indiana Court of Appeals. On appeal, the court reversed the conviction.
The court held that the prosecution failed to prove its allegations of intimidation against Lee, because the message was sent to Goodman’s ( and not Lee’s) MySpace account. Even though an intimidating communication may be indirect, the state had to prove that Marshall must have known or had reason to know that her communication would reach Lee. In this case, there was no such proof.
The MySpace message was not addressed to Lee, nor was she mentioned by name. Accordingly, there was no evidence that Marshall knew or had reason to know that Goodman would show the message to his mother.
Photo courtesy Flickr user subewl under this Creative Commons license.
Drinkin’ photos on MySpace send man to prison
Lesson of the day: don’t post pictures of yourself on MySpace holding a beer if the conditions of your probation don’t let you drink alcohol or use the internet.
Defendant Pressley pled guilty to some ugly crimes and was sentenced to a lifetime of probation. As part of the deal, he promised not “to consume or drink any substance containing alcohol,” and to “not possess, use or have personal access to any computer or similar equipment that has internet capability without prior written permission of [his] Probation Officer.”
In July 2007, Pressley’s probation officer paid him a visit. There in Pressley’s house was a vodka bottle two-thirds empty (or as I like to say, one-third full) and a laptop having a desktop icon with Pressley’s name. (It’s not clear what that icon was, but it sounds like a profile icon for Windows XP.)
The state filed a petition to revoke Pressley’s probation. The trial court granted the petition and sentenced him to ten years in prison. Pressley appealed. On review, the court affirmed the prison sentence.
The most intriguing argument that Pressley made to the appellate court was that the lower court erred in admitting photos of Pressley holding a beer. According to Pressley’s wife’s testimony, the photos came from her MySpace page. One of the other pictures had a caption, as if written by the defendant, that said, “Me and my wife.” The court found that these pictures were relevant to whether Pressley violated the terms of his probation.
Good thing you’d never see anything like this over at Sorry I Missed Your Party.
Was on CNN.com talking about Twitter
Great time today being on CNN.com Live talking about the recent lawsuit filed against a Twitter user for talking about mold in her apartment and an apparently uncaring management company. Video embedded below. (Or click through if it’s not showing up in the RSS feed).
What the Lori Drew acquittal should mean for service providers
You know the story of Lori Drew — the mom from Missouri who was accused of setting up a bogus MySpace profile impersonating an adolescent boy. Lori acted as this fake “Josh” to stir up romantic feelings in young Megan Meier who, after being dumped by “Josh,” took her own life.
A terrible thing of course. And someone needed blaming. So federal prosecutors chose to go after Lori Drew. The jury convicted her of violating the Computer Fraud and Abuse Act (the federal anti-hacking statute), but today the judge acquitted her. Seems like a good decision, as the theory on which the prosecution based its case — that Lori violated the site’s terms of service by saying she was someone other than she is and thereby exceeded her authority — was shaky at best. The big problem with that theory was that such a reading would make most of us criminals. I’m sure you don’t mean to tell me you’ve never signed up for an online service using something other than your real name or accurate contact information.
Most smart people can agree that the Computer Fraud and Abuse Act was not the right way to punish this “crime.” Various states have enacted legislation to handle cyberbullying and are already prosecuting people in state court. But the problem is not going to go away. People will still do foolish things on the internet.
And to the extent that foolishness is criminal, the individual should pay a criminal price. The individual.
Using the Computer Fraud and Abuse Act to go after this conduct put the contractual relationship between the end user and the provider (i.e., Lori Drew and MySpace) under the microscope where it did not belong. The court and jury had to scrutinize that contractual relationship and the resulting authority (or lack thereof). They had to do that because there was no other way the government was going to win a CFAA prosecution otherwise.
Focusing on that relationship in this context did not make sense. MySpace didn’t have anything to do with this other than being a passive intermediary. Why should the inquiry at trial have gone to those kinds of questions? Why should the intermediary have been bothered? It shouldn’t have.
The bad act was (I guess we have to again say “allegedly was” now that she’s been acquitted) between Lori Drew and Megan Meier. That’s the space where the factual focus and legal analysis belonged. Not in the legal relationship between Lori Drew and MySpace.
Now that we have a sensible legal outcome in this case, hopefully prosecutors will take some more principled approaches and leave the intermediaries out of it.
Unauthorized software downloads did not violate Computer Fraud and Abuse Act
Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)
Cassetica Software made an application available for download on the web and entered into a license agreement for that application with Computer Sciences Corporation (CSC). Cassetica alleged that CSC continued to download the application after the license agreement expired.
So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.
What the CFAA requires
Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)
Under the CFAA, “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Insufficient damage allegations
The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads — authorized or not — caused a diminution in the computers or usability of [Cassetica’s] computerized data.” The court went on to observe that “[c]ritically absent from the Complaint are allegations that CSC’s downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.”
Insufficient loss allegations
Cassetica’s complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA’s definition of “loss.”
Download picture courtesy Flickr user soren_nb under this Creative Commons license.
Record companies win $1.92 million in case against individual file sharer
There has only been one copyright infringement case filed against an individual accused of illegally sharing music files over the internet to actually go to trial. That’s the case of Capitol Records v. Jammie Thomas. In October 2007, a jury in the U.S. District Court for the District of Minnesota returned a verdict of $222,000 against Ms. Thomas. The court on its own motion vacated that judgment, and ordered a retrial. That retrial concluded on June 18, 2009, with a judgment of a whopping $1.92 million against Ms. Thomas.
Here is a growing collection of links on the topic:
Subscribe to RSS headline updates from:
Domain name not tangible property that could satisfy judgment
Palacio del Mar Homeowners Assn., Inc. v. McMahon, — Cal.Rptr.3d —, 2009 WL 1668294 (Cal. App. 4 Dist. June 16, 2009)
A California state court entered a $40,000 judgment against defendant McMahon in favor of plaintiff homeowners association. The homeowners association tried to collect the money from McMahon, seeking a “turnover” of property McMahon owned. Among the items the homeowners association sought was the domain name ahrc.com, registered in the name of McMahon’s wife.
The trial court permitted the domain name to be turned over to the homeowners association to satisfy the judgment. McMahon sought review with the California Court of Appeal. That court reversed and vacated the turnover order.
The court gave several reasons for reversing the lower court. The most interesting reason, however, dealt with the very nature of domain names. The provision in California law allowing turnover of property limits itself to tangible property that can be “levied upon by taking it into custody.” Looking to the case of Network Solutions, Inc. v. Umbro International, Inc., 529 S.E.2d 80 (Va. 2000), the court held that a domain name registration is not property, but merely supplies the intangible contractual right to use a unique domain name for a specified period of time. Even if the registration were property, it was not something that could be taken into custody.