Blog

June 15, 2009 Cybersquatting, Privacy

Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (&#147ECPA&#148). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.

May 8, 2009 Section 230

Has Section 230 immunity passed its apex?

Barnes v. Yahoo!, Inc., No. 05-36189, 9th Cir. May 7, 2009

Yesterday’s decision from the Ninth Circuit in Barnes v. Yahoo is kind of a big deal. Jeff Neuberger observes that Section 230 took a hit. Characterizing it differently, Thomas O’Toole called it a nice win for online publishers. I’m thinking that the halcyon days of robust Section 230 immunity may be on the wane.

Barnes alleged that her ex-boyfriend did some pretty rotten things using various Yahoo services. Since I think my mom reads my blog I won’t elaborate on Prince Charming’s shenanigans. But if the allegations are true, one can understand why Barnes would be mad. Simply stated, they involved nude photos and men looking to cavort showing up where Barnes worked.

Barnes contacted Yahoo and asked it to take the offending content down. Folks there said they would. Months later, when the content remained online, Barnes sued Yahoo for negligent undertaking and promissory estoppel.

The district court dismissed Barnes’ claims, holding that 47 U.S.C. 230 protected Yahoo because, according to that section, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

It’s no big surprise that the appeallate court affirmed the lower court on the question of negligent undertaking. Barnes’ claim was that Yahoo was negligent in undertaking to remove the content. Since the removal of content is one of the quintessential functions of a publisher, it would contravene Section 230 to hold Yahoo liable for that.

The more intriguing part of the case comes from the court’s reversal on the question of promissory estoppel. Yahoo’s breach of an alleged promise to remove the content was of a different nature than the act of removing the content. “Promising is different because it is not synonymous with the performance of the action promised.” Liability arising from failing to live up to that promise was outside the scope of Section 230. In other words, pursuing Yahoo for breaking its promise to take down the offending content did not treat it as the publisher or speaker of that content.

This holding seems to be another chip away at Section 230 immunity. Smart intermediaries (e.g. website operators) are likely to communicate less now with individuals who feel aggrieved, because the intermediary may fear that anything it says could be construed as a breakable promise putting it at risk for liability.

April 26, 2009 Privacy

Court allows Wal-Mart to subpoena Facebook and MySpace

Ledbetter v. Wal-Mart Stores, Inc., 2009 WL 1067018 (D.Colo. April 21, 2009)

A couple of electricians were severely burned when the electrical system they were working on in an Aurora, Colorado Wal-Mart shorted out. They sued Wal-Mart over their injuries. One of the plaintiffs’ wives brought a claim for loss of consortium.

During discovery, Wal-Mart sent subpoenas to Facebook, MySpace and Meetup.com seeking information about the plaintiffs. The plaintiffs filed a motion for protective order which would have prevented the social networking sites from providing the requested information. The plaintiffs claimed that the information should be protected by the physician-patient privilege or, as for the loss of consortium claim, the spousal privilege. The court denied the motion and allowed the subpoenas.

The court held that an earlier protective order entered in the case (to which the parties had agreed) protected the confidentiality of the information. And the plaintiffs had put the purported confidential facts, i.e., the extent of the injuries and the nature of the consortium, at issue by bringing the suit. Moreover, the information sought by the subpoenas was reasonably calculated to lead to the discovery of admissible evidence and was relevant to the issues in the case.

It’s worth noting that the court might have had other reasons to deny the motion for protective order that it did not mention. A privilege of confidentiality is usually destroyed when it is disclosed to a third party. How could information on Facebook or MySpace still be secret? Unless Wal-Mart was only seeking private messages sent either between the spouses or one of the plaintiffs and a doctor, it would seem that most everything these sites would have would not be confidential in the first place.

April 17, 2009 Copyright

The Pirate Bay verdict is no big deal

The big news story of the day is the guilty verdict from a Swedish court against the four guys behind The Pirate Bay. The judge sentenced them to a year in prison for facilitating copyright infringement and also ordered them to pay millions of dollars. The righteous indignation flows like akvavit.

I cannot see any reason why anyone outside the reach of Sweden’s laws should be all that concerned about this case. Sure, it’s grand spectacle to see an act of civil disobedience deliver its agents to purported martyrdom. But as for any legal significance outside Sweden, there is none. And does it teach us anything about the underlying interests that gave rise to the dispute? No. We have known for a long time that there are some who believe copyright law is too restrictive, and that those interests are pitted against the corporate and pecuniary interests of the big media companies.

So if one is to treat as news the fact that the RIAA and other content owners sometimes overreach, or that zealous advocates for copyright reform believe in their cause, please send me some of that sweet oblivion.

April 9, 2009 Contracts, Personal Jurisdiction

Website terms of service provide basis for exercise of personal jurisdiction

CoStar Realty Information, Inc. v. Field, — F.Supp.2d —-, 2009 WL 841132 (D.Md. March 31, 2009)

Personal jurisdiction cases — even ones that involve the internet — are generally not all that interesting. But the case of CoStar Realty Information, Inc. v. Field is worth noting because of the way the personal jurisdiction analysis was tied to a provision found in online terms of service.

CoStar provides its paying customers with access to a proprietary database via the web. It claimed that certain defendants, who were residents of Texas and Florida, accessed the database using another customer’s password. So CoStar sued these defendants in federal court in Maryland.

These defendants moved to dismiss arguing, among other things, lack of personal jurisdiction. The court denied the motion.

It found that in the four or so years that the defendants accessed the database without authorization, they would have been presented with the online terms of service from time to time. Those terms of service contained a clause which provided that any litigation over use of the database would be conducted in Maryland. The court found that the defendants assented to these terms, and that the forum selection clause was valid and enforceable.

Map photo courtesy Flickr user Marxchivist under this Creative Commons license

April 1, 2009 Ethics

Technology ethics: Seminar on responsible telephone use

As an attorney I feel an obligation to preach to you about what’s right and what’s wrong. People routinely trivialize this important duty by characterizing the subject matter as “ethics” or “professionalism.”

As a technology attorney, especially as one cool enough to use Twitter and be on Facebook, I feel a special obligation to instruct you on responsible use of social media. I’ll get to that.

First we need to address some of the basics concerning wise use of technology. Starting with the telephone.

In this downturned economy, I’m looking for every opportunity I can to supplement my income. So I’m offering a one day seminar called Telephone Ethics: Avoiding the Pitfalls Inherent in Voice Communications Technology. Registration is $995 dollars. Email me to sign up. But hurry, only a few seats are still available!

With the advent of the telephone, lawyers are threatened with almost certain peril and inevitable claims of malpractice. In this full day, in-depth course, we will look at the issues that arise each day as lawyers adopt this frightening intriguing technology. Subjects will include:

  • Diligence: Avoid violating Rule 1.3 — which requires a lawyer to be diligent in representing a client — by promptly returning phone calls.
  • Confidentiality: Oops! Did I just spill the beans and violate Rule 1.6 by forgetting to shut the door of that phone booth?
  • Polite Ambulance Chasing: What to say when phoning the victim of that bad accident you saw on the freeway. How to delicately let him know you’re a lawyer while navigating the Rule 7.3 minefield.
  • Much, much more!

And we’ll also have some fun. I’m lining up a special telephone expert TBA who will give some practical tips on how to better monetize your telephone use. That session will be called “Dialing for Profit: Let Your Fingers Do The Walking to a Successful Law Practice.” Check back at this Web page later for more details.

Future seminar topics will include Responsible Faxing: How to Keep the Disciplinary Committee Off Your Line, and Appropriate PowerPoint Obfuscation: Making Sure Your Bullet Points Aren’t Too Sparse.

CLE accreditation will be requested if there is sufficient interest. Heaven knows we need those ethics credits. Oh, and happy April 1.

Telephone photo courtesy Flickr user smudie under this Creative Commons license.

March 17, 2009 Computer Crime, Litigation

Facebook message was not witness tampering

Maldonado v. Municipality of Barceloneta, 2009 WL 636016 (D. Puerto Rico March 11, 2009)

Diaz was a defendant in a federal case in which Febus was a witness for the plaintiff. Diaz invited Febus to join a Facebook group, but Febus declined. Later Diaz sent a message through Facebook which, after translation, read as follows:

If you want to see the evidence that exists against the municipality let me know so that you can inform yourself well and please consult with a lawyer your civil responsibilities as far as defamation. Soon we will be filing a lawsuit and you could be included. My only request is that you are objective when mentioning my name.

Febus sought a protective order under the federal witness tampering statute, 18 U.S.C. 1512 which provides, in relevant part, that “[w]hoever knowingly uses intimidation, threatens, or corruptly persuades another …, or attempts to do so, … with [the] intent to … cause or induce any person to … withhold testimony … from an official proceeding[,]” is guilty under the statute.

The court denied the motion for protective order, finding that there was no evidence, neither raised by the plaintiff nor observable through inference, that Diaz intended to intimidate Febus. “This court can only see one threat in his Facebook message: the threat of future litigation. This is an insufficient basis for finding witness tampering.”

March 10, 2009 Cybersquatting, Trademarks

Cybersquatter hit with maximum penalty

Citigroup, Inc. v. Shui, 2009 WL 483145 (E.D. Va. Feb. 24, 2009)

Court enjoins use of citybank.org, orders defendant to pay $100,000 in statutory damages and to pay Citibank’s attorneys’ fees.

Defendant Shui registered the domain name citybank.org and established a site there promoting financial services, sometimes using the mark CITIBANK. The real Citibank, armed with its trademark registrations in over 200 countries and over 50 years of use of its CITIBANK mark, filed suit against Shui under the Anticybersquatting and Consumer Protection Act, 15 USC 1125(d) (“ACPA”).

Citibank moved for summary judgment on its ACPA claim and also asked the court to enter an injunction against Shui. Citibank also sought $100,000 — the maximum amount of statutory damages available under the ACPA, plus payment of Citibank’s attorneys’ fees. The court granted all of Citibank’s requested relief.

To prevail on the ACPA claim, Citibank had to show that (1) Shui had a bad faith intent to profit from using the domain name, and (2) that the domain name at issue was identical or confusingly similar to, or dilutive of, Citibank’s distinctive or famous mark.

Finding of bad faith

The court found Shui registered the domain name in bad faith because:

  • Shui did not have any trademark or other intellectual property rights in the domain name, and the registration of the domain name was not sufficient to establish any rights.
  • The domain name consisted of the legal name of Citibank (with one letter difference) and not the legal name of, nor any name that was otherwise used to identify Shui.
  • Shui had not engaged in prior use of the disputed domain name in connection with the bona fide offering of any goods or services prior to registering the domain name.
  • Shui’s use of the domain name was commercial in nature. Notably, some of the advertisements on Shui’s site were exact replicas of the marks CITIBANK and CITI. Each clickthrough provided Shui with advertising revenue, even though clicking on a link with Citibank in the title did not redirect the user to any website affiliated with the real Citibank.
  • Shui clearly intended to confuse, mislead and divert internet traffic from Citibank’s official website to his own in order to garner more clickthrough revenue from the misleading “citibank” advertisements.
  • Subsequent to the filing of the complaint, Shui sold the domain name for financial gain to a third-party in an apparent effort to avoid liability.
  • Shui registered other internet domain names which were identical or similar to Citibank’s marks, and the CITIBANK mark was distinctive and famous at the time Defendant registered the disputed domain name.

Confusing similarity

On the issue of confusing similarity, the court observed the strength of Citibank’s mark and the fact that the parties both offered financial services. Taking those facts in combination with the bad faith demonstrated by Shui, the court found the disputed domain name to be confusingly similar to Citibank’s marks.

The remedy

Accordingly, the court found in favor of Citibank on the ACPA claim. The court was stern in its remedy. It found that Shui’s registration of the confusingly similar domain name was “sufficiently willful, deliberate, and performed in bad faith to merit the maximum statutory award of $100,000 and an award of attorney’s fees.”

$100K photo courtesy Flickr user Ricardo (Kadinho) Villela under this Creative Commons license.

March 8, 2009 Anonymity, First Amendment

Maryland Court of Appeals addresses important question of internet anonymity

Independent Newspapers, Inc. v. Brodie, — A.2d —, 2009 WL 484956 (Md. February 27, 2009)

Maryland’s highest state court has issued a comprehensive opinion setting out the proper framework trial courts should use when evaluating whether a plaintiff should be permitted to learn the identity of an anonymous (or pseudonymous) internet speaker. After considering the varying standards courts across the country have applied in balancing the First Amendment right to anonymity against the right of a plaintiff to seek redress, the court adopted, in large part, the standard put forth in the New Jersey case of Dendrite, Int’l. v. Doe, 775 A.2d 756 (N.J. Super. Ct. App. Div. 2001) which requires, among other things, a prima facie showing by the plaintiff before compulsory discovery concerning the identity of an unknown defendant will be had.

One of the great things about the internet is that users can easily speak anonymously or through a pseudonym. This right to remain unidentified is a free speech right guaranteed by the First Amendment. But that right has limits which start to show when an anonymous speaker goes too far by venturing from the realm of protected speech into that of unprotected defamation.

An aggrieved party going after an unknown defamer must first figure out who the defendant is. This usually involves a subpoena to the operator of the service through which the offending content was transmitted, to the unknown John Doe’s internet service provider, or both. This use of compulsory judicial process to reveal the identity of an unknown speaker pits the speaker’s First Amendment right to anonymity against the defamation plaintiff’s right to seek redress for the tort that has been committed.

It is up to the courts to weigh the competing interests so that:

  • a defendant’s First Amendment right to anonymity is not violated by wrongful compelled disclosure in connection with an unmeritorious case; while
  • aggrieved subjects of harmful defamatory speech are not deprived of the remedies due to them in a civil society.

This weighing of competing interests illustrates why the scale is a good metaphor for justice.

The Brodie case

Plaintiff Brodie learned that certain participants in an online forum board were saying negative things about him. Three users identified as “CorsicaRiver,” “Born & Raised Here” and “chatdusoleil” engaged in an online public conversation about Brodie’s sale of an historic farmhouse. Two other users, who went by the monikers “RockyRaccoonMD” and “Suze” criticized the way Brodie ran the local Dunkin Donuts shop.

Brodie sued Independent Newspapers (the operator of the forum) and John Does CorsicaRiver, Born & Raised Here and chatdusoleil for defamation. Absent from the list of defendants were RockyRaccoonMD and Suze.

Independent Newspapers moved to dismiss, arguing, among other things, that it was immune from suit under 47 U.S.C. §230. It also moved to quash the subpoena Brodie had served, which sought the identities of CorsicaRiver, Born & Raised Here and chatdusoleil. The court dismissed Independent Newspapers from the case, but ordered it to identify those three pseudonymous posters.

Immediately thereafter, Independent Newspapers asked the court to reconsider its order directing that the pseudonymous speakers be identified. The court granted that motion and dismissed the portion of the case dealing with the discussion of the historic farmhouse. The claims relating to the Dunkin Donuts stayed in, and the court required Independent Newspapers to disclose information concerning that.

Notwithstanding the fact that the farmhouse defamation claims had been tossed, Brodie sent a subpoena to Independent Newspapers seeking the identity of CorsicaRiver, Born & Raised Here, chatdusoleil, RockyRaccoonMD and Suze. Brodie also conceded that the only posters responsible for discussions about the Dunkin Donuts were RockyRaccoonMD and Suze. Independent Newspapers filed another motion to quash this subpoena which the court denied.

The Maryland Court of Appeals granted certiorari to hear the case. (Here’s some trivia for you: in Maryland, the Court of Appeals is the highest court. For some reason they don’t call it the Supreme Court.) On review, the court reversed the denial of the motion to quash. It held that Brodie did not have a sufficient claim of defamation against any of the pseudonymous speakers to justify revealing their actual identities.

Which standard applied

The court gave thorough and comprehensive analysis on the question of when it is appropriate for a trial court to order that an unknown defendant be unmasked. It recognized the important interests that must be balanced, and observed that courts have applied various standards regarding what a plaintiff must show before discovery of an unknown speaker will be permitted.

For example, the Delaware Supreme Court in Doe v. Cahill put forth a rigorous requirement that in addition to providing notice of the discovery being sought, a plaintiff must come forward — at the pleading stage — with facts sufficient to survive a motion for summary judgment. Other courts, such as the U.S. District Court for the Northern District of California, have set the threshold lower. In Columbia Insurance Co. v. Seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999), the plaintiff was only required to plead facts sufficient to survive a motion to dismiss.

The New Jersey appellate court in Dendrite, Int’l. v. Doe took a more moderate approach. That court held that a plaintiff seeking the identification of an anonymous internet speaker must establish facts sufficient to maintain a prima facie case.

The Maryland court in the present case joined in the more moderate Dendrite approach, holding that when a trial court is confronted with a defamation action in which anonymous speakers or pseudonyms are involved, it should:

  • require the plaintiff to undertake efforts to notify the anonymous posters that they are the subject of a subpoena or application for an order of disclosure, including posting a message of notification of the identity discovery request on the message board;
  • withhold action to afford the anonymous posters a reasonable opportunity to file and serve opposition to the application;
  • require the plaintiff to identify and set forth the exact statements purportedly made by each anonymous poster, alleged to constitute actionable speech;
  • determine whether the complaint has set forth a prima facie defamation per se or per quod action against the anonymous posters; and
  • if all else is satisfied, balance the anonymous poster’s First Amendment right of free speech against the strength of the prima facie case of defamation presented by the plaintiff and the necessity for disclosure of the anonymous defendant’s identity, prior to ordering disclosure.

The Independent Newspapers case is an important case not necessarily because of any groundbreaking jurisprudence that it establishes, but because of the comprehensive way it treats the issue of unmasking unknown internet speakers. The opinion is a nearly exhaustive look at the current state of this question of law.

Anonymous photo courtesy Flickr user Neil Carey under this Creative Commons license.

Scroll to top