Doctor’s wiretapping case under ECPA heads to trial

McCann v. Iroquois Memorial Hospital, No. 08-3420 (7th Cir. September 13, 2010)

Mystery of how doctor’s dictation machine got turned on to record conversation between doctor and hospital employee is a question for the jury and should not have been decided on summary judgment.

Two hospital employees — Dr. Lindberg and the director of physician services, Ms. McCann — had a conversation behind the doctor’s closed office door that the two of them thought was private. In their conversation, the two of them criticized hospital administration. But they did not know that the doctor’s dictation machine was recording what they said.

How that machine got turned on is a mystery. Dr. Lindberg had been dictating radiology reports a few minutes before Ms. McCann arrived, so he may have accidentally left the machine running. But the recording of the conversation started in mid-sentence, which discredits that theory.

A member of the hospital’s transcription staff, Ms. Freed, is alleged to have come into the room during this conversation to pick up some papers, and Dr. Lindberg and Ms. McCann believe she surreptitiously turned on the machine. That would seem a plausible explanation, given that Ms. Freed supposedly had an axe to grind with Dr. Lindberg.

The recorded conversation made its way to the transcription staff, and after it was typed out, Ms. Freed forwarded it to the hospital’s CEO. Dr. Lindberg and Ms. McCann filed suit against Ms. Freed and others under the Electronic Communications Privacy Act. They claimed that by secretly turning on the dictation machine and forwarding the transcript, Ms. Freed violated the statute.

The district court granted the defendants’ motion for summary judgment. Plaintiffs sought review with the Seventh Circuit. On appeal, the court reversed in part, finding there was a genuine issue of material fact as to whether Ms. Freed was in the room and secretly turned on the dictation machine.

The court of appeals held that whether Ms. Freed was in the office on the date the recording was made was merely the subject of a “swearing contest,” and that summary judgment is not appropriate to resolve such a contest. The lower court had based its grant of summary judgment largely on the contents of the recording. At the end of the conversation, one can hear the office door close as Ms. McCann leaves. But one cannot hear the door shut when Ms. Freed would have left, during the conversation and after she allegedly turned on the dictation machine.

Viewing the facts in the light most favorable to the plaintiffs, the court found that the absence of such a sound did not prove that Ms. Freed was not there: “[N]othing in the record tells us whether the door could have been closed silently; . . . [Ms.] Freed who was conscious that she was intruding (and, perhaps, that she was being taped) may have closed the door softly to be inconspicuous.”

So the court found that whether Ms. Freed was responsible for making the recording — and by extension whether Ms. Freed intentionally intercepted the conversation between Dr. Lindberg and Ms. McCann in violation of the ECPA — was an issue for the jury, and not one for summary judgment.

Lack of knowledge of interception causes ECPA claims against website owners to fail

Zinna v. Cook, No. 06-1733, 2010 WL 3604386 (D. Colo. September 7, 2010)

Plaintiff sued for violation of the Electronic Communications Privacy Act (ECPA) claiming that defendants intercepted his email messages and posted them to a website called ColoradoWackoExposed.com. Defendants moved for summary judgment. The court granted the motion.

It found that although similarities between messages and website content suggested that emails had been intercepted, there was no evidence showing the interception was “contemporaneous” with the messages’ transmission. (Several federal circuits require such contemporaneity. But see the Seventh Circuit’s recent opinion in U.S. v. Szymuszkiewicz for a different take.)

The court also held there was insufficient evidence to show that defendants knew the information posted on the website came about via any unlawful interception. The plaintiff’s assertions that defendants had worked with a non-party wiretapper failed to convince the court of this knowledge.

YouTube video maker who threatened judge must stay jailed awaiting trial

U.S. v. Jeffries, No. 10-CR-100, 2010 WL 3619946 (E.D. Tenn. September 13, 2010)

Defendant created and posted a video to YouTube in which he allegedly sang a song that threatened to bomb the car of a judge scheduled to hear his child custody case. Though he did not mention the judge by name, he said the song was “for you judge” and said “do not tell me I cannot curse.” (The judge had previously admonished defendant for swearing in the courtroom.)

The feds charged defendant with one count of transmitting in interstate commerce a threat to injure and kill.

Recognizing that defendant was a danger to society, the government filed a motion asking the court to order he stay in custody until trial. The court granted the motion.

The court weighed four factors in making this determination. First, the charged offense was a crime of violence (18 U.S.C. 16 defines a crime of violence as one containing an element of threatened use of force against another). Second, the evidence as to defendant’s dangerousness was great — the YouTube video was about killing and car-bombing, after all. Third, the defendant’s character (especially in the past few months) made him a risk — he had attacked a doctor, had alcohol problems, and got kicked out of military housing for firing a weapon during a dispute. Fourth, defendant was a danger to the community and to his family — he was living with his wife and children when he had fired the gun into the air.

Ohio record pirating statute preempted by Copyright Act

State v. Boyd, 2010 WL 3565414 (Ohio App. 1 Dist. September 15, 2010)

Defendant was convicted under Ohio state criminal law for selling pirated DVD movies on a street corner. This apparently was the first ever prosecution under a law — a “record pirating statute” — enacted in 1976 (which was two years before the Copyright Act took effect). Defendant sought review of his conviction with the state appellate court. On appeal, the court reversed the conviction.

The court held that the state record pirating statute (R.C. 1333.52) was preempted by Section 301 of the Copyright Act (17 U.S.C. 301).

It was not clear which subsection of the record pirating statute defendant had been accused of violating. The statute provides:

No person shall purposely do either of the following: (1) Transcribe, without the consent of the owner, any sounds recorded on a phonograph record, disc, wire, tape, film, or other article on which sounds are recorded, with intent to sell or use for profit through public performance any product derived from the transcription. . . .

and

No person shall purposely manufacture, sell, or distribute for profit any phonograph record, tape, or album of phonographic records or tapes unless the record and the outside cover, box, or jacket of the record, tape, or album clearly and conspicuously discloses the name and street address of the manufacturer of the record, tape, or album, and the name of the performer or group whose performance is recorded. . . .

The Copyright Act expressly preempts certain state-law actions. Section 301 states that all legal or equitable rights that are equivalent to any of the exclusive rights conferred by the Copyright Act and that come within the subject matter of copyright . . . are governed exclusively by the Copyright Act.

In this case, there was no dispute that the movies were within the subject matter of federal copyright law. The more detailed analysis came in examining the question of whether the work was governed exclusively by the Copyright Act. That inquiry looks to see whether there is a qualitatively different “extra element” in the state law claim beyond what is required to show copyright infringement.

The court looked to two similar Ohio cases in which defendants had engaged in similar conduct. In State v. Perry, the Ohio supreme court found that the statute supporting the prosecution for “unauthorized use of property” by uploading and downloading computer software to an internet bulletin board service was preempted. In State v. Moning, the court held that a computer crime statute that prohibited the unauthorized access to data in a database was not preempted. The unauthorized access provided the extra element in that case.

Setting up Outlook rule to intercept another’s email can be a federal crime

U.S. v. Szymuszkiewicz, — F.3d —, 2010 WL 3503506 (7th Cir. September 9, 2010)

Seventh Circuit upholds conviction of employee who secretly intercepted his boss’s email.

A federal jury convicted the defendant, who was an IRS revenue officer, of violating the Wiretap Act (or the Electronic Communications Privacy Act, as some like to call it — 18 USC 2511(1)(a)). He had snuck onto his boss’s computer and set a rule in Microsoft Outlook to autoforward copies of all incoming email to his own account.

The defendant sought review of his conviction with the Seventh Circuit. On appeal, the court affirmed. Judge Easterbrook’s opinion is interesting reading. It is a nice accompaniment to the 2005 decision from the First Circuit in U.S. v. Councilman.

The court rejected the defendant’s argument that the Wiretap Act required that the “interception” of the email be “contemporaneous” with its transmission: “[d]ecisions articulating such a requirement are thinking football rather than the terms of the statute.” (Such decisions would include Fraser v. Nationwide Mutual (3d Cir.), Steve Jackson Games v. Secret Service (5th Cir.), Konop v. Hawaiian Airlines (9th Cir.) and United States v. Steiger (11th Cir.).)

In any event, the court found that the defendant’s interception of the messages in this case was “contemporaneous by any standard.” The evidence showed that the Outlook rules, though set within the email client, operated on the server. A message to the boss would go to an email server in Kansas City, and then be “flung across the network” as packets making up two copies, one for the boss and one for the defendant. It was this copying on the server that was the unlawful interception.

If you’re at all interested in this case and the Wiretap Act, then you must check out Orin Kerr’s post at the Volokh Conspiracy, especially the comments to that post. Very erudite discussion.

Computer Fraud and Abuse Act, the Stored Communications Act, and unauthorized access

Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court rejected Monson’s challenge to the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications was not pled with enough detail to state a claim. The court found that the allegations were sufficient.


Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D. Ill. 1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.


That bogus social networking profile can send you to jail

Clear v. Superior Court, 2010 WL 2029016 (Cal.App. 4 Dist. May 24, 2010)

The California Court of Appeal has held that a man who set up a bogus MySpace profile of his former church pastor can stand trial for criminal “personation.”

The defendant’s alleged conduct that might really put him on the hook is what he did after setting up the profile: he posted content that suggested the pastor used drugs and was gay. Because this could have resulted in the pastor losing his job, the court found the statute prohibiting personation of another might have been violated (that question will be resolved at trial unless there’s a plea deal).

The criminal personation statute (Penal Code Sec. 529) has an intriguing framework for liability. Apparently it’s not enough just to say you’re someone else. To be liable you’ve got to actually do something while assuming that persona that would subject your target to some kind of legal harm.

For example, just saying to the cops that you’re someone else, that you have that person’s birthday and even responding affirmatively to whether you have their middle name apparently isn’t enough to violate the statute. People v. Cole, 23 Cal.App.4th 1672 (1994).

But using your sister’s name when you get a traffic ticket and also forging her signature on the citation isn’t allowed. People v. Chardon, 77 Cal.App.4th 205 (1999).

All the more reason not to set up that Facebook profile of your boss and populate it with tales of drugs and other shenanigans.



Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct in focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to eliminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?


Wait just a second . . . isn’t online gambling illegal?

Wong v. Partygaming Ltd., — F.3d —, 2009 WL 4893955 (6th Cir. December 21, 2009)

The Sixth Circuit’s recent opinion in the case of Wong v. Partygaming is interesting if you’re a civil procedure wonk and care about things like which law applies to determine the enforceability of forum selection clauses in website terms and conditions and what factors a court should consider when dismissing a case on the basis of forum non conveniens.

The most intriguing part of the case, however, comes from Judge Merritt’s concurrence, in which he addresses the significance of the fact that the terms of service for an online gambling website are probably illegal.

The majority opinion painstakingly analyzed whether the district court abused its discretion in dismissing, of its own will (or “sua sponte” as stodgy lawyers like to say), the plaintiffs’ suit against an online gambling website. The plaintiffs had alleged that the site fraudulently misrepresented that there was no collusion among other online gamblers, and that the site did not target people with gambling problems. The website terms of service contained a forum selection clause naming Gibraltar as the jurisdiction in which disputes were to be heard.

The appellate court affirmed the lower court’s decision that the case should be dismissed and that Gibraltar (which follows English law) would be a suitable and not-too-inconvenient forum. But the majority opinion said nothing about the legality of online gaming.

That’s where Judge Merritt picked up in the concurrence. He agreed that the matter should have been dismissed in favor of it being heard in Gibraltar — that’s why he concurred and did not dissent. His reasoning differed from that of the majority.



Judge Merritt observed that the plaintiffs’ logic was inconsistent. They had argued that Ohio law should apply to the terms of service. But under Ohio law (and federal statutes like RICO), the subject matter of the contract would probably have been illegal and therefore void. Not to mention the fact that the conduct could send the parties to jail.

The judge wrote that something analogous to the principle of lenity — and not necessarily a rigorous analysis of the forum selection clause and the doctrine of forum non conveniens — should underlie the dismissal of the lawsuit. Lenity requires that when the question of criminal liability is ambiguous, interpretation should be made in favor of the defendant (see McNally v. United States). Since online gambling presumably was not illegal under the law of Gibraltar, the more lenient stance would be to see the matter litigated there.
