Category: Privacy

August 18, 2010 Computer Crime, Privacy

Computer Fraud and Abuse Act, the Stored Communications Act, and unauthorized access

Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court dismissed the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications were not pled with enough detail to state a claim. The court found that the allegations were sufficient.

Photo courtesy of Flickr user croncast under this Creative Commons license.

June 17, 2010 Anonymity, Electronic Discovery, Privacy

Illinois court sets standard for unmasking anonymous commenters

Maxon v. Ottawa Pub. Co., — N.E.2d —, 2010 WL 2245065 (Ill.App. 3 Dist. June 1, 2010)

The rules of civil procedure in Illinois permit an aggrieved party to file a petition with the court asking for an order requiring unknown potential defendants to be identified. This is called a Rule 224 petition.

A couple from Ottawa, Illinois got their feelings hurt over some anonymous comments left in response to content published by the local newspaper on its website. Wanting to sue for defamation, the couple filed a Rule 224 petition. The newspaper opposed the petition. (For something similar, see Enterline v. Pocono Medical Center.)

The trial court denied the petition, applying the standards articulated in Dendrite v. Doe and Doe v. Cahill, finding that the petitioners had not presented a strong enough case for defamation to justify the unmasking of the anonymous commenters. Those cases require, among other things, that a party seeking to identify an anonymous speaker make efforts to notify the anonymous party, and present enough evidence to establish a prima facie case of defamation (Dendrite) or survive a hypothetical motion for summary judgment (Cahill).

The aggrieved couple sought review with the Appellate Court of Illinois. Reviewing the decision to deny the Rule 224 petition de novo, the court reversed and remanded, ordering the identification of the anonymous speakers to be made.

In reaching its decision, the court rejected the newspaper’s (and amicis’) arguments that the trial court should apply the rigorous standards of Dendrite and Cahill. That’s not to say, however, that the court left anonymous speakers at great risk of having their First Amendment rights trampled upon.

The court held that the mechanics of Rule 224 adequately protect the potential First Amendment rights of anonymous internet speakers. Here’s why, according to the court:

  • The petition must be verified – the threat of the pain of perjury should keep out half-hearted claims.
  • The petition must state the reason discovery is necessary.
  • The discovery is limited only to learning the identity of the potential defendant.
  • Most importantly, before the discovery will be permitted, the court must hold a hearing and determine the petition sufficiently states a cause of action.

In this fourth step, the court is to apply the standard it would apply in a Section 2-615 motion. Such a motion is, essentially, the Illinois version of a motion to dismiss for failure to state a claim. That is no insignificant test, because unlike federal court and other state jurisdictions, Illinois requires fact pleading. That means the petition needs to include a significant amount of specific information to survive the motion to dismiss.

A troubling aspect of the ruling is the omission from the test of a requirement that the party seeking discovery attempt to notify the anonymous target of the inquisition. The appellate court held that a trial court may, in its discretion, impose such a requirement.

But it would be nice to know that the real party whose First Amendment interests are at stake (the anonymous speaker) is guaranteed a fair opportunity to argue from his or her perspective. After all, it’s that party with the real incentive to do so. Let’s hope the trial courts exercise that discretion wisely (and that they know in the first place that they have that discretion).

Photo courtesy Flickr user TheTruthAbout… under this Creative Commons license.

June 15, 2010 Computer Crime, Privacy

Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

June 1, 2010 Electronic Discovery, Privacy

Court refuses to keep train wreck video confidential

Maldonado v. UPRR, No. 09-1187, 2010 WL 1980318 (D.Kan. May 18, 2010)

Even the fear of social media won’t keep some things under wraps.

The video camera onboard a locomotive captured the moments before the train struck a car at a railroad crossing, killing one of the occupants. In the inevitable lawsuit against the railroad following the accident, the plaintiffs’ lawyers demanded that the video of the accident be produced in discovery.

The railroad objected to the production of the video absent a court order keeping it confidential, arguing that the presence of services like YouTube would permit the video to be widely distributed to the public. To keep the video from serving as “entertainment for gawkers looking to satisfy their morbid curiosity,” the railroad wanted only the parties, lawyers, staff and experts to be able to see the video.

The court rejected the arguments and found that nothing in the video depicted gruesome images of death or injury. It denied the railroad’s motion for protective order. So if you’re into this kind of content, keep an eye on YouTube. Though from what I gather from the court’s description of this video, there’s plenty of gorier stuff out there.

Reblog this post [with Zemanta]
May 4, 2010 Computer Crime, Employment, Privacy

Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.

March 31, 2010 Electronic Discovery, Employment, Litigation, Privacy

Emails sent through Yahoo account using work computer protected under attorney-client privilege

The New Jersey supreme court has held that emails an employee sent to her lawyer using her company-issued computer and a personal Yahoo account are protected by the attorney-client privilege.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

January 21, 2010 Privacy

Lawsuit against state officials for privacy violation moves forward

Welch v. Theodorides-Bustle, — F.Supp.2d —, 2010 WL 22365 (N.D. Fla., January 5, 2010)

Plaintiff sued the Florida Department of Highway Safety and Motor Vehicles and a number of state officials for violation of the federal Driver’s Privacy Protection Act, 18 USC §2721-25. Plaintiff claimed that the defendants turned over a large amount of protected personal information to a private party, and that that party then further disclosed the information to another entity that published the information on the web.

Florida driver

As a result, the personal information of a number of Florida drivers became available for viewing online by anyone.

The defendants moved to dismiss the suit for failure to state a claim. The court denied the motion.

There is an exception to the Driver’s Privacy Protection Act’s prohibition on disclosure of personal information when the disclosure is made by a government agency “in carrying out [the agency’s] functions.” The defendants did not deny that their conduct would violate the Act, but argued that the exception applied. The defendants essentially argued that the mere fact that the disclosure was made by a governmental entity made the disclosure to be automatically carried out in connection with that agency’s function.

The court rejected this ipse dixit assertion, holding that disclosure by a government agency being treated as automatically protected would accordingly make any violation of the Act by the government impossible.

Similarly, the court rejected the defendants’ argument that language in the contract with the entity to which the information had been provided rendered the disclosure proper. The receiving entity promised to use the information only for a proper purpose. But the self-serving recitals in that agreement, without specifying in detail what a proper purpose would be, would not bind third parties.

Alligator car photo courtesy Flickr user jeffdhartman under this Creative Commons license.

November 5, 2009 Miscellaneous, Privacy

Death scene photos posted on the web did not subject coroner to liability

Werner v. County of Northampton, 2009 WL 3471188 (3rd Cir. October 29, 2009) (Not selected for official publication).

Plaintiff’s son died in the family home. No one seems to know for sure whether it was an accident or suicide. Even Plaintiff gave conflicting statements to the court — in his complaint he said it was not suicide, but in a later-filed brief he said it was.

Do not cross this line and I mean it.

In any event, on the day the son died, the coroner came to the house to take pictures. Somehow the coroner’s son got a hold of the photos and posted them on the web with a caption “There is no better way to kill yourself.”

Plaintiff sued the coroner under 28 U.S.C. 1983 which, among other things, gives citizens a cause of action when their rights are violated by someone acting under the law. Plaintiff claimed the coroner committed a due process violation of Plaintiff’s liberty interests in his reputation by allowing the photos to be posted.

To succeed on his liberty interest claim, Plaintiff was required to satisfy the “stigma plus” test. The district court dismissed the complaint, finding Plaintiff’s allegations did not meet this standard.

A statement that is “stigmatizing” under this test must be (1) made publicly, and (2) false. In this cause, the court found that the death scene photos were the relevant statement. But there were no allegations in the complaint that the photos themselves were “false.” (What the court was probably saying here is that the photos had not been Photoshopped or otherwise changed in a way to make them not accurately portray the scene.)

The court made a fine distinction in the process of dismissing the case. In response to the motion to dismiss, Plaintiff argued that the thrust of his argument was that the website falsely suggested his son committed suicide. But the court found otherwise, carefully looking at the allegations of the complaint which, for example, said that the photos “fueled the false impression that the Plaintiff’s son committed suicide.”

There were no allegations that the photos themselves were the false statements. But what about the caption, “[t]here is no better way to kill yourself,” you ask? Though the opinion does not address this point, one is left to conclude that that language could not be attributed to the defendant coroner, since it was his son that posted the photos, and not himself.

Photo courtesy Flickr user Fabio Beretta under this Creative Commons license.

October 7, 2009 Privacy, Uncategorized

Group sex photos case heads to trial

Peterson v. Moldofsky, No. 07-2603, 2009 WL 3126229 (D.Kan. September 29, 2009)

Defendant took pictures of his ex-girlfriend “engaged in various sex acts with two other people.” Later he emailed some of the photos to his ex-girlfriend’s mother, ex-husband, ex-in laws, boss and co-workers.

The ex-girlfriend sued for intentional infliction of emotional distress and invasion of privacy. Defendant moved for summary judgment. The court denied the motion in large part.

Infliction of emotional distress

Defendant argued that the court should toss the intentional infliction of emotional distress claim because Plaintiff ex-girlfriend failed to show that Defendant’s conduct was sufficiently extreme and outrageous, and that the alleged distress exceeded what a reasonable person would experience in the circumstances.

The court rejected Defendant’s arguments. It found that an average citizen would think emailing photos of a person engaged in a manage a trois to one of the participants’ mother, among others, was outrageous. Moreover, Plaintiff’s distress was shown to be severe, as she had to get counseling. It sounds as if the court would have found it severe enough even without the counseling — Defendant’s conduct was “so shocking and outrageous as to give rise to an inference of severe emotional distress.”

Invasion of privacy

Plaintiff claimed two forms of invasion of privacy — intrusion upon seclusion and publication of private facts. The court held she had presented enough facts for the latter but not the former.

The court granted Defendant’s motion for summary judgment as to intrusion upon seclusion because no intrusion occurred. Plaintiff knew Defendant was there taking pictures of the activities. The court rejected Plaintiff’s argument that publication of the no doubt intimate photos constituted intrusion. It held that the disclosure of properly obtained information could not give rise to the claim.

But as to the argument that emailing the photos unlawfully publicized private facts, the court sided with Plaintiff. Defendant had argued that emailing the photos to only a half dozen or so people did not amount to “publication,” which is one of the elements of the tort. He pointed to Comment “a” of the Restatement (Second) of Torts §652D which says that “it is not an invasion of the right of privacy to communicate a fact . . . to a single person, or even to a small group of people.”

In rejecting this argument, the court engaged in what some might characterize as “Internet exceptionalism,” — applying the law in response to a perceived substantial difference between online and offline communication. The court observed that “the Internet enables its users to ‘quickly and inexpensively’ surmount the barriers to generating publicity that were inherent in the traditional forms of communication.” Finding this distinction to be significant, the court held that distribution of the photos even to a small group of people through the private means of electronic mail could be considered a “publication” for purposes of the tort of invasion of privacy.

Threesome photo courtesy Flickr user curgoth under this Creative Commons license.

August 31, 2009 Privacy

Email snooping can be intrusion upon seclusion

Analysis could also affect liability of enterprises using cloud computing technologies.

Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.

The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6)(for failure to state a claim upon which relief can be granted). The court denied the motion.

The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:

  • defendant committed an unauthorized prying into the plaintiff’s seclusion;
  • the intrusion would be highly offensive to the reasonable person;
  • the matter intruded upon was private; and
  • the intrusion caused the plaintiff to suffer.

The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.

The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.

Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.

Email ribbon photo courtesy Flickr user Mzelle Biscotte under this Creative Commons License

Scroll to top