Privacy – Page 11 – Attorney Evan Brown

June 18, 2009 Copyright, Cybersquatting, Litigation, Privacy

Record companies win $1.92 million in case against individual file sharer

There has only been one copyright infringement case filed against an individual accused of illegally sharing music files over the internet to actually go to trial. That’s the case of Capitol Records v. Jammie Thomas. In October 2007, a jury in the U.S. District Court for the District of Minnesota returned a verdict of $222,000 against Ms. Thomas. The court on its own motion vacated that judgment, and ordered a retrial. That retrial concluded on June 18, 2009, with a judgment of a whopping $1.92 million against Ms. Thomas.

Here is a growing collection of links on the topic:

June 15, 2009 Cybersquatting, Privacy

Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (&#147ECPA&#148). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.

April 26, 2009 Privacy

Court allows Wal-Mart to subpoena Facebook and MySpace

Ledbetter v. Wal-Mart Stores, Inc., 2009 WL 1067018 (D.Colo. April 21, 2009)

A couple of electricians were severely burned when the electrical system they were working on in an Aurora, Colorado Wal-Mart shorted out. They sued Wal-Mart over their injuries. One of the plaintiffs’ wives brought a claim for loss of consortium.

During discovery, Wal-Mart sent subpoenas to Facebook, MySpace and Meetup.com seeking information about the plaintiffs. The plaintiffs filed a motion for protective order which would have prevented the social networking sites from providing the requested information. The plaintiffs claimed that the information should be protected by the physician-patient privilege or, as for the loss of consortium claim, the spousal privilege. The court denied the motion and allowed the subpoenas.

The court held that an earlier protective order entered in the case (to which the parties had agreed) protected the confidentiality of the information. And the plaintiffs had put the purported confidential facts, i.e., the extent of the injuries and the nature of the consortium, at issue by bringing the suit. Moreover, the information sought by the subpoenas was reasonably calculated to lead to the discovery of admissible evidence and was relevant to the issues in the case.

It’s worth noting that the court might have had other reasons to deny the motion for protective order that it did not mention. A privilege of confidentiality is usually destroyed when it is disclosed to a third party. How could information on Facebook or MySpace still be secret? Unless Wal-Mart was only seeking private messages sent either between the spouses or one of the plaintiffs and a doctor, it would seem that most everything these sites would have would not be confidential in the first place.

February 17, 2009 Contracts, Copyright, Privacy, Right of Publicity

Shame on you, Facebook, for overreaching

Facebook, I hereby grant to you an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use the following content: “Go jump in a lake.”

The past few days people have been talking about how scandalous it is that Facebook changed its terms of service to grab up a very broad license in content its users upload. I’m sure that Facebook is counting on this controversy to go wherever it is that memes go to die, to be forgotten just like most controversies-du-semaine. It probably will, but as the sentiment finds itself already on the decline, I’ll comment.

Here’s what the offending section of the Facebook terms of service now says, in relevant part:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses.

I was pretty peeved when I learned that Facebook had modified its terms to get a broader license. But I was even more peeved when I read founder Mark Zuckerburg’s blog post from yesterday which tried to justify the changes. Of course Facebook must make sure it has the rights it needs in order to “show [users’ content and information] to the other people they’ve asked [it] to share it with.” But isn’t the right to share that content inherent in the very “asking”? Why be grabby?

Facebook is being content greedy. It’s commandeering more than it needs to run the service. An example Zuckerburg uses in the post concerns the text of a messages sent between friends. If one user deactivates his or her account, a copy of each message will still exist in the other friend’s inbox. Fine. I see the point. So get a license to store and display a copy of private messages. There’s no problem with that.

The bigger rub comes with photos and video users upload. Why does Facebook need a perpetual license for that? I don’t see any reason, whether from a technological or other practical standpoint, why photos and video could not or should not be deleted — and the license to Facebook terminated — when a user deactivates his or her account. YouTube doesn’t demand a license for content after it has been taken down by a user.

Zuckerburg’s post contains the following interesting statement: “In reality, we wouldn’t share your information in a way you wouldn’t want.” Okay Mark, let’s talk about reality. I don’t want you using information about me, like my name, for commercial purposes. That’s reality. Why then do you demand to have the right to use my name and other information for commercial purposes? Are you suggesting that the terms of service as now written don’t reflect reality? I know they were written by lawyers, but surely your legal counsel can’t be that removed from the real world.

I like Facebook, and through it I have reconnected with old friends and made some new ones. But those connections are what’s important, not the intermediary. I may delete my photos off of there but I’ll probably keep using it, at least for now. But I’ll likely post less content. Shame on you, Facebook, and shame on you Mark Zuckerburg, for putting up a post just filled with platitudes, all while ignoring the fact there’s no reason for your new overreaching. That kind of stunt will invigorate those who want an alternative to Facebook, and will accellerate the process of making Facebook tomorrow’s Friendster.

Greedy photo courtesy Flickr user Gribiche under this Creative Commons license.

October 24, 2008 Anonymity, Defamation, Electronic Discovery, Litigation, Privacy

Expedited electronic discovery includes subpoena to ISP and imaging of defendants’ hard drives

Allcare Dental Management, LLC v. Zrinyi, No. 08-407, 2008 WL 4649131 (D. Idaho October 20, 2008)

Plaintiffs filed a defamation lawsuit against some known defendants as well as some anonymous John Doe defendants in federal court over statements posted to Complaintsboard.com. The plaintiffs did not know the names or contact information of the Doe defendants, so they needed to get that information from the Does’ Internet service provider. But the ISP would not turn that information over without a subpoena because of the restrictions of the Cable Communications Policy Act, 47 U.S.C. § 501 et seq. [More on the CCPA.]

Under Federal Rule of Civil Procedure 26(d)(1), a party generally may not seek discovery in a case until the parties have had a Rule 26(f) conference to discuss such things as discovery. Because of the Rule 26(d)(1) requirement, the plaintiffs found themselves in a catch-22 of sorts: how could they know with whom to have the Rule 26(f) conference if they did not know the defendants’ identity.

So the plaintiffs’ filed a motion with the court to allow a subpoena to issue to the ISP prior to the Rule 26(f) conference. Finding that there was good cause for the expedited discovery, the court granted the motion. It found that the subpoena was needed to ascertain the identities of the unknown defendants. [More on Doe subpoenas.] Furthermore, it was important to act sooner than later, because ISPs retain data for only a limited time.

The Plaintiffs also contended that that the known defendants would likely delete relevant information from their computer hard drives before the parties could engage in the ordinary process of discovery. So the plaintiffs’ motion also sought an order requiring the known defendants to turn over their computers to have their hard drives copied.

The court granted this part of the motion as well, ordering the known defendants to turn their computers over to the plaintiffs’ retained forensics professional immediately. The forensics professional was to make the copies of the hard drives and place those copies with the court clerk, not to be accessed or reviewed until stipulation of the parties or further order from the court.

October 21, 2008 Computer Crime, Privacy

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

June 23, 2008 Privacy

Employee text messages covered under Stored Communications Act and Fourth Amendment

Quon v. Arch Wireless Operating Co., Inc., — F.3d —-, 2008 WL 2440559 (9th Cir. June 18, 2008)

Sergeant Quon’s employer, the City of Ontario, California Police Department, issued him a pager with which he could send and receive text messages. Copies of text messages sent and received using the pager were archived on Arch Wireless’s computer server. The City’s agreement with Arch Wireless allowed for each user to send up to 25,000 characters’ worth of messages a month.

The police department required any employee who went over that monthly limit to pay the overage charges. Quon went over that limit several times and paid the extra fees. After awhile, the department started to investigate Quon, ostensibly to see whether the department should seek to raise the 25,000 monthly character limit. Quon’s supervisor had told him that the department would not review the contents of the messages if he continued to pay for the overages.

But the department acquired transcripts of the messages anyway. Quon sued, alleging violations of the Stored Communications Act, 18 U.S.C. §§2701-2711 (SCA) and the Fourth Amendment.

The district court awarded summary judgment to the defendants on the SCA claim, finding that Arch Wireless was a “remote computing service” as defined by the SCA, and thus it was appropriate for Arch Wireless to turn over the contents of the messages to the police department as a “subscriber” to the service.

On the defendants’ summary judgment motion on the Fourth Amendment claim, the district court determined that Quon had a reasonable expectation of privacy, but that the question of whether the search of the contents of the messages by the police chief was reasonable should be heard by a jury. That jury found that the search was reasonable because it was to determine the efficacy of the 25,000 character limit (i.e., to determine whether work-related reasons warranted upgrading).

Quon sought review of both the SCA and Fourth Amendment issues with the Ninth Circuit. On appeal, the court reversed the lower court’s holding that the SCA was not violated. As for the Fourth Amendment claim, the appellate court held that the search by the police chief was unreasonable as a matter of law, and that the question should not have even made it to the jury.

On the SCA claim, the court looked to the plain meaning of the statute as well as the legislative history from 1986 to conclude that the lower court’s determination that Arch Wireless was a remote computer service was erroneous. Arch Wireless did not provide “computer storage” nor “processing services.” Although Arch Wireless was storing the messages after transmission, the court held that that function was contemplated as one for an electronic communications service as well, which was more in line with the services Arch Wireless provided. So when Arch Wireless turned over the contents of the messages to the police department, which was merely a subscriber and not “an addressee or intended recipient of such communication[s],” it violated the SCA.

On the Fourth Amendment question, the court concluded that the search was unreasonable as a matter of law because it was unreasonable in its scope. Assuming that the only reason the police chief wanted to check the efficacy of the 25,000 character limit, there would have been less intrusive ways of doing so. Quon could have been asked to count the characters himself, or could have redacted personal messages in connection with an audit.

November 15, 2007 Employment, Ethics, Litigation, Privacy

Be careful with email because your employer is “looking over your shoulder”

Workplace email policy destroyed attorney-client privilege

Scott v. Beth Israel Medical Center, — N.Y.S.2d —-, 2007 WL 3053351 (N.Y. Sup. October 17, 2007).

Dr. Scott, who used to work for Beth Israel Medical Center in New York, sued his former employer for breach of contract and a number of other different things. Before he was terminated, however, he had used his work email account to send messages to his attorneys, discussing potential litigation against Beth Israel.

When Dr. Scott found out that Beth Israel was in possession of these email messages, he asked the court to order that those messages be returned to him. He argued that they were protected from disclosure to Beth Israel under the attorney client privilege.

Beth Israel argued that they were not subject to the privilege because they were not made “in confidence.” There was an email policy in place that provided, among other things, that the computers were to be used for business purposes only, that employees had no personal right of privacy in the material they create or receive through Beth Israel’s computer systems, and that Beth Israel had the right to access and disclose material on its system.

Dr. Scott argued that New York law [CPLR 4548] protected the confidentiality. Simply stated, CPLR 4548 provides that a communication shouldn’t lose its privileged character just because it’s transmitted electronically.

The court denied Dr. Scott’s motion for a protective order, finding that the messages were not protected by the attorney client privilege.

It looked to the case of In re Asia Global Crossing, 322 B.R. 247 (S.D.N.Y. 2005) to conclude that the presence of the email policy destroyed the confidential nature of the communications. The policy banned personal use, the hospital had the right to review the email messages (despite Scott’s unsuccessful HIPAA argument), and Dr. Scott had notice of the policy.

The decision has implications for both individuals and the attorneys who represent them. Employees should be aware that when they are sending messages through their employer’s system, they may not be communicating in confidence. And attorneys sending email messages to their clients’ work email accounts, on matters not relating to the representation of the employer, must be careful not to unwittingly violate the attorney client privilege.

What’s more, although the decision is based on email communications, it could affect the results of any case involving instant messaging or text messaging through the company’s server.

August 28, 2007 Privacy

No recovery for credit monitoring costs after data breach

Pisciotta v. Old National Bancorp, No. 06-3817, — F.3d —-, (7th Cir. August 23, 2007)

Defendant Old National Bank had a website through which it gathered numerous fields of confidential information about its customers, and it stored that information in a database. After a hacker compromised the system and gained access to the confidential customer information, two of the bank’s customers filed suit in an Indiana federal court, alleging breach of contract and negligence. They sought recovery not of any actual loss suffered from the security breach (e.g., amounts drained from the accounts), but instead sought to be reimbursed for future credit monitoring services.

The bank answered the complaint and moved for judgment on the pleadings under Fed. R. Civ. P. 12(c). The court granted the motion, holding that the alleged damages were not cognizable under Indiana law. The plaintiffs sought review with the Seventh Circuit Court of Appeals, which affirmed the dismissal of the action.

The court observed that there was essentially no authority providing guidance on how the issue should be resolved under Indiana law. (The district court sitting in diversity was required to apply the law of the state in which it sits — Indiana.) Part of the analysis, however, relied on a recently enacted Indiana statute dealing with data breaches. Under that statute [I.C. 24-4.9 et seq.], under certain circumstances, if a bank becomes aware of a compromise in its security, it must notify its customers. The only cause of action available under the statute lies with the government, as the attorney general is authorized to pursue civil actions against non-compliant banks. Private individuals are not entitled to recovery under the statute.

The lack of any affirmative right to recover the costs of prospective credit monitoring services in the statute contributed to the court’s decision to hold that none should be available at common law. Given the absence of any state authority directly addressing the point, the federal court declined to implement such a “substantial innovation” on a question of state law.

Opinion appears below (or click through if it’s not showing up in the RSS feed):

July 19, 2007 Privacy

Data privacy and third party Facebook applications

Over in the UK, Facebook has been getting some scrutinty from a privacy standpoint, especially after officials at Oxford University used the service recently to identify celebrating students who may have been up to some naughtiness. [More on that here]

But there are some even more subtle privacy issues with Facebook, arising from the proliferation of the use of third party applications within the Facebook platform. Alex Newson at Freeth Cartwright’s Impact blog has written up a pair of posts [here and here] which take a serious look at these Facebook privacy concerns. Naturally the posts are written from a UK perspective, but are useful to U.S. readers inasmuch as they prompt one to consider that which has largely hitherto been unconsidered, namely, what legal issues should a Facebook app developer be thinking about.

The U.S. approach to data privacy is frequently characterized as “scattershot.” So there aren’t any bright lines to draw when it comes to how one should manage the sharing of information within the Facebook platform. What is most appropriate at this time is to recognize it as an issue of which developers (and users) should be aware.