Category: Privacy

November 17, 2011 Anonymity, Computer Crime, Copyright, Privacy, Section 230

Video: my appearance on the news talking about isanyoneup.com

Last night I appeared in a piece that aired on the 9 o’clock news here in Chicago, talking about the legal issues surrounding isanyoneup.com. (That site is definitely NSFW and I’m not linking to it because it doesn’t deserve the page rank help.) The site presents some interesting legal questions, like whether and to what extent it is shielded by Section 230 of the Communications Decency Act for the harm that arises from the content it publishes (I don’t think it is shielded completely). The site also engages in some pretty blatant copyright infringement, and does not enjoy safe harbor protection under the Digital Millennium Copyright Act.

Here’s the video:

September 29, 2011 Employment, Privacy

Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court cited from a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

August 31, 2011 Privacy

Sexy MySpace photos stay out of evidence

Webb v. Jessamine County Fiscal Court, 2011 WL 3652751 (E.D. Ky. August 19, 2011)

Plaintiff filed a civil rights lawsuit against the local jail and other governmnet officials after she gave birth while incarcerated. She claimed, among other things, that the jail’s failure to get her proper medical care before and during the delivery caused her extreme humiliation, mental anguish and emotional distress.

The defendants tried an extremely bizarre and highly questionable tactic — they sought to use provocative photos purportedly copied from plaintiff’s MySpace profile, to demonatrate that it is “less probable that [plaintiff] would experience humiliation and mental anguish by being in a jail cell while delivering a baby.” Defendants claimed that the photos were “of such a nature that a reasonable person would be embarrassed if such photographs were placed in public view.”

In other words, defendants argued that because plaintiff would post photos like that of herself online, she did not have the dignity to be free from being ignored or called a child and a liar during labor.

The court granted plaintiff’s motion in limine, excluding the photos from evidence. It found that the photos were irrelevant:

Although the appearance of provocative photos online may cause some humiliation, it bears no relation at all to the extreme humiliation and mental anguish a woman forced to go through labor on her own in a jail cell would bring.

The court also found that the defendants had not properly authenticated the photos, i.e., had not provided enough supporting evidence to show that they actually were of plaintiff. The photos that the defendants offered bore “no indicia of authenticity, such as a web address or a photo of these images on the public MySpace account from which Defendants claim they originated.”

August 29, 2011 Privacy

Using remote tracking software to find stolen laptop may have violated federal wiretap statute

Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio August 22, 2011) [PDF copy of opinion]

Services that help track down stolen laptops and other lost mobile hardware are indispensable. Consider, for example, the year-long saga of Jeff Blakeman who used MobileMe to help recover his MacBook Pro that a TSA agent stole from checked luggage. Or how Joshua Kaufman used the remote recovery application Hidden to snap pics of the creepy dude who made off with his MacBook.

It is hard to not rejoice when one reads stories about laptop thieves being brought to justice. And we generally feel no pangs of conscience over whether the apprehended criminal had any privacy rights that were violated when he was being monitored with the software.

But what if the person being tracked did not steal the device, and did not know that it was stolen? Do we then care about whether the remote tracking process violated that person’s privacy? If so, how should that privacy right stack up against the theft victim’s right to get his or her property back?

A recent case from Ohio shows how the privacy right of the innocent user can constrain the rightful owner from using all means of what we might call “remote self help.” The court applied the Electronic Communications Privacy Act (“ECPA”) in a way that should cause users and purveyors of theft recovery services to reevaluate their methodologies.

Hot communications using hot property

The facts of the case were salacious and embarassing. Plaintiff bought a non-functioning laptop for $60 from one of her students (she was a substitute teacher at an “alternative” high school). After she got the computer working, she used it to have sexually explicit communications with her out-of-state boyfriend — they even got naked in front of their webcams with one another.

As it turns out, however, the student who sold plaintiff the laptop had stolen it. The teacher claimed she did not know it was purloined. The original, rightful owner of the laptop had installed Absolute Software’s LoJack for Laptops on the device. After it was stolen, and after it had made its way into plaintiff’s hands, Absolute began its work of locating the machine and gathering information about its whereabouts and its user.

In this process, one of Absolute’s employees obtained real-time access to what was happening on the stolen computer. He was able to collect keystrokes of the sexually explicit communications, and gather three screen shots of plaintiff and her boyfriend, both naked, fooling around on the webcam.

Absolute turned the information — including the X-rated screen shots — over to the police. Plaintiff was arrested and handcuffed. The criminal court dismissed the case against her.

But plaintiff (and her boyfriend) sued. They brought several claims against the police for violation of their constitutional rights, and claims against Absolute for, among other things, violation of the ECPA. Absolute moved for summary judgment on the ECPA claim but the court denied the motion. The court found that Absolute could not show, as a matter of law, that it should not be liable for the interception of the explicit communications.

Legitimate privacy expectation, even on a stolen computer

Subject to certain exceptions, the ECPA prohibits one from surreptitiously intercepting or disclosing the contents of any wire, oral or electronic communications of another. The defendants first argued that plaintiff could not put forward a valid ECPA claim because she did not have a legitimate expectation of privacy in these communications.

The court rejected this argument, finding that plaintiff’s belief as to her privacy was reasonable both subjectively and objectively. She felt safe enough to engage in the explicit communications (subjective belief), and she demonstrated that she had no reason to suspect the laptop was stolen (objective belief). Had she known or had reason to know it was stolen, her claim of privacy would have been subordinated to the possessory interest of the owner. (As an aside, there was some interesting evidentiary wrangling that went on a few weeks ago about defendants’ expert witnesses opining on internet privacy. Read more about that at Bow Tie Law.)

Public policy did not come to the rescue

Absolute next argued that certain exceptions to liability for violation of the ECPA should protect it. The court rejected each of these arguments. It found that the exception for those acting “under color of law” to track down “computer trespassers” did not apply, because Absolute was a private entity, not one acting under color of law. The court also rejected Absolute’s argument that it could divulge the intercepted contents as a provider of an electronic communications service. The court found that Absolute did not provide an “electronic communications service to the public” as defined by the ECPA.

So Absolute was left with one final argument, namely, that public policy should shield it from liability for the unauthorized interception and disclosure of the keystrokes and screen shots. Absolute argued that the legal owner of the stolen laptop should be able to take steps to locate and recover that property, and that the rights of the property owner must trump those of a thief.

The court declined to implement such a per se rule, noting that:

It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.

In so many words, the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer. Had the information collection stopped at IP addresses and other non-content information, the remote tracking efforts may not have run afoul of the ECPA.

August 11, 2011 Computer Crime, Privacy

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

June 20, 2011 Computer Crime, Privacy

Court upholds criminal intimidation conviction over threats to distribute sexually explicit photo

State v. Noll, 2011 WL 2418895 (Ind. App. June 14, 2011) (Not selected for publication)

Defendant used a sexually explicit photo of the victim in an attempt to gain leverage in an intra-family dispute. She handed an envelope containing the photo to the victim, and indicated she would begin distributing the photo if certain demands were not met.

Defendant was convicted of intimidation under Indiana law. She sought review of her conviction. On appeal, the court affirmed.

One of the arguments that defendant made on appeal was that there was no intimidation because distribution of the photo to persons such as the victim’s husband or co-workers would not subject her to hatred, contempt, disgrace or ridicule as required by the Indiana statute. Defendant pointed out that the victim had posted the sexually explicit photo of herself at issue on the web five years earlier. So in essence, defendant argued, further distribution would do the victim no harm.

The court rejected this argument, finding:

The fact that [victim] already publicized the material herself certainly merits consideration, but is not alone determinative because publicizing material to a particular audience does not necessarily mean that further, targeted, publication would not lead to hatred, contempt, disgrace, or ridicule. In other words, we consider [victim’s] posting of these photographs online in the past as it might mitigate reputational consequences of [defendant] mailing the photographs to others. Although internet websites are of an unusually public and long-lasting nature, we also recognize that making an obscure set of photographs available online is qualitatively different in nature from directly mailing the same photographs as hard-copies addressed to a particular individual or company. [Victim’s] husband or employer could have discovered [victim’s] prior internet posting of the photographs, but a direct mailing is certain to reach them.

The court similarly rejected defendant’s argument that because the victim had posted the photo on the web before, she had no reasonable expectation of privacy in the photo and thus could not be the subject of intimidation. The court disagreed with the analogy to the Fourth Amendment expectation of privacy because in this case, the privacy interest was the victim’s, not the defendant’s. So use of such an analogy might “misdirect [the court] from the determinative issue of whether she would be exposed to reputational consequences.”

June 14, 2011 Copyright, Electronic Discovery, Privacy

Court deals blow to anonymous Bittorrent defendants’ efforts to challenge subpoenas

West Coast Productions v. Does 1 – 5,829, — F.Supp.2d —, 2011 WL 2292239 (D.D.C. June 10, 2011)

The judge in one of the well-known mass copyright cases filed by Dunlap, Grubb & Weaver a/k/a U.S. Copyright Group (West Coast Productions v. Does 1 – 5,829) has issued an order denying motions to quash filed by several of the unnamed defendants. Plaintiff had served subpoenas on the ISPs associated with the IP addresses allegedly involved in Bittorrent activity, seeking to learn the identity of those account holders.

The ruling is potentially troubling because the court refused to even consider the arguments presented by those anonymous parties who did not reveal their identity in connection with the motion to quash. Such an approach undermines, and indeed comes close to refusing altogether to recognize any privacy interest that a person may have concerning his or her ISP account information.

The court observed that the Federal Rules of Civil Procedure require that a party must identify himself or herself in the papers filed with the court. In some situations, however, a court may grant a “rare dispensation” of anonymity after taking into account the risk of unfairness to the party seeking anonymity as well as the general presumption of openness in judicial proceedings.

In this case, the court noted that other courts had “uniformly held that the privacy interest in [ISP account] information is minimal and not significant enough to warrant the special dispensation of anonymous filing.”

Absent from the court’s analysis was the potential for harm to defendants who were the subject of these subpoenas but might have the ability to demonstrate (anonymously) that they were not involved. In cases involving adult content, in particular, the harm of being publicly associated with that content — even if the association turns out to be in error — is one that should not be disregarded in this way. Moreover, taking away the ability of an anonymous defendant to challenge his unmasking will encourage extortionate-like behavior on the part of copyright plaintiffs hoping to extract a settlement early in the case. If writing a check is the only way to keep from having to turn one’s name over (and this case pretty much establishes that rule), then more settlements should be expected.

The court went on to reject the arguments in favor of motions to quash filed by John Does who had provided their contact information to the court. The court found that it was premature to rule on any objections based on a lack of personal jurisdiction because the defendants filing the motions had not actually been named as a party. And the court rejected the arguments that the defendants were improperly joined into the action, noting the allegations in the complaint that the IP addresses were involved in a single Bittorrent swarm.

Evan Brown is a Chicago-based attorney practicing technology and intellectual property law. Send email to ebrown@internetcases.com, call (630) 362-7237, follow on Twitter at @internetcases, and be sure to like Internet Cases on Facebook.

June 4, 2011 Privacy

Court dismisses class action against MySpace for violation of the Stored Communications Act

Hubbard v. MySpace, 2011 WL 2149456 (S.D.N.Y. June 1, 2011)

Plaintiff, who sued on behalf himself and others similarly situated, claimed that MySpace improperly turned over account information and private messages to law enforcement, even though there was a search warrant. Plaintiff claimed this violated the Stored Communications Act, 18 USC 2701 et seq.

MySpace moved to dismiss. The court granted the motion.

The version of the Stored Communications Act in effect at the time of the alleged wrongful disclosure in this case provided that a search warrant seeking the information must issue from a federal court “with jurisdiction over the offense under investigation,” or be “an equivalent State warrant.”

Plaintiff argued that the warrant sent to MySpace was not sufficient under the SCA (and should have been ignored) because (1) the state magistrate did not have jurisdiction to hear the felony that the cops were investigating plaintiff for, and (2) the magistrate did not have the power to issue search warrants across state lines.

The court rejected both of these arguments. In determining the warrant to be “an equivalent State warrant,” it looked to the way federal magistrates issue warrants in SCA cases. It held that the phrase “jurisdiction over the offense under investigation” refers to the power to issue warrants, not to the power to ultimately try the case. And the court looked to the legislative history around the Patriot Act amendments to conclude that SCA investigations give magistrate judges special powers to direct search warrants across state lines, because having to require cooperation with the courts in which an ISP actually exists might allow enough time for a terrorist to get away or strike again.

This case is worth noting for the wide scope the court establishes for valid search warrants under the SCA. It is also worth noting that the SCA has since been amended to make the scope more clearly this broad. 

June 3, 2011 Privacy

Court dismisses unfair competition claim against Facebook over alleged privacy violation

This is a post by Sierra Falter.  Sierra is a third-year law student at DePaul University College of Law in Chicago focusing on intellectual property law.  You can reach her by email at sierrafalter [at] gmail dot com or follow her on Twitter (@lawsierra).  Bio: www.sierrafalter.com.

In re Facebook Privacy Litigation, 2011 WL 2039995 (N.D.Cal. May 12, 2011)

Plaintiff Facebook users sued defendant Facebook for violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §§ 17200, et seq., alleging that Facebook intentionally and knowingly transmitted personal information about plaintiffs to third-party advertisers without plaintiffs’ consent.  Facebook moved to dismiss the UCL claim.  The court granted the motion.

Defendant argued that plaintiffs failed to state a claim because they lacked standing under the UCL, since they did not allege they lost money or property.  Defendant asserted there was no such loss because plaintiffs’ “personal information” did not constitute property under the UCL.

Instead, the plaintiffs had alleged that defendant unlawfully shared their “personally identifiable information” with third-party advertisers.  However, the court distinguished the plaintiffs’ claim from Doe 1 v. AOL, LLC, 719 F.Supp.2d 1102 (N.D. Cal. 2010).  In that case, the plaintiffs’ personal and financial information had been distributed to the public after the plaintiffs therein signed up and paid fees for AOL’s service.  The court dismissed plaintiff’s claim in this case under the holding of Doe v. AOL — since plaintiffs alleged they received defendant’s services for free, they could not state a UCL claim.

April 7, 2011 Computer Crime, Privacy

Court says law firm did not eavesdrop on employee phone calls

Bowden v. Kirkland & Ellis, 2011 WL 1211555 (7th Cir. April 1, 2011)

Two former employees of a law firm sued the firm for violation of the Electronic Communications Privacy Act, 18 USC 2510 et seq. and for violation of the Illinois Eavesdropping Act, 720 ILCS 5/14-2. The district court granted summary judgment in favor of the law firm. The former employees sought review with the Seventh Circuit. On appeal, the court affirmed the grant of summary judgment.

The court held that the former employees’ evidence of eavesdropping raised no more than a “theoretical possibility” of a violation. Even one of the strongest experts in the case triple hedged his testimony, saying the records “could indicate the potential that interception may have occurred.” So the grant of summary judgment was proper.

The plaintiffs had also raised an electronic discovery issue, namely a claim that the law firm spoliated evidence by destroying a server that contained phone records relevant to the case. The court rejected that argument, finding no credible evidence that the destruction was undertaken in bad faith.

Scroll to top