Category: Privacy

April 5, 2011 Computer Crime, Privacy

Do certain mobile apps violate the Computer Fraud and Abuse Act?

[This is a guest post by attorney Caroline Belich. Caroline is a Chicago native, former Michigan State volleyball player, and recent admitee to the California bar with particular interest in the First Amendment.]

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030). The CFAA is a federal statute that is often used against hackers. Applying this rationale here, federal prosecutors may argue that the app makers essentially hacked users cellphones.

However, some legal experts believe that criminal charges against the app makers are unlikely. Supporting this belief is the fact that many criminal charges against companies result in non-prosecution or deferred prosecution agreements in exchange for concessions of wrongdoing or monetary payments.

But while criminal charges are doubtful, civil lawsuits by users and causes of action brought by the Federal Trade Commission (FTC) may not be. First, consumers may sue app makers for failure to notify under privacy rights claims. Second, the FTC could allege unfair and deceptive trade practices by makers for failure to inform users how their personal information is being employed. Recently, Google settled with the FTC regarding its social network, Buzz, where allegations were made about violations of users’ privacy.

In light of the potential for privacy rights violations and deceptive trade practices, the FTC has advocated a “Do Not Track” option for web browsers and cellphone users, similar to the “Do Not Call” list for telemarketing. But app makers strongly oppose this idea, of course, for various reason. First, it could obstruct their ability to collect data about their users’ utilization of their product. Second, the option could frustrate financial opportunities with third parties seeking the invaluable consumer statistics. And the third justification is best depicted by Facebook’s privacy policy – while a user may be giving away his own information, he’s not giving away that of his friends… as long as his friends haven’t shared the info with “everyone.”

So even if these criminal investigations do not come to fruition, at least the possibility is making the public aware of their rights involving smartphone products so that industry standards may be created or laws requiring notification may be made.

April 2, 2011 Computer Crime, Privacy

Sexting minor’s lawsuit against website moves forward despite her violation of federal law

Doe v. Peterson, 2011 WL 1120172 (E.D.Mich. March 24, 2011)

When plaintiff Jane Doe was seventeen years old, she took some nude photos of herself and sent them over the internet to her boyfriend. Somehow the photos ended up on an adult website owned by defendants. Doe brought a civil cause of action against defendants for violation of the federal child pornography laws and for intrusion upon seclusion, public disclosure of private facts, intentional infliction of emotional distress, and negligence.

The defendants pled an interesting affirmative defense to Doe’s claims — in pari delicto. A plaintiff’s actions that are found to be in pari delicto are just as bad or worse than what the plaintiff is suing over, so in cases like that the court will not award relief. Doe moved to strike this affirmative defense. The court granted the motion.

Although the court found that “it seems clear that [Doe was] guilty of violating federal laws prohibiting the production and distribution of child pornography,” it held that as a matter of law the doctrine of in pari delicto was not available to the defendants as an affirmative defense.

The court refused to allow “broad common-law barriers to relief where a private suit serv[ed] important public purposes.” Doe was a member of the class sought to be protected by the statute she had violated, and was not equally culpable as defendants allegedly were in permitting the distribution of the images. In this respect, it was not clear that Doe was of greater or equal fault than defendants, so the in pari delicto defense did not apply.

March 13, 2011 Defamation, Privacy

Woman mistaken for Spitzer prostitute in Girls Gone Wild internet video awarded $3 million

Arpaio v. Dupre, 2011 WL 831964 (D.N.J., Mar 3, 2011)

It has been three years since Eliot Spitzer resigned as governor of New York for getting busted for hooking up with a prostitute (time flies!). Shortly after he resigned, Girls Gone Wild offered Ashley Dupre, the high-priced prostitute Spitzer was accused of patronizing, a million dollars to be in a new Girls Gone Wild magazine spread and promotional tour. But when the producers realized they already had archival footage of her from years earlier, they revoked that offer.

Dupre sued Joseph Francis, the head of Matra Films (the producer of Girls Gone Wild) for $10 million alleging that he improperly used Dupre’s image from the archival footage. She claimed that because she was only 17 at the time, she didn’t understand the nature of what she was doing. Francis responded by releasing a video that made its rounds on the web (maybe NSFW) that showed the 17-year-old Dupree saying she was of age, and presenting a New Jersey driver’s license bearing the name of plaintiff Arpaio.

Plaintiff filed this lawsuit against Dupre and Girls Gone Wild alleging defamation and invasion of privacy. After none of the defendants responded to the lawsuit, the court entered default against the Girls Gone Wild defendants. Plaintiff never properly served the complaint on Dupre, so it did not enter default judgment against her.

The court awarded plaintiff $3 million in damages. It based this figure on her testimony and other evidence relating to plaintiff’s distress from being mistaken for Dupre, her concern that future employment would be jeopardized from employers doing a Google search on her and learning of the situation, the harm from plaintiff’s children (someday) being exposed to insulting material, and plaintiff’s symptoms consistent with post traumatic stress disorder.

March 12, 2011 Privacy

Court says you don’t need a person’s permission to tag them in a Facebook photo

Lalonde v. Lalonde, — S.W.3d —, 2011 WL 832465 (Ky. App., February 25, 2011)

Mother sought appellate review of the lower court’s order that awarded primary physical custody of her daughter to the child’s father. The mother argued, among other things, that the court improperly considered Facebook photos showing her drinking. This was not good because her psychologist had testified that alcohol would have an adverse effect on the medication she was taking for bipolar disorder. (Seems like there’s no shortage of cases involving drinkin’ photos on social media.)

The court rejected the mother’s assertion that the photos should not be considered as evidence. She argued that because Facebook allows anyone to post pictures and then “tag” or identify the people in the pictures, she never gave permission for the photographs to be published in this manner. The court held that “[t]here is nothing within the law that requires [one’s] permission when someone takes a picture and posts it on a Facebook page. There is nothing that requires [one’s] permission when she [is] “tagged” or identified as a person in those pictures.”

It might be easy to overstate the court’s conclusion here. Some instances of tagging might be part of something actionable. For example, the posting and tagging of photos in the right context might constitute harassment, infliction of emotional distress, or invasion of privacy. Use of another’s photo on the web without permission for commercial purposes might violate that person’s right of publicity. And of course there is the question of copyright as to the uploading of the photo in the first place — if the person appearing in the photo owns the copyright (e.g., it’s a self-portrait) there is the risk of infringement. But it’s interesting to see the court appear to validate ordinary tagging.

March 9, 2011 Privacy

Judge uses Facebook to research litigant

We’ve all heard the stories about lawyers using social media to research jurors and to gather evidence about opponents. But here’s a new twist: even judges look to Facebook to find information about the parties appearing before them.

In Purvis v. Commissioner of Social Sec., 2011 WL 741234 (D.N.J., Feb. 23, 2011), the question before federal judge Susan Davis Wigenton was whether the plaintiff had been wrongfully denied Social Security benefits. Ultimately the judge determined that the question of whether plaintiff’s asthma made her disabled needed to go back to the Social Security office for further proceedings. But the judge had some pretty severe skepticism about the merits of the plaintiff’s claim, expressed in this footnote:

Although the Court remands the ALJ’s decision for a more detailed finding, it notes that in the course of its own research, it discovered one profile picture on what is believed to be Plaintiff’s Facebook page where she appears to be smoking. Profile Pictures by Theresa Purvis, Facebook, [link omitted because it’s broken] (last visited Feb. 16, 2011). If accurately depicted, Plaintiff’s credibility is justifiably suspect.

I guess the moral of the story is to hide your smokes when someone pulls out a camera. Or maybe there’s an even bigger lesson. What do you think? Leave your comments.

March 4, 2011 Computer Crime, Privacy

Mom violated wiretap law by bugging daughter’s teddy bear to eavesdrop on dad

Lewton v. Divingnzzo, 2011 WL 692292 (D.Neb. Feb. 18, 2011)

Defendant thought her ex-husband was abusing their daughter during visitations. To prove these allegations in the custody case, defendant sewed an electronic recording device into the little girl’s favorite teddy bear. After the daughter returned from visiting with her father, the mom would unstitch the teddy bear and download the recorded conversations onto her computer.

She tried using the transcribed recordings as evidence in the state court custody proceeding. But the judge would not let them into evidence because they violated Nebraska law. The father and others whose conversations were recorded via the teddy bear sued the mom under the federal Electronic Communications Privacy Act.

Both sides moved for summary judgment. The court ruled in favor of the father, finding that the surreptitious recording did not fit into any exception of the ECPA.

The ECPA provides a private right of action to any person whose wire, oral or electronic communication is intercepted, disclosed or intentionally used in violation of the ECPA. Looking to Eighth Circuit authority, the court observed that the ECPA prohibits all wiretapping that is not specifically exempted by the statute.

No doubt this was a tough case – a parent fearing for the safety of his or her child might have strong reasons to resort to eavesdropping to protect the child. But the court was hamstrung – “[w]hile the notion that a parent or guardian should be able to listen to a child’s conversations to protect the child from harm may have merit as a matter of policy, it is for Congress, not the courts, to alter the provisions of the statute.”

The court ordered the defendant and her father (who had transcribed the recordings) to pay $10,000 to each of the offended plaintiffs. The defendant’s lawyer who had distributed the recordings to the guardian ad litem and others was found to have violated the ECPA but was not ordered to pay any money damages.

February 8, 2011 Electronic Discovery, Privacy, Uncategorized

Facebook user had standing to challenge subpoena seeking his profile information

Mancuso v. Florida Metropolitan University, Inc., 2011 WL 310726 (S.D. Fla. January 28, 2011 )

Plaintiff sued his former employer seeking back overtime wages. In preparing its defense of the case, the employer sent supboenas to Facebook and Myspace seeking information about plaintiff’s use of those platforms. (The employer probably wanted to subtract the amount of time plaintiff spent messing around online from his claim of back pay.) Plaintiff moved to quash the subpoenas, claiming that his accounts contained confidential and privileged information. The court denied the motion as to these social networking accounts, but did so kind of on a technicality. The subpoenas were issued out of federal district courts in California, and since this court (in Florida) did not have jurisdiction over the issuance of those subpoenas, it had to deny the motion to quash.

But there was some interesting discussion that took place in getting to this analysis that is worth noting. Generally, a party does not have standing to challenge a subpoena served on a non-party, unless that party has a personal right or privilege with respect to the subject matter of the materials subpoenaed. The employer argued that plaintiff did not have standing to challenge the subpoenas in the first place.

The court disagreed, looking to the case of Crispin v. Christian Audiger, Inc. 717 F.Supp.2d 965 (C.D. Cal. 2010), in which that court explained:

[A]n individual has a personal right in information in his or her profile and inbox on a social networking site and his or her webmail inbox in the same way that an individual has a personal right in employment and banking records. As with bank and employment records, this personal right is sufficient to confer standing to move to quash a subpoena seeking such information.

This almost sounds like an individual has a privacy right in his or her social media information. But the p-word is absent from this analysis. So from this case we know there is a right to challenge subpoenas directed at intermediaries with information. We’re just not given much to go on as to why such a subpoena should be quashed.

January 22, 2011 Privacy

College must reinstate nursing student who posted placenta picture on Facebook

Byrnes v. Johnson County Community College, 2011 WL 166715 (D. Kan., January 19, 2011)

Plaintiff nursing student and some of her classmates attended a clinical OB/GYN course at the local hospital in Olathe, Kansas last November. They got permission from their instructor to photograph themselves with a placenta. Plaintiff posted the photo on Facebook. She got expelled from school. Yes, I know you want to see the photo. Here it is.

So she sued the college for violation of her due process rights and sought an injunction ordering that she be reinstated. The court granted the motion.

The court found that the appeal process that the college provided to plaintiff was in no way a fair and unbiased opportunity for her to fully present her case before a neutral and unbiased arbitrator.

The instructor had granted permission for plaintiff to take the picture — and may have consented to its publication on Facebook — but plaintiff did not get an adequate chance to make that argument. The court observed that “photos are taken to be viewed,” and that “by giving the students permission to take the photos, which [the instructor] admitted, it was reasonable to anticipate that the photos would be shown to others.”

Also relevant in the analysis was the absence of any apparent privacy right implicated by showing the placenta. Nothing in the photo showed any patient identification, nor were any of the nursing students able to testify that they knew the patient’s identity. The court found it irrelevant that the placenta appeared to be “fresh,” rejecting the defendants’ implications that that would somehow indicate who the patient was.

Because plaintiff had shown a likelihood of success on her due process argument, and had met the other requirements for the injunction (such as a showing of irreparable harm if not reinstated), the court granted the order that plaintiff be permitted to take last semester’s final exams and permitted to go back to class.

December 15, 2010 Anonymity, Privacy

Publishing child sex abuse victim’s name on the web was not a privacy violation

Doe v. Fankhauser, 2010 WL 4702295 (N.D. Ohio, November 30, 2010)

County clerk immune from law suit over posting court document on government website.

Plaintiff Jane Doe was the victim of physical and sexual abuse when she was a minor. In the criminal case against the perpetrator, Doe’s name was redacted, and she and her family were allegedly assured that her name would not be publicly disclosed. But someone in the county clerk’s website scanned some documents from the criminal case that had Doe’s name in them and posted those electronic documents on the county’s website, making them publicly available.

So Doe sued the county clerk for violation of Doe’s constitutional due process rights and for common law invasion of privacy. The clerk moved to dismiss. The court granted the motion.

The court found that the clerk was protected by judicial immunity. Judges and court personnel who perform judicial and quasi-judicial functions are absolutely immune from suits for damages arising out of the performance of official judicial acts. In this case, the court found that the clerk’s actions in permitting the documents to be scanned and posted required a type of judgment closely related to the judicial process and therefore deserving of immunity.

Interestingly, the court held that the clerk was entitled to immunity from suit regardless of how careless she may have been. There was no loss of immunity merely because a mistake was made and the original document, without redaction, was made available to the public. “Where there is immunity, it applies even in the face of allegations of bad faith, malice, or reckless indifference.”

Makes you feel confident that the government is watching out for your privacy, doesn’t it?

December 7, 2010 Privacy

Credit card receipt shown on computer screen not “printed” for purposes of FACTA

Kelleher v. Eaglerider, Inc., 2010 WL 4684037 (N.D.Ill., Nov. 10 2010)

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) prohibits any “person that accepts credit cards or debit cards for the transaction of business” from “print[ing] more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681 c(g)(1). The prohibition applies only to receipts that are “electronically printed.” Id. § 1681 c(g)(2).

Plaintiffs used the web to book reservations to rent motorcycles from defendant. At the end of the reservation process, the plaintiffs allegedly saw on their computer screens their credit cards’ expiration dates. So they sued under FACTA.

Defendant moved for summary judgment. The court granted the motion.

The court looked to the recent Seventh Circuit case of Shlahtichman v. 1-800 Contacts, Inc., which it found to resolve the present dispute. In Shlahtichman, the court considered whether an email confirmation of a purchase, showing the credit card’s expiration date, was “electroncially printed” under FACTA. It answered the question in the negative, finding that “when one refers to a printed receipt, what springs to mind is a tangible document.” FACTA’s language, “as a whole clearly shows that the statute contemplates transactions where receipts are physically printed using electronic point of sale devices like electronic cash registers or dial-up terminals.”

Scroll to top