Doctor’s wiretapping case under ECPA heads to trial

McCann v. Iroquois Memorial Hospital, No. 08-3420 (7th Cir. September 13, 2010)

Mystery of how doctor’s dictation machine got turned on to record conversation between doctor and hospital employee is a question for the jury and should not have been decided on summary judgment.

Two hospital employees — Dr. Lindberg and the director of physician services, Ms. McCann — had a conversation behind the doctor’s closed office door that the two of them thought was private. In their conversation, the two of them criticized hospital administration. But they did not know that the doctor’s dictation machine was recording what they said.

Dictaphone was cylinder dictation machine from...
Image via Wikipedia

How that machine got turned on is a mystery. Dr. Lindberg had been dictating radiology reports a few minutes before Ms. McCann arrived, so he may have accidentally left the machine running. But the recording of the conversation started in mid-sentence, which discredits that theory.

A member of the hospital’s transcription staff, Ms. Freed, is alleged to have come into the room during this conversation to pick up some papers, and Dr. Lindberg and Ms. McCann believe she surreptitiously turned on the machine. That would seem a plausible explanation, given that Ms. Freed supposedly had an axe to grind with Dr. Lindberg.

The recorded conversation made its way to the transcription staff, and after it was typed out, Ms. Freed forwarded it to the hospital’s CEO. Dr. Lindberg and Ms. McCann filed suit against Ms. Freed and others under the Electronic Communications Privacy Act. They claimed that by secretly turning on the dictation machine and forwarding the transcript, Ms. Freed violated the statute.

The district court granted the defendants’ motion for summary judgment. Plaintiffs sought review with the Seventh Circuit. On appeal, the court reversed in part, finding there was a genuine issue of material fact as to whether Ms. Freed was in the room and secretly turned on the dictation machine.

The court of appeals held that whether Ms. Freed was in the office on the date the recording was made was merely the subject of a “swearing contest,” and that summary judgment is not appropriate to resolve such a contest. The lower court had based its grant of summary judgment largely on the contents of the recording. At the end of the conversation, one can hear the office door close as Ms. McCann leaves. But one cannot hear the door shut with Ms. Freed would have left, during the conversation and after she allegedly turned on the dictation machine.

Viewing the facts in the light most favorable to the plaintiffs, the court found that the absence of such a sound did not prove that Ms. Freed was not there: “[N]othing in the record tells us whether the door could have been closed silently; . . . [Ms.] Freed who was conscious that she was intruding (and, perhaps, that she was being taped) may have closed the door softly to be inconspicuous.”

So the court found that whether Ms. Freed was responsible for making the recording — and by extension whether Ms. Freed intentionally intercepted the conversation between Dr. Lindberg and Ms. McCann in violation of the ECPA — was an issue for the jury, and not one for summary judgment.

Lack of knowledge of interception causes ECPA claims against website owners to fail

Zinna v. Cook, No. 06-1733, 2010 WL 3604386 (D. Colo. September 7, 2010)

Plaintiff sued for violation of the Electronic Communications Privacy Act (ECPA) claiming that defendants intercepted his email messages and posted them to a website called ColoradoWackoExposed.com. Defendants moved for summary judgment. The court granted the motion.

It found that although similarities between messages and website content suggested that emails had been intercepted, there was no evidence showing the interception was “contemporaneous” with the messages’ transmission. (Several federal circuits require such contemporaneity. But see the Seventh Circuit’s recent opinion in U.S. v. Szymuszkiewicz for a different take.)

The court also held there was insufficient evidence to show that defendants knew the information posted on the website came about via any unlawful interception. The plaintiff’s assertions that defendants had worked with a non-party wiretapper failed to convince the court of this knowledge.

Setting up Outlook rule to intercept another’s email can be a federal crime

U.S. v. Szymuszkiewicz, — F.3d —, 2010 WL 3503506 (7th Cir. September 9, 2010)

Seventh Circuit upholds conviction of employee who secretly intercepted his boss’s email.

A federal jury convicted the defendant, who was an IRS revenue officer, of violating the Wiretap Act (or the Electronic Communications Privacy Act, as some like to call it — 18 USC 2511(1)(a). He had snuck onto his boss’s computer and set a rule in Microsoft Outlook to autoforward copies of all incoming email to his own account.

The defendant sought review of his conviction with the Seventh Circuit. On appeal, the court affirmed. Judge Easterbrook’s opinion is interesting reading. It is a nice accompaniment to the 2005 decision from the First Circuit in U.S. v. Councilman.

The court rejected the defendant’s argument that the Wiretap Act required that the “interception” of the email be “contemporaneous” with its transmission: “[d]ecisions articulating such a requirement are thinking football rather than the terms of the statute.” (Such decisions would include Fraser v. Nationwide Mutual (3d Cir.), Steve Jackson Games v. Secret Service (5th Cir.), Konop v. Hawaiian Airlines (9th Cir.) and United States v. Steiger (11th Cir).

In any event, the court found that the defendant’s interception of the messages in this case was “contemporaneous by any standard.” The evidence showed that the Outlook rules, though set within the email client, operated on the server. A message to the boss would go to an email server in Kansas City, and then be “flung across the network” as packets making up two copies, one for the boss and one for the defendant. It was this copying on the server that was the unlawful interception.

If you’re at all interested in this case and the Wiretap Act, then you must check out Orin Kerr’s post at the Volokh Conspiracy, especially the comments to that post. Very erudite discussion.

Email snooping can be intrusion upon seclusion

Analysis could also affect liability of enterprises using cloud computing technologies.

Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.

The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6)(for failure to state a claim upon which relief can be granted). The court denied the motion.

The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:

  • defendant committed an unauthorized prying into the plaintiff’s seclusion;
  • the intrusion would be highly offensive to the reasonable person;
  • the matter intruded upon was private; and
  • the intrusion caused the plaintiff to suffer.

The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.

The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.

Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.

Email ribbon photo courtesy Flickr user Mzelle Biscotte under this Creative Commons License

Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (&#147ECPA&#148). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

Scroll to top