Tag: email

August 11, 2011 Computer Crime, Privacy

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

March 23, 2011 Spam

Yahoo not liable for blocking marketing email

Section 230 of Communications Decency Act (47 U.S.C. 230) shields Yahoo’s spam filtering efforts

Holomaxx v. Yahoo, 2011 WL 865794 (N.D.Cal. March 11, 2011)

Plaintiff provides email marketing services for its clients. It sends out millions of emails a day, many of those to recipients having Yahoo email addresses. Yahoo used its spam filtering technology to block many of the messages plaintiff was trying to send to Yahoo account users. So plaintiff sued Yahoo, alleging various causes of action such as intentional interference with prospective business advantage.

Yahoo moved to dismiss, arguing, among other things, that it was immune from liability under Section 230(c)(2) of the Communications Decency Act. The court granted the motion to dismiss.

Section 230(c)(2) provides, in relevant part, that “[n]o provider or user of an interactive computer service shall be held liable on account of … any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

Plaintiff argued that immunity should not apply here because Yahoo acted in bad faith by using “faulty filtering technology and techniques,” motivated “by profit derived from blocking both good and bad e-mails.” But the court found no factual basis to support plaintiff’s allegations that Yahoo used “cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email.”

The court rejected another of plaintiff’s arguments against applying Section 230, namely, that Yahoo should not be afforded blanket immunity for blocking legitimate business emails. Looking to the cases of Goddard v. Google and National Numismatic Certification v. eBay, plaintiff argued that the court should apply the canon of statutory construction known as ejusdem generis to find that legitimate business email should not be treated the same as the more nefarious types of content enumerated in Section 230(c)(2). (Content that is, for example, obscene, lewd, lascivious, filthy, excessively violent, harassing).

On this point the court looked to the sheer volume of the purported spam to conclude Yahoo was within Section 230’s protection to block the messages — plaintiff acknowledged that it sent approximately six million emails per day through Yahoo’s servers and that at least .1% of those emails either were sent to invalid addresses or resulted in user opt-out. On an annual basis, that amounted to more than two million invalid or unwanted emails.

October 20, 2010 Electronic Discovery, Privacy

Stored Communications Act protects Yahoo email account from subpoena

Chasten v. Franklin, 2010 WL 4065606 (N.D.Cal. October 14, 2010)

Plaintiff sued some corrections officers at the prison where her inmate son was killed. She learned in a deposition that one of the defendants had a Yahoo email account. So she sent a subpoena to Yahoo seeking all the email messages sent from that account during a period of more than two years.

Defendant moved to quash the subpoena, arguing that disclosure of the email messages would violate his rights under the Stored Communications Act (SCA). The court granted the motion to quash.

Subject to certain specifically-enumerated exceptions, the SCA (at 18 U.S.C. 2702(a) and (b)) essentially prohibits providers of electronic communication or remote computing services to the public from knowingly divulging the contents of their customers’ electronic communications or the records relating to their customers. The court found that no such exception applied in this case. Citing to Theofel v. Farey-Jones, it held that compliance with the subpoena would be an invasion of the specific interests that the SCA seeks to protect.

October 12, 2010 Electronic Discovery, Privacy

Bipolar disorder no excuse for email hacker

Leor Exploration v. Aguiar, 2010 WL 3782195 (S.D. Fla. September 28, 2010)

Plaintiffs claimed that defendant hacked into one of the plaintiffs’ email accounts during the litigation to get an advantage in the case. The court entered severe sanctions against defendant for doing this — it struck his answer. In litigation, that is like declaring plaintiffs the winners.

Defendant had argued to the magistrate judge that his mental illness (bipolar disorder) caused him to hack plaintiff’s email account out of fear for his security. Defendant even presented expert testimony from a psychiatrist to support the claim that he lacked the mental state to act in bad faith.

In adopting the magistrate’s findings, the district judge found defendant’s psychiatric expert’s testimony unmoving. (Mainly because defendant’s lawyers limited what the expert could say.) So the court relied on other evidence that showed defendant’s bad faith intent in accessing the email. The novel theory of “not guilty of email hacking by reason of insanity” failed in this case.

October 11, 2010 Computer Crime, Privacy

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta
October 4, 2010 Computer Crime

Palin email hacker conviction survives motion for acquittal

U.S. v. Kernell, No. 08-CR-142 (E.D. Tenn. September 23, 2010)

A federal jury convicted defendant for a number of crimes related to his hacking into Sarah Palin’s Yahoo email account in September 2008. One of the crimes the jury convicted him of was the “destruction or alteration of a record or document with the intent to obstruct an investigation” (a violation of 18 USC 1519).

After hacking into Palin’s account, but before the formal FBI investigation began, defendant deleted some Palin family pictures he had downloaded from the account, uninstalled his web browser, and defragmented his hard drive.

Defendant moved for a “judgment of acquittal”, arguing that the evidence was insufficent to support his convictions. The court denied the motion.

The court found that the Government offered sufficient proof to support the conviction. Even though defendant preserved (did not destroy) his computer, spoke with an FBI agent investigating the matter and advised his friends to be truthful in what they said about the case, the court looked to the totality of the evidence as supporting defendant’s guilt.

Given that defendant deleted images from his computer that he had downloaded from Palin’s account, and had run web searches on “legalities email” and “soppenaing [sic.] ip addresses”, a rational jury could find him guilty. So the jury verdit stood.

September 30, 2010 Computer Crime, Privacy

Divorce attorney did not conspire to violate the Electronic Communications Privacy Act

Court declines to recognize secondary liability for civil ECPA violation, holding that defendant’s divorce lawyer could not be a conspirator in a civil action alleging email interception.

Garback v. Lossing, 2010 WL 3733971 (E.D.Mich. September 20, 2010)

Plaintiff sued his ex-wife’s attorney for violation of the Electronic Communications Privacy Act. He claimed that his ex-wife, her attorney and some other defendants (including a computer forensics firm) acted together to violate the ECPA by “hacking” into plaintiff’s email account. The ex-wife allegedly used information gathered in this process to negotiate a more favorable divorce settlement.

The defendant attorney moved to dismiss for failure to state a claim upon which relief may be granted. The court granted the motion.

The court found that in plaintiff’s “inartful” pleading, he had failed to allege that the defendant attorney had actually intercepted or knowingly used information obtained in violation of the ECPA. Plaintiff argued that this failure was not fatal, however, in that he had alleged that the defendant attorney conspired to intercept emails.

Rejecting this argument, the court observed that “normally federal courts refrain from creating secondary liability that is not specified by statute.” Finding no textual support in the ECPA for such secondary liability, the court declined to read ECPA’s scope so expansively. The court found the statute as being clear on who may be liable: those who intercept communications and those who get ahold of those communications knowing they were illegally obtained. So the ECPA claim failed and plaintiff was given leave to replead.

September 16, 2010 Computer Crime, Privacy

Setting up Outlook rule to intercept another’s email can be a federal crime

U.S. v. Szymuszkiewicz, — F.3d —, 2010 WL 3503506 (7th Cir. September 9, 2010)

Seventh Circuit upholds conviction of employee who secretly intercepted his boss’s email.

A federal jury convicted the defendant, who was an IRS revenue officer, of violating the Wiretap Act (or the Electronic Communications Privacy Act, as some like to call it — 18 USC 2511(1)(a). He had snuck onto his boss’s computer and set a rule in Microsoft Outlook to autoforward copies of all incoming email to his own account.

The defendant sought review of his conviction with the Seventh Circuit. On appeal, the court affirmed. Judge Easterbrook’s opinion is interesting reading. It is a nice accompaniment to the 2005 decision from the First Circuit in U.S. v. Councilman.

The court rejected the defendant’s argument that the Wiretap Act required that the “interception” of the email be “contemporaneous” with its transmission: “[d]ecisions articulating such a requirement are thinking football rather than the terms of the statute.” (Such decisions would include Fraser v. Nationwide Mutual (3d Cir.), Steve Jackson Games v. Secret Service (5th Cir.), Konop v. Hawaiian Airlines (9th Cir.) and United States v. Steiger (11th Cir).

In any event, the court found that the defendant’s interception of the messages in this case was “contemporaneous by any standard.” The evidence showed that the Outlook rules, though set within the email client, operated on the server. A message to the boss would go to an email server in Kansas City, and then be “flung across the network” as packets making up two copies, one for the boss and one for the defendant. It was this copying on the server that was the unlawful interception.

If you’re at all interested in this case and the Wiretap Act, then you must check out Orin Kerr’s post at the Volokh Conspiracy, especially the comments to that post. Very erudite discussion.

August 18, 2010 Computer Crime, Privacy

Computer Fraud and Abuse Act, the Stored Communications Act, and unauthorized access

Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court dismissed the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications were not pled with enough detail to state a claim. The court found that the allegations were sufficient.

Photo courtesy of Flickr user croncast under this Creative Commons license.

June 15, 2010 Computer Crime, Privacy

Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

Scroll to top