privacy – Page 2 – Attorney Evan Brown

February 15, 2022 Privacy

Biometric privacy statute does not violate First Amendment

biometric privacy First Amendment — Biometric identifiers extracted from a photo are not public in the same way the photo itself is

Plaintiffs filed a class action lawsuit against a facial recognition technology company and related individual defendants, asserting violations of the Illinois Biometric Information Privacy Act (“BIPA”). Plaintiffs alleged that defendants covertly scraped over three billion photographs of faces from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted to harvest the individuals’ unique biometric identifiers and corresponding biometric information. One of the defendants then created a searchable database containing this biometric information and data that enabled users of its proprietary platform to identify unknown individuals by uploading a photograph to the database. Accordingly, plaintiffs alleged that defendants collected, captured, or otherwise obtained their biometric data without notice and consent, and thereafter, sold or otherwise profited from their biometric information, all in violation of BIPA.

Unconstitutional restriction on public information?

Defendants moved to dismiss the BIPA claim on a number of grounds, including an argument that BIPA violated defendants’ First Amendment rights. More specifically, defendants maintained that the capture and analysis of faceprints from public images was protected speech, and thus, BIPA was unconstitutional because it inhibited the ability to collect and analyze public information. Plaintiffs, however, asserted that the capturing of faceprints and the action of extracting private biometric identifiers from the faceprints was unprotected conduct. The court sided with plaintiffs and rejected defendants’ argument.

The court held that defendants’ argument oversimplified plaintiffs’ allegations. Although defendants captured public photographs from the internet, they then harvested an individual’s unique biometric identifiers and information – which are not public information – without the individual’s consent. Put differently, plaintiffs asserted that the defendants’ business model was not based on the collection of public photographs from the internet, some source code, and republishing information via a search engine, but the additional conduct of harvesting nonpublic, personal biometric data. And, as plaintiffs further alleged, unlike fingerprints, facial biometrics are readily observable and present a grave and immediate danger to privacy, individual autonomy, and liberty.

An intermediate approach to biometric privacy

Accordingly, the court looked at defendants’ conduct as involving both speech and nonspeech elements. Looking to the test set out in the Supreme Court case of United States v. O’Brien, 391 U.S. 367 (1968), the court evaluated how when “elements are combined in the same course of conduct, a sufficiently important governmental interest in regulating the nonspeech element can justify incidental limitations on First Amendment freedoms.” The court applied the intermediate scrutiny standard set out in O’Brien, namely, a regulation does not violate the First Amendment if (1) it is within the power of the government to enact, (2) furthers an important government interest, (3) the governmental interest is unrelated to the suppression of free expression, and (4) any incidental restriction on speech is no greater than is necessary to further the government interest.

The first element was easy to dispense with because the parties did not argue that the Illinois General Assembly lacked the power to enact BIPA. On the second element, the court found that the General Assembly enacted BIPA to protect Illinois residents’ highly sensitive biometric information from unauthorized collection and disclosure. Regarding the third element, the court noted that BIPA, including its exceptions, does not restrict a particular viewpoint, nor does it target public discussion of an entire topic. And on the fourth O’Brien element, the court found BIPA to be narrowly tailored by legitimately protecting Illinois residents’ highly sensitive biometric information and data, yet allowing residents to share their biometric information through its consent provision. And BIPA is not overly-broad, in the court’s view, because it does not prohibit a substantial amount of protected speech.

In re Clearview AI, Inc., Consumer Privacy Litigation, 2022 WL 444135 (N.D. Illinois, February 14, 2022)

February 14, 2022 Anonymity, Blockchain

Court protects the privacy of bitcoin address and transaction information

Defendant asked the court to redact his bitcoin address and transaction information from exhibits used at trial, which ordinarily would become part of the public record. He argued that for each transaction recorded on the blockchain, one could reverse engineer the entire transaction if he or she knows the individual associated with one of a number of pieces of information, including transaction ID and public bitcoin address. “[O]nce a particular individual is associated [with] any of this information, it is essentially akin to providing that individual’s financial account number.”

The court allowed the redaction of the bitcoin address and bitcoin transactions. It found that defendant had demonstrated good cause to support the redactions. The court balanced the public’s right of access to court information against defendant’s interest in keeping the information confidential. It agreed with defendant’s assertion that the bitcoin information he sought to redact is akin to a financial account number or personally identifiable information.

Kleiman v. Wright, 2022 WL 390702 (S.D. Fla., February 9, 2022)

January 20, 2022 Computer Crime, Privacy

Is Indiana’s revenge porn law constitutional?

revenge porn constitutional — Stained glass window at Pokagon State Park in Angola, Indiana, near where the underlying events in this case took place.

In 2019, Indiana joined a number of other states and enacted a statute that makes it a crime for a person to distribute an “intimate image” when he or she knows or reasonably should know that an individual depicted in the image does not consent to the distribution. In March 2020, defendant sent a video of himself receiving oral sex to his ex-girlfriend via Snapchat. After being charged under the statute, defendant moved to dismiss, arguing in part that the statute violates both the Indiana and U.S. constitutions. The trial court agreed and dismissed the case. But the state appealed to the Indiana Supreme Court.

What part of the Indiana constitution applied?

The court’s analysis under the Indiana constitution is particularly interesting. Indiana’s constitutional protection in this area reads quite a bit differently than the language of the First Amendment.

Article 1, Section 9 of the Indiana constitution reads as follows:

No law shall be passed, restraining the free interchange of thought and opinion, or restricting the right to speak, write, or print, freely, on any subject whatever: but for the abuse of that right, every person shall be responsible.

The court first had to evaluate whether videos – and in particular the video at issue – were covered by the applicable Indiana constitutional provision. “Our encounters with Article 1, Section 9 have always involved words, thus invoking the ‘right to speak’ clause.” The court held that the video content was protected under the “free interchange” clause of the state’s constitution. “We understand the free interchange clause to encompass the communication of any thought or opinion, on any topic, through ‘every conceivable mode of expression.’” And the court quickly ascertained that being prosecuted for the distribution of the video was a “direct and substantial burden” on defendant’s right to self-expression.

Abuse of rights?

But defendant’s expressive activity in this case – though within his right to free interchange as expressed in the constitution – was an abuse of that right. Looking through the lens of the natural rights philosophy that informed the drafting of the Indiana constitution, the court cited to previous authority (Whittington v. State, 669 N.E.2d 1363 (Ind. 1996)) that explained how “individuals possess ‘inalienable’ freedom to do as they will, but they have collectively delegated to government a quantum of that freedom in order to advance everyone’s ‘peace, safety, and well-being.'” Thus, the court observed that the purpose of state power is “to foster an atmosphere in which individuals can fully enjoy that measure of freedom they have not delegated to government.”

Citing to State v. Gerhardt, 145 Ind. 439 (Ind. 1896), the court evaluated how “[t]he State may exercise its police power to promote the health, safety, comfort, morals, and welfare of the public.” And citing to other authority, the court noted that “courts defer to legislative decisions about when to exercise the police power and typically require only that they be rational.” So the question became whether – approached from the standpoint of rationality – the statute’s restriction on the right to self-expression was appropriate to promote the health, safety, comfort, morals and welfare of the public.

Rationality favored public protection

“Under our rationality inquiry, we have no trouble concluding the impingement created by the statute is vastly outweighed by the public health, welfare, and safety served.” In reaching this conclusion, the court examined, among other things, the tremendous harms of revenge porn – including its connection to domestic violence and psychological injury. Accordingly, the court found the statute did not violate the Indiana constitution.

The court also found that the statute did not violate the First Amendment of the U.S. Constitution. It held that the statute is content-based and therefore subject to strict scrutiny. Even under this standard, the court found that it served a compelling government interest, and was narrowly tailored to achieve that compelling interest.

State v. Katz, 2022 WL 152487 (Ind., January 18, 2022)

Can a party recover statutory damages under the Stored Communications Act without proving actual damages?

The Stored Communications Act (18 USC 2701 et seq.) is among the most powerful tools relating to email privacy. It is a federal statute that prohibits, in certain circumstances, one from intentionally accessing without authorization, or exceeding authorized access to, a facility through which an electronic communication service is provided. The statute provides criminal penalties and an aggrieved party can bring a civil suit for damages in certain cases.

The statute contains a provision that addresses the amount of money damages a successful plaintiff can recover. Section 2707(c) provides the following:

Damages. The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

Note the phrase “but in no case shall a person entitled to recover receive less than the sum of $1,000.” Does that mean every plaintiff that successfully proves the defendant’s liability is entitled to at least $1,000, regardless of whether there was any actual damage that occurred? The Fifth Circuit Court of Appeals recently addressed that question in the case of Domain Protection, L.L.C. v. Sea Wasp, L.L.C. It held that one must show at least some actual damages before being entitled to the minimum of $1,000.

The court looked to the Supreme Court’s approach in addressing nearly identical language in another statute, wherein SCOTUS concluded that “person entitled to recover” refers back to the party that suffers “actual damages.” Doe v. Chao, 540 U.S. 614, 620, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). And it noted that two other circuits have held that this reasoning should apply to the same terms in the Stored Communications Act: Vista Mktg., LLC v. Burkett, 812 F.3d 954, 964–75 (11th Cir. 2016) and Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 204–208 (4th Cir. 2009). The court “endorse[d] the reasoning of those opinions and [saw] no need to repeat it.”

Domain Protection, L.L.C. v. Sea Wasp, L.L.C., — F.4th —, 2022 WL 123408 (5th Cir. January 13, 2022)

September 30, 2019 Anonymity, Electronic Discovery, Litigation

Plaintiff failed to make key arguments in bid to unmask anonymous online defendants

Plaintiff sued some unknown defendants for breach of contract and violations of the Computer Fraud and Abuse Act, based on the defendants’ deceptive conduct that tricked some internet users into signing up for plaintiff’s paid services. The unknown defendants would receive affiliate commissions from operating this scheme. This caused reputation problems for plaintiff.

Plaintiff sought early discovery to ascertain the identities of the unknown defendants. The court denied the motion.

The Federal Rules of Civil Procedure do not permit a party to seek discovery from the adverse parties in the case until all parties have conducted an initial conference under Rule 26(f). But when the defendants are unknown, that conference cannot take place. So the plaintiff needs to conduct discovery to find out who they are. In situations like these, for the required early discovery to occur and the unknown defendants to be identified (so that the conference can take place), the court must enter an order permitting early discovery.

A court can authorize early discovery to identify unknown defendants if there is good cause. In determining whether there is good cause, courts consider whether the plaintiff:

can identify the missing party with sufficient specificity such that the court can determine that defendant is a real person or entity who could be sued in federal court;
has identified all previous steps taken to locate the elusive defendant;
has articulated claims against defendant that would withstand a motion to dismiss; and
has demonstrated that there is a reasonable likelihood of being able to identify the defendant through discovery such that service of process would be possible.

In this case, the court found that plaintiff failed to identify the defendants with sufficient specificity, and did not demonstrate that each defendant was a real person or entity who would be subject to jurisdiction in the Northern District of California. Plaintiff had not explained why defendants would be subject to the jurisdiction of the court, as defendants’ activities seemed directed at Argentina, and plaintiff’s harm was felt in Argentina and other parts of Latin America. The only apparent connection defendants had with the Northern District of California was that they used domain name services from California companies. Plaintiff provided no authority to suggest this was sufficient to create jurisdiction.

Plaintiff also failed to explain what steps it had taken to locate defendants. Citing to Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999), the court noted that “[t]his element is aimed at ensuring that plaintiffs make a good faith effort to comply with the requirements of service of process and specifically identifying defendants.”

In its motion, plaintiff only stated that there were no more practical measures that would permit it to identify the unknown defendants, but did not identify what measures – if any – were taken. For example, plaintiff was apparently able to identify defendants as affiliates, and that a contract existed, giving rise to legal liability. It was therefore not clear why plaintiff was unable to identify defendants based on the contract.

Binbit Argentina, S.A. v. Does 1-25, No. 19-5384, 2019 WL 4645159 (N.D. Cal., September 24, 2019)

Court labels copyright plaintiff as a troll and shuts down efforts to ID anonymous infringer

When a copyright plaintiff does not know who a particular alleged infringer is, it must first send a subpoena to the ISP assigned the IP address used to commit the alleged infringement. But the rules of procedure do not allow the sending of subpoenas until after the 26(f) conference – a meeting between the plaintiff and defendant (or their lawyers) to discuss the case. A plaintiff cannot have a 26(f) conference if the defendant has not been served with the complaint, and the complaint cannot be served unless the defendant’s identity is known.

So you can see the conundrum. To break out of this not-knowing, plaintiffs in situations like this will ask the court’s help through a motion for leave to take early discovery. That way the plaintiff can learn who the defendant is, serve the complaint, and move the case forward.

In the recent case of Strike 3 Holdings v. Doe, Judge Royce Lamberth of the U.S. District Court for the District of Columbia put a stop to the efforts of a plaintiff that it called a copyright troll right to its face (or at least right in the text of the opinion). The court denied Strike 3’s motion for leave to take early discovery to learn the identity of an unknown BitTorrent user accused of downloading pornography.

The court held that the plaintiff’s request was not specific enough, and the privacy interests of the unknown defendant, together with the social harm of being wrongfully accused of obtaining “particularly prurient pornography” were not outweighed by the trollish plaintiff’s need for the information.

Key to the court’s ruling was the idea that a subpoena in circumstances like this must be able to actually identify a defendant who could be sued. The court noted, however, that

Strike 3 could not withstand a 12(b)(6) motion in this case without resorting to far more intensive discovery machinations sufficiently establishing defendant did the infringing—examining physical evidence (at least the computers, smartphones, and tablets of anyone in the owner’s house, as well as any neighbor or houseguest who shared the Internet), and perhaps even interrogatories, document requests, or depositions. Strike 3’s requested subpoena thus will not—and may never—identify a defendant who could be sued.

The opinion is an entertaining read and conveys the judge’s clear frustration with copyright troll plaintiffs. Below are some of the more memorable quips.

Regarding the flaws of using IP addresses to identify people:

[Plaintiff’s] method [of identifying infringers] is famously flawed: virtual private networks and onion routing spoof IP addresses (for good and ill); routers and other devices are unsecured; malware cracks passwords and opens backdoors; multiple people (family, roommates, guests, neighbors, etc.) share the same IP address; a geolocation service might randomly assign addresses to some general location if it cannot more specifically identify another.

Regarding the public shame of being accused of infringing porn:

… But in many cases, the method is enough to force the Internet service provider (ISP) to unmask the IP address’s subscriber. And once the ISP outs the subscriber, permitting them to be served as the defendant, any future Google search of their name will turn-up associations with the websites Vixen, Blacked, Tushy, and Blacked Raw. The first two are awkward enough, but the latter two cater to even more singular tastes.

How trolls are quick to flee:

Indeed, the copyright troll’s success rate comes not from the Copyright Act, but from the law of large numbers. … These serial litigants drop cases at the first sign of resistance, preying on low-hanging fruit and staying one step ahead of any coordinated defense. They don’t seem to care about whether defendant actually did the infringing, or about developing the law. If a Billy Goat Gruff moves to confront a copyright troll in court, the troll cuts and runs back under its bridge. Perhaps the trolls fear a court disrupting their rinse-wash-and-repeat approach: file a deluge of complaints; ask the court to compel disclosure of the account holders; settle as many claims as possible; abandon the rest.

It’s pretty much extortion:

Armed with hundreds of cut-and-pasted complaints and boilerplate discovery motions, Strike 3 floods this courthouse (and others around the country) with lawsuits smacking of extortion. It treats this Court not as a citadel of justice, but as an ATM. Its feigned desire for legal process masks what it really seeks: for the Court to oversee a high-tech shakedown. This Court declines.

The court’s decision to deny discovery is anything but the rubber stamp approach so many judges in these kinds of cases over the past several years have been accused of employing.

Strike 3 Holdings v. Doe, 2018 WL 6027046 (D.D.C. November 16, 2018)

May 22, 2018 Copyright, Electronic Discovery, Litigation, Privacy

Court takes into consideration defendant’s privacy in BitTorrent copyright infringement case

Frequent copyright plaintiff Strike 3 Holdings filed a motion with the U.S. District Court for the District of Minnesota seeking an order allowing Strike 3 to send a subpoena to Comcast, to learn who owns the account used to allegedly infringe copyright. The Federal Rules of Civil Procedure created a bootstrapping problem or, as the court called it, a Catch-22, for Strike 3 – it was not able to confer with the unknown Doe defendant as required by Rule 26(f) because it could not identify the defendant, but it could not identify defendant without discovery from Comcast.

The court granted Strike 3’s motion for leave to take early discovery, finding that good cause existed for granting the request, and noting:

Strike 3 had stated an actionable claim for copyright infringement,
The discovery request was specific,
There were no alternative means to ascertain defendant’s name and address,
Strike 3 had to know defendant’s name and address in order to serve the summons and complaint, and
Defendant’s expectation of privacy in his or her name and address was outweighed by Strike 3’s right to use the judicial process to pursue a plausible claim of copyright infringement.

On the last point, the court observed that the privacy interest was outweighed especially given that the court could craft a limited protective order under Federal Rule of Civil Procedure 26(c) to protect an innocent ISP subscriber and to account for the sensitive and personal nature of the subject matter of the lawsuit.

Strike 3 Holdings, LLC v. Doe, 2018 WL 2278110 (D.Minn. May 18, 2018)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

May 15, 2018 Privacy

No privacy violation for disclosing information otherwise available on member-only website

Plaintiff sued several defendants related to her past work as a government employee. She sought to amend her pleadings to add claims for violation of the Fourth Amendment and the federal Stored Communications Act. She claimed that defendants wrongfully disclosed private medical information about her. The court denied her motion to amend the pleadings to add the Fourth Amendment and Stored Communications Act claims because such amendments would have been futile.

Specifically, the court found there to be no violation because she had no reasonable expectation of privacy in the information allegedly disclosed. She had made that information available on a website. Though to view the information required signing up for an account, plaintiff had not set up the website to make the information available only to those she invited to view it. The court relied on several cases from earlier in the decade that addressed the issue of privacy of social media content, among them Rosario v. Clark Cty. Sch. Dist., 2013 WL 3679375 (D. Nev. July 3, 2013), which held that one has no reasonable expectation of privacy in his or her tweets, even if he or she had maintained a private account. In that case, the court held that even if the social media user maintained a private account, his tweets still amounted to the dissemination of information to the public.

Burke v. New Mexico, 2018 WL 2134030 (D.N.M. May 9, 2018)

November 6, 2017 Anonymity, Privacy

Puzzling privacy analysis in decision to unmask anonymous accused copyright infringers

Plaintiff porn company sued an unknown bittorrent user (identified as John Doe) alleging that defendant had downloaded and distributed more than 20 of plaintiff’s films. Plaintiff asked the court for leave to serve a subpoena on Optimum Online – the ISP associated with defendant’s IP address – prior to the Rule 26(f) conference. (As we have recently discussed, leave of court is required to start discovery before the Rule 26(f) conference, but a plaintiff cannot have that conference unless it knows who the defendant is.) Plaintiff already knew defendant’s IP address. It needed to serve the subpoena on the ISP to learn defendant’s real name and physical address so it could serve him with the complaint.

The court went through a well-established test to determine that good cause existed for allowing the expedited discovery. Drawing heavily on the case of Sony Music Entm’t, Inc. v. Does 1-40, 326 F. Supp. 2d 556 (S.D.N.Y. 2004), the court evaluated:

(1) the concreteness of the plaintiff’s showing of a prima facie claim of copyright infringement,

(2) the specificity of the discovery request,

(3) the absence of alternative means to obtain the subpoenaed information,

(4) the need for the subpoenaed information to advance the claim, and

(5) the objecting party’s expectation of privacy.

The court’s conclusions were not surprising on any of these elements. But it’s discussion under the fifth point, namely, the defendant’s expectation of privacy, was puzzling, and the court may have missed an important point.

It looked to the recent case involving Dred Pirate Roberts and Silk Road, namely, United States v. Ulbricht, 858 F.3d 71 (2d Cir. 2017). Leaning on the Ulbricht case, the court concluded that defendant had no reasonable expectation of privacy in the sought-after information (name and physical address) because there is no expectation of privacy in “subscriber information provided to an internet provider,” such as an IP address, and such information has been “voluntarily conveyed to third parties.”

While the court does not misquote the Ulbricht case, one is left to wonder why it would use that case to support discovery of the unknown subscriber’s name and physical address. At issue in Ulbricht was whether the government violated Dred Pirate Roberts’s Fourth Amendment rights when it obtained the IP address he was using. In this case, however, the plaintiff already knew the IP address from its forensic investigations. The sought-after information here was the name and physical address, not the IP address he used.

So looking to Ulbricht to say that the Doe defendant had no expectation of privacy in his IP address does nothing to shed information on the kind of expectation of privacy, if any, he should have had on his real name and physical address.

The court’s decision ultimately is not incorrect, but it did not need to consult with Ulbricht. As in the Sony Music case from which it drew the 5-part analysis, and in many other similar expedited discovery cases, the court could have simply found there was no reasonable expectation of privacy in the sought-after information, because the ISP’s terms of service put the subscriber on notice that it will turn over the information to third parties in certain circumstances like the ones arising in this case.

Strike 3 Holdings, LLC v. Doe, 2017 WL 5001474 (D.Conn., November 1, 2017)

September 9, 2016 Litigation, Privacy

No liability for cable company that retained customer information in violation of law

Court essentially holds “no harm, no foul” in case involving violation of federal privacy statute. The case fails to provide an incentive for “privacy by design”.

Can a company that is obligated by law to destroy information about its former customers be held liable under that law if, after the contract with the customer ends, the company does not destroy the information as required? A recent decision from the United States Court of Appeals for the Eighth Circuit (which is located in St. Louis) gives some insight into that issue. The case is called Braitberg v. Charter Communications, Inc., — F.3d —, 2016 WL 4698283 (8th Cir., Sep. 8, 2016).

12493182714_859e827fe6_z

Plaintiff filed a lawsuit against his former cable company after he learned that the company held on to his personally identifiable information, including his social security number, years after he had terminated his cable service. The cable company was obligated under the federal Cable Communications Policy Act to “destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected.”

The lower court dismissed the lawsuit on the basis that plaintiff had not properly demonstrated that he had standing to bring the lawsuit. Plaintiff appealed to the Eighth Circuit. On review, the court of appeals affirmed the dismissal of the lawsuit.

The appellate court’s decision was informed by the recent Supreme Court decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (S.Ct. 2016), which addressed, among other things, the question of whether a plaintiff asserting violation of a privacy statute has standing to sue.

As a general matter, Article III of the Constitution limits the jurisdiction of the federal courts to actual “cases or controversies”. A party invoking federal jurisdiction must show, among other things, that the alleged injury is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical”.

In this case, the Court of Appeals found that plaintiff had not alleged an injury in fact as required under Article III and the Spokeo decision. His complaint asserted merely “a bare procedural violation, divorced from any concrete harm.”

The court’s opinion goes on to provide some examples of when the violation of a privacy statute would give rise to standing. It does this by noting certain things that plaintiff did not allege. He did not, for example allege that defendant had disclosed information to a third party, that any other party accessed the data, or that defendant used the information in any way after the termination of the agreement. Simply stated, he identified no material risk of harm from the retention. This speculative or hypothetical risk was insufficient for him to bring the lawsuit.

One unfortunate side effect of this decision is that it does little to encourage the implementation of “privacy by design” in the development of online platforms. As we have discussed before, various interests, including the federal government, have encouraged companies to develop systems in a way that only keeps data around for as long as it is needed. The federal courts’ unwillingness to recognize liability in situations where data is indeed kept around longer than necessary, even in violation of the law, does not provide an incentive for the utilization of privacy by design practices.

Braitberg v. Charter Communications, Inc., — F.3d —, 2016 WL 4698283 (8th Cir., Sep. 8, 2016)

Photo courtesy Flickr user Justin Hall under this Creative Commons license.