Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court quoted a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

Online threats made by blogger were not protected by the First Amendment

State v. Turner, 2011 WL 4424754 (Conn. Super. September 6, 2011)

A Connecticut state court held that prosecuting a blogger for posting content online encouraging others to use violence did not violate the blogger’s First Amendment right to free speech.

Defendant was charged under a Connecticut statute prohibiting individuals from “inciting injury to persons or property.” Angry about a bill in the state General Assembly that would have removed financial oversight of Catholic parishes from priests and bishops, defendant posted the following statements to his blog:

  • [T]he Founding Fathers gave us the tools necessary to resolve [this] tyranny: The Second Amendment
  • [My organization] advocates Catholics in Connecticut take up arms and put down this tyranny by force. To that end, THIS WEDNESDAY NIGHT ON [my radio show], we will be releasing the home addresses of the Senator and Assemblyman who introduced bill 1098 as well as the home address of [a state ethics officer].
  • These beastly government officials should be made an example of as a warning to others in government: Obey the Constitution or die.
  • If any state attorney, police department or court thinks they’re going to get uppity with us about this, I suspect we have enough bullets to put them down too

Defendant challenged the application of the state statute as unconstitutional. The court disagreed, finding there to be “little dispute that the defendant’s message explicitly advocate[ed] using violence.” Moreover, the court found the threatened violence to be “imminent and likely.” The blog content said that the home address of the legislators and government officials would be released the following day.

Though the court did not find that a substantial number of persons would actually take up arms, it did note, in a nod to 9/11, “the devastation that religious fanaticism can produce in this country.” As such, there was a sufficient basis to say that defendant’s vitriolic language had a substantial capacity to propel action to kill or injure a person.

Court denies anonymous motion to quash subpoena in BitTorrent copyright case

First Time Videos v. Does 1-18, 2011 WL 4079177 (S.D. Indiana, September 13, 2011)

Plaintiff owns the copyright in an adult film that a swarm of anonymous “Doe” BitTorrent users allegedly traded. So plaintiff filed suit for infringement in the U.S. District Court for the Southern District of Indiana and issued subpoenas to the internet service providers associated with the IP addresses of the unknown Doe defendants.

After Insight Communications, the ISP of one of the Doe defendants, put her on notice that it was about to turn over her account information to plaintiff’s lawyer, Doe filed a motion to quash the subpoena. The court denied the motion.

Doe had raised several common arguments in support of the motion to quash. But the court rejected each of these:

  • Doe had no protectable privacy interest in her ISP account information because that was held by a third party, namely, the ISP. Moreover, the court found that a subscriber has no privacy interest when there is an allegation of copyright infringement. (It would have been nice had the court put the words “valid” or “prima facie” before the word “allegation,” but alas, it did not.)
  • Responding to the subpoena was not unduly burdensome to Doe. The burden, if any, in responding to the plaintiff’s subpoena, would fall onto the ISP, not the anonymous defendant.
  • The fact that Doe denied involvement with trading porn files did not matter at this stage in the litigation. The court held that the question of liability for copyright infringement should be determined when the parties are properly brought into the suit.

So the court concluded that the anonymous Doe BitTorrent user should be identified.

ISP’s alleged throttling of BitTorrent and Skype violates Computer Fraud and Abuse Act

Fink v. Time Warner Cable, 2011 WL 3962607 (S.D.N.Y. September 7, 2011)

Plaintiffs sued Time Warner (the provider of Road Runner High Speed Online internet access), alleging, among other things, that Time Warner’s alleged “throttling” of plaintiffs’ internet communications violated the Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”). Specifically, plaintiffs alleged that without their authorization, Time Warner sent forged reset packets which frustrated plaintiffs’ peer-to-peer communications (e.g., BitTorrent and other P2P mechanisms) as well as their use of Skype.

Time Warner moved to dismiss the CFAA claims. The court granted the motion as to claims that required plaintiffs to plead “loss” as defined by the statute. As for those claims that required only allegations of “access” and “damage,” the court denied the motion to dismiss and let the case move forward.

Plaintiffs brought three claims under the CFAA, one under each of subparts (A), (B) and (C) of 18 USC 1030(a)(5). This part of the statute provides liability for anyone who:

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

No CFAA loss

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In this case, plaintiffs alleged that the loss they suffered arose from their payments for high-speed internet services allegedly not received, costs to prevent Time Warner’s throttling practice and the costs of obtaining information elsewhere when they were unable to use their computers for file transfers and VoIP communications. Plaintiffs also pled losses relating to time and effort in assessing “damage” to each computer for which transmissions were interrupted. 

The court found these alleged losses to be outside the scope of those contemplated by the CFAA. Plaintiffs did not allege that they needed to restore data, a program, a system, or information to its condition prior to Time Warner’s conduct. The court held that plaintiffs had failed to adequately plead this element of a CFAA claim. So it dismissed the claim plaintiffs had brought under 18 USC 1030(a)(5)(C).

“Damage” and “access” adequately pled

Plaintiffs’ failure to adequately plead loss was not the end of the case. Since subparts (A) and (B) of 18 USC 1030(a)(5) do not require one to plead “loss,” but do require pleading “damage” and “access,” the court turned its attention to see if those elements were adequately pled. It found that they were.

The CFAA defines “damage” as “any impairment to the integrity or availability of data, a system, or information.” Plaintiffs alleged that Time Warner impaired their ability to obtain data and utilize their computer systems by knowingly transmitting “reset packets to [their] computers with the intention of impeding or preventing [their] peer-to-peer transmissions” and that damage was caused because the reset packets “compromis[ed] the internal software of [their] computers and impair[ed] their ability to receive and transmit data.” The plaintiffs also alleged that the throttling process prevented data exchange and inhibited certain use of their computers. In addition, plaintiffs identified the specific types of information that had their availability “impeded” and identified a particular program, Skype, that was rendered unusable by the alleged throttling.

As for “access,” the court looked to the plain meaning, dictionary definition of the word for guidance (since the term is not defined in the CFAA). Plaintiffs had alleged that Time Warner accessed their computers in violation of the statute by knowingly transmitting reset packets to plaintiffs’ computers and otherwise accessed their computers to impede data receipt and transmission. Giving the term “access” a broad meaning, the court found these allegations to satisfy the CFAA requirement.

Video game maker scores First Amendment win in right of publicity case

Hart v. Electronic Arts, Inc. — F.Supp.2d —, 2011 WL 4005350 (D.N.J. September 9, 2011)

Former Rutgers quarterback Ryan Hart sued Electronic Arts (“EA”), the maker of the very popular video game NCAA Football, alleging misappropriation of his right of publicity under New Jersey law.

EA moved to dismiss. Treating the filing as one for summary judgment, the court granted the motion. It held that EA’s right to free expression under the First Amendment outweighed Hart’s right of publicity.

The court recognized the tension between Hart’s right of publicity and EA’s free speech interest in seeking to incorporate Hart’s characteristics and other information about him into the game. The resolution of this tension is an unsettled area of the law — and the court no doubt recognized this. So in what appears to be an effort to reduce the likelihood that the appellate court will reverse, the judge applied two different tests, finding that EA’s First Amendment interests prevailed under both of them.

Hart’s claims

Hart claimed that the game misappropriated his right of publicity by, among other things, giving a virtual player of the game Hart’s physical attributes (including appearance, height and weight), the same jersey number, the same home state, and a helmet visor and left wrist band like the ones he wore. Hart claimed the virtual player shared other features with him as well, such as speed and agility rating, and passing accuracy and arm strength.

Transformative test

The court first applied the “transformative test” to balance the right of publicity and First Amendment interests. This test borrows heavily from copyright law’s fair use analysis, and looks to the extra elements in the subsequent work. A court will look at:

whether the celebrity likeness is one of the “raw materials” from which an original work is synthesized, or whether the depiction or imitation of the celebrity is the very sum and substance of the work in question

In this case, the game included numerous creative elements apart from Hart’s image, such as virtual stadiums, athletes, coaches, fans, sound effects, music and commentary. Moreover, and perhaps more importantly, the court emphasized that EA created a mechanism in the game “by which the virtual player may be altered, as well as the multiple permutations available for each virtual player image.”

The Rogers test

The Rogers test borrows from the trademark context to aid a court in determining whether First Amendment interests will trump a right of publicity claim. In applying this test, a court will make two queries: (a) whether the challenged work is wholly unrelated to the underlying work (or person asserting the claim), and (b) whether the use of the plaintiff’s name is a disguised commercial advertisement. In this case, the court found that one could not reasonably argue that Hart’s image was wholly unrelated to the game (it was college football, after all). But the use of Hart’s image was not a “disguised commercial advertisement.” Instead, the use of his image was part of an expressive act by EA that might draw upon public familiarity with Hart’s college football career but did not explicitly state that he endorsed or contributed to the creation of the game.

Former employer’s trade secret claim under inevitable disclosure doctrine moves forward

Copying of employer computer files central to trade secrets claim

Mobile Mark, Inc. v. Pakosz, 2011 WL 3898032 (N.D.Ill. September 6, 2011)

Defendant used to work for plaintiff. Before he left that organization to work for a competitor, he allegedly accessed plaintiff’s computer system and copied proprietary information to a laptop that plaintiff had loaned him. He then allegedly transferred the proprietary data to a number of external storage devices, and then installed and repeatedly ran a “Window Washer” program on the laptop to delete files and other data in order to conceal his activities.

Plaintiff sued, putting forth several claims, including a claim of misappropriation of trade secrets under the Illinois Trade Secrets Act, 765 ILCS 1065/2. Defendant moved to dismiss. The court denied the motion.

One of the bases for plaintiff’s trade secret misappropriation claim was that defendant, by going to work for a competitor, would inevitably disclose the proprietary information he had obtained while working for plaintiff. Looking to Illinois law, the court noted that “[i]nevitable disclosure is not assumed when an employee has general information in his head as a result of working for a company.” But “where evidence exists that the employee copied the employer’s confidential information, it leads to the conclusion of inevitable disclosure.”

Website terms and conditions were unenforceable because of fraud

Duick v. Toyota Motor Sales, U.S.A., Inc., 2011 WL 3834740 (Cal.App. 2 Dist. August 31, 2011)

Someone signed plaintiff up through a Toyota website to take part in a “Personality Evaluation.” She got an email with a link to a website, and on the second page that she had to click through, she was presented with the well-known check box next to the words “I have read and agree to the terms and conditions.”

Later plaintiff started getting creepy emails from an unknown male calling himself “Sebastian Bowler” who indicated that he was on a cross-country road trip to come and visit plaintiff. He even listed plaintiff’s physical address. One of the emails had a link to Bowler’s MySpace page, which revealed he “enjoyed drinking alcohol to excess.” A few days later plaintiff got another email from someone purporting to be the manager of the hotel in which Bowler had trashed a room, and attempted to bill plaintiff for the damage.

As one would expect, plaintiff was disturbed by these messages. She finally got an email with a link to a video that said Bowler was a fictional character and that the emails were part of an elaborate prank, all to advertise the Toyota Matrix.

Plaintiff sued Toyota for, among other things, infliction of emotional distress. Toyota moved to dismiss the lawsuit, arguing that the online terms and conditions contained an arbitration provision, so the case did not belong in court but before an arbitrator. The court rejected this argument, finding that the terms and conditions were void, because plaintiff’s agreement to them was procured by “fraud in the inception or execution.”

The court found that the terms and conditions led plaintiff to believe that she was going to participate in a personality evaluation and nothing more. A reasonable reader in plaintiff’s position would not have known that she was signing up to be the target of a prank. For example, the terms and conditions were under the heading “Personality Evaluation Terms and Conditions” and made vague and opaque references to terms such as “interactive experience” and a “digital experience.” Simply stated, plaintiff, through no fault of her own, did not know what she was getting herself into.

For these reasons, the court held that the terms and conditions were void, and all the provisions contained in those terms and conditions, including the purported agreement to arbitrate any disputes, did not bind the parties.

Sexy MySpace photos stay out of evidence

Webb v. Jessamine County Fiscal Court, 2011 WL 3652751 (E.D. Ky. August 19, 2011)

Plaintiff filed a civil rights lawsuit against the local jail and other government officials after she gave birth while incarcerated. She claimed, among other things, that the jail’s failure to get her proper medical care before and during the delivery caused her extreme humiliation, mental anguish and emotional distress.

The defendants tried an extremely bizarre and highly questionable tactic — they sought to use provocative photos purportedly copied from plaintiff’s MySpace profile, to demonstrate that it is “less probable that [plaintiff] would experience humiliation and mental anguish by being in a jail cell while delivering a baby.” Defendants claimed that the photos were “of such a nature that a reasonable person would be embarrassed if such photographs were placed in public view.”

In other words, defendants argued that because plaintiff would post photos like that of herself online, she did not have the dignity to be free from being ignored or called a child and a liar during labor.

The court granted plaintiff’s motion in limine, excluding the photos from evidence. It found that the photos were irrelevant:

Although the appearance of provocative photos online may cause some humiliation, it bears no relation at all to the extreme humiliation and mental anguish a woman forced to go through labor on her own in a jail cell would bring.

The court also found that the defendants had not properly authenticated the photos, i.e., had not provided enough supporting evidence to show that they actually were of plaintiff. The photos that the defendants offered bore “no indicia of authenticity, such as a web address or a photo of these images on the public MySpace account from which Defendants claim they originated.”

Using remote tracking software to find stolen laptop may have violated federal wiretap statute

Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio August 22, 2011)

Services that help track down stolen laptops and other lost mobile hardware are indispensable. Consider, for example, the year-long saga of Jeff Blakeman who used MobileMe to help recover his MacBook Pro that a TSA agent stole from checked luggage. Or how Joshua Kaufman used the remote recovery application Hidden to snap pics of the creepy dude who made off with his MacBook.

It is hard to not rejoice when one reads stories about laptop thieves being brought to justice. And we generally feel no pangs of conscience over whether the apprehended criminal had any privacy rights that were violated when he was being monitored with the software.

But what if the person being tracked did not steal the device, and did not know that it was stolen? Do we then care about whether the remote tracking process violated that person’s privacy? If so, how should that privacy right stack up against the theft victim’s right to get his or her property back?

A recent case from Ohio shows how the privacy right of the innocent user can constrain the rightful owner from using all means of what we might call “remote self help.” The court applied the Electronic Communications Privacy Act (“ECPA”) in a way that should cause users and purveyors of theft recovery services to reevaluate their methodologies.

Hot communications using hot property

The facts of the case were salacious and embarrassing. Plaintiff bought a non-functioning laptop for $60 from one of her students (she was a substitute teacher at an “alternative” high school). After she got the computer working, she used it to have sexually explicit communications with her out-of-state boyfriend — they even got naked in front of their webcams with one another.

As it turns out, however, the student who sold plaintiff the laptop had stolen it. The teacher claimed she did not know it was purloined. The original, rightful owner of the laptop had installed Absolute Software’s LoJack for Laptops on the device. After it was stolen, and after it had made its way into plaintiff’s hands, Absolute began its work of locating the machine and gathering information about its whereabouts and its user.

In this process, one of Absolute’s employees obtained real-time access to what was happening on the stolen computer. He was able to collect keystrokes of the sexually explicit communications, and gather three screen shots of plaintiff and her boyfriend, both naked, fooling around on the webcam.

Absolute turned the information — including the X-rated screen shots — over to the police. Plaintiff was arrested and handcuffed. The criminal court dismissed the case against her.

But plaintiff (and her boyfriend) sued. They brought several claims against the police for violation of their constitutional rights, and claims against Absolute for, among other things, violation of the ECPA. Absolute moved for summary judgment on the ECPA claim but the court denied the motion. The court found that Absolute could not show, as a matter of law, that it should not be liable for the interception of the explicit communications.

Legitimate privacy expectation, even on a stolen computer

Subject to certain exceptions, the ECPA prohibits one from surreptitiously intercepting or disclosing the contents of any wire, oral or electronic communications of another. The defendants first argued that plaintiff could not put forward a valid ECPA claim because she did not have a legitimate expectation of privacy in these communications.

The court rejected this argument, finding that plaintiff’s belief as to her privacy was reasonable both subjectively and objectively. She felt safe enough to engage in the explicit communications (subjective belief), and she demonstrated that she had no reason to suspect the laptop was stolen (objective belief). Had she known or had reason to know it was stolen, her claim of privacy would have been subordinated to the possessory interest of the owner. (As an aside, there was some interesting evidentiary wrangling that went on a few weeks ago about defendants’ expert witnesses opining on internet privacy. Read more about that at Bow Tie Law.)

Public policy did not come to the rescue

Absolute next argued that certain exceptions to liability for violation of the ECPA should protect it. The court rejected each of these arguments. It found that the exception for those acting “under color of law” to track down “computer trespassers” did not apply, because Absolute was a private entity, not one acting under color of law. The court also rejected Absolute’s argument that it could divulge the intercepted contents as a provider of an electronic communications service. The court found that Absolute did not provide an “electronic communications service to the public” as defined by the ECPA.

So Absolute was left with one final argument, namely, that public policy should shield it from liability for the unauthorized interception and disclosure of the keystrokes and screen shots. Absolute argued that the legal owner of the stolen laptop should be able to take steps to locate and recover that property, and that the rights of the property owner must trump those of a thief.

The court declined to implement such a per se rule, noting that:

It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.

In so many words, the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer. Had the information collection stopped at IP addresses and other non-content information, the remote tracking efforts may not have run afoul of the ECPA.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.
