Is the Sixth Circuit willing to recognize a right to be forgotten under U.S. law?

Recent FOIA decision questions the 20-year-old notion that defendants have no interest in preventing release of booking photographs during ongoing criminal proceedings.

The Freedom of Information Act (“FOIA”) implements “a general philosophy of full agency disclosure” of government records. Since the mid-90s, the Sixth Circuit has required law enforcement to turn over booking photographs of defendants while ongoing criminal proceedings are occurring.

Plaintiff sought the booking photos of four criminal defendants from the U.S. Marshall’s office. When the U.S. Marshall refused to turn the photos over, plaintiff filed suit. The district court found in plaintiff’s favor, citing the Sixth Circuit case of Detroit Free Press v. United States Department of Justice, 73 F.3d 93 (1996). Defendant sought review with the Sixth Circuit and, bound by the 1996 decision, a panel of the Sixth Circuit affirmed, ordering that the photos be turned over.

But the panel was far from comfortable in its holding. Although it was bound to follow the earlier Sixth Circuit precedent, it urged the court to consider en banc whether an exception to FOIA applies to booking photographs. “In particular, we question the panel’s conclusion that defendants have no interest in preventing the public release of their booking photographs during ongoing criminal proceedings.”

The general theory behind the current requirement that booking photos be released is that the suspects have already appeared publicly in court, and the release of the photos and their names conveys no further information to implicate a protectible privacy interest. But this panel of the court noted that “[s]uch images convey an ‘unmistakable badge of criminality’ and, therefore, provide more information to the public than a person’s mere appearance.”

Something like a right to be forgotten appears in the court’s discussion of how photos can linger online: “[B]ooking photographs often remain publicly available on the Internet long after a case ends, undermining the temporal limitations presumed” by Sixth Circuit case law that calls for the release of photos during ongoing proceedings.

Detroit Free Press v. U.S. Dept. of Justice, — F.3d —, 2015 WL 4745284 (6th Cir. August 12, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Is a DMCA subpoena to identify unknown infringers valid if the infringement has ended?

The Digital Millennium Copyright Act (“DMCA”) is well-known for its notice and takedown provisions. But the DMCA provides a number of other interesting mechanisms, including a procedure for potential copyright plaintiffs to send subpoenas to online service providers to learn the identity of users who posted infringing content to that service. A recent case involving some subpoenas that a copyright owner sent to eBay examines the relationship between the notice and takedown procedures on one hand, and the subpoena mechanism on the other. The question before the court was whether a DMCA subpoena is valid if, by the time it is served on the online service provider, that online service provider has already removed or has disabled access to that content.

Section 512(h) (17 U.S.C. 512(h)) spells out the DMCA subpoena process, and how it relates to the notice and takedown provisions. An online service provider must act expeditiously to identify the user who uploaded infringing content “[u]pon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a [takedown request].” That plain language seems straightforward — an online service provider has to provide the identifying information in response to any subpoena it receives either with or subsequent to a takedown notice.

But it was not so straightforward in a 2011 case, where some confusing facts made for some confusing law. In Maximized Living, Inc., v. Google, Inc., 2011 WL 6749017 (N.D. Cal. December 22, 2011), the copyright holder sent a subpoena to the online service provider after the copyright holder had sent a DMCA takedown notice. That would appear to comport with the statute — the subpoena came subsequent to the takedown notice. But the problem in that case was that the takedown notice was not valid. By the time it was sent, the alleged infringer had already removed the infringing content. From that, the Maximized Living case pronounced that “the subpoena power of §512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled.”

In the recent case of In re DMCA Subpoena to eBay, Inc., eBay, as the recipient of subpoenas to identify some of its users, picked up on the Maximized Living holding to argue that it did not have to answer the subpoenas because it had already taken down the offending content pursuant to previous takedown notices. Since the subpoenas did not relate to “currently infringing activity,” eBay argued à la Maximized Living, that the subpoenas had not been issued under §512(h)’s power and were therefore invalid.

The court rejected eBay’s argument. The key distinction in this case was that, unlike in Maximized Living, the takedown notices in this case, when they issued, related to content that was on the eBay servers at the time the takedown notices were issued. Granted, some of those takedown notices went all the way back to early 2012 (query whether the subpoena should be valid if it would only uncover the identity of an infringer for whom the 3-year copyright statute of limitations had passed; but that wasn’t before the court).

So to simply state the rule in this case — for a DMCA subpoena to be valid, it has to relate to a valid DMCA takedown notice. That DMCA takedown notice is not valid unless it was served at a time when infringing content resided on the service. An online service provider cannot avoid the obligation of responding to a subpoena by taking down the content, thereby causing there to be no “currently infringing activity”. Such a rule would, as the court observed, cause the online service provider’s safe harbor protection to also shield the alleged infringer from being identified. That would indeed be an odd application of the DMCA’s protection. The court in this case avoided that outcome.

In re DMCA Subpoena to eBay, Inc., 2015 WL 3555270 (S.D. Cal. June 5, 2015).

Evan Brown is a Chicago attorney helping clients in matters dealing with copyright, technology, the internet and new media. Call him at (630) 362-7237, send email to ebrown [at] internetcases dot com, or follow him on Twitter @internetcases

Photo courtesy of Flickr user Thomas Galvez under this Creative Commons license.

Casual website visitor who watched videos was not protected under the Video Privacy Protection Act

A recent federal court decision from the Southern District of New York sheds light on what is required to be considered a “consumer” who is protected under the Video Privacy Protection Act (VPPA). The court held that a website visitor who merely visited a website once in awhile to watch videos — without establishing a more “deliberate and durable” affiliation with the website — was not a “subscriber” to the website’s services and thus the VPPA did not prohibit the alleged disclosure of information about the website visitor’s viewing habits.

Defendant was a television network that maintains a website offering video clips and episodes of many of its television shows. The website also incorporated Facebook’s software development kit which, among other things, let visitors log into websites using their Facebook credentials. This mechanism relied on cookies. If a person had chosen to remain logged into Facebook by checking the “keep me logged in” button on Facebook’s homepage, the relevant cookie would continue to operate, regardless of what the user did with the web browser. Plaintiff alleged that this mechanism caused AMC to transmit information to Facebook about the video clips she watched on the AMC site.

Plaintiff sued under the VPPA. Defendant moved to dismiss, arguing that plaintiff lacked standing under the statute and that she was not a protected “consumer” as required by the statute.

The court found that plaintiff had standing. It rejected defendant’s argument that a VPPA plaintiff must allege some injury in addition to asserting that defendant had violated the statute. “It is true . . . that Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” But Congress “can broaden the injuries that can support constitutional standing.”

The court next looked to whether plaintiff was a “consumer” protected under the statute. The VPPA defines the term “consumer” to include “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Absent any assertion that plaintiff was a renter or purchaser of AMC’s goods, the parties and the court focused on whether she was a “subscriber” (a term not defined in the statute).

Because plaintiff’s allegations failed to establish a relationship with defendant sufficient to characterize her as a subscribers of defendant’s goods or services, the court dismissed the VPPA claim with leave to amend. It observed: “Conventionally, ‘subscription’ entails an exchange between subscriber and provider whereby the subscriber imparts money and/or personal information in order to receive a future and recurrent benefit, whether that benefit comprises, for instance, periodical magazines, club membership, cable services, or email updates.” In this case, “[s]uch casual consumption of web content, without any attempt to affiliate with or connect to the provider, exhibit[ed] none of the critical characteristics of ‘subscription’ and therefore [did] not suffice to render [plaintiff] a subscriber of [defendant’s] services.”

Austin-Spearman v. AMC Network Entertainment LLC, 2015 WL 1539052 (S.D.N.Y. April 7, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

1 2 3 4 5 6 189 190 191