Author Archives: Evan Brown

Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.

Pro-DRM decision under DMCA

Actuate Corp. v. IBM Corp., No. 09-5892 (N.D. Cal. April 5, 2010) [Scroll down for opinion]

Distribution of software license keys on the internet may constitute trafficking in circumvention technology, which is prohibited under the Digital Millennium Copyright Act (“DMCA”)

Plaintiff software licensor sued defendant for, among other things, violation of the anticircumvention provisions of the DMCA found at 17 USC 1201. Plaintiff alleged that defendant posted license keys on the internet, which purportedly would enable plaintiff’s software to be “installed on an unlimited basis.”

Defendant moved to dismiss, pointing to a line of cases including I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc. and Egilman v. Keller & Heckman, LLP [see this old blog post about Egilman].

The I.M.S. line of cases hold that the use of a password issued by the copyright holder does not amount to “circumvention” under the DMCA. Under this thinking, the use of an issued password, even if done without authority, does not result in the “avoiding, bypassing, removing, deactivating, or otherwise impairing [of] a technological measure.”

But another line of cases, headed by 321 Studios v. MGM Studios, Inc. suggests differently. The court in 321 Studios reasoned that unauthorized use of a decryption code (the same one issued by the manufacturer) to bypass the encryption on a DVD served to avoid and bypass the encryption.

In this case, despite both parties’ attempts to show the compatibility of the lines of cases, the court found them to be irreconcilable. It sided with the thinking behind the 321 Studios line, finding no support for a distinction between passwords and other types of code that might be used for decryption.

Here’s the opinion:

Skeleton key photo courtesy Flickr user theogeo under this Creative Commons license.

Ohio internet obscenity statute constitutional

American Booksellers Foundation for Free Expression v. Strickland, — F.3d —, 2010 WL 1488123 (6th Cir. April 15, 2010)

Court holds that statute prohibiting distribution of material harmful to minors directly via the internet is not overly broad and therefore not unconstitutional.

Ohio has a statute that criminalizes sending juveniles material that is harmful to those juveniles (ORC 2907.31). Section D of that statute specifically addresses communications “by means of an electronic method of remotely transmitting information.”

A group of booksellers and publishers challenged this statute on First Amendmendment grounds, arguing that the provisions are overly broad. After a complex procedural journey that began in 2002, the Sixth Circuit Court of Appeals has held that the statute is not unconstitutional.

The court held that the statute was not overly broad because it only apllies to personally directed communications. For that reason, the plaintiffs were unable to demonstrate from the text of the statute that a “substantial number of instances exist in which the law cannot be applied constitutionally.”

Unlike a typical First Amendment case, the court did not apply the “strict scrutiny” test for constitutionality, because the statute does not affect protected speech among adults. But the court noted that even if that test applied, it would have survived strict scrutiny, given the compelling interests in protecting children from predators.

(Photo: Derived from an image licensed under a Creative Commons Attribution Share-Alike (2.0) from iboy’s photostream)

How Twitter’s grant to the Library of Congress could be copyright-okay

Indigo Bunting - Audubon

Twitter is giving a copy of the archive of all tweets from the beginning of time to the Library of Congress. The inevitable outrage has ensued. One big concern is privacy. You gotta admit it’s creepy (and evokes Big Brother) to know that all your tweets will belong to the feds.

The other outrage-catalyst is copyright, and the possible violation of the license that one grants to Twitter via the terms of service.

Venkat and I exchanged some email earlier today on this topic. What if you delete your tweets? Doesn’t that terminate the license you gave to Twitter to store and share your content? How can the Library of Congress still keep its copy if the original license has ended? Fred Stutzman has also asked these kinds of questions.

These objections seem to presume that if one were to remove his or her tweets from Twitter, the license would be revoked, and any subsequent display by Twitter would be an infringement. I imagine that’s true in relation to Twitter, but I’m not so convinced when it comes to the Library of Congress. They’d likely fall under Section 108 of the Copyright Act.

Section 108 (17 USC 108) says that it’s not an infringement for a library to make a copy or distribute a work if (1) it’s not for commercial advantage, (2) the collections of the library are open to the public or available to all researchers in a particular field, and (3) the notice of copyright in the original work remains intact or if no notice can be found, there’s a legend stating that it may be protected under copyright.

You see what I’m saying? The Library of Congress would appear to have the right to archive one’s Twitter stream regardless of any assitance on Twitter’s part. In other words, by providing the archive, Twitter is just helping the LOC do something it’s entitled to do anyway.

What do you think?

UDRP loser did not commit fraud on USPTO by saying it was exclusive user of mark

Salu, Inc. v. Original Skin Store, Slip Copy, 2010 WL 1444617 (E.D.Cal. April 12, 2010)

This is kind of a wonky trademark/domain name case. So if that’s not in your wheelhouse, don’t strain yourself.

Plaintiff sued defendant for infringement of plaintiff’s registered trademark. Defendant moved for summary judgment, claiming that the asserted trademark registration was obtained by fraud on the United States Patent and Trademark Office. Specifically, defendant argued that plaintiff misrepresented when it told the USPTO that its SKINSTORE mark had “acquired distinctiveness” (i.e., was not merely descriptive of the goods and servcies) by means of “substantially exclusive” use in commerce.

The court denied the motion for summary judgment.

Defendant had argued that plaintiff committed fraud by saying its use was exclusive. It pointed to a case under the Uniform Domain Name Dispute Resolution Policy (UDRP) that the plaintiff had brought against the user of the domain name eskinstore.com. The WIPO panel in that case refused to find a clear case of cybersquatting.

In this case, defendant argued that plaintiff’s earlier unsuccessful UDRP challenge to a similar mark showed there were third parties using the mark and therefore the claim of exclusivity was fraudulent.

The court rejected this argument, noting that the plaintiff had undertaken significant efforts to protect its exclusive rights in the trademark. (It had sent out an astounding 300 cease and desist letters in the past couple of years alone!)

Moreover, and more importantly, the court noted that the WIPO panel hearing the UDRP complaint specifically declined to determine cybersquatting had occurred, finding it to be a question of infringement better addressed by the United States courts.

Wife posts pics with boyfriend on MySpace, loses child custody

And you should have heard what the judge said in open court!

Lipps v. Lipps, 2010 Ark. App. 295, 2010 WL 1379803 (Ark. App. April 7, 2010). [Read the opinion]

This is one of those cases that’d do well as a movie on Lifetime Television for Women. Unlike other cases I talk about on this blog, this one only kind of deals with the internet Here the husband (an Iraq war veteran) saw pictures on MySpace of his wife in bed with another man, so he filed for divorce and sought child custody.

What’s worth paying attention to in this case is the “disparaging and intemperate remarks” made in open court by the judge.

At a hearing where the judge entered a temporary order granting joint custody of the couples’ infant son, the court admonished the wife/mother, characterizing her situation as “a nightmare every parent faces . . . when you have got a child that acts like a slut, quite frankly, a slut.”

Later in the case the judge granted sole custody to the husband. The wife sought review with the Arkansas appellate court. On appeal, that court affirmed the trial court’s order on custody.

The wife had argued that the trial court judge was biased, and asked for a new trial with an impartial judge. Although the appellate court was “deeply troubled” by judge’s rude remarks, it held that because the wife had not raised that argument in the trial court, and had not asked the judge to recuse himself, the court could not consider that question on appeal.

So the court affirmed the foul-mouthed judge.

The appellate opinion is embedded below:

2010-04-07_lipps_v_lipps

Nefarious LinkedIn use finally makes it to the courts

TEKsystems, Inc. v. Hammernick, No. 10-99819 (D. Minn., Filed 3/16/2010). [Link to Complaint (PDF)]

Here is an interesting lawsuit that is bound to convince some employers that social media is causing the sky to fall (to the extent they’re not thinking that already).

Minnesota, showing roads and major bodies of water
Image via Wikipedia

An IT headhunting company that does business in the Twin Cities area of Minnesota has filed suit against a former recruiter-employee for breach of her noncompetition agreement. The complaint says that she violated that agreement when she connected on LinkedIn with 20 of the candidates her old firm was working with.

One thing that’s missing from the allegations is when the defendant made these allegedly improper LinkedIn connections. Did she already have them as connections when she left the plaintiff’s employment or did she invite them to connect after she left? The distinction seems like it would be relevant.

No doubt this case should get some attention due to the novelty of the allegations, namely, that the defendant used a social networking site to break the law. But as thinking persons, we should be careful not to sensationalize these facts. When you stop and think about it, how does the fact that the defendant may have used LinkedIn really differentiate the case from one in which she would have used a more conventional form of communication to solicit?

[Thanks to Paul Cherner at the HR Counsel blog for alerting me to this case. More coverage at the Delaware Employment Law Blog and Portfolio.com]

Emails sent through Yahoo account using work computer protected under attorney-client privilege

The New Jersey supreme court has held that emails an employee sent to her lawyer using her company-issued computer and a personal Yahoo account are protected by the attorney-client privilege.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

Kentucky Supreme Court: gambling domain names did not have standing

Com. ex rel. Brown v. Interactive Media Entertainment and Gaming Ass’n, Inc., — S.W.3d —, 2010 WL 997104 (Ky. March 18, 2010)

Back in 2008 the Commonwealth of Kentucky took an extraordinary step in its battle against online gambling. It filed an action in state court seeking to take over 141 domain names that the Commonwealth believed were used for illegal gambling sites. The trial court ordered forfeiture of the domain names.

Kentucky

Lawyers arguing against the forfeiture of the domain names sought a “writ of prohibition” from the appellate court, asking that court to prevent the forfeiture of the domain names. The lawyers appearing before the appellate court fell into two categories: those purporting to actually represent certain domain names (not the domain names’ owners) and those representing gambling trade associations whose members purportedly included some of the registrants of the affected domain names.

The appellate court granted the writ of prohibition. The Commonwealth sought review with the state supreme court. The supreme court dismissed the writ because those arguing against it lacked standing.

Who’s interest was at stake?

The court noted that only a party with a “judicially recognized interest” could challenge the forfeiture of the domain names. The court rejected the notion that the domain names could represent themselves:

An internet domain name does not have an interest in itself any more than a piece of land is interested in its own use. Just as with real property, a domain name cannot own itself; it must be owned by a person or legally recognized entity.

As for the gambling associations, the court held that there could be no “associational standing” because none of the associations would identify any of their members. Associational standing is when an organization (say, for example, the NAACP or a labor union) files suit on behalf of its members. One of the fundamental requirements of associational standing a showing that members of the association would have the right to sue in their individual capacities. Since there was no evidence as to whose interests the associations represented, there was no basis to conclude that the associations’ members would have standing to sue in their own right.

So the court sent the matter back down to the appellate court with orders to vacate the writ of prohibition. But the supreme court also hinted that those affected by the forfeiture could get another bite at the apple: “If a party that can properly establish standing comes forward, the writ petition giving rise to these proceedings could be re-filed with the Court of Appeals.” One would think that at least one brave soul will step forward. Some in the industry seem to hope so.

Other accounts of this story: