Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court dismissed the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications were not pled with enough detail to state a claim. The court found that the allegations were sufficient.

Photo courtesy of Flickr user croncast under this Creative Commons license.

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

Clear v. Superior Court, 2010 WL 2029016 (Cal.App. 4 Dist. May 24, 2010)

The California Court of Appeal has held that a man who set up a bogus MySpace profile of his former church pastor can stand trial for criminal “personation.”

The defendant’s alleged conduct that might really put him on the hook is what he did after setting up the profile: he posted content that suggested the pastor used drugs and was gay. Because this could have resulted in the pastor losing his job, the court found the statute prohibiting personation of another might have been violated (that question will be resolved at trial unless there’s a plea deal).

The criminal personation statute (Penal Code Sec. 529) has an intriguing framework for liability. Apparently it’s not enough just to say you’re someone else. To be liable you’ve got to actually do something while assuming that persona that would subject your target to some kind of legal harm.

For example, just saying to the cops that you’re someone else, that you have that persons birthday and even responding affirmatively to whether you have their middle name apparently isn’t enough to violate the statute. People v. Cole, 23 Cal.App.4th 1672 (1994).

But using your sister’s name when you get a traffic ticket and also forging her signature on the citation isn’t allowed. People v. Chardon, 77 Cal.App.4th 205 (1999).

All the reason not to set up that Facebook profile of your boss and populate it with tales of crystal meth and kiddie porn.

Image by Balakov under this Creative Commons license.

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.

Wong v. Partygaming Ltd., — F.3d —, 2009 WL 4893955 (6th Cir. December 21, 2009)

The Sixth Circuit’s recent opinion in the case of Wong v. Partygaming is interesting if you’re a civil procedure wonk and care about things like which law applies to determine the enforceability of forum selection clauses in website terms and conditions and what factors a court should consider when dismissing a case on the basis of forum non conveniens.

The most intriguing part of the case, however, comes from Judge Merritt’s concurrence, in which he addresses the significance of the fact that the terms of service for an online gambling website are probably illegal.

The majority opinion painstakingly analyzed whether the district court abused its discretion in dismissing, of its own will (or “sua sponte” as stodgy lawyers like to say), the plaintiffs’ suit against an online gambling website. The plaintiffs had alleged that the site fraudulently misrepresented that there was no collusion among other online gamblers, and that the site did not target people with gambling problems. The website terms of service contained a forum selection clause naming Gibraltar as the jurisdiction in which disputes were to be heard.

The appellate court affirmed the lower court’s decision that the case should be dismissed and that Gibraltar (which follows English law) would be a suitable and not-too-inconvenient forum. But the majority opinion said nothing about the legality of online gaming.

That’s where Judge Merritt picked up in the concurrence. He agreed that the matter should have been dismissed in favor of it being heard in Gibraltar — that’s why he concurred and did not dissent. His reasoning differed from that of the majority.

View Larger Map

Judge Merritt observed that the plaintiffs’ logic was inconsistent. They had argued that Ohio law should apply to the terms of service. But under Ohio law (and federal statutes like RICO), the subject matter of the contract would probably have been illegal and therefore void. Not to mention the fact that the conduct could send the parties to jail.

The judge wrote that something analogous to the principle of lenity — and not necessarily a rigorous analysis of the forum selection clause and the doctrine of forum non conveniens — should underlie the dismissal of the lawsuit. Lenity requires that when the question of criminal liability is ambiguous, interpretation should be made in favor of the defendant (see McNally v. United States). Since online gambling presumably was not illegal under the law of Gibraltar, the more lenient stance would be to see the matter litigated there.

Bling photo courtesy Flickr user PhotoDu.de under this Creative Commons license.

Last time it was probation being revoked. This time it’s children being taken away. A recent Texas case shows how irresponsible social media use can have some unpleasant consequences.

Mann v. Department of Family and Protective Services, 2009 WL 2961396 (Tex. App. September 17, 2009)

Appellant had her baby taken away by state protective services. She sought review with the court claiming, among other things, that the state had presented “no evidence that [Appellant] engaged in endangering conduct.”

The court found otherwise, agreeing with the lower court that Appellant had endangered the child. Among the evidence it considered were photos from Appellant’s MySpace account with the following captions, unedited to preserve their original ebullience:

• At Ashley House Dranking it Up
• Me Helping Ashley Stand Up, Were Both Drunk
• Me Dancing my ass off, I can dance when I drunk
• Yall see how much we Dranked plus the one’s that droped on the floor
• We were all fucked up

Oh, by the way, Appellant was under 21.

The court held that “[t]his evidence could lead a reasonable factfinder to firmly believe that appellant engaged in underage drinking on these two occasions, despite knowing that she was under the legal drinking age.”

Photo courtesy Flickr user Mercury98 under this Creative Commons license.

Mashable and others are reporting on a law that the governor of Illinois signed earlier this week, banning use of social networking sites by convicted sex offenders. The big criticism of that law seems to be that it may be unconstitutional. That question is worth thinking about.

The most likely constitutional challenge will be that the law is too broad. For a law to prohibit certain speech and not run afoul of the First Amendment, it must be narrowly tailored to serve a compelling government interest. Clearly there is a compelling government interest in protecting children and other victims of sex crimes from perpetrators. So the real analysis comes from examining whether this restriction on the use of social networking sites is narrowly tailored to serve that purpose.

What the law says

Let’s back up and take a look at what the new law actually says. In short, it requires any sex offender that is on parole, supervised release, probation, conditional release or court supervision to “refrain from accessing or using a social networking website.” Note that the restriction is not a lifetime ban, but just a restriction to be in effect during the sentence.

There are a number of terms to unpack.

There is a prohibition on “accessing” and “using.” This is kind of redundant, because the statute defines “access” as “to use, instruct, communicate with, store data in, retrieve or intercept data from, or otherwise utilize any services of a computer.” (The redundant part comes from the fact that to “use” is part of the definition of “access”.)

The most important definition for our discussion is that of a “social networking website”:

“Social networking website” means an Internet website containing profile web pages of the members of the website that include the names or nicknames of such members, photographs placed on the profile web pages by such members, or any other personal or personally identifying information about such members and links to other profile web pages on social networking websites of friends or associates of such members that can be accessed by other members or visitors to the website. A social networking website provides members of or visitors to such website the ability to leave messages or comments on the profile web page that are visible to all or some visitors to the profile web page and may also include a form of electronic mail for members of the social networking website.

This is a tortured definition plagued by a couple of runon sentences, but in essence, a social networking website, as defined under Illinois law, is any site that has:

• profile pages that contain
• identifying information such as names, usernames or photographs, and which are
• linked to other profile pages of “friends or associates” that can be
• accessed by other members or visitors to the website, and
• provides the ability to leave messages or comments on the profile visible to others

In a rather strange style for legislative writing, the definition says that a social networking site “may also include” direct messaging. That’s weird to say in a statute — does it have to include direct messaging to be considered a social networking site? One could argue either way. So that part of the definition does nothing to assist.

How one can run afoul of the law

By merely accessing a social networking site, a sex offender violates this new law. He or she doesn’t have to actually use any of the social networking functionality, all that is necessary is to merely retrieve data from the computer on which the site is stored. Clearly it would be verboten to use MySpace and Facebook. But also off limits would be LinkedIn and Focus. Flickr? YouTube? No way, even if the offender is just going there to passively view content for completely benign purposes.

The constitutional problem

Remember, the law has to be narrowly tailored to meet the compelling state interest. That means that if there is some less restrictive alternative than the law as enacted to fix the problem, the law is too broad and therefore unconstitutional. It would certainly seem that there is something less restrictive than a prohibition on merely visiting a website with social media functionality. A good start would be more aggressively targeting the actual online conduct that might put people at risk — actual online interaction through social media.

But it is far from clear. The Seventh Circuit (which is the federal appellate court that would hear a constitutional challenge to an Illinois law) has held that a convicted sex offender can lawfully be prohibited from visiting a city park. See Doe v. City of Lafayette, 377 F.3d 757 (7th. Cir. 2004). In a city park there is plenty of conduct one can undertake which is not unlawful or does not threaten others. And the court held that restriction was not unconstitutional. There is plenty of conduct one can engage in on a “social networking site” as defined by the statute that is not harmful as well.

Is the comparison between a city park and a social networking site justified?

Keyboard image courtesy Flickr user striatic under this Creative Commons License.

Marshall v. State, 2009 WL 2243467 (Ind. App. July 28, 2009)

Gotta love the facts of this case from my home state of Indiana.

Marshall and Goodman traded cars with one another, but that deal went sour. Marshall then got into an altercation with Goodman’s mother (named Lee) and Marshall was arrested. She was also ordered to have no contact with either Goodman or Lee. Three days after her arrest, Marshall sent the following (redacted) private message through MySpace to Goodman:

Dont think that you are gonna get away from this s***. you can’t hide forever and one of these days when you are out and about … you know thy aint going to pin nothing on me. Cant prove s***. aint gonna and I am just waiting for that day. You want a war? ? ? Your gonna get it now f*****. I don’t know YET who told you the s*** in my blogs or was feedin you info on me but you can rest assured that I am gonna f*** them uptoo when I found out. And I WILL find out. The s*** aint done and you better know that. Its only a matter of time.

The b**** you know I can be.

(Ed. note: stay classy, Ms. Marshall!)

Based on this message, Marshall was convicted of felony intimidation against Lee. The prosecution had argued that Marshall committed this crime by communicating a threat to knowingly injure Lee, with the intent that Lee be placed in fear of retaliation for calling the police.

Marshall sought review of her conviction with the Indiana Court of Appeals. On appeal, the court reversed the conviction.

The court held that the prosecution failed to prove its allegations of intimidation against Lee, because the message was sent to Goodman’s ( and not Lee’s) MySpace account. Even though an intimidating communication may be indirect, the state had to prove that Marshall must have known or had reason to know that her communication would reach Lee. In this case, there was no such proof.

The MySpace message was not addressed to Lee, nor was she mentioned by name. Accordingly, there was no evidence that Marshall knew or had reason to know that Goodman would show the message to his mother.

Photo courtesy Flickr user subewl under this Creative Commons license.

Lesson of the day: don’t post pictures of yourself on MySpace holding a beer if the conditions of your probation don’t let you drink alcohol or use the internet.

Defendant Pressley pled guilty to some ugly crimes and was sentenced to a lifetime of probation. As part of the deal, he promised not “to consume or drink any substance containing alcohol,” and to “not possess, use or have personal access to any computer or similar equipment that has internet capability without prior written permission of [his] Probation Officer.”

In July 2007, Pressley’s probation officer paid him a visit. There in Pressley’s house was a vodka bottle two-thirds empty (or as I like to say, one-third full) and a laptop having a desktop icon with Pressley’s name. (It’s not clear what that icon was, but it sounds like a profile icon for Windows XP.)

The state filed a petition to revoke Pressley’s probation. The trial court granted the petition and sentenced him to ten years in prison. Pressley appealed. On review, the court affirmed the prison sentence.

The most intriguing argument that Pressley made to the appellate court was that the lower court erred in admitting photos of Pressley holding a beer. According to Pressley’s wife’s testimony, the photos came from her MySpace page. One of the other pictures had a caption, as if written by the defendant, that said, “Me and my wife.” The court found that these pictures were relevant to whether Pressley violated the terms of his probation.

Good thing you’d never see anything like this over at Sorry I Missed Your Party.

You know the story of Lori Drew — the mom from Missouri who was accused of setting up a bogus MySpace profile impersonating an adolescent boy. Lori acted as this fake “Josh” to stir up romantic feelings in young Megan Meier who, after being dumped by “Josh,” took her own life.

A terrible thing of course. And someone needed blaming. So federal prosecutors chose to go after Lori Drew. The jury convicted her of violating the Computer Fraud and Abuse Act (the federal anti-hacking statute), but today the judge acquitted her. Seems like a good decision, as the theory on which the prosecution based its case — that Lori violated the site’s terms of service by saying she was someone other than she is and thereby exceeded her authority — was shaky at best. The big problem with that theory was that such a reading would make most of us criminals. I’m sure you don’t mean to tell me you’ve never signed up for an online service using something other than your real name or accurate contact information.

Most smart people can agree that the Computer Fraud and Abuse Act was not the right way to punish this “crime.” Various states have enacted legislation to handle cyberbullying and are already prosecuting people in state court. But the problem is not going to go away. People will still do foolish things on the internet.

And to the extent that foolishness is criminal, the individual should pay a criminal price. The individual.

Using the Computer Fraud and Abuse Act to go after this conduct put the contractual relationship between the end user and the provider (i.e., Lori Drew and MySpace) under the microscope where it did not belong. The court and jury had to scrutinize that contractual relationship and the resulting authority (or lack thereof). They had to do that because there was no other way the government was going to win a CFAA prosecution otherwise.

Focusing on that relationship in this context did not make sense. MySpace didn’t have anything to do with this other than being a passive intermediary. Why should the inquiry at trial have gone to those kinds of questions? Why should the intermediary have been bothered? It shouldn’t have.

The bad act was (I guess we have to again say “allegedly was” now that she’s been acquitted) between Lori Drew and Megan Meier. That’s the space where the factual focus and legal analysis belonged. Not in the legal relationship between Lori Drew and MySpace.

Now that we have a sensible legal outcome in this case, hopefully prosecutors will take some more principled approaches and leave the intermediaries out of it.