Video: my appearance on the news talking about isanyoneup.com

Last night I appeared in a piece that aired on the 9 o’clock news here in Chicago, talking about the legal issues surrounding isanyoneup.com. (That site is definitely NSFW and I’m not linking to it because it doesn’t deserve the page rank help.) The site presents some interesting legal questions, like whether and to what extent it is shielded by Section 230 of the Communications Decency Act for the harm that arises from the content it publishes (I don’t think it is shielded completely). The site also engages in some pretty blatant copyright infringement, and does not enjoy safe harbor protection under the Digital Millennium Copyright Act.

Here’s the video:

Impostor bids in online auction sufficient allegation of interrupted service under CFAA

Yoder v. Equipmentfacts, 2011 WL 2433504 (N.D.Ohio June 14, 2011)

[This is a post by Jackson Cooper. Jackson graduated from DePaul University College of Law in May 2011 with a certificate in intellectual property and information technology law. Jackson also recently passed the Kentucky bar exam and will begin practicing soon. You can find him online at jacksonccooper.com or follow him on Twitter at @jacksoncooper.]

The plaintiffs here were an auction company and a firm employed to assist them with running a private online auction.  They sued the defendant, a firm previously employed by the auction company to assist them with running online auctions.  The plaintiffs  alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, stemming from the defendant’s unauthorized access to a private auction conducted by the plaintiffs after the defendant’s relationship with the auction company was terminated.  According to the plaintiffs, the defendant made unauthorized access to the auction system using an administrative user name and password to post negative comments, and later impersonated a customer in order to place fraudulent bids as that customer.  The plaintiffs further alleged that the defendant, posing as a customer, won auctions for over one million dollars of equipment and failed to pay on those winning bids.

The defendant asked the court to dismiss the CFAA claim, challenging the plaintiffs’ pleadings on the issue of “loss” as defined by the CFAA. The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Plaintiffs alleged lost commission resulting from the defendant’s fraudulent bids and resulting failed auctions.  Defendant claimed that the small scale sabotage as at issue here did not satisfy the “interruption of service” requirement, and therefore could not support the claimed violation of the CFAA.

The court, noting the lack of a definition of “interruption of service” in the statute and the lack of case law dealing with disruptions of this type, treated the issue as one of first impression.  The court concluded that the disruption alleged here was sufficient to support the “interruption of service” requirement in the CFAA.

The court found that the defendant’s alleged “intentional disruption of even a portion of the online auction” constituted an interruption of the service of the site. Although the auction system was not taken offline by defendant’s alleged activities, the court found that thwarting individual transactions and the resulting denial of service to plaintiffs and their customers was an interruption as envisioned by the statute.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

Court upholds criminal intimidation conviction over threats to distribute sexually explicit photo

State v. Noll, 2011 WL 2418895 (Ind. App. June 14, 2011) (Not selected for publication)

Defendant used a sexually explicit photo of the victim in an attempt to gain leverage in an intra-family dispute. She handed an envelope containing the photo to the victim, and indicated she would begin distributing the photo if certain demands were not met.

Defendant was convicted of intimidation under Indiana law. She sought review of her conviction. On appeal, the court affirmed.

One of the arguments that defendant made on appeal was that there was no intimidation because distribution of the photo to persons such as the victim’s husband or co-workers would not subject her to hatred, contempt, disgrace or ridicule as required by the Indiana statute. Defendant pointed out that the victim had posted the sexually explicit photo of herself at issue on the web five years earlier. So in essence, defendant argued, further distribution would do the victim no harm.

The court rejected this argument, finding:

The fact that [victim] already publicized the material herself certainly merits consideration, but is not alone determinative because publicizing material to a particular audience does not necessarily mean that further, targeted, publication would not lead to hatred, contempt, disgrace, or ridicule. In other words, we consider [victim’s] posting of these photographs online in the past as it might mitigate reputational consequences of [defendant] mailing the photographs to others. Although internet websites are of an unusually public and long-lasting nature, we also recognize that making an obscure set of photographs available online is qualitatively different in nature from directly mailing the same photographs as hard-copies addressed to a particular individual or company. [Victim’s] husband or employer could have discovered [victim’s] prior internet posting of the photographs, but a direct mailing is certain to reach them.

The court similarly rejected defendant’s argument that because the victim had posted the photo on the web before, she had no reasonable expectation of privacy in the photo and thus could not be the subject of intimidation. The court disagreed with the analogy to the Fourth Amendment expectation of privacy because in this case, the privacy interest was the victim’s, not the defendant’s. So use of such an analogy might “misdirect [the court] from the determinative issue of whether she would be exposed to reputational consequences.”

Violent posts on social media profile determined to be threats

This is a post by Jonathan Rogers. Jon is a licensed attorney in California, with a focus on technology and entertainment law. You can reach him by email at jon@jonarogers.com or follow him on Twitter at @jonarogers.

Holcomb v. Com., — S.E.2d —, 2011 WL 2183100 (Va.App., Jun 07, 2011)

Appellant challenged his conviction over posts he made to MySpace on his profile page, arguing that they did not constitute the knowing communications of a threat. He argued that MySpace posts were not the type of communication contemplated by the statute, and his postings did not constitute a threat. Appellant posted violent original lyrics which were clearly about his child’s mother.

Appellant had been convicted under a provision of Virginia law that provides:

Code § 18.2–60(A)(1):

Any person who knowingly communicates, in a writing, including an electronically transmitted communication producing a visual or electronic message, a threat to kill or do bodily injury to a person, regarding that person or any member of his family, and the threat places such person in reasonable apprehension of death or bodily injury to himself or his family member, is guilty of a Class 6 felony.

Appellant argued that he did not knowingly communicate the posts within the meaning of the statute because he posted them through his profile, which was available for anyone to view, as opposed to a communication aimed directly at the victim. The court found that there was no requirement that a threat be communicated directly to the intended victim. It instead focused on the fact that an “electronically transmitted communication” produced a “visual or electronic message” that could be viewed by anyone accessing the MySpace profile. It was enough that the victim was able to identify herself based on the references in his posts and that the appellant knew the victim had access to the profile. In fact, the court found, he knew she had viewed it previously.

Appellant’s second argument was that the posts were not threats under the statute. He argued they were lyrics which he had a history of writing and posting on his profile. The court disagreed, finding that because of specific references to the victim, and the unusual subject matter of the lyrics, the post contained statements that would place the victim in “reasonable apprehension of death or bodily injury.” The court pointed to actions taken by the victim, including moving in with her parents, and her testimony that she felt scared after seeing the postings.

The court found the online postings to MySpace where threats which placed apprehension in the victim. So the court upheld the convictions.

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He assserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

Court says law firm did not eavesdrop on employee phone calls

Bowden v. Kirkland & Ellis, 2011 WL 1211555 (7th Cir. April 1, 2011)

Two former employees of a law firm sued the firm for violation of the Electronic Communications Privacy Act, 18 USC 2510 et seq. and for violation of the Illinois Eavesdropping Act, 720 ILCS 5/14-2. The district court granted summary judgment in favor of the law firm. The former employees sought review with the Seventh Circuit. On appeal, the court affirmed the grant of summary judgment.

The court held that the former employees’ evidence of eavesdropping raised no more than a “theoretical possibility” of a violation. Even one of the strongest experts in the case triple hedged his testimony, saying the records “could indicate the potential that interception may have occurred.” So the grant of summary judgment was proper.

The plaintiffs had also raised an electronic discovery issue, namely a claim that the law firm spoliated evidence by destroying a server that contained phone records relevant to the case. The court rejected that argument, finding no credible evidence that the destruction was undertaken in bad faith.

Do certain mobile apps violate the Computer Fraud and Abuse Act?

[This is a guest post by attorney Caroline Belich. Caroline is a Chicago native, former Michigan State volleyball player, and recent admitee to the California bar with particular interest in the First Amendment.]

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030). The CFAA is a federal statute that is often used against hackers. Applying this rationale here, federal prosecutors may argue that the app makers essentially hacked users cellphones.

However, some legal experts believe that criminal charges against the app makers are unlikely. Supporting this belief is the fact that many criminal charges against companies result in non-prosecution or deferred prosecution agreements in exchange for concessions of wrongdoing or monetary payments.

But while criminal charges are doubtful, civil lawsuits by users and causes of action brought by the Federal Trade Commission (FTC) may not be. First, consumers may sue app makers for failure to notify under privacy rights claims. Second, the FTC could allege unfair and deceptive trade practices by makers for failure to inform users how their personal information is being employed. Recently, Google settled with the FTC regarding its social network, Buzz, where allegations were made about violations of users’ privacy.

In light of the potential for privacy rights violations and deceptive trade practices, the FTC has advocated a “Do Not Track” option for web browsers and cellphone users, similar to the “Do Not Call” list for telemarketing. But app makers strongly oppose this idea, of course, for various reason. First, it could obstruct their ability to collect data about their users’ utilization of their product. Second, the option could frustrate financial opportunities with third parties seeking the invaluable consumer statistics. And the third justification is best depicted by Facebook’s privacy policy – while a user may be giving away his own information, he’s not giving away that of his friends… as long as his friends haven’t shared the info with “everyone.”

So even if these criminal investigations do not come to fruition, at least the possibility is making the public aware of their rights involving smartphone products so that industry standards may be created or laws requiring notification may be made.

1 2 3 4 5 6 7 8 9