Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (&#147ECPA&#148). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.

Cybersquatter hit with maximum penalty

Citigroup, Inc. v. Shui, 2009 WL 483145 (E.D. Va. Feb. 24, 2009)

Court enjoins use of citybank.org, orders defendant to pay $100,000 in statutory damages and to pay Citibank’s attorneys’ fees.

Defendant Shui registered the domain name citybank.org and established a site there promoting financial services, sometimes using the mark CITIBANK. The real Citibank, armed with its trademark registrations in over 200 countries and over 50 years of use of its CITIBANK mark, filed suit against Shui under the Anticybersquatting and Consumer Protection Act, 15 USC 1125(d) (“ACPA”).

Citibank moved for summary judgment on its ACPA claim and also asked the court to enter an injunction against Shui. Citibank also sought $100,000 — the maximum amount of statutory damages available under the ACPA, plus payment of Citibank’s attorneys’ fees. The court granted all of Citibank’s requested relief.

To prevail on the ACPA claim, Citibank had to show that (1) Shui had a bad faith intent to profit from using the domain name, and (2) that the domain name at issue was identical or confusingly similar to, or dilutive of, Citibank’s distinctive or famous mark.

Finding of bad faith

The court found Shui registered the domain name in bad faith because:

  • Shui did not have any trademark or other intellectual property rights in the domain name, and the registration of the domain name was not sufficient to establish any rights.
  • The domain name consisted of the legal name of Citibank (with one letter difference) and not the legal name of, nor any name that was otherwise used to identify Shui.
  • Shui had not engaged in prior use of the disputed domain name in connection with the bona fide offering of any goods or services prior to registering the domain name.
  • Shui’s use of the domain name was commercial in nature. Notably, some of the advertisements on Shui’s site were exact replicas of the marks CITIBANK and CITI. Each clickthrough provided Shui with advertising revenue, even though clicking on a link with Citibank in the title did not redirect the user to any website affiliated with the real Citibank.
  • Shui clearly intended to confuse, mislead and divert internet traffic from Citibank’s official website to his own in order to garner more clickthrough revenue from the misleading “citibank” advertisements.
  • Subsequent to the filing of the complaint, Shui sold the domain name for financial gain to a third-party in an apparent effort to avoid liability.
  • Shui registered other internet domain names which were identical or similar to Citibank’s marks, and the CITIBANK mark was distinctive and famous at the time Defendant registered the disputed domain name.

Confusing similarity

On the issue of confusing similarity, the court observed the strength of Citibank’s mark and the fact that the parties both offered financial services. Taking those facts in combination with the bad faith demonstrated by Shui, the court found the disputed domain name to be confusingly similar to Citibank’s marks.

The remedy

Accordingly, the court found in favor of Citibank on the ACPA claim. The court was stern in its remedy. It found that Shui’s registration of the confusingly similar domain name was “sufficiently willful, deliberate, and performed in bad faith to merit the maximum statutory award of $100,000 and an award of attorney’s fees.”

$100K photo courtesy Flickr user Ricardo (Kadinho) Villela under this Creative Commons license.

Verizon obtains damages, injunction against regsitrar under ACPA

[This is a guest post by contributor Brian Beckham]

Plaintiff Verizon California, Inc. (Verizon) recently obtained a default judgment in the U.S. District Court for the Northern District of California, San Jose Division, in its favor against Defendant, the registrar OnlineNIC, Inc. (press release).

Despite repeated attempts, Verizon was not able to serve notice on OnlineNIC; the court ultimately approved Verizon’s application to serve process with the California Secretary of State. OnlineNIC was alleged to have engaged in the bad faith registration of 663 identical or confusingly similar domain names incorporating one of Verizon’s family of marks (e.g., <bestverizon.net>, <myprepaidverizon.com>, <verizonflios.com>, <vzwactivate.com>, etc.) inter alia, in violation of the ACPA. Verizon’s unchallenged, well-pleaded allegations were accepted by the court as true; OnlineNIC’s liability was thus established.

In addition to OnlineNIC’s default, significantly, the court noted that OnlineNIC had refused to alter its behavior (presumably after a cease & desist letter) and had purposefully attempted to avoid detection (e.g., by providing false contact information). However, given the default, the court was reluctant to impose the full statutory damages provided for under the ACPA ($100,000 per infringement), but imposed damages of $50,000 per violation (totaling $33.15 million). It remains to be seen whether Verizon will successfully collect, nonetheless, Verizon obtained a transfer order in its favor for all of the 663 infringing domain names. OnlineNIC (including any related entity) was further enjoined from directly or indirectly (i) registering, trafficking in or using any domain name that is identical or confusingly similar to the Verizon marks and (ii) assisting, aiding or abetting any other person or business entity in engaging in or performing and of the said activities.

This injunction seems to leaves open the question of whether the seemingly common registrar practice of actively suggesting alternate domain names available for registration (e.g., those that add alphanumerical strings, e.g., <new____4u.com>, <buy____.net>, <your____.org>, <my____pro.com>, <best____.com>, etc.) would be covered by the “assisting, aiding or abetting” language in the injunction.

Case is: 2008 U.S. Dist. LEXIS 104516

1 2 3 4 5 6 8 9 10