Category Archives: Privacy

Company facing liability for accessing employee’s Twitter and Facebook accounts

While plaintiff was away from the office for a serious brain injury she suffered in a work-related auto accident, some of her co-workers accessed and posted, allegedly without authorization, from her Twitter and Facebook accounts. (There was some dispute as to whether those accounts were personal to plaintiff or whether they were intended to promote the company.) Plaintiff sued, alleging several theories, including violations of the Lanham Act and the Stored Communications Act. Defendants moved for summary judgment. The court dismissed the Lanham Act claim but did not dismiss the Stored Communications Act claim.

Plaintiff had asserted a Lanham Act “false endorsement” claim, which occurs when a person’s identity is connected with a product or service in such a way that consumers are likely to be misled about that person’s sponsorship or approval of the product or service. The court found that although plaintiff had a protectable interest in her “personal brand,” she had not properly put evidence before the court that she suffered the economic harm necessary for a Lanham Act violation. The record showed that plaintiff’s alleged damages related to her mental suffering, something not recoverable under the Lanham Act.

As for the Stored Communications Act claim, the court found that the question of whether defendants were authorized to access and post using plaintiff’s social media accounts should be left up to the jury (and not determined on summary judgment). Defendants had also argued that plaintiff’s Stored Communications Act claim should be thrown out because she had not shown any actual damages. But the court held plaintiff could be entitled to the $1,000 minimum statutory damages under the act even without a showing of actual harm.

Maremont v. Susan Fredman Design Group, Ltd., 2014 WL 812401 (N.D.Ill. March 3, 2014)

Massachusetts supreme court says cops should have gotten warrant before obtaining cell phone location data

Court takes a “different approach” with respect to one’s expectation of privacy

After defendant’s girlfriend was murdered in 2004, the police got a “D order” (an order authorized under 18 U.S.C. 2703(d)) from a state court to compel Sprint to turn over historical cell site location information (“CSLI”) showing where defendant placed telephone calls around the time of the girlfriend’s murder. Importantly, the government did not get a warrant for this information. After the government indicted defendant seven years later, he moved to suppress the CSLI evidence arguing a violation of his Fourth Amendment rights. The trial court granted the motion to suppress, and the government sought review with the Massachusetts supreme court. That court agreed, holding that a search warrant based on probable cause was required.

The government invoked the third party doctrine, arguing that no search in the constitutional sense occurred because CSLI was a business record of the defendant’s cellular service provider, a private third party. According to the government, the defendant could thus have no expectation of privacy in location information — i.e., information about the his location when using the cell phone — that he voluntarily revealed.

The court concluded that although the CSLI at issue was a business record of the defendant’s cellular service provider, he had a reasonable expectation of privacy in it, and in the circumstances of this case — where the CSLI obtained covered a two-week period — the warrant requirement of the Massachusetts constitution applied. The court made a qualitative distinction in cell phone location records to reach its conclusion:

No cellular telephone user . . . voluntarily conveys CSLI to his or her cellular service provider in the sense that he or she first identifies a discrete item of information or data point like a telephone number (or a check or deposit slip…) … In sum, even though CSLI is business information belonging to and existing in the records of a private cellular service provider, it is substantively different from the types of information and records contemplated by [the Supreme Court's seminal third-party doctrine cases]. These differences lead us to conclude that for purposes of considering the application of [the Massachusetts constitution] in this case, it would be inappropriate to apply the third-party doctrine to CSLI.

To get to this conclusion, the court avoided the question of whether obtaining the records constituted a “search” under the Fourth Amendment, but focused instead on the third party doctrine (and the expectation of privacy one has in information stored on a third party system) in relation to the Massachusetts constitution.

In a sense, though, the court gave the government another bite at the apple. It remanded the case to the trial court where the government could seek to establish that the affidavit submitted in support of its application for an order under 18 U.S.C. § 2703(d) demonstrated probable cause for the CSLI records at issue.

Commonwealth v. Augustine, — N.E.3d —, Mass. , 2014 WL 563258 (Mass. February 18, 2014)

Is the future a trade between convenience and privacy?

This TechCrunch piece talks about how (predictably) Google wants to build the “ultimate personal assistant.” With Google’s collecting user preferences cross-platform and applying algorithms to ascertain intentions, getting around in the world, purchasing things, and interacting with others could get a lot easier.

But at what cost? The success of any platform that becomes a personal assistant in the cloud would depend entirely on the collection of vast amounts of information about the individual. And since Google makes its fortunes on advertising, there is no reason to be confident that the information gathered will not be put to uses other than adding conveniences to the user’s life. Simply stated, the platform is privacy-destroying.

What if one wants to opt-out of this utopically convenient future? Might such a person be unfairly disadvantaged by, for example, choosing to undertake tasks the “old fashioned” way, unassisted by the privacy eviscerating tools? This points to larger questions about augmented reality. As a society, will we implement regulations to level the playing field among those who are not augmented versus those who are? Questions of social justice in the future may take a different tone.

Guy faces lawsuit for using another man’s Facebook pics to send sexually explicit communications to undercover cops

Defendant emailed three pictures, thinking he was communicating with two 14-year-old girls. But he was actually communicating with a police detective. And the pictures were not of defendant, but of plaintiff — a cop in a neighboring community. The pictures were not sexually explicit, but the accompanying communications were. Defendant had copied them from plaintiff’s Facebook page.

Plaintiff and his wife sued defendant under a number of tort theories. Defendant moved to dismiss plaintiffs’ claims for false light publicity and intentional infliction of emotional distress. The court denied the motion.

It found that the false light in which defendant placed plaintiff through his conduct would be highly offensive to a reasonable person, and that defendant had knowledge of or acted in reckless disregard as to the falsity of the identity of the person in the photo, and the false light into which the plaintiff would be placed.

As for the intentional infliction of emotional distress claim, the court found that: (1) defendant intended to inflict emotional distress or that he knew or should have known that emotional distress was the likely result of his conduct; (2) that the conduct was extreme and outrageous; (3) that the conduct was the cause of plaintiff’s distress; and (4) that the emotional distress sustained by the plaintiff was severe.

Defendant argued that his conduct was not extreme and outrageous. The court addressed that argument by noting that:

[Defendant] cannot do that with a straight face. The test is whether “the recitation of the facts to an average member of the community would arouse his resentment against the actor and lead him to exclaim, Outrageous!” . . . This is such a case.

Plaintiff’s wife’s intentional infliction of emotional distress claim survived as well. This was not, as defendant argued, an allegation of bystander emotional distress, such as that of a witness to an automobile accident. Defendant’s conduct implied that plaintiff was a sexual predator. This would naturally reflect on his spouse and cause her great personal embarrassment and natural concern for her own personal health quite apart from the distress she may have experienced from observing her husband’s own travail.

Dzamko v. Dossantos, 2013 WL 5969531 (Conn.Super. October 23, 2013)

Can the government violate the Computer Fraud and Abuse Act?

Short answer: Pretty much no.

The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:

This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

The recent controversy over whether the FBI and/or the NSA is behind the recent Tor anonymity compromising brings this question up. So we can cut right to the question of whether that conduct is outside this exception to the CFAA, in that it is not a “lawfully authorized” law enforcement activity. Given the nuance and complexity of these issues, we should not expect easy answers.

Can an LLC member violate the Stored Communications Act by accessing other members’ email?

Yes.

Two members of an LLC sued another member and the company’s manager of information services alleging violation of the Stored Communications Act, 28 U.S.C. 2701 et seq. Defendants moved to dismiss for failure to state a claim. The court denied the motion.

Plaintiffs alleged that the LLC’s operating agreement required “Company decisions” to be made based on four of the five members voting in favor. The company had no policy in place authorizing the search and review of employees’ email messages, nor did it inform employees that their email may be accessed. Plaintiffs did not consent to their emails being searched and reviewed.

In connection with a dispute among the LLC members, one of them allegedly (in cooperation with the manager of information services) accessed the company’s email server using administrative credentials. She allegedly performed over 2,000 searches, retrieving other members’ communications of a personal nature, as well as communications with those members’ legal counsel.

Defendants moved to dismiss under 12(b)(6), arguing that plaintiffs could not show the access was unauthorized. Defendants argued that there was no electronic trespass, as the access was accomplished simply by company procedure.

The court rejected defendants’ arguments, finding that plaintiffs had sufficiently alleged an SCA violation, since plaintiffs had not consented to the access, and because no policy existed permitting an individual to search and review emails of members or employees absent the four-fifths approval required by the operating agreement.

Joseph v. Carnes, 2013 WL 2112217 (N.D.Ill. May 14, 2013)

Email privacy is weak even with court oversight

Huntington Ingalls Inc. v. Doe, 2012 WL 5897483 (N.D. Cal. November 21, 2012)

A federal court in California has allowed a party to subpoena Google to learn the identity of a Gmail account owner, even though that owner did nothing to involve himself in the dispute.

A contractor that plaintiff hired accidentally emailed “property” belonging to plaintiff to the wrong email address. (The court’s opinion is not clear on the nature of this “property,” but we are safe in assuming it was some sort of proprietary information.) Plaintiff sent messages to the Gmail account seeking return of the property, but the unknown account owner did not respond.

Plaintiff filed suit in federal court against the anonymous account holder (John Doe) seeking declaratory and injunctive relief (i.e., to get the property back). Since plaintiff did not know Doe’s identity, it sought expedited discovery so that it could subpoena Google for the identifying information.

email

The court granted the motion for leave to send the subpoenas. It found that:

  • without the subpoena, plaintiff would have no other way to obtain “this most basic information”
  • the subpoena was the exclusive means available to plaintiff to protect its property interest
  • plaintiff’s proposed procedure guarded Doe’s due process rights by requiring Google to give Doe notice of the subpoena and an opportunity to object

The court’s opinion shows how any privacy interest in one’s email account information is tenuous at best. In this situation, the target of the unmasking efforts was, as they say, minding his own business, not doing anything to inject himself into any dispute.

Moreover, unlike many previous cases in which courts have required the party seeking discovery of an anonymous party’s identity to put forth facts showing it has a good case, there was no claim here that Doe did anything wrong. Instead, it was the sender’s mistake. One could find it unsettling to know that other peoples’ errors could cause a court to order his or her identity to be publicly revealed.

Photo courtesy Flickr user Bart Heird under this Creative Commons license.

Trial court erred in ordering defendant to turn over his iPhone in ediscovery dispute

AllianceBernstein L.P. v. Atha, — N.Y.S.2d —, 2012 WL 5519060 (N.Y.A.D. 1 Dept., November 15, 2012)

Plaintiff sued its former employee for breach of contract alleging he took client contact information on his iPhone when he left the job. The trial court ordered defendant to turn the iPhone over to plaintiff’s counsel so plaintiff could obtain the allegedly retained information.

Defendant sought review of the discovery order. On appeal, the court reversed and remanded.

The appellate court found that the lower court’s order that defendant turn over his iPhone was beyond the scope of plaintiff’s request and was too broad for the needs of the case. Ordering production of defendant’s iPhone (which, the court observed, has built-in applications and internet access) “was tantamount to ordering the production of his computer.” The iPhone would disclose irrelevant information that might include privileged communications or confidential information.

So the court ordered that the phone and a record of the device’s contents be delivered to the court for an in camera review to determine what, if any information contained on the phone was responsive to plaintiff’s discovery request.

Court won’t ban Gawker from posting Hulk Hogan sex tape

Bollea v. Gawker Media, LLC, 2012 WL 5509624 (M.D.Fla. November 14, 2012)

A few years ago someone surreptitiously filmed Hulk Hogan cavorting in bed with a woman not his wife. Gawker got a copy through an anonymous source and posted a minute of excerpts on gawker.com. (I’m not linking to it but it’s easily accessible. Just be warned, it’s extremely NSFW.)

Hulk sued in federal court alleging various invasion of privacy claims. He sought a preliminary injunction against Gawker continuing to make the video available. The court denied the motion, finding such an injunction to be an unconstitutional prior restraint on Gawker’s free speech right.

Gawker conceded that Hulk had a right of privacy in the contents of the tape, but argued that Gawker’s First Amendment rights outweighed the privacy interest.

The court found that Hulk failed to satisfy his heavy burden to overcome the presumption that a preliminary injunction would be an unconstitutional prior restraint under the First Amendment. Hulk’s public persona, including the publicity he and his family derived from his reality show, his own book describing an affair he had during his marriage, prior reports by other parties of the existence and content of the tape, and Hulk’s own public discussion of issues relating to his marriage, sex life, and the tape all demonstrated, in the court’s view, that the tape was a subject of general interest and concern to the community.

And he failed to show that he would suffer irreparable harm from the publication. The court’s decision on this point was based in part on the fact that mere embarassment was not enough to satisfy the irreparable harm standard. Moreover, the court found this to be a case where the “cat is out of the bag,” so it was not apparent that a preliminary injunction would do anything to help.