
Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Steiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

Employee text messages covered under Stored Communications Act and Fourth Amendment

Quon v. Arch Wireless Operating Co., Inc., — F.3d —-, 2008 WL 2440559 (9th Cir. June 18, 2008)

Sergeant Quon’s employer, the City of Ontario, California Police Department, issued him a pager with which he could send and receive text messages. Copies of text messages sent and received using the pager were archived on Arch Wireless’s computer server. The City’s agreement with Arch Wireless allowed for each user to send up to 25,000 characters’ worth of messages a month.

The police department required any employee who went over that monthly limit to pay the overage charges. Quon went over that limit several times and paid the extra fees. After a while, the department started to investigate Quon, ostensibly to see whether the department should seek to raise the 25,000 monthly character limit. Quon’s supervisor had told him that the department would not review the contents of the messages if he continued to pay for the overages.

But the department acquired transcripts of the messages anyway. Quon sued, alleging violations of the Stored Communications Act, 18 U.S.C. §§2701-2711 (SCA) and the Fourth Amendment.

The district court awarded summary judgment to the defendants on the SCA claim, finding that Arch Wireless was a “remote computing service” as defined by the SCA, and thus it was appropriate for Arch Wireless to turn over the contents of the messages to the police department as a “subscriber” to the service.

On the defendants’ summary judgment motion on the Fourth Amendment claim, the district court determined that Quon had a reasonable expectation of privacy, but that the question of whether the search of the contents of the messages by the police chief was reasonable should be heard by a jury. That jury found that the search was reasonable because it was to determine the efficacy of the 25,000 character limit (i.e., to determine whether work-related reasons warranted upgrading).

Quon sought review of both the SCA and Fourth Amendment issues with the Ninth Circuit. On appeal, the court reversed the lower court’s holding that the SCA was not violated. As for the Fourth Amendment claim, the appellate court held that the search by the police chief was unreasonable as a matter of law, and that the question should not have even made it to the jury.

On the SCA claim, the court looked to the plain meaning of the statute as well as the legislative history from 1986 to conclude that the lower court’s determination that Arch Wireless was a remote computer service was erroneous. Arch Wireless did not provide “computer storage” nor “processing services.” Although Arch Wireless was storing the messages after transmission, the court held that that function was contemplated as one for an electronic communications service as well, which was more in line with the services Arch Wireless provided. So when Arch Wireless turned over the contents of the messages to the police department, which was merely a subscriber and not “an addressee or intended recipient of such communication[s],” it violated the SCA.

On the Fourth Amendment question, the court concluded that the search was unreasonable as a matter of law because it was unreasonable in its scope. Assuming that the police chief’s only reason for the search was to check the efficacy of the 25,000 character limit, there would have been less intrusive ways of doing so. Quon could have been asked to count the characters himself, or could have redacted personal messages in connection with an audit.

Be careful with email because your employer is “looking over your shoulder”

Workplace email policy destroyed attorney-client privilege

Scott v. Beth Israel Medical Center, — N.Y.S.2d —-, 2007 WL 3053351 (N.Y. Sup. October 17, 2007).

Dr. Scott, who used to work for Beth Israel Medical Center in New York, sued his former employer for breach of contract and a number of other claims. Before he was terminated, however, he had used his work email account to send messages to his attorneys, discussing potential litigation against Beth Israel.

When Dr. Scott found out that Beth Israel was in possession of these email messages, he asked the court to order that those messages be returned to him. He argued that they were protected from disclosure to Beth Israel under the attorney-client privilege.

Beth Israel argued that they were not subject to the privilege because they were not made “in confidence.” There was an email policy in place that provided, among other things, that the computers were to be used for business purposes only, that employees had no personal right of privacy in the material they create or receive through Beth Israel’s computer systems, and that Beth Israel had the right to access and disclose material on its system.

Dr. Scott argued that New York law [CPLR 4548] protected the confidentiality. Simply stated, CPLR 4548 provides that a communication shouldn’t lose its privileged character just because it’s transmitted electronically.

The court denied Dr. Scott’s motion for a protective order, finding that the messages were not protected by the attorney-client privilege.

It looked to the case of In re Asia Global Crossing, 322 B.R. 247 (S.D.N.Y. 2005) to conclude that the presence of the email policy destroyed the confidential nature of the communications. The policy banned personal use, the hospital had the right to review the email messages (despite Scott’s unsuccessful HIPAA argument), and Dr. Scott had notice of the policy.

The decision has implications for both individuals and the attorneys who represent them. Employees should be aware that when they are sending messages through their employer’s system, they may not be communicating in confidence. And attorneys sending email messages to their clients’ work email accounts, on matters not relating to the representation of the employer, must be careful not to unwittingly violate the attorney-client privilege.

What’s more, although the decision is based on email communications, it could affect the results of any case involving instant messaging or text messaging through the company’s server.

No recovery for credit monitoring costs after data breach

Pisciotta v. Old National Bancorp, No. 06-3817, — F.3d —-, (7th Cir. August 23, 2007)

Defendant Old National Bank had a website through which it gathered numerous fields of confidential information about its customers, and it stored that information in a database. After a hacker compromised the system and gained access to the confidential customer information, two of the bank’s customers filed suit in an Indiana federal court, alleging breach of contract and negligence. They sought recovery not of any actual loss suffered from the security breach (e.g., amounts drained from the accounts), but instead sought to be reimbursed for future credit monitoring services.

The bank answered the complaint and moved for judgment on the pleadings under Fed. R. Civ. P. 12(c). The court granted the motion, holding that the alleged damages were not cognizable under Indiana law. The plaintiffs sought review with the Seventh Circuit Court of Appeals, which affirmed the dismissal of the action.

The court observed that there was essentially no authority providing guidance on how the issue should be resolved under Indiana law. (The district court sitting in diversity was required to apply the law of the state in which it sits — Indiana.) Part of the analysis, however, relied on a recently enacted Indiana statute dealing with data breaches. Under that statute [I.C. 24-4.9 et seq.], under certain circumstances, if a bank becomes aware of a compromise in its security, it must notify its customers. The only cause of action available under the statute lies with the government, as the attorney general is authorized to pursue civil actions against non-compliant banks. Private individuals are not entitled to recovery under the statute.

The lack of any affirmative right to recover the costs of prospective credit monitoring services in the statute contributed to the court’s decision to hold that none should be available at common law. Given the absence of any state authority directly addressing the point, the federal court declined to implement such a “substantial innovation” on a question of state law.


Data privacy and third party Facebook applications

Over in the UK, Facebook has been getting some scrutiny from a privacy standpoint, especially after officials at Oxford University used the service recently to identify celebrating students who may have been up to some naughtiness. [More on that here]

But there are some even more subtle privacy issues with Facebook, arising from the proliferation of the use of third party applications within the Facebook platform. Alex Newson at Freeth Cartwright’s Impact blog has written up a pair of posts [here and here] which take a serious look at these Facebook privacy concerns. Naturally the posts are written from a UK perspective, but are useful to U.S. readers inasmuch as they prompt one to consider that which has largely hitherto been unconsidered, namely, what legal issues should a Facebook app developer be thinking about.

The U.S. approach to data privacy is frequently characterized as “scattershot.” So there aren’t any bright lines to draw when it comes to how one should manage the sharing of information within the Facebook platform. What is most appropriate at this time is to recognize it as an issue of which developers (and users) should be aware.

Catching the Redeye to vigilante website land

Tracy Swartz has written an interesting little article in today’s Redeye (for you non-Chicago readers, the Redeye is published by the Chicago Tribune and covers the trendier side of the news and the Chicago scene). The article talks about so-called “vigilante websites,” which provide users with a forum in which to report bad drivers by posting the license plate numbers of offenders. Interesting concept, and it presents some worthwhile questions about secondary liability for site owners. I’m quoted very briefly toward the end of the article. Hope you’ll check it out.

New Jersey gives nod to right of “informational privacy”

In contrast to federal right, state recognizes legitimate privacy interest in data held by third parties.

A New Jersey business owner began to suspect that one of his employees had, without authorization, accessed the company’s computer system to modify shipping and other customer information. The business owner knew someone with a Comcast IP address had accessed the system, and a police detective went to the local municipal court, to have the administrator issue a subpoena to Comcast. The ISP complied, and the information provided implicated the suspected employee. She was arrested, and before trial, successfully moved to suppress the evidence linking her identity with the IP address. The state sought review of the suppression of the evidence, and the appellate court affirmed. Pro-privacy advocates should applaud the court’s opinion.

The appellate court first looked at the validity of the subpoena that the administrator of the municipal court issued. For a number of reasons particular to New Jersey criminal procedure, the subpoena was invalid. (For example, the offense being investigated was one that would have been outside that court’s subject matter jurisdiction.)

The court then examined whether the invalidity of the subpoena really mattered. The lower court judge’s decision to suppress the evidence “might still be subject to reversal if [the] defendant had no privacy interest in the information obtained from Comcast. If there were no constitutionally protected privacy interest, it would not matter how the police obtained the information.”

Making no effort to conceal the fact that its decision departed from “uniform” federal jurisprudence on the issue, the court ruled in favor of the defendant’s “informational privacy.” Even though the U.S. Supreme Court “consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,” the New Jersey court continued a trend apparent in a number of past New Jersey cases which provide an individual with the right to control “the acquisition or release of information about oneself.” In New Jersey, this right to informational privacy is derived from an implied right of privacy found in the state’s constitution, and has manifested itself in past decisions involving a right to privacy in telephone records, bank records, and garbage left out for pickup.

Because the defendant had a reasonable expectation of privacy in her identity linked to the Comcast IP address, the state was required to get a valid subpoena before obtaining that information. Without the valid subpoena, the defendant’s rights were violated, and the evidence was properly excluded.

So does this mean that Internet subscriber information held by ISPs in New Jersey can never be revealed to law enforcement? No. But the court instructed “that information concerning the identity of an internet user can only be obtained by law enforcement through some means of judicial process.” All it takes is a valid subpoena.

State v. Reid, — A.2d —-, 2007 WL 135685 (N.J.Super.A.D., Jan. 22, 2007)

Parties must use neutral forensics examiner in file-sharing case

Case highlights important privacy interests in electronic discovery dispute.

From Ray Beckerman, we learn of the U.S. District Court for the Eastern District of Texas’s decision on a motion to compel discovery filed by the recording industry against an accused file-sharer. While the defendant will have to submit her hard drive for forensic examination to see whether she had any copyrighted sound recordings stored on it, she will not have to turn it over to the recording industry’s forensic expert.

Instead, seeking to “balance the legitimate interests of both sides,” the court ordered the parties to select a neutral computer forensics expert to conduct the inspection. Such an approach, the court found, would protect the disclosure of the defendant’s personal information, such as personal correspondence, household financial matters, school homework, and perhaps attorney-client privileged information.

Although in theory this sounds like a reasonable approach to protect the confidentiality of the defendant’s information, one could be troubled by a particular part of the court’s decision. The order states that “the Plaintiffs shall have the right to suggest hard drive search methodologies to the neutral expert and the expert shall make every effort to utilize those methodologies.”

But there is nothing in the order giving the defendant the right or opportunity to object to those methodologies. With an obligation to “make every effort” to comply with the suggestions of the plaintiffs, just how neutral is that forensic examiner really going to be?

Sony BMG Music Entertainment et al. v. Arellanes, No. 05-CV-328 (E.D. Tex., October 27, 2006).

Government couldn’t track location of cell phone without probable cause

In the case of In the Matter of the Application of the United States of America for an Order Authorizing the Disclosure of Prospective Cell Site Information, the U.S. District Court for the Eastern District of Wisconsin denied the government’s application for disclosure of “cell [s]ite information” pursuant to the Stored Communications Act (SCA), 18 U.S.C. § 2703, and the pen register statute, 18 U.S.C. § 3122.

The government sought cell site information so that it could track the general whereabouts of a criminal suspect. Cell site information is a record of the cell towers a cell phone connects to while the phone is turned on. With cell site information, the government can determine the location of a suspect possessing the cell phone. For more information on the technical aspects of cell site information, refer to this Wikipedia article.

The court noted at the outset that the issue in the case was not whether the government could obtain cell site information (it can), but rather what standard the government must meet to obtain such information. As a preface to the analysis of that issue, the court set out the three ways the government generally may access information related to telephone usage.

First, the government can listen in on calls if it shows probable cause and obtains a “super-warrant” under 18 U.S.C. §2518(3). Second, if it seeks records pertaining to a subscriber to an electronic communications service, it must show “specific and articulable facts” showing the records are relevant and material to the investigation. (See the Stored Communications Act at 18 U.S.C. §2703.) Third, the government can proceed under 18 U.S.C. §3122(b)(2) (the “pen register statute”) to obtain the numbers dialed from a phone or the numbers from which calls are made to a target phone.

The government claimed that by seeking cell site information, which included information about the towers used by the suspect’s phone and a map of tower locations, it was not requesting precise tracking information. Because it would only be able to determine the general neighborhood of the suspect, the government argued that the proper standard for obtaining the information should be “likely to be relevant” or “specific and articulable facts,” rather than the higher standard of “probable cause.”

The court rejected the government’s argument, citing to the Communications Assistance for Law Enforcement Act (“CALEA”). CALEA expressly prohibits the government from obtaining “information that may disclose the physical location of the subscriber” except where the probable cause standard has been met. Although the text of CALEA does not indicate how granular the term “physical location” is to be interpreted, the court held that the general geographical location revealed by cell site information clearly is a “physical location.” Accordingly, the “probable cause” standard was appropriate.

The government had not met its burden, so the request was denied.

In the Matter of the Application of the United States of America for an Order Authorizing the Disclosure of Prospective Cell Site Information, 2006 WL 2871743 (E.D. Wis., October 6, 2006).

No reasonable expectation of privacy in files on work computer

Defendant Ziegler was arrested after his employer’s ISP tipped off the FBI that he was accessing some illegal pornographic websites while at work. At the trial court level, the defendant moved to suppress evidence obtained from his office computer, arguing that it had been searched in violation of his Fourth Amendment rights.

The court denied the motion to suppress, and the defendant sought review. On appeal, the Ninth Circuit affirmed. It held that given the circumstances, the defendant did not have a reasonable expectation of privacy in his work computer or the files contained on its hard drive.

Although it was undisputed that the defendant had a subjective expectation of privacy in the contents of the hard drive — the computer was password protected and kept in a locked office — the relevant inquiry was whether he had an objectively reasonable expectation of privacy. For a number of reasons, the Ninth Circuit held that such an expectation had been defeated.

Most significantly, the employer’s IT department had a policy of routinely monitoring the traffic crossing the company’s firewall, and had full administrative access to all computers in the facility. The defendant did not demonstrate that he was unaware of that monitoring policy. (A defendant bears the burden of showing a reasonable expectation of privacy. U.S. v. Caymen, 404 F.3d 1196 (9th Cir. 2005)).

The court looked to a number of other cases to support its conclusion. It readily endorsed the district court’s reliance on U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000), a case with similar facts. It also embraced the holding of a California case called TBG Ins. Serv. Corp. v. Superior Court, 117 Cal.Rptr.2d 155 (Cal. Ct. App. 2002), to note that “community norms” tolerate employee monitoring of computer activity, so that companies can, for example, avoid liability for permitting a hostile work environment. These social norms “effectively diminish the employee’s reasonable expectation of privacy.”

U.S. v. Ziegler, — F.3d —-, 2006 WL 2255688 (9th Cir., August 8, 2006).