Category Archives: Privacy

Parties must use neutral forensics examiner in file-sharing case

Case highlights important privacy interests in electronic discovery dispute.

From Ray Beckerman, we learn of the U.S. District Court for the Eastern District of Texas’s decision on a motion to compel discovery filed by the recording industry against an accused file-sharer. While the defendant will have to submit her hard drive for forensic examination to see whether she had any copyrighted sound recordings stored on it, she will not have to turn it over to the recording industry’s forensic expert.

Instead, seeking to “balance the legitimate interests of both sides,” the court ordered the parties to select a neutral computer forensics expert to conduct the inspection. Such an approach, the court found, would protect the disclosure of the defendant’s personal information, such as personal correspondence, household financial matters, school homework, and perhaps attorney-client privileged information.

Although in theory this sounds like a reasonable approach to protect the confidentiality of the defendant’s information, one could be troubled by a particular part of the court’s decision. The order states that “the Plaintiffs shall have the right to suggest hard drive search methodologies to the neutral expert and the expert shall make every effort to utilize those methodologies.”

But there is nothing in the order giving the defendant the right or opportunity to object to those methodologies. With an obligation to “make every effort” to comply with the suggestions of the plaintiffs, just how neutral is that forensic examiner really going to be?

Sony BMG Music Entertainment et al. v. Arellanes, No. 05-CV-328 (E.D. Tex., October 27, 2006).

Government couldn’t track location of cell phone without probable cause

In the case of In the Matter of the Application of the United States of America for an Order Authorizing the Disclosure of Prospective Cell Site Information, the U.S. District Court for the Eastern District of Wisconsin denied the government’s application for disclosure of “cell [s]ite information” pursuant to the Stored Communications Act (SCA), 18 U.S.C. § 2703, and the pen register statute, 42 U.S.C. § 3122.

The government sought cell site information so that it could track the general whereabouts of a criminal suspect. Cell site information is a record of the cell towers a cell phone connects to while the phone is turned on. The government, with cell cite information, can determine the location of a suspect possessing the cell phone. For more information on the technical aspects of cell site information, refer to this Wikipedia article.

The court noted at the outset that the issue in the case was not whether the government could obtain cell site information (it can), but rather what standard the government must meet to obtain such information. As a preface to the analysis of that issue, the court set out the three ways the government generally may access information related to telephone usage.

First, the government can listen in on calls if it shows probable cause and obtains a “super-warrant” under 18 U.S.C. §2518(3). Second, if it seeks records pertaining to a subscriber to an electronic communications service, it must show “specific and articulable facts” showing the records are relevant and material to the investigation. (See the Stored Communications Act at 18 U.S.C. §2703.) Third, the government can proceed under 18 U.S.C. §3122(b)(2) (the “pen register statute”) to obtain the numbers dialed from a phone or the numbers from which calls are made to a target phone.

The government claimed that by seeking cell site information, which included information about the towers used by the suspect’s phone and a map of tower locations, it was not requesting precise tracking information. Because it would only be able to determine the general neighborhood of the suspect, the government argued that the proper standard for obtaining the information should be “likely to be relevant” or “specific and articulable facts,” rather than the higher standard of “probable cause.”

The court rejected the government’s argument, citing to the Communications Assistance for Law Enforcement Act (“CALEA”). CALEA expressly prohibits the government from obtaining “information that may disclose the physical location of the subscriber” except where the probable cause standard has been met. Although the text of CALEA does not indicate how granular the term “physical location” is to be interpreted, the court held that the general geographical location revealed by cell site information clearly is a “physical location.” Accordingly, the “probable cause” standard was appropriate.

The government had not met its burden, so the request was denied.

In the Matter of the Application of the United States of American for an Order Authorizing the Disclosure of Prospective Cell Site Information, 2006 WL 2871743 (E.D. Wis., October 6, 2006).

No reasonable expectation of privacy in files on work computer

Defendant Ziegler was arrested after his employer’s ISP tipped off the FBI that he was accessing some illegal pornographic websites while at work. At the trial court level, the defendant moved to suppress evidence obtained from his office computer, arguing that it had been searched in violation of his Fourth Amendment rights.

The court denied the motion to suppress, and the defendant sought review. On appeal, the Ninth Circuit affirmed. It held that given the circumstances, the defendant did not have a reasonable expectation of privacy in his work computer or the files contained on its hard drive.

Although it was undisputed that the defendant had a subjective expectation of privacy in the contents of the hard drive — the computer was password protected and kept in a locked office — the relevant inquiry was whether he had an objectively reasonable expectation of privacy. For a number of reasons, the Ninth Circuit held that such an expectation had been defeated.

Most significantly, the employer’s IT department had a policy of routinely monitoring the traffic crossing the company’s firewall, and had full administrative access to all computers in the facility. The defendant did not demonstrate that he was unaware of that monitoring policy. (A defendant bears the burden of showing a reasonable expectation of privacy. U.S. v. Caymen, 404 F.3d 1196 (9th Cir. 2005)).

The court looked to a number of other cases to support its conclusion. It readily endorsed the district court’s reliance on U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000), a case with similar facts. It also embraced the holding of a California case called TBG Ins. Serv. Corp. v. Superior Court, 117 Cal.Rptr.2d 155 (Cal. Ct. App. 2002), to note that “community norms” tolerate employee monitoring of computer activity, so that companies can, for example, avoid liability for permitting a hostile work environment. These social norms “effectively diminish the employee’s reasonable expectation of privacy.”

U.S. v. Ziegler, — F.3d —-, 2006 WL 2255688 (9th Cir., August 8, 2006).

Eleventh Circuit almost lets Section 230 preempt right of publicity claim

In the recent case of Almeida v. Amazon.com, Inc., the Eleventh Circuit Court of Appeals came close to issuing an interesting ruling in a case involving immunity under the Communications Decency Act, at 47 U.S.C. §230. At issue was whether Section 230 provided immunity to Amazon.com in a suit brought against it alleging violation of the plaintiff’s right to publicity.

A photograph of plaintiff Almeida appeared on the cover of a book that Amazon.com offered for sale online. Almeida filed suit claiming, among other things, that she had not authorized the use of the photograph in the way it appeared on the cover of the book. Accordingly, Almeida argued, Amazon.com had violated Florida’s right of publicity statute, Fla. Stat. §540.08.

The district court granted summary judgment in favor of Amazon.com, holding that Section 230 preempted the state right of publicity claim. On review, the appellate court affirmed summary judgment, but disagreed that Section 230 applied.

The lower court had decided on its own (without Amazon.com making the argument) that Section 230 preempted the right of publicity claim. As any loyal reader of this weblog knows, Section 230 provides, in relevant part, that

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

Because Almeida was pursuing a claim against Amazon.com for information (the photo) provided by a third party, the district court held that Amazon.com could not be the “publisher or speaker” of that information, and therefore not liable.

The district court did not consider, however, 47 U.S.C. §230(e)(2), which states that “[n]othing in this section shall be construed to limit or expand any law pertaining to intellectual property.” Almeida argued on appeal that her right of publicity claim was one sounding in intellectual property, and thus should have been unaffected by Section 230 immunity.

And the appellate court came oh-so-close to agreeing with Almeida on this point. But it found a way around having to answer the question of whether Section 230 provides immunity for right of publicity claims: Almeida’s claim would have failed anyway. Because it was clear from the complaint that Amazon did not use Almeida’s image for “trade, commercial, or advertising purposes,” there was no violation of the right of publicity as defined by the Florida statute.

Almeida v. Amazon.com, Inc., (Slip Op.) — F.3d —-, 2006 WL 1984448 (11th Cir., July 18, 2006).

This content originally posted by Evan Brown to InternetCases.com.

Blogger does not have to disclose information obtained in investigation for story

A recent decision from the United States District Court for the Northern District of Illinois in the case of Bond v. Utreras examines the scope of discovery available from a nonparty who may have information relating to a matter. What makes the case provocative is that the party from whom discovery was sought is a blogger. Unlike the recent California Court of Appeal decision in O’Grady v. Superior Court, 139 Cal.App.4th 1423 (May 26, 2006), the Bond case does not implicate the doctrine of journalistic privilege. It does, however, demonstrate a court’s willingness to favor the confidentiality of facts obtained by one investigating a story. The court recognized and responded to the chilling effect that could occur if bloggers were routinely required by law to disclose information obtained during the investigative process.

Jamie Kalvern “fancies himself as being a voice of the people in the [Chicago housing] projects.” On the blog The View From the Ground, Kalvern published a multipart post titled “Kicking the Pigeon”, which purported to be an account of alleged misconduct by members of the Chicago Police Department. The post provided a significant amount of detail about a particular incident, and stated that it was based in part on interviews with persons having first hand knowledge.

One of the victims of the alleged misconduct filed a civil rights lawsuit against the police officers involved. During discovery, the defendants deposed Kalvern and served him with a broadly-worded subpoena duces tecum seeking, among other things, documents relating to any allegations of misconduct by police officers at the housing project where the incident is said to have taken place. Because Kelvern refused to answer certain questions at the deposition and failed to produce documents pursuant to the subpoena, the defendants moved to compel. The court denied the motion.

The court cited to the case of McKevitt v. Pallasch, 339 F.3d 530 (7th Cir. 2003) which advised that “rather than speaking of privilege, courts should simply make sure that a subpoena duces tecum directed to the media, like any other subpoena duces tecum, is reasonable in the circumstances, which is the general criterion for judicial review of subpoenas.” Because Kalvern was a nonparty, the court concluded that he should be entitled to somewhat greater protection than would a party in similar circumstances. Mere relevance of the information would not be enough to justify compelling the disclosures the defendants sought.

Although the court did not go so far as to establish a per se rule for heightened protection for journalists, it did acknowledge that Kalvern’s journalistic efforts would be undermined if he got the reputation of being one ready to disclose confidential information. That would ruin his “street cred”. Accordingly, in light of the circumstances, the court held that forcing to comply with the subpoena, and to answer the deposition questions, would be unduly burdensome.

Bond v. Utreras, No. 04-2617, (N.D.Ill., June 27, 2006).

Stored Communications Act not violated by viewing website readily accessible to the general public

You’ve really got to commend Michael Snow for his creative thinking. A few years ago, DirecTV sued Snow in Florida federal court, alleging that he had illegally intercepted DirecTV’s satellite signal. The case was dismissed, but Snow apparently held a grudge.

Not being satisfied with merely setting up a gripe site to air his grievances against DirecTV and so-called “corporate extortion,” Snow went a step further. He set up a “private support group” website for “individuals who have been, are being, or will be sued by any Corporate entity.” The language on the home page expressly forbade access “by DIRECTV and its agents.” To actually visit the site, you had to establish a username and password, and enter into a click-wrap agreement wherein you promised you had nothing to do with DirecTV.

Some employees of DirecTV as well as some attorneys from a couple of the firms that had represented DirecTV found Snow’s site and, notwithstanding the prohibition against their entry, signed up and went on in. After Snow discovered this “unauthorized” access, he filed suit against DirecTV and its law firms, alleging that the defendants had unlawfully accessed the stored web pages in violation of the Stored Communications Act, 18 U.S.C. §2701 et seq.

The U.S. District Court for the Middle District of Florida tossed out Snow’s suit on a motion to dismiss for failure to state a claim upon which relief could be granted. It held that the pages of the website were not “in electronic storage,” and thus could not be protected from unauthorized access under the Stored Communications Act. On appeal, the Eleventh Circuit affirmed the dismissal, but on different grounds.

The Electronic Communications Privacy Act provides that “[i]t shall not be unlawful . . . for any person – (1) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

The court held that the way Snow had set up the entry page of his site was not sufficient to take it out of the class of electronic communications that are “readily accessible to the general public.” Apparently, the mechanism Snow had established to exclude certain people was too passive.

Unlike the case of Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), which was a case involving a site where users had to demonstrate knowledge not publicly available in order to gain access, Snow’s site employed a mere “self-screening methodology” by which “unintended users would voluntarily excuse themselves.” The court indicated that Snow needed a stronger safeguard than the honor-system method he used. “A short simple statement that the plaintiff screens the registrants before granting access may have been sufficient to infer that the website was not configured to be readily accessible to the general public.”

So the key seems to lie in the screening process. The case doesn’t provide a whole lot of guidance on what level of screening is necessary to make a site off-limits to the general public. Nonetheless, the holding of the case, along with the holding of Konop, seems to indicate that it’s easier from a legal standpoint to partition off a portion of the Internet for a specific crowd, rather than open it up to everyone while excluding just a few individuals.

Snow v. DirecTV, Inc., — F.3d —, 2006 WL 1493817 (11th Cir., June 1, 2006).

Joe Gratz has a great post on the case, and his blog (which is very interesting, by the way) is where I first learned of the decision.

Apple v. Does it mean anything?

You can almost literally hear the buzz from today’s California Court of Appeal ruling in the Apple v. Does case. The champagne is probably flowing at the EFF after the court’s holding that (for the time being) in California, web publishers (this probably includes bloggers) do not have to reveal their confidential sources when they get a news scoop.

Think back. When was the last time you got a secret e-mail from a company insider and posted it to your blog? It’s been awhile, right? So what does the case mean for the run-of-the-mill blogger or web publisher?

I say that the part of the case everyone’s all excited about really doesn’t mean that much.

There is a part of the case, however, that is quite relevant to everyday Internet users. The court gave a detailed analysis of how the federal Stored Communications Act (18 U.S.C. §§2701 – 2712) (“SCA”) requires e-mail messages saved on an ISP’s server to remain undisclosed in the face of a third party civil subpoena.

Here are the basics of the SCA analysis:

In 2004, someone at Apple Computer apparently sent a few e-mails containing confidential details of an unreleased Apple product to the publishers of some Mac enthusiast websites. The publishers of the sites posted the information about the anticipated product, thereby disclosing some of Apple’s trade secrets.

Apple filed suit, and naturally wanted to know who had leaked the information. It issued subpoenas to the e-mail service provider on whose server the surreptitious e-mails were stored, demanding to know the contents of the e-mail messages.

The web publishers asked the trial court for a protective order to prevent the disclosure of the messages, because they wanted to protect their confidential sources. The trial court denied the motion, however, because the publishers had involved themselves in the unlawful misappropriation of a trade secret.

On appeal, the publishers argued, among other things, that the e-mail service provider could not comply with the subpoena without violating the SCA. The Court of Appeal agreed, and reversed the trial court.

The SCA provides, in relevant part, that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service . . . .” It’s a fancy way of saying that an ISP can’t turn over server copies of e-mail messages. But like any good law enacted by Congress, there are some exceptions.

An ISP can turn over stored communications to a third party, for example, when doing so is “incidental to the protection of the rights or property of the service provider.” Apple argued that this exception should apply, and that the subpoena should be enforced, because failing to comply with the subpoena would subject the service provider to contempt proceedings, thus placing the provider’s property at risk. Read that sentence again. Yep, the court thought that was a circular argument too. And it made no effort to conceal the flaw in logic: “the antecedent assumes the consequents.”

Did you notice that I linked to Wikipedia just then? The court relied on Wikipedia as well in its opinion — no less than ten times! [More on Wikipedia and the courts.]

In any event, the court rejected Apple’s various arguments that the SCA would not prohibit disclosure of the stored e-mail messages. For example, it disagreed with Apple’s argument that there must be an implied exception in the SCA for disclosure of e-mail messages pursuant to a civil subpoena.

The court went on for several pages addressing this argument, analyzing the plain meaning of the SCA, and delving into the policy reasons for its enactment. It concluded that Congress “reasonably decide[d]” that email service providers are a “kind of data bailee to whom email is trusted for delivery and secure storage. . . .”

So at the end of the day, the case is no doubt interesting. Whether the heady First Amendment issues mean anything to the average blogger is not obvious. But the SCA part of the holding is at least refreshing, especially in light of all the other threats to personal privacy looming large recently.

There is plenty of commentary on this case out there already. Try Denise Howell, Joe Gratz, and the EFF for starters.

H&R Block can proceed with its suit over unauthorized access to customer data

In early 2005, H&R Block noticed a strange new pattern. It began getting an unusual amount of bulk garnishment orders from defendant J&M Securities, a debt buyer, requiring H&R Block to withhold portions of some of its clients’ tax refunds. In light of the detail supporting the garnishment orders, Block believed that J&M “could not possibly have gathered Block’s clients’ income tax information … without improperly accessing and obtaining Block’s confidential information.”

Block filed suit against J&M, alleging several claims, including violations of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2701 and 2707. (This portion of the Wiretap Act is also commonly referred to as the Stored Communications Act.) J&M moved to dismiss, arguing, among other things, that H&R Block had failed to properly allege its claims under the ECPA. The court denied J&M’s motion to dismiss.

J&M had argued that Block should not be permitted to plead “access by inference” to the confidential stored communications. Applying the liberal pleading standards used in Federal litigation, the court held that Block had sufficiently placed J&M on notice that Block was alleging unauthorized access. The court went on to hold that “finding the fact of ‘access’ or ‘no access’ [was] a task for discovery, summary judgment, and trial.”

The court essentially instructed J&M how to argue a summary judgment motion it could file after discovery. It observed that “[J&M’s] best argument is that [Block] is not a provider of an ‘electronic communication service,’ and thus the ECPA does not regulate access to [Block’s] facility.”

In support of that observation, the court cited to the cases of In re JetBlue Airways Corp. Privacy Litigation, 379 F.Supp.2d 299 (E.D.N.Y. 2005), In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001), and Crowley v. Cybersource Corp., 166 F.Supp.2d 1263 (N.D.Cal. 2001). Each of those cases indicated that a provider of web services is not the same as a provider of an electronic communication service.

Nonetheless, the court fell short of holding that Block was not a provider of an electronic communication service, concluding that such a holding would be “premature,” and would require “speculation about the nature of [Block’s] role in electronic communication.” The court denied the motion to dismiss as to the ECPA claim.

H&R Block Eastern Enterprises, Inc. v. J&M Securities, LLC, (Slip Op.) 2006 WL 1128744 (W.D. Mo., April 24, 2006).

Company had no standing to challenge discovery on behalf of anonymous defamers

After seeing what it believed to be defamatory statements about it on Yahoo! Finance and Silicon Investor message boards, plaintiff Matrixx Initiatives, Inc. (“Matrixx”) filed a lawsuit against several “John Doe” defendants. Through information obtained from Yahoo!, Matrixx determined that certain of the alleged defamatory statements were posted with computers owned by Barbary Coast Capital Management. Matrixx took the deposition of one Mr. Worthington, the manager of Barbary Coast, asking him to identify the anonymous Internet users who posted the alleged defamatory statements. Worthington refused.

Matrixx filed a motion to compel Worthington to answer the questions, and the trial court granted the motion. Worthington and Barbary Coast sought review, arguing that the posters’ First Amendment right to speak anonymously should prohibit the disclosure of their identities. On appeal, the court affirmed the decision of the lower court, holding that Worthington and Barbary Coast did not have standing to invoke the anonymous posters’ First Amendment rights.

In reaching its decision, the court distinguished two other cases in which the recipient of a subpoena did have standing to challenge the unmasking of another person. In the cases of In re Subpoena Duces Tecum to America Online, Inc., 2000 WL 1210372 (Va. App. 2000), and In re Verizon Internet Services, 257 F.Supp.2d 244 (D.D.C. 2003)(both cases reversed on other grounds), Internet service providers did not have to identify anonymous customers pursuant to subpoenas served on the ISPs. In each of these cases, the courts held that the ISPs had standing to assert the customers’ rights to remain anonymous, because the customer relationships were sufficiently close. In this case, however, the court held that “by contrast, we are presented with no ‘close relationship’ — or, indeed, any relationship — between appellants and the individuals for whom they are seeking First Amendment protection.”

Matrixx Initiatives, Inc. v. Doe, — Cal.Rptr.3d —, 2006 WL 999933 (Cal.App. 6 Dist, April 18, 2006).

File sharers now have even more to fear

Decision confirms that illegal P2P users can expect to get sued many miles from home.

The United States District Court for the District of Columbia has handed another procedural victory to plaintiff record companies in a copyright infringement suit relating to music traded over P2P networks. The court ruled that it had personal jurisdiction over an out-of-state accused file-sharer merely because the defendant offered sound recordings to the public and was able to download recordings made available by others.

Plaintiff record companies filed suit against 35 John Doe defendants, identifying those defendants by their IP addresses and the songs they were accused of illegally distributing. John Doe #18, who was notified of the suit by his ISP Verizon, asked the court to dismiss the case for lack of personal jurisdiction, arguing that he did not have sufficient contacts with the District of Columbia.

The court denied John Doe #18’s motion to dismiss. For one thing, the motion was premature. “Simply, the parties [could not] formally litigate any aspect of personal jurisdiction until the defendant [had] actually been identified.” Without knowing who the defendant was, the court could not tell whether it had jurisdiction.

As it turns out, the prematurity of the motion was inconsequential. The court held that, anonymous or not, the plaintiffs established that the court had personal jurisdiction over John Doe #18. By simply contracting with Verizon, a “District of Columbia-based ISP,” and using a Verizon facility to trade files, John Doe #18 was “transacting business” in the District, and caused tortious injury in the District.

Further, by simply making files available for download by others through his file-sharing software, and being able to download other files, John Doe #18 “clearly directed tortious activity into the District of Columbia.”

Finally, citing to the case of Gorman v. Ameritrade Holding Corp., 293 F.3d 506 (D.C.Cir. 2002), and the famous case of Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119, (W.D.Pa.1997), the court held that John Doe #18’s computer was “transformed . . . into an interactive Internet site.” This “interactivity” provided the sort of “continuous” and “systematic” contacts with the forum sufficient to support personal jurisdiction over the defendant.

Virgin Records America, Inc. v. Does 1-35, Slip Copy, 2006 WL 1028956 (D.D.C., April 18, 2006).