Stored Communications Act not violated by viewing website readily accessible to the general public

You’ve really got to commend Michael Snow for his creative thinking. A few years ago, DirecTV sued Snow in Florida federal court, alleging that he had illegally intercepted DirecTV’s satellite signal. The case was dismissed, but Snow apparently held a grudge.

Not being satisfied with merely setting up a gripe site to air his grievances against DirecTV and so-called “corporate extortion,” Snow went a step further. He set up a “private support group” website for “individuals who have been, are being, or will be sued by any Corporate entity.” The language on the home page expressly forbade access “by DIRECTV and its agents.” To actually visit the site, you had to establish a username and password, and enter into a click-wrap agreement wherein you promised you had nothing to do with DirecTV.

Some employees of DirecTV as well as some attorneys from a couple of the firms that had represented DirecTV found Snow’s site and, notwithstanding the prohibition against their entry, signed up and went on in. After Snow discovered this “unauthorized” access, he filed suit against DirecTV and its law firms, alleging that the defendants had unlawfully accessed the stored web pages in violation of the Stored Communications Act, 18 U.S.C. §2701 et seq.

The U.S. District Court for the Middle District of Florida tossed out Snow’s suit on a motion to dismiss for failure to state a claim upon which relief could be granted. It held that the pages of the website were not “in electronic storage,” and thus could not be protected from unauthorized access under the Stored Communications Act. On appeal, the Eleventh Circuit affirmed the dismissal, but on different grounds.

The Electronic Communications Privacy Act provides that “[i]t shall not be unlawful . . . for any person – (1) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

The court held that the way Snow had set up the entry page of his site was not sufficient to take it out of the class of electronic communications that are “readily accessible to the general public.” Apparently, the mechanism Snow had established to exclude certain people was too passive.

Unlike the case of Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), which was a case involving a site where users had to demonstrate knowledge not publicly available in order to gain access, Snow’s site employed a mere “self-screening methodology” by which “unintended users would voluntarily excuse themselves.” The court indicated that Snow needed a stronger safeguard than the honor-system method he used. “A short simple statement that the plaintiff screens the registrants before granting access may have been sufficient to infer that the website was not configured to be readily accessible to the general public.”

So the key seems to lie in the screening process. The case doesn’t provide a whole lot of guidance on what level of screening is necessary to make a site off-limits to the general public. Nonetheless, the holding of the case, along with the holding of Konop, seems to indicate that it’s easier from a legal standpoint to partition off a portion of the Internet for a specific crowd, rather than open it up to everyone while excluding just a few individuals.

Snow v. DirecTV, Inc., — F.3d —, 2006 WL 1493817 (11th Cir., June 1, 2006).

Joe Gratz has a great post on the case, and his blog (which is very interesting, by the way) is where I first learned of the decision.

Apple v. Does it mean anything?

You can almost literally hear the buzz from today’s California Court of Appeal ruling in the Apple v. Does case. The champagne is probably flowing at the EFF after the court’s holding that (for the time being) in California, web publishers (this probably includes bloggers) do not have to reveal their confidential sources when they get a news scoop.

Think back. When was the last time you got a secret e-mail from a company insider and posted it to your blog? It’s been awhile, right? So what does the case mean for the run-of-the-mill blogger or web publisher?

I say that the part of the case everyone’s all excited about really doesn’t mean that much.

There is a part of the case, however, that is quite relevant to everyday Internet users. The court gave a detailed analysis of how the federal Stored Communications Act (18 U.S.C. §§2701 – 2712) (“SCA”) requires e-mail messages saved on an ISP’s server to remain undisclosed in the face of a third party civil subpoena.

Here are the basics of the SCA analysis:

In 2004, someone at Apple Computer apparently sent a few e-mails containing confidential details of an unreleased Apple product to the publishers of some Mac enthusiast websites. The publishers of the sites posted the information about the anticipated product, thereby disclosing some of Apple’s trade secrets.

Apple filed suit, and naturally wanted to know who had leaked the information. It issued subpoenas to the e-mail service provider on whose server the surreptitious e-mails were stored, demanding to know the contents of the e-mail messages.

The web publishers asked the trial court for a protective order to prevent the disclosure of the messages, because they wanted to protect their confidential sources. The trial court denied the motion, however, because the publishers had involved themselves in the unlawful misappropriation of a trade secret.

On appeal, the publishers argued, among other things, that the e-mail service provider could not comply with the subpoena without violating the SCA. The Court of Appeal agreed, and reversed the trial court.

The SCA provides, in relevant part, that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service . . . .” It’s a fancy way of saying that an ISP can’t turn over server copies of e-mail messages. But like any good law enacted by Congress, there are some exceptions.

An ISP can turn over stored communications to a third party, for example, when doing so is “incidental to the protection of the rights or property of the service provider.” Apple argued that this exception should apply, and that the subpoena should be enforced, because failing to comply with the subpoena would subject the service provider to contempt proceedings, thus placing the provider’s property at risk. Read that sentence again. Yep, the court thought that was a circular argument too. And it made no effort to conceal the flaw in logic: “the antecedent assumes the consequents.”

Did you notice that I linked to Wikipedia just then? The court relied on Wikipedia as well in its opinion — no less than ten times! [More on Wikipedia and the courts.]

In any event, the court rejected Apple’s various arguments that the SCA would not prohibit disclosure of the stored e-mail messages. For example, it disagreed with Apple’s argument that there must be an implied exception in the SCA for disclosure of e-mail messages pursuant to a civil subpoena.

The court went on for several pages addressing this argument, analyzing the plain meaning of the SCA, and delving into the policy reasons for its enactment. It concluded that Congress “reasonably decide[d]” that email service providers are a “kind of data bailee to whom email is trusted for delivery and secure storage. . . .”

So at the end of the day, the case is no doubt interesting. Whether the heady First Amendment issues mean anything to the average blogger is not obvious. But the SCA part of the holding is at least refreshing, especially in light of all the other threats to personal privacy looming large recently.

There is plenty of commentary on this case out there already. Try Denise Howell, Joe Gratz, and the EFF for starters.

H&R Block can proceed with its suit over unauthorized access to customer data

In early 2005, H&R Block noticed a strange new pattern. It began getting an unusual amount of bulk garnishment orders from defendant J&M Securities, a debt buyer, requiring H&R Block to withhold portions of some of its clients’ tax refunds. In light of the detail supporting the garnishment orders, Block believed that J&M “could not possibly have gathered Block’s clients’ income tax information … without improperly accessing and obtaining Block’s confidential information.”

Block filed suit against J&M, alleging several claims, including violations of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2701 and 2707. (This portion of the Wiretap Act is also commonly referred to as the Stored Communications Act.) J&M moved to dismiss, arguing, among other things, that H&R Block had failed to properly allege its claims under the ECPA. The court denied J&M’s motion to dismiss.

J&M had argued that Block should not be permitted to plead “access by inference” to the confidential stored communications. Applying the liberal pleading standards used in Federal litigation, the court held that Block had sufficiently placed J&M on notice that Block was alleging unauthorized access. The court went on to hold that “finding the fact of ‘access’ or ‘no access’ [was] a task for discovery, summary judgment, and trial.”

The court essentially instructed J&M how to argue a summary judgment motion it could file after discovery. It observed that “[J&M’s] best argument is that [Block] is not a provider of an ‘electronic communication service,’ and thus the ECPA does not regulate access to [Block’s] facility.”

In support of that observation, the court cited to the cases of In re JetBlue Airways Corp. Privacy Litigation, 379 F.Supp.2d 299 (E.D.N.Y. 2005), In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001), and Crowley v. Cybersource Corp., 166 F.Supp.2d 1263 (N.D.Cal. 2001). Each of those cases indicated that a provider of web services is not the same as a provider of an electronic communication service.

Nonetheless, the court fell short of holding that Block was not a provider of an electronic communication service, concluding that such a holding would be “premature,” and would require “speculation about the nature of [Block’s] role in electronic communication.” The court denied the motion to dismiss as to the ECPA claim.

H&R Block Eastern Enterprises, Inc. v. J&M Securities, LLC, (Slip Op.) 2006 WL 1128744 (W.D. Mo., April 24, 2006).

Company had no standing to challenge discovery on behalf of anonymous defamers

After seeing what it believed to be defamatory statements about it on Yahoo! Finance and Silicon Investor message boards, plaintiff Matrixx Initiatives, Inc. (“Matrixx”) filed a lawsuit against several “John Doe” defendants. Through information obtained from Yahoo!, Matrixx determined that certain of the alleged defamatory statements were posted with computers owned by Barbary Coast Capital Management. Matrixx took the deposition of one Mr. Worthington, the manager of Barbary Coast, asking him to identify the anonymous Internet users who posted the alleged defamatory statements. Worthington refused.

Matrixx filed a motion to compel Worthington to answer the questions, and the trial court granted the motion. Worthington and Barbary Coast sought review, arguing that the posters’ First Amendment right to speak anonymously should prohibit the disclosure of their identities. On appeal, the court affirmed the decision of the lower court, holding that Worthington and Barbary Coast did not have standing to invoke the anonymous posters’ First Amendment rights.

In reaching its decision, the court distinguished two other cases in which the recipient of a subpoena did have standing to challenge the unmasking of another person. In the cases of In re Subpoena Duces Tecum to America Online, Inc., 2000 WL 1210372 (Va. App. 2000), and In re Verizon Internet Services, 257 F.Supp.2d 244 (D.D.C. 2003)(both cases reversed on other grounds), Internet service providers did not have to identify anonymous customers pursuant to subpoenas served on the ISPs. In each of these cases, the courts held that the ISPs had standing to assert the customers’ rights to remain anonymous, because the customer relationships were sufficiently close. In this case, however, the court held that “by contrast, we are presented with no ‘close relationship’ — or, indeed, any relationship — between appellants and the individuals for whom they are seeking First Amendment protection.”

Matrixx Initiatives, Inc. v. Doe, — Cal.Rptr.3d —, 2006 WL 999933 (Cal.App. 6 Dist, April 18, 2006).

File sharers now have even more to fear

Decision confirms that illegal P2P users can expect to get sued many miles from home.

The United States District Court for the District of Columbia has handed another procedural victory to plaintiff record companies in a copyright infringement suit relating to music traded over P2P networks. The court ruled that it had personal jurisdiction over an out-of-state accused file-sharer merely because the defendant offered sound recordings to the public and was able to download recordings made available by others.

Plaintiff record companies filed suit against 35 John Doe defendants, identifying those defendants by their IP addresses and the songs they were accused of illegally distributing. John Doe #18, who was notified of the suit by his ISP Verizon, asked the court to dismiss the case for lack of personal jurisdiction, arguing that he did not have sufficient contacts with the District of Columbia.

The court denied John Doe #18’s motion to dismiss. For one thing, the motion was premature. “Simply, the parties [could not] formally litigate any aspect of personal jurisdiction until the defendant [had] actually been identified.” Without knowing who the defendant was, the court could not tell whether it had jurisdiction.

As it turns out, the prematurity of the motion was inconsequential. The court held that, anonymous or not, the plaintiffs established that the court had personal jurisdiction over John Doe #18. By simply contracting with Verizon, a “District of Columbia-based ISP,” and using a Verizon facility to trade files, John Doe #18 was “transacting business” in the District, and caused tortious injury in the District.

Further, by simply making files available for download by others through his file-sharing software, and being able to download other files, John Doe #18 “clearly directed tortious activity into the District of Columbia.”

Finally, citing to the case of Gorman v. Ameritrade Holding Corp., 293 F.3d 506 (D.C.Cir. 2002), and the famous case of Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119, (W.D.Pa.1997), the court held that John Doe #18’s computer was “transformed . . . into an interactive Internet site.” This “interactivity” provided the sort of “continuous” and “systematic” contacts with the forum sufficient to support personal jurisdiction over the defendant.

Virgin Records America, Inc. v. Does 1-35, Slip Copy, 2006 WL 1028956 (D.D.C., April 18, 2006).

Kansas Supreme Court overturns conviction because hard drive was searched without valid warrant

Agents of the Kansas State Gaming Agency visited Zeke Rupnick in his office, and questioned him about allegations that he was illegally in possession of confidential business information. The agents seized his laptop computer, and a magistrate in a different county issued a warrant authorizing the search of the hard drive’s contents. Rupnick was convicted of felony computer crime based on the evidence obtained from the laptop.

Before trial, Rupnick sought to suppress the evidence contained on the computer, claiming violation of his Fourth Amendment rights. The trial court denied the motion to suppress. Rupnick sought review with the Kansas Supreme Court, which overturned the conviction.

The court held that the initial seizure of the laptop computer from Rupnick’s office without a warrant was justified, on the basis of probable cause plus the exigent circumstances presented by the possibility that Rupnick could easily delete the relevant data. The later warrant and search of the laptop, however, provided the basis for the reversal of the conviction.

The court began its analysis of the legality of the search by answering the question, which was one of first impression before the court, of whether a warrant must be obtained before the government may search the contents of a personal computer. In answering the question in the affirmative, the court looked to the Tenth Circuit cases of U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999) and U.S. v. Walser, 275 F.3d 981 (10th Cir. 2001).

In this case, the agents had indeed obtained a warrant before searching the contents of the laptop’s hard drive. However, the warrant failed to comply with the relevant Kansas statute (K.S.A. 22-2503), which requires that the search warrant be executed in the judicial district in which the magistrate judge resides. Because the magistrate that issued the warrant did not reside in the county in which the warrant was executed (i.e., where the search of the hard drive was made), the warrant was invalid, and the search was unlawful.

Despite the government’s argument that the defect in the warrant was a mere “technical irregularity,” the court strictly enforced the statute. The felony conviction was reversed and remanded for further proceedings.

State v. Rupnick, — P.3d —, 2005 WL 3439897 (Kan., December 16, 2005).

[Text of opinion]

Unauthorized use of username and password not a “circumvention” under DMCA

The recent case of Egilman v. Keller & Heckman LLP addressed a close question arising under a provision of the Digital Millennium Copyright Act (“DMCA”) found at 17 U.S.C. § 1201. The issue was whether accessing a computer system through the unauthorized use of a valid username and password constitutes an unlawful circumvention of a technological measure. The court held that such conduct is not “circumvention,” and thus not a violation of the DMCA.

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site. He filed suit in federal court asserting, among other things, that the use of the unauthorized username and password was an illegal circumvention of a technological measure, in violation of 17 U.S.C. § 1201.

One defendant moved to dismiss for failure to state a claim, and the others moved for judgment on the pleadings. The court granted the motions.

An essential fact that drove the court’s holding was that the username and password which the defendants allegedly used were the actual username and password which the plaintiff had chosen to protect his website from unauthorized access. For this reason, the defendants were alleged to have merely “used” the technological measure put in place by the plaintiff, and not to have “circumvented” the measure. The court specifically adopted the language and analysis of the case of I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521 (S.D.N.Y. 2004), a case with similar facts and issues.

Quoting from I.M.S., the court stated:

Whatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.

The court went so far as to say:

It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained. (Emphasis added.)

With this last statement, namely, that the means by which the username and password are obtained is irrelevant, did the court adjudicate a loophole in Section 1201? What if a defendant uses technological means to guess a username and crack a password? In that case, the defendant would ultimately be using the plaintiff’s intended username and password, and thus, according to the court, would merely be “using” and not “circumventing” a technological measure. In such a case, could one really say that for purposes of a Section 1201 analysis, how a username and password are obtained is irrelevant?

Egilman v. Keller & Heckman, LLP, — F.Supp.2d —, 2005 WL 3077260 (D.D.C., November 10, 2005).

[Text of opinion]



Delaware decision defines standards for protecting anonymous Internet speech

The recent case of Doe v. Cahill, coming to us from the Supreme Court of Delaware, illustrates a court’s willingness to ensure adequate safeguards to protect anonymous speech on the Internet.

In September of 2004, an anonymous visitor to a Smyrna, Delaware community weblog posted comments about city councilman Patrick Cahill, which Cahill believed to be damaging to his reputation. Cahill filed a defamation lawsuit. Because he did not know the identity of the anonymous commenter, he filed suit against “John Doe,” and began procedures under Delaware law to discover Doe’s true identity. Cahill learned that Doe used Comcast as an Internet service provider, and obtained a court order requiring Comcast to disclose Doe’s real name.

As required by the federal Cable Communications Policy Act of 1984, at 47 U.S.C. §551(c)(2), Comcast notified Doe of the request for information about his identity. [More on the Cable Communications Policy Act.] In response, Doe sought an emergency protective order to bar Comcast from turning over his information. The trial court denied Doe’s request for a protective order, and held that Cahill could obtain Doe’s identity from Comcast. Doe appealed directly to the Delaware Supreme Court. On appeal, the Court reversed the lower court’s decision.

The Supreme Court determined that the trial court had applied too low a standard in testing whether Comcast should be ordered to turn over Doe’s identity. The trial court had applied a “good faith” standard, namely, that disclosure was warranted because Cahill had established through his pleadings that he had a legitimate, good faith basis on which to bring the defamation claim.

The Supreme Court held that such a low standard was not sufficient to protect one’s right to speak anonymously. The lower, good faith standard might encourage meritless lawsuits brought merely to uncover the identities of anonymous critics. Accordingly, the Supreme Court adopted a standard “that appropriately balances one person’s right to speak anonymously against another person’s right to protect his reputation.”

The Court held that before a defamation plaintiff can obtain the identity of an anonymous defendant through the compulsory discovery process, he must come forth with facts sufficient to defeat a summary judgment motion. Said another way, before a Delaware court will order an anonymous speaker to be unmasked, the plaintiff has to present evidence creating a genuine issue of material fact for each element of the defamation claim.

Applying that standard to the present case, the court held that “no reasonable person could have interpreted [Doe’s] statements to be anything other than opinion.” The court observed that its conclusion was supported by the “unreliable nature of assertions posted in chat rooms and on blogs.” The case was dismissed.

Doe v. Cahill, — A.2d —, 2005 WL 2455266 (Del., October 5, 2005).
[Full text of decision in PDF]

Florida appellate court issues ruling on electronic discovery

Administrative law judge’s discovery order permitting “access to literally everything” on petitioner’s computer did not adequately protect against disclosure of confidential and privileged information.

After being suspended from his job as a school teacher, petitioner Menke was placed under investigation for alleged misconduct. In a formal proceeding against Menke before Florida’s Division of Administrative Hearings, the school board sought discovery of all of the computers in Menke’s household. The board requested that its retained computer expert be allowed to inspect Menke’s computers in a laboratory, so that it could search for improper instant messages.

Menke objected to the discovery request on the grounds that such a wholesale inspection of his computers would violate his Fifth Amendment right and his right of privacy, and would reveal privileged communications with his wife, attorneys, accountants, clergy, or doctors.

Over Menke’s objections, the administrative law judge granted the motion to compel production of the computers for inspection. Menke sought review with the Florida appellate court, which quashed the discovery order.

The appellate court looked to the only other Florida appellate court decision relating to electronic discovery, Strasser v. Yalamanchi, 669 So.2d 1142 (Fla.App.1996), noting that the relevant rules of procedure were broad enough to encompass requests to examine computer hard drives, but only in limited and strictly controlled circumstances. The court concluded that permitting unlimited access to everything on a computer would constitute irreparable harm, because it would expose confidential and privileged information to the opposing party.

The court continued by noting that in cases where there is a need for access to electronically stored information, searching for such data should first be done by the party responding to the discovery request, unless there is evidence of data destruction designed to prevent the discovery of relevant evidence.

In this case, there was no evidence of any destruction of evidence or thwarting of discovery. The court sent the matter back to the administrative body, allowing the school board to request that Menke produce relevant, non-privileged, information. In the court’s words, Menke was not required to provide unfettered access to the entire “electronic filing cabinet” that was his computers.

Menke v. Broward County School Bd., — So.2d —-, 2005 WL 2373923 (Fla.App., Sep 28, 2005).

Personal e-mail sent by government employees at work protected from disclosure under Colorado Open Records Act

Decision maintains privacy of communications between alleged philandering boss and employee.

In 2002, the Board of Commissioners of Arapahoe County, Colorado hired a private investigator to prepare a report on alleged misconduct of Tracy Baker, the Arapahoe County Clerk and Recorder. The investigator’s report contained, among other things, copies of numerous e-mail messages between Baker and one of his employees. Many of the messages contained “sexually explicit and/or romantic content.”

The Denver Publishing Company, owner of the Rocky Mountain News, requested a copy of the report containing the e-mail messages. Instead of complying with the newspaper’s request, the Board of Commissioners filed a legal action, asking the court to determine whether the requested items could be released. The newspaper intervened, claiming that the e-mail messages had to be released to the public under the Colorado Open Records Act, C.R.S. §24-72-201 et seq. (“CORA”). The district court agreed, and ordered disclosure of the full report, including the salacious e-mail messages.

Baker and the employee sought review of the district court’s decision. The appellate court reversed, holding that although the e-mail messages were “public records” as defined under CORA, they should not be released because of their authors’ constitutional right to privacy. The Denver Publishing Company appealed the decision to the Colorado Supreme Court, which affirmed in part and reversed in part.

The Supreme Court held that the appellate court had properly concluded the e-mail messages should not be disclosed, but arrived at that conclusion on different grounds. Instead of invoking a constitutional privacy concern to bar disclosure, the court held that the definition of “public records” under CORA does not include private e-mail correspondence like the messages at issue in the case.

Under the statute, “public records” include “writings made, maintained or kept . . . [by the government] . . . for use in the exercise of functions required or authorized by law or administrative rule or involving the receipt or expenditure of public funds.”

The court noted that the inquiry in the case was content-driven: “The content of the messages must address the performance of public functions or the receipt of and expenditure of public funds. Insofar as the messages do not, they remain non-public and outside the scope of CORA.” In this case, the messages at issue were made, maintained or kept by the governmental agency. However, given the content, it was clear that they were not made in connection with official public business. Accordingly, the records were protected from public disclosure.

The Denver Publishing Co. v. Board of County Comm., — P.3d —, 2005 WL 2203157 (Colo., September 12, 2005).

Posts navigation

1 2 3 8 9 10 11 12