Category Archives: Privacy

Court orders in camera review of injured plaintiff’s Facebook content

Richards v. Hertz Corp., — N.Y.S.2d —, 2012 WL 5503841 (N.Y.A.D. 2 Dept. November 14, 2012)

Plaintiff sued defendant for personal injury. Defendant saw a photo plaintiff had publicly posted on Facebook of herself skiing. When defendant requested plaintiff to turn over the rest of her Facebook content (presumably to find other like-pictures which would undermine plaintiff’s case), plaintiff sought a protective order. The trial court granted the motion for protective order, but required plaintiff to turn over every photo she had posted to Facebook of herself engaged in a “sporting activity”.

woman skiing

Defendants appealed the entry of the protective order. On review, the appellate court reversed and remanded, finding that defendants had made a showing that at least some of the discovery sought would result in the disclosure of relevant or potentially relevant evidence.

But due to the “likely presence” of private and irrelevant information in plaintiff’s account, the court ordered the information be turned over to the judge for an in camera review prior to disclosure to defendants.

Whether the plaintiff effectively preserved her Facebook account information may be an issue here. The facts go back to 2009. One is left to wonder whether and to what extent plaintiff has not gone back and deleted information from her account which would bear on the nature and extent of her injuries. It goes to show that social media discovery disputes can take on a number of nuances.

Photo courtesy Flickr user decafinata under this Creative Commons license.

Class action against Path faces uphill climb

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D.Cal. October 19, 2012)

uphill path

Earlier this year plaintiff filed a class action lawsuit against photo app provider Path, alleging ten claims relating to Path’s alleged surreptitious collecting of mobile device address books and installation of tracking software. Path moved to dismiss the lawsuit for lack of standing and for failure to state a claim. The court held that plaintiff had standing to pursue the case, but dismissed some of the claims.

Standing

The court found that alleged depletion of “two to three seconds of battery capacity” was de minimus and thus not sufficient to support the injury-in-fact plaintiff was required to show. Citing to the fairly recent case of Krottner v. Starbucks, the court found that the hypothetical threat of future harm due to a security risk to plaintiff’s personal information was insufficient to confer standing. The only basis on which the court found there to be a sufficient claim of injury to support standing was the (hard to believe) claim by plaintiff that he would have to spend $12,500 to pay a professional to remove the Path app and related data from his phone.

The Dismissed Claims

The court dismissed for failure to state a claim (with leave to amend) plaintiff’s claims under the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), California wiretapping statute, state common law privacy, conversion and trespass.

ECPA and California Wiretapping Statute Claim. The court dismissed the ECPA and California Wiretapping Statute claims, finding that the complaint did not allege that Path intercepted any communication contemporaneous with its transmission. At best (from plaintiff’s perspective), it appears that Path gathered information on social networking sites after it was transmitted. And the uploading of the address books does not appear to have qualified as a communication under these statutes.

SCA Claim. The SCA claim failed “on multiple fronts.” Plaintiff was not a provider of electronic communication services and his iPhone was not a facility through which such service was provided. So Path’s alleged access did not come within the prohibition of the SCA. Moreover, the address books were not communications to which the SCA applied, because they were not in “electronic storage” as defined by the SCA, namely, being in temporary, intermediate storage incidental to their electronic transmission. (We see a similar issue in the recent Jennings case from South Carolina.)

State Common Law Privacy. This claim would have required plaintiff to show (1) public disclosure (2) of private facts (3) which would be offensive and objectionable to the reasonable person and (4) which is not of legitimate public concern. The court found there was no public disclosure, only Path’s storage of data on its servers.

Conversion. Under California law, to be successful on a claim of conversion, plaintiff would have had to plead and prove “ownership or right to possession of property, wrongful disposition of the property right and damages.” The court dismissed this claim because plaintiff pled only that Path copied the data, not dispossessing him of it. (As an aside, it’s this very point that underscores my common admonition to copyright maximalists that infringement is not “theft,” because theft involves dispossession. End of digression.)

Trespass. The California common law action of trespass in the computer context requires a plaintiff to show that (1) defendant intentionally and without authorization interfered with plaintiff’s possessory interest in a computer system; and (2) defendant’s unauthorized use proximately resulted in damage to plaintiff. The tort “does not encompass … an electronic communication that neither damages the recipient computer system nor impairs its functioning.” Intel v. Hamidi, 30 Cal.4th 1342 (Cal. 2003). In this case, plaintiff did not allege that the functioning of his mobile device was significantly impaired to the degree that would enable him to plead the elements of a trespass. The court found that any depletion of his mobile device’s finite resources was a de minimis injury. (See the standing analysis above.)

The Remaining Claims

The claims for violations of the California Computer Crime Law, Californa’s Unfair Competition Law (Section 17200), negligence and unjust enrichment remain in the case.

California Computer Crime Law. Based on the limited briefing, the court could not conclude as a matter of law whether Path’s alleged conduct fell outside this statute. The question remains whether providing the app which plaintiff voluntarily downloaded and installed on his iPhone provided undisclosed software code that surreptitiously transferred plaintiff’s data.

Californa’s Unfair Competition Law. This statute prohibits “any unlawful, unfair or fraudulent business act or practice.” The court found that the conduct alleged in the complaint, if true, constituted an unlawful or unfair act or practice within the meaning of the statute. It found that plaintiff had failed to allege any fraudulent practice, but since plaintiff met the first two prongs (unlawfulness and unfairness), the claim survived.

Negligence. Plaintiff alleged that Path owed a duty to plaintiff to protect his personal information and data property and take reasonable steps to protect him from the wrongful taking of such information and the wrongful invasion of privacy. Path allegedly breached this duty by, among other things, accessing and uploading data from plaintiff’s phone, storing that data in an unsecure manner, and transmitting the data to third parties. Path relied on In re iPhone Application Litigation to argue it had no duty to plaintiff. In that decision, Judge Koh held that plaintiffs had not yet adequately pled or identified a legal duty on the part of Apple to protect users’ personal information from third-party app developers. This case was different because Path was a third party developer. Despite the existence of a duty, plaintiff’s claims of damages (here’s the $12,500 repair bill issue again) will likely face substantial challenges as the case progresses.

Unjust Enrichment. Path argued that unjust enrichment was not a cause of action under California law. The court cited to cases suggesting that California law does indeed recognize such a claim and kept in in this case.

Photo credit Flickr user stormwarning under this Creative Commons license.

Fear of crime exception made recording phone call okay under eavesdropping statute

Carroll v. Merrill Lynch, No. 12-1076 (7th Cir. October 16, 2012)

Late in the evening on Thanksgiving Day 2005, plaintiff called her co-worker at home and started yelling profanities. The co-worker’s wife picked up another phone on the line and, becoming alarmed at the threatening nature of the conversation, began recording the call.

rotary phone

Plaintiff sued under the Illinois eavesdropping statute, 720 ILCS 5/14. Defendants moved for summary judgment, arguing that the recording was covered under the “fear of crime” exception to the statute. The lower court granted the motion for summary judgment and plaintiff sought review with the Seventh Circuit. On appeal, the court affirmed the award of summary judgment.

The Illinois eavesdropping statute prohibits recording a conversation unless all parties consent to the recording. But that general rule is subject to a bunch of exceptions, such as recordings made:

under reasonable suspicion that another party to the conversation is committing, is about to commit, or has committed a criminal offense against the person or a member of his or her immediate household, and there is reason to believe that evidence of the criminal offense may be obtained by the recording

In this case, the court held that the wife had both a subjective and objective belief that the plaintiff would, at minimum, vandalize their home. Since plaintiff introduced no evidence to create a genuine issue of material fact on the question of the wife’s asserted fear of a crime being committed, summary judgment had been properly granted.

Photo courtesy Vincent Van Der Pas under this Creative Commons license.

Plaintiff has to turn over emotional social media content in employment lawsuit

Court holds that Facebook, LinkedIn and MySpace postings relating to plaintiff’s emotional state must be produced in discovery.

Robinson v. Jones Lang LaSalle Americas, Inc., 2012 WL 3763545 (D.Or. August 29, 2012)

Plaintiff sued her former employer for discrimination and emotional distress. In discovery, defendant employer sought from plaintiff all of her social media content that revealed her “emotion, feeling, or mental state,” or related to “events that could be reasonably expected to produce a significant emotion, feeling, or mental state.”

emotional on social media

When plaintiff did not turn over the requested content, defendant filed a motion to compel. The court granted the motion.

The court relied heavily on the case of E.E.O.C. v. Simply Storage Mgmt., LLC, 270 F.R.D. 430 (S.D.Ind. 2010) in ordering plaintiff to produce the requested social media content. The Simply Storage court found that:

It is reasonable to expect severe emotional or mental injury to manifest itself in some [social media] content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.

Consistent with the principles of Simply Storage the court in this case ordered production from plaintiff all social media communications:

that reveal, refer, or relate to any significant emotion, feeling, or mental state allegedly caused by defendant’s conduct;

The production of this category of communications was meant to elicit information establishing the onset, intensity, and cause of emotional distress allegedly suffered by plaintiff because of defendant during the relevant time period.

The court also ordered plaintif to produce all social media materials concerning:

events or communications that could reasonably be expected to produce a significant emotion, feeling, or mental state allegedly caused by defendant’s conduct.

This second category was meant to elicit information establishing the absence of plaintiff’s alleged emotional distress where it reasonably should have been evident (i.e., under the rubric of Simply Storage, on her social media accounts).

The court observed how counsel for the parties plays an important role in the discovery of social media. As the court in Simply Storage recognized, it is an “impossible” job for the court to define the limits of social media discovery with enough precision to satisfy the producing party. To address this impossible situation, it falls to the lawyers to act in good faith to produce required materials, inquire about what has and has not been produced, make the appropriate challenges, and seek revision of the discovery order as appropriate.

Photo courtesy Flickr user xdxd_vs_xdxd under this Creative Commons license.

No Fourth Amendment violation when government looked at Facebook profile using friend’s account

U.S. v. Meregildon, — F.Supp.2d —, 2012 WL 3264501 (S.D.N.Y. August 10, 2012)

The government suspected defendant was involved in illegal gang activity and secured the assistance of a cooperating witness who was a Facebook friend of defendant. Viewing defendant’s profile using the friend’s account, the government gathered evidence of probable cause (discussion of past violence, threats, and gang loyalty maintenance) which it used to swear out a search warrant.

What you do on Facebook is almost guaranteed to come back and bite you in the ass.

Defendant argued that the means by which the government obtained the probable cause evidence – by viewing content protected by defendant’s Facebook privacy settings – violated defendant’s Fourth Amendment rights. The court denied defendant’s motion to suppress.

It held that where Facebook privacy settings allowed viewership of postings by friends, the Government could access them through a friend/cooperating witness without violating the Fourth Amendment. The court compared the scenario to how a person loses his legitimate expectation of privacy when the government records a phone call with the consent of a cooperating witness who participates in the call. It held that defendant’s legitimate expectation of privacy ended when he disseminated posts to his Facebook friends because those friends were then free to use the information however they wanted, including sharing it with the government.

Photo credit: Flickr user Poster Boy NYC under this Creative Commons license.

Reading a non-friend’s comment on Facebook wall was not a privacy invasion

Sumien v. CareFlite, 2012 WL 2579525 (Tex.App. July 5, 2012)

Plaintiff, an emergency medical technician, got fired after he commented on his coworker’s Facebook status update. The coworker had complained in her post about belligerent patients and the use of restraints. Here is plaintiff’s comment:

Yeah like a boot to the head…. Seriously yeah restraints and actual HELP from [the police] instead of the norm.

After getting fired, plaintiff sued his former employer for, among other things, “intrusion upon seclusion” under Texas law. That tort requires a plaintiff to show (1) an intentional intrusion, physical or otherwise, upon another’s solitude, seclusion or private affairs that (2) would be highly offensive to a reasonable person.

The trial court threw out the case on summary judgment. Plaintiff sought review with the Court of Appeals of Texas. On appeal, the court affirmed the summary judgment award.

The court found plaintiff failed to provide any evidence his former employer “intruded” when it encountered the offending comment. Plaintiff had presented evidence that he misunderstood his co-worker’s Facebook settings, did not know who had access to his co-worker’s Facebook Wall, and did not know how his employer was able to view the comment. But none of these misunderstandings of the plaintiff transformed the former employer’s viewing of the comment into an intentional tort.

Read Professor Goldman’s post on this case.


Photo credit: Flickr user H.L.I.T. under this license.

Can you snoop if someone has forgotten to log out?

Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012)

The answer to that question may depend on whether you knowingly exceed your authorization. A New Jersey court recently held that a defendant was within the bounds of the law when he accessed and printed a co-worker’s personal email after the coworker left the computer without signing out of her account.

can you snoop the email account left on the screen when someone forgets to log out

One morning when defendant, a teacher, sat down in the computer room of the school where he worked to check his email, he bumped the mouse of the computer next to him when he sat his drink down. That stopped the screen saver on the other machine, revealing the inbox of a coworker’s Yahoo account. Defendant saw that some of the emails’ subjects mentioned him, so he clicked on them, printed them out, and later used them at an adminstrative meeting to further some points in a work dispute.

The coworkers whose email communications defendant had accessed in this way sued him for violation of New Jersey’s equivalent of the Stored Communications Act (N.J.S.A. 2A:156A–27). The plaintiffs moved for summary judgment on their claim, but the court let the question go to the jury. That jury found defendant had not violated the statute.

Plaintiffs appealed the denial of their motion for summary judgment. On appeal, the court affirmed, holding that the jury properly got the question to consider.

Under the New Jersey statute, a plaintiff has a cause of action if, among other things, another person knowingly:

  • accesses without authorization a facility through which an electronic communication service is provided, or
  • exceeds an authorization to access that facility

The court briefly discussed whether the term knowingly applies both to “access without authorization” and “exceeds an authorization”. It held that it does.

Then the court went on to evaluate whether the jury should have gotten the question in the first place.

The court held that as a matter of law, defendant did not access the email account without authorization. Because the “index to the inbox” of the co-worker’s Yahoo account was displayed on the screen when the coworker left the computer, defendant did not access the “facility” without authorization. The accessing of the facility had been accomplished by coworker. There was no evidence of hacking or other unauthorized access to her account.

As for whether defendent exceeded his authorized access, the court held that the lower court properly submitted the question to the jury. The court held that the facts could not preclude a jury finding that defendant did not exceed his authorized access. Indeed, six of the seven deliberating jurors found that defendant had not exceeded his authorization. And all of the jurors found that the coworker had provided “tacit authorization” for him to access the account. (The case does not specify what that evidence of tacit authorization was.)

So the jury’s finding that defendant did not exceed his authorized access stood.

An obvious pro-tip from the case is to remember to log out of shared computers. But the decision is potentially relevant to contexts other than email accounts on desktop computers. Does a person who finds another’s mobile device have the right to rummage through all the accounts (e.g., social media, email, dating sites) that the phone’s owner is logged into? This case underscores that the answer will be, frustratingly, “it depends.” It’s best to put some facts into play — like even the simple requirement of a 4-digit password — to establish contours for authorization which, when exceeded, are clear.

Is there a constitutional right of privacy in a family member’s autopsy photos?

Marsh v. County of San Diego, — F.3d —, 2012 WL 1922193 (9th Cir. May 29, 2012)

Yes, there is now. At least in the Ninth Circuit. Since the defendant was found to be not liable for violation of that right because of qualified immunity, an appeal is unlikely and the ruling will probably stand.

autopsy table

Background

When defendant Coulter retired from the district attorney’s office, he kept a photocopy of an autopsy photo (of a 2-year old boy with head injuries) from one of the cases he tried in 1983. What’s even more bizarre is that defendant turned over the photo and a memo to a newspaper and television station.

When the mother of the deceased little boy who appeared in the photo heard about this, she sued the district attorney and the county for violation of her due process rights under the Fourteenth Amendment of the United States Constitution.

The trial court threw out the case on summary judgment. Plaintiff sought review with the Ninth Circuit. Though the court found defendant was not liable for a constitutional violation because of qualified immunity, it held that plaintiff had a constitutionally protected right to privacy over her child’s death images.

Due Process

The Due Process Clause of the Fourteenth Amendment to the U.S. Constitution has been held to protect “a right of personal privacy, or a guarantee of certain areas or zones of privacy.” Carey v. Population Servs. Int’l, 431 U.S. 678, 684 (1977) (quoting Roe v. Wade, 410 U.S. 113, 152 (1973)). This privacy right is of two types: (1) the individual interest in avoiding disclosure of personal matters, and (2) the interest in independence in making certain kinds of important decisions concerning, for example, family relationships and child rearing.

In this case, the court observed that other courts, including the Supreme Court, had recognized a common law (but not constitutional) protection against the disclosure of a deceased family member’s death scene photos. But this case was the first time a court held that protection against public disclosure of such photos was a constitutionally protected right under substantive due process.

The court noted that “the well-established cultural tradition acknowledging a family’s control over the body and death images of the deceased has long been recognized at common law.” Because such sensibility is so deeply-rooted in our culture, the test for both types of substantive due process were met in this case. Protecting the interest would serve to avoid the disclosure of the graphic details of a family member’s tragic death (which reveals much about the manner of death and extent of suffering). In the context of a child’s autopsy photos, the right of a parent to determine the “care, custody and control” of the child is protected by a federal privacy right against public disclosure.

State Law – Procedural Due Process

The court held that plaintiff’s procedural due process rights were violated by the disclosure of the autopsy photo. California has a statute — Cal.Civ.Proc.Code § 129 — that codifies the state’s public policy against the reproduction of post-mortem photos for improper purposes. This served to create a liberty interest in plaintiff that could not be taken away without due process. The court found that plaintiff had sufficiently alleged a claim of violation of the statute and, therefore, a deprivation of a state-created liberty interest.

Photo credit: atluxity under this license.

Social media legal best practices: some problems and solutions with uploading photos and tagging people

Facebook, Flickr, 500px and mobile sharing applications such as Instagram have replaced the hard copy photo album as the preferred method for letting others see pictures you have taken. Now photos are easy to take and easy to share. This easiness makes a number of legal questions potentially more relevant.

Embarrassing photos

Let’s be honest — every one of us has been in photos that we do not want others to see. It may be just bad lighting, an awkward angle, or something more sinister such as nudity or drug use, but having a photo like that made public would cause embarrassment or some other type of harm. Sometimes the law affords ways to get embarrassing photos taken down. To the same extent the law can help, the one posting the embarrassing photo puts himself at risk for legal liability.

Invasion of privacy. If someone takes a picture of another in a public place, or with a bunch of other people, the subject of the photo probably does not have a right of privacy in whatever he or she is doing in the photo. So the law will not be helpful in getting that content off the internet. But there are plenty of situations where the subject of a photo may have a privacy interest that the law will recognize.

  • “Intrusion upon seclusion,” as its name suggests, is a legal claim that one can make when someone has intentionally intruded — physically or otherwise — upon their solitude or seclusion. Surreptitiously taken photos of a person in her own home, or in a place where she expected privacy (e.g., in a hotel room or dressing room) would likely give rise to an unlawful intrusion upon seclusion.
  • “Publication of private facts” is another form of invasion of privacy. A person commits this kind of invasion of privacy by publishing private, non-newsworthy facts about another person in a way that would be offensive to a reasonable person. Posting photos of one’s ex-girlfriend engaged in group sex would be considered publication of private facts. Posting family pics of one’s nephew when he was a kid would not.

Photoshop jobs

Some people enjoy using Photoshop or a similar advanced photo editing application to paste the head of one person onto the body of another. (Reddit has an entire category devoted to Photoshop requests.) This can have drastic, negative consequences on the person who — through this editing — appears to be in the photo doing something he or she did not and would not do. This conduct might give rise to legal claims of infliction of emotional distress and defamation.

Infliction of emotional distress. We expect our fellow members of society to be somewhat thick-skinned, and courts generally do not allow lawsuits over hurt feelings. But when it’s really bad, the law may step in to help. One may recover for infliction of emotional distress (sometimes called “outrage”) against another person who acts intentionally, and in a way that is extreme and outrageous, to cause emotional distress that is severe. Some states require there to be some associated physical harm. A bride who sued her photographer over the emotional distress she suffered when the photographer posted pictures of her in her underwear lost her case because she alleged no fear that she was exposed to physical harm.

Defamation. A person can sue another for defamation over any “published” false statement that harms the person’s reputation. Some forms of defamation are particularly bad (they are called defamation per se), and are proven when, for example, someone falsely states that a person has committed a crime, has engaged in sexually immoral behavior, or has a loathsome disease. A realistic Photoshop job could effectively communicate a false statement about someone that is harmful to his or her reputation.

Copied photos

Since copying and reposting images is so easy, a lot of people do it. On social media platforms, users often do not mind if a friend copies the photos from last night’s dinner party and reuploads them to another account. In situations like these, it’s simply “no harm, no foul.” Technically there is copyright infringement going on, but what friend is going to file a lawsuit against another friend over this socially-acceptable use? The more nefarious situations illustrate how copyright can be used to control the display and distribution of photos.

In most instances, the person who takes a photo owns the copyright in that photo. A lot of people believe that if you appear in a photo, you own the copyright. That’s not true unless the photo is a self portrait (e.g., camera held at arm’s length and turned back toward the person, or shot into the mirror), or unless the person in the photo has otherwise gotten ownership of the copyright through a written assignment (a much rarer situation).

A person who finds that his or her copyrighted photos have been copied and reposted without permission has a number of options available. In the United States, a quick remedy is available under the notice and takedown provisions of the Digital Millennium Copyright Act. The copyright owner sends a notice to the platform hosting the photos and demands the photos be taken down. The platform has an incentive to comply with that demand, because if it does, it cannot be held responsible for the infringement. Usually a DMCA takedown notice is sufficient to solve the problem. But occasionally one must escalate the dispute into copyright infringement litigation.

Some other things to keep in mind

With the protections afforded by free speech and the difficulties involved in winning an invasion of privacy or infliction of emotional distress lawsuit, one can get away with quite a bit when using photos in social media. One court has even observed that you do not need a person’s permission before tagging him or her in a photo.

A person offended by the use of a photo by him or of him may have recourse even in those situations where it is not so egregious as to give him a right to sue. Social media platforms have terms of service that prohibit users from harassing others, imitating others, or otherwise engaging in harmful conduct. The site will likely remove content once it is made aware of it. (I have sent many requests to Facebook’s legal department requesting content to be removed — and it has been removed.) The norms of social media communities play an important role in governing how users treat one another, and that principle extends to the notions of civility as played out through the use of photos online.

Evan Brown is a Chicago technology and intellectual property attorney. He advises businesses and individuals in a wide range of situations, including social media best practices. 

Photo credit: AForestFrolic