Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Is a DMCA subpoena to identify unknown infringers valid if the infringement has ended?

The Digital Millennium Copyright Act (“DMCA”) is well-known for its notice and takedown provisions. But the DMCA provides a number of other interesting mechanisms, including a procedure for potential copyright plaintiffs to send subpoenas to online service providers to learn the identity of users who posted infringing content to that service. A recent case involving some subpoenas that a copyright owner sent to eBay examines the relationship between the notice and takedown procedures on one hand, and the subpoena mechanism on the other. The question before the court was whether a DMCA subpoena is valid if, by the time it is served on the online service provider, that online service provider has already removed or has disabled access to that content.

Section 512(h) (17 U.S.C. 512(h)) spells out the DMCA subpoena process, and how it relates to the notice and takedown provisions. An online service provider must act expeditiously to identify the user who uploaded infringing content “[u]pon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a [takedown request].” That plain language seems straightforward — an online service provider has to provide the identifying information in response to any subpoena it receives either with or subsequent to a takedown notice.

But it was not so straightforward in a 2011 case, where some confusing facts made for some confusing law. In Maximized Living, Inc., v. Google, Inc., 2011 WL 6749017 (N.D. Cal. December 22, 2011), the copyright holder sent a subpoena to the online service provider after the copyright holder had sent a DMCA takedown notice. That would appear to comport with the statute — the subpoena came subsequent to the takedown notice. But the problem in that case was that the takedown notice was not valid. By the time it was sent, the alleged infringer had already removed the infringing content. From that, the Maximized Living case pronounced that “the subpoena power of §512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled.”

In the recent case of In re DMCA Subpoena to eBay, Inc., eBay, as the recipient of subpoenas to identify some of its users, picked up on the Maximized Living holding to argue that it did not have to answer the subpoenas because it had already taken down the offending content pursuant to previous takedown notices. Since the subpoenas did not relate to “currently infringing activity,” eBay argued à la Maximized Living, that the subpoenas had not been issued under §512(h)’s power and were therefore invalid.

The court rejected eBay’s argument. The key distinction in this case was that, unlike in Maximized Living, the takedown notices in this case, when they issued, related to content that was on the eBay servers at the time the takedown notices were issued. Granted, some of those takedown notices went all the way back to early 2012 (query whether the subpoena should be valid if it would only uncover the identity of an infringer for whom the 3-year copyright statute of limitations had passed; but that wasn’t before the court).

So to simply state the rule in this case — for a DMCA subpoena to be valid, it has to relate to a valid DMCA takedown notice. That DMCA takedown notice is not valid unless it was served at a time when infringing content resided on the service. An online service provider cannot avoid the obligation of responding to a subpoena by taking down the content, thereby causing there to be no “currently infringing activity”. Such a rule would, as the court observed, cause the online service provider’s safe harbor protection to also shield the alleged infringer from being identified. That would indeed be an odd application of the DMCA’s protection. The court in this case avoided that outcome.

In re DMCA Subpoena to eBay, Inc., 2015 WL 3555270 (S.D. Cal. June 5, 2015).

Evan Brown is a Chicago attorney helping clients in matters dealing with copyright, technology, the internet and new media. Call him at (630) 362-7237, send email to ebrown [at] internetcases dot com, or follow him on Twitter @internetcases

Photo courtesy of Flickr user Thomas Galvez under this Creative Commons license.

Casual website visitor who watched videos was not protected under the Video Privacy Protection Act

A recent federal court decision from the Southern District of New York sheds light on what is required to be considered a “consumer” who is protected under the Video Privacy Protection Act (VPPA). The court held that a website visitor who merely visited a website once in awhile to watch videos — without establishing a more “deliberate and durable” affiliation with the website — was not a “subscriber” to the website’s services and thus the VPPA did not prohibit the alleged disclosure of information about the website visitor’s viewing habits.

Defendant was a television network that maintains a website offering video clips and episodes of many of its television shows. The website also incorporated Facebook’s software development kit which, among other things, let visitors log into websites using their Facebook credentials. This mechanism relied on cookies. If a person had chosen to remain logged into Facebook by checking the “keep me logged in” button on Facebook’s homepage, the relevant cookie would continue to operate, regardless of what the user did with the web browser. Plaintiff alleged that this mechanism caused AMC to transmit information to Facebook about the video clips she watched on the AMC site.

Plaintiff sued under the VPPA. Defendant moved to dismiss, arguing that plaintiff lacked standing under the statute and that she was not a protected “consumer” as required by the statute.

The court found that plaintiff had standing. It rejected defendant’s argument that a VPPA plaintiff must allege some injury in addition to asserting that defendant had violated the statute. “It is true . . . that Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” But Congress “can broaden the injuries that can support constitutional standing.”

The court next looked to whether plaintiff was a “consumer” protected under the statute. The VPPA defines the term “consumer” to include “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Absent any assertion that plaintiff was a renter or purchaser of AMC’s goods, the parties and the court focused on whether she was a “subscriber” (a term not defined in the statute).

Because plaintiff’s allegations failed to establish a relationship with defendant sufficient to characterize her as a subscribers of defendant’s goods or services, the court dismissed the VPPA claim with leave to amend. It observed: “Conventionally, ‘subscription’ entails an exchange between subscriber and provider whereby the subscriber imparts money and/or personal information in order to receive a future and recurrent benefit, whether that benefit comprises, for instance, periodical magazines, club membership, cable services, or email updates.” In this case, “[s]uch casual consumption of web content, without any attempt to affiliate with or connect to the provider, exhibit[ed] none of the critical characteristics of ‘subscription’ and therefore [did] not suffice to render [plaintiff] a subscriber of [defendant’s] services.”

Austin-Spearman v. AMC Network Entertainment LLC, 2015 WL 1539052 (S.D.N.Y. April 7, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Complaint site does not have to identify its users

Petitioner filed an action in New York state court seeking to compel PissedConsumer.com to disclose the identity of the person or persons who posted certain statements to the site. These statements criticized petitioner for allegedly failing to fulfill an advertising promise to give the user a $500 gas card. The anonymous user went on to complain that petitioner “will forget about you and … all the promises they made to you” once “you sign on the dotted line.”

The trial court denied the petition to compel PissedConsumer.com to turn over the names of its users. Petitioner sought review with the Appellate Division. On appeal, the court affirmed.

It held that the lower court properly denied the petition since petitioner failed to demonstrate that it had a meritorious cause of action as required to obtain pre-action discovery:

Nothing in the petition identifies specific facts that are false and when the statements complained of are viewed in context, they suggest to a reasonable reader that the writer was a dissatisfied customer who utilized respondent’s consumers’ grievance website to express an opinion. Although some of the statements are based on undisclosed, unfavorable facts known to the writer, the disgruntled tone, anonymous posting, and predominant use of statements that cannot be definitively proven true or false, supports the finding that the challenged statements are only susceptible of a non-defamatory meaning, grounded in opinion.

The court seemed to recognize the importance of anonymous speech, and that one must not lightly cast aside its protections. If you’re going to go after an online critic, best have a cause of action that you can actually plead.

Woodbridge Structured Funding, LLC v. Pissed Consumer, — N.Y.S.2d —, 2015 WL 686383, (February 19, 2015)

Evan Brown is an attorney in Chicago helping clients with technology, intellectual property and new media issues.

1 2 3 4 5 6 7 8 193 194 195