Tag Archives: ecpa

Class action against Path faces uphill climb

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D.Cal. October 19, 2012)

Earlier this year plaintiff filed a class action lawsuit against photo app provider Path, alleging ten claims relating to Path’s alleged surreptitious collecting of mobile device address books and installation of tracking software. Path moved to dismiss the lawsuit for lack of standing and for failure to state a claim. The court held that plaintiff had standing to pursue the case, but dismissed some of the claims.

Standing

The court found that alleged depletion of “two to three seconds of battery capacity” was de minimis and thus not sufficient to support the injury-in-fact plaintiff was required to show. Citing to the fairly recent case of Krottner v. Starbucks, the court found that the hypothetical threat of future harm due to a security risk to plaintiff’s personal information was insufficient to confer standing. The only basis on which the court found there to be a sufficient claim of injury to support standing was the (hard to believe) claim by plaintiff that he would have to spend $12,500 to pay a professional to remove the Path app and related data from his phone.

The Dismissed Claims

The court dismissed for failure to state a claim (with leave to amend) plaintiff’s claims under the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), California wiretapping statute, state common law privacy, conversion and trespass.

ECPA and California Wiretapping Statute Claim. The court dismissed the ECPA and California Wiretapping Statute claims, finding that the complaint did not allege that Path intercepted any communication contemporaneous with its transmission. At best (from plaintiff’s perspective), it appears that Path gathered information on social networking sites after it was transmitted. And the uploading of the address books does not appear to have qualified as a communication under these statutes.

SCA Claim. The SCA claim failed “on multiple fronts.” Plaintiff was not a provider of electronic communication services and his iPhone was not a facility through which such service was provided. So Path’s alleged access did not come within the prohibition of the SCA. Moreover, the address books were not communications to which the SCA applied, because they were not in “electronic storage” as defined by the SCA, namely, being in temporary, intermediate storage incidental to their electronic transmission. (We see a similar issue in the recent Jennings case from South Carolina.)

State Common Law Privacy. This claim would have required plaintiff to show (1) public disclosure (2) of private facts (3) which would be offensive and objectionable to the reasonable person and (4) which is not of legitimate public concern. The court found there was no public disclosure, only Path’s storage of data on its servers.

Conversion. Under California law, to be successful on a claim of conversion, plaintiff would have had to plead and prove “ownership or right to possession of property, wrongful disposition of the property right and damages.” The court dismissed this claim because plaintiff pled only that Path copied the data, not dispossessing him of it. (As an aside, it’s this very point that underscores my common admonition to copyright maximalists that infringement is not “theft,” because theft involves dispossession. End of digression.)

Trespass. The California common law action of trespass in the computer context requires a plaintiff to show that (1) defendant intentionally and without authorization interfered with plaintiff’s possessory interest in a computer system; and (2) defendant’s unauthorized use proximately resulted in damage to plaintiff. The tort “does not encompass … an electronic communication that neither damages the recipient computer system nor impairs its functioning.” Intel v. Hamidi, 30 Cal.4th 1342 (Cal. 2003). In this case, plaintiff did not allege that the functioning of his mobile device was significantly impaired to the degree that would enable him to plead the elements of a trespass. The court found that any depletion of his mobile device’s finite resources was a de minimis injury. (See the standing analysis above.)

The Remaining Claims

The claims for violations of the California Computer Crime Law, California’s Unfair Competition Law (Section 17200), negligence and unjust enrichment remain in the case.

California Computer Crime Law. Based on the limited briefing, the court could not conclude as a matter of law whether Path’s alleged conduct fell outside this statute. The question remains whether providing the app which plaintiff voluntarily downloaded and installed on his iPhone provided undisclosed software code that surreptitiously transferred plaintiff’s data.

California’s Unfair Competition Law. This statute prohibits “any unlawful, unfair or fraudulent business act or practice.” The court found that the conduct alleged in the complaint, if true, constituted an unlawful or unfair act or practice within the meaning of the statute. It found that plaintiff had failed to allege any fraudulent practice, but since plaintiff met the first two prongs (unlawfulness and unfairness), the claim survived.

Negligence. Plaintiff alleged that Path owed a duty to plaintiff to protect his personal information and data property and take reasonable steps to protect him from the wrongful taking of such information and the wrongful invasion of privacy. Path allegedly breached this duty by, among other things, accessing and uploading data from plaintiff’s phone, storing that data in an unsecure manner, and transmitting the data to third parties. Path relied on In re iPhone Application Litigation to argue it had no duty to plaintiff. In that decision, Judge Koh held that plaintiffs had not yet adequately pled or identified a legal duty on the part of Apple to protect users’ personal information from third-party app developers. This case was different because Path was a third party developer. Despite the existence of a duty, plaintiff’s claims of damages (here’s the $12,500 repair bill issue again) will likely face substantial challenges as the case progresses.

Unjust Enrichment. Path argued that unjust enrichment was not a cause of action under California law. The court cited to cases suggesting that California law does indeed recognize such a claim and kept it in this case.

Using remote tracking software to find stolen laptop may have violated federal wiretap statute

Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio August 22, 2011) [PDF copy of opinion]

Services that help track down stolen laptops and other lost mobile hardware are indispensable. Consider, for example, the year-long saga of Jeff Blakeman who used MobileMe to help recover his MacBook Pro that a TSA agent stole from checked luggage. Or how Joshua Kaufman used the remote recovery application Hidden to snap pics of the creepy dude who made off with his MacBook.

It is hard to not rejoice when one reads stories about laptop thieves being brought to justice. And we generally feel no pangs of conscience over whether the apprehended criminal had any privacy rights that were violated when he was being monitored with the software.

But what if the person being tracked did not steal the device, and did not know that it was stolen? Do we then care about whether the remote tracking process violated that person’s privacy? If so, how should that privacy right stack up against the theft victim’s right to get his or her property back?

A recent case from Ohio shows how the privacy right of the innocent user can constrain the rightful owner from using all means of what we might call “remote self help.” The court applied the Electronic Communications Privacy Act (“ECPA”) in a way that should cause users and purveyors of theft recovery services to reevaluate their methodologies.

Hot communications using hot property

The facts of the case were salacious and embarrassing. Plaintiff bought a non-functioning laptop for $60 from one of her students (she was a substitute teacher at an “alternative” high school). After she got the computer working, she used it to have sexually explicit communications with her out-of-state boyfriend — they even got naked in front of their webcams with one another.

As it turns out, however, the student who sold plaintiff the laptop had stolen it. The teacher claimed she did not know it was purloined. The original, rightful owner of the laptop had installed Absolute Software’s LoJack for Laptops on the device. After it was stolen, and after it had made its way into plaintiff’s hands, Absolute began its work of locating the machine and gathering information about its whereabouts and its user.

In this process, one of Absolute’s employees obtained real-time access to what was happening on the stolen computer. He was able to collect keystrokes of the sexually explicit communications, and gather three screen shots of plaintiff and her boyfriend, both naked, fooling around on the webcam.

Absolute turned the information — including the X-rated screen shots — over to the police. Plaintiff was arrested and handcuffed. The criminal court dismissed the case against her.

But plaintiff (and her boyfriend) sued. They brought several claims against the police for violation of their constitutional rights, and claims against Absolute for, among other things, violation of the ECPA. Absolute moved for summary judgment on the ECPA claim but the court denied the motion. The court found that Absolute could not show, as a matter of law, that it should not be liable for the interception of the explicit communications.

Legitimate privacy expectation, even on a stolen computer

Subject to certain exceptions, the ECPA prohibits one from surreptitiously intercepting or disclosing the contents of any wire, oral or electronic communications of another. The defendants first argued that plaintiff could not put forward a valid ECPA claim because she did not have a legitimate expectation of privacy in these communications.

The court rejected this argument, finding that plaintiff’s belief as to her privacy was reasonable both subjectively and objectively. She felt safe enough to engage in the explicit communications (subjective belief), and she demonstrated that she had no reason to suspect the laptop was stolen (objective belief). Had she known or had reason to know it was stolen, her claim of privacy would have been subordinated to the possessory interest of the owner. (As an aside, there was some interesting evidentiary wrangling that went on a few weeks ago about defendants’ expert witnesses opining on internet privacy. Read more about that at Bow Tie Law.)

Public policy did not come to the rescue

Absolute next argued that certain exceptions to liability for violation of the ECPA should protect it. The court rejected each of these arguments. It found that the exception for those acting “under color of law” to track down “computer trespassers” did not apply, because Absolute was a private entity, not one acting under color of law. The court also rejected Absolute’s argument that it could divulge the intercepted contents as a provider of an electronic communications service. The court found that Absolute did not provide an “electronic communications service to the public” as defined by the ECPA.

So Absolute was left with one final argument, namely, that public policy should shield it from liability for the unauthorized interception and disclosure of the keystrokes and screen shots. Absolute argued that the legal owner of the stolen laptop should be able to take steps to locate and recover that property, and that the rights of the property owner must trump those of a thief.

The court declined to implement such a per se rule, noting that:

It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.

In so many words, the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer. Had the information collection stopped at IP addresses and other non-content information, the remote tracking efforts may not have run afoul of the ECPA.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

Court says law firm did not eavesdrop on employee phone calls

Bowden v. Kirkland & Ellis, 2011 WL 1211555 (7th Cir. April 1, 2011)

Two former employees of a law firm sued the firm for violation of the Electronic Communications Privacy Act, 18 USC 2510 et seq. and for violation of the Illinois Eavesdropping Act, 720 ILCS 5/14-2. The district court granted summary judgment in favor of the law firm. The former employees sought review with the Seventh Circuit. On appeal, the court affirmed the grant of summary judgment.

The court held that the former employees’ evidence of eavesdropping raised no more than a “theoretical possibility” of a violation. Even one of the strongest experts in the case triple hedged his testimony, saying the records “could indicate the potential that interception may have occurred.” So the grant of summary judgment was proper.

The plaintiffs had also raised an electronic discovery issue, namely a claim that the law firm spoliated evidence by destroying a server that contained phone records relevant to the case. The court rejected that argument, finding no credible evidence that the destruction was undertaken in bad faith.

Mom violated wiretap law by bugging daughter’s teddy bear to eavesdrop on dad

Lewton v. Divingnzzo, 2011 WL 692292 (D.Neb. Feb. 18, 2011)

Defendant thought her ex-husband was abusing their daughter during visitations. To prove these allegations in the custody case, defendant sewed an electronic recording device into the little girl’s favorite teddy bear. After the daughter returned from visiting with her father, the mom would unstitch the teddy bear and download the recorded conversations onto her computer.

She tried using the transcribed recordings as evidence in the state court custody proceeding. But the judge would not let them into evidence because they violated Nebraska law. The father and others whose conversations were recorded via the teddy bear sued the mom under the federal Electronic Communications Privacy Act.

Both sides moved for summary judgment. The court ruled in favor of the father, finding that the surreptitious recording did not fit into any exception of the ECPA.

The ECPA provides a private right of action to any person whose wire, oral or electronic communication is intercepted, disclosed or intentionally used in violation of the ECPA. Looking to Eighth Circuit authority, the court observed that the ECPA prohibits all wiretapping that is not specifically exempted by the statute.

No doubt this was a tough case – a parent fearing for the safety of his or her child might have strong reasons to resort to eavesdropping to protect the child. But the court was hamstrung – “[w]hile the notion that a parent or guardian should be able to listen to a child’s conversations to protect the child from harm may have merit as a matter of policy, it is for Congress, not the courts, to alter the provisions of the statute.”

The court ordered the defendant and her father (who had transcribed the recordings) to pay $10,000 to each of the offended plaintiffs. The defendant’s lawyer who had distributed the recordings to the guardian ad litem and others was found to have violated the ECPA but was not ordered to pay any money damages.

Divorce attorney did not conspire to violate the Electronic Communications Privacy Act

Court declines to recognize secondary liability for civil ECPA violation, holding that defendant’s divorce lawyer could not be a conspirator in a civil action alleging email interception.

Garback v. Lossing, 2010 WL 3733971 (E.D.Mich. September 20, 2010)

Plaintiff sued his ex-wife’s attorney for violation of the Electronic Communications Privacy Act. He claimed that his ex-wife, her attorney and some other defendants (including a computer forensics firm) acted together to violate the ECPA by “hacking” into plaintiff’s email account. The ex-wife allegedly used information gathered in this process to negotiate a more favorable divorce settlement.

The defendant attorney moved to dismiss for failure to state a claim upon which relief may be granted. The court granted the motion.

The court found that in plaintiff’s “inartful” pleading, he had failed to allege that the defendant attorney had actually intercepted or knowingly used information obtained in violation of the ECPA. Plaintiff argued that this failure was not fatal, however, in that he had alleged that the defendant attorney conspired to intercept emails.

Rejecting this argument, the court observed that “normally federal courts refrain from creating secondary liability that is not specified by statute.” Finding no textual support in the ECPA for such secondary liability, the court declined to read ECPA’s scope so expansively. The court found the statute to be clear on who may be liable: those who intercept communications and those who get ahold of those communications knowing they were illegally obtained. So the ECPA claim failed and plaintiff was given leave to replead.

Doctor’s wiretapping case under ECPA heads to trial

McCann v. Iroquois Memorial Hospital, No. 08-3420 (7th Cir. September 13, 2010)

Mystery of how doctor’s dictation machine got turned on to record conversation between doctor and hospital employee is a question for the jury and should not have been decided on summary judgment.

Two hospital employees — Dr. Lindberg and the director of physician services, Ms. McCann — had a conversation behind the doctor’s closed office door that the two of them thought was private. In their conversation, the two of them criticized hospital administration. But they did not know that the doctor’s dictation machine was recording what they said.

How that machine got turned on is a mystery. Dr. Lindberg had been dictating radiology reports a few minutes before Ms. McCann arrived, so he may have accidentally left the machine running. But the recording of the conversation started in mid-sentence, which discredits that theory.

A member of the hospital’s transcription staff, Ms. Freed, is alleged to have come into the room during this conversation to pick up some papers, and Dr. Lindberg and Ms. McCann believe she surreptitiously turned on the machine. That would seem a plausible explanation, given that Ms. Freed supposedly had an axe to grind with Dr. Lindberg.

The recorded conversation made its way to the transcription staff, and after it was typed out, Ms. Freed forwarded it to the hospital’s CEO. Dr. Lindberg and Ms. McCann filed suit against Ms. Freed and others under the Electronic Communications Privacy Act. They claimed that by secretly turning on the dictation machine and forwarding the transcript, Ms. Freed violated the statute.

The district court granted the defendants’ motion for summary judgment. Plaintiffs sought review with the Seventh Circuit. On appeal, the court reversed in part, finding there was a genuine issue of material fact as to whether Ms. Freed was in the room and secretly turned on the dictation machine.

The court of appeals held that whether Ms. Freed was in the office on the date the recording was made was merely the subject of a “swearing contest,” and that summary judgment is not appropriate to resolve such a contest. The lower court had based its grant of summary judgment largely on the contents of the recording. At the end of the conversation, one can hear the office door close as Ms. McCann leaves. But one cannot hear the door shut when Ms. Freed would have left, during the conversation and after she allegedly turned on the dictation machine.

Viewing the facts in the light most favorable to the plaintiffs, the court found that the absence of such a sound did not prove that Ms. Freed was not there: “[N]othing in the record tells us whether the door could have been closed silently; . . . [Ms.] Freed who was conscious that she was intruding (and, perhaps, that she was being taped) may have closed the door softly to be inconspicuous.”

So the court found that whether Ms. Freed was responsible for making the recording — and by extension whether Ms. Freed intentionally intercepted the conversation between Dr. Lindberg and Ms. McCann in violation of the ECPA — was an issue for the jury, and not one for summary judgment.

Lack of knowledge of interception causes ECPA claims against website owners to fail

Zinna v. Cook, No. 06-1733, 2010 WL 3604386 (D. Colo. September 7, 2010)

Plaintiff sued for violation of the Electronic Communications Privacy Act (ECPA) claiming that defendants intercepted his email messages and posted them to a website called ColoradoWackoExposed.com. Defendants moved for summary judgment. The court granted the motion.

It found that although similarities between messages and website content suggested that emails had been intercepted, there was no evidence showing the interception was “contemporaneous” with the messages’ transmission. (Several federal circuits require such contemporaneity. But see the Seventh Circuit’s recent opinion in U.S. v. Szymuszkiewicz for a different take.)

The court also held there was insufficient evidence to show that defendants knew the information posted on the website came about via any unlawful interception. The plaintiff’s assertions that defendants had worked with a non-party wiretapper failed to convince the court of this knowledge.

Setting up Outlook rule to intercept another’s email can be a federal crime

U.S. v. Szymuszkiewicz, — F.3d —, 2010 WL 3503506 (7th Cir. September 9, 2010)

Seventh Circuit upholds conviction of employee who secretly intercepted his boss’s email.

A federal jury convicted the defendant, who was an IRS revenue officer, of violating the Wiretap Act (or the Electronic Communications Privacy Act, as some like to call it), 18 USC 2511(1)(a). He had snuck onto his boss’s computer and set a rule in Microsoft Outlook to autoforward copies of all incoming email to his own account.

The defendant sought review of his conviction with the Seventh Circuit. On appeal, the court affirmed. Judge Easterbrook’s opinion is interesting reading. It is a nice accompaniment to the 2005 decision from the First Circuit in U.S. v. Councilman.

The court rejected the defendant’s argument that the Wiretap Act required that the “interception” of the email be “contemporaneous” with its transmission: “[d]ecisions articulating such a requirement are thinking football rather than the terms of the statute.” (Such decisions would include Fraser v. Nationwide Mutual (3d Cir.), Steve Jackson Games v. Secret Service (5th Cir.), Konop v. Hawaiian Airlines (9th Cir.) and United States v. Steiger (11th Cir.).)

In any event, the court found that the defendant’s interception of the messages in this case was “contemporaneous by any standard.” The evidence showed that the Outlook rules, though set within the email client, operated on the server. A message to the boss would go to an email server in Kansas City, and then be “flung across the network” as packets making up two copies, one for the boss and one for the defendant. It was this copying on the server that was the unlawful interception.

If you’re at all interested in this case and the Wiretap Act, then you must check out Orin Kerr’s post at the Volokh Conspiracy, especially the comments to that post. Very erudite discussion.

Email snooping can be intrusion upon seclusion

Analysis could also affect liability of enterprises using cloud computing technologies.

Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.

The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6) (for failure to state a claim upon which relief can be granted). The court denied the motion.

The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:

  • defendant committed an unauthorized prying into the plaintiff’s seclusion;
  • the intrusion would be highly offensive to the reasonable person;
  • the matter intruded upon was private; and
  • the intrusion caused the plaintiff to suffer.

The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.

The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.

Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication service intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.
