Tag Archives: ecpa

Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (“ECPA”). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.


Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008), that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue in the case outside its scope.