Facebook account protected from disclosure in discovery, for now

McCann v. Harleysville Insurance, — N.Y.S.2d —, 2010 WL 4540599 (November 12, 2010)

Unlike some recent cases such as Romano v. Steelcase, which seem to give the impression that the information in a person’s social networking account is always fair game for discovery in litigation, one New York court has come down on the side of protecting the privacy of a Facebook user’s content.

Plaintiff was injured in an automobile accident and filed a lawsuit over her injuries. In the course of discovery, defendant sought photographs from plaintiff’s Facebook account and “an authorization” to access the account. Defendant claimed the sought-after discovery related to whether plaintiff sustained a serious injury.

After plaintiff did not respond to the discovery requests, defendant moved to compel. The trial court denied the motion, finding the discovery to be overly broad, and finding that defendant had failed to show the relevancy of the information to be discovered. Defendant sought review with the appellate court. On appeal, the court affirmed.

The court held that the discovery sought was too broad and that defendant had failed to show the relevancy of the information. It affirmed the denial of the motion as to avoid a “fishing expedition.”

But the holding is anything but reassuring from the plaintiff’s perspective. It affirmed the denial without prejudice to serving additional discovery requests. So it sounds as if defendant tailors its discovery a bit more closely, and shows how accessing plaintiff’s Facebook account will provide relevant evidence, it may see some success.

Stored Communications Act protects Yahoo email account from subpoena

Chasten v. Franklin, 2010 WL 4065606 (N.D.Cal. October 14, 2010)

Plaintiff sued some corrections officers at the prison where her inmate son was killed. She learned in a deposition that one of the defendants had a Yahoo email account. So she sent a subpoena to Yahoo seeking all the email messages sent from that account during a period of more than two years.

Defendant moved to quash the subpoena, arguing that disclosure of the email messages would violate his rights under the Stored Communications Act (SCA). The court granted the motion to quash.

Subject to certain specifically-enumerated exceptions, the SCA (at 18 U.S.C. 2702(a) and (b)) essentially prohibits providers of electronic communication or remote computing services to the public from knowingly divulging the contents of their customers’ electronic communications or the records relating to their customers. The court found that no such exception applied in this case. Citing to Theofel v. Farey-Jones, it held that compliance with the subpoena would be an invasion of the specific interests that the SCA seeks to protect.

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta

Palin email hacker conviction survives motion for acquittal

U.S. v. Kernell, No. 08-CR-142 (E.D. Tenn. September 23, 2010)

A federal jury convicted defendant for a number of crimes related to his hacking into Sarah Palin’s Yahoo email account in September 2008. One of the crimes the jury convicted him of was the “destruction or alteration of a record or document with the intent to obstruct an investigation” (a violation of 18 USC 1519).

After hacking into Palin’s account, but before the formal FBI investigation began, defendant deleted some Palin family pictures he had downloaded from the account, uninstalled his web browser, and defragmented his hard drive.

Defendant moved for a “judgment of acquittal”, arguing that the evidence was insufficent to support his convictions. The court denied the motion.

The court found that the Government offered sufficient proof to support the conviction. Even though defendant preserved (did not destroy) his computer, spoke with an FBI agent investigating the matter and advised his friends to be truthful in what they said about the case, the court looked to the totality of the evidence as supporting defendant’s guilt.

Given that defendant deleted images from his computer that he had downloaded from Palin’s account, and had run web searches on “legalities email” and “soppenaing [sic.] ip addresses”, a rational jury could find him guilty. So the jury verdit stood.

Divorce attorney did not conspire to violate the Electronic Communications Privacy Act

Court declines to recognize secondary liability for civil ECPA violation, holding that defendant’s divorce lawyer could not be a conspirator in a civil action alleging email interception.

Garback v. Lossing, 2010 WL 3733971 (E.D.Mich. September 20, 2010)

Plaintiff sued his ex-wife’s attorney for violation of the Electronic Communications Privacy Act. He claimed that his ex-wife, her attorney and some other defendants (including a computer forensics firm) acted together to violate the ECPA by “hacking” into plaintiff’s email account. The ex-wife allegedly used information gathered in this process to negotiate a more favorable divorce settlement.

The defendant attorney moved to dismiss for failure to state a claim upon which relief may be granted. The court granted the motion.

The court found that in plaintiff’s “inartful” pleading, he had failed to allege that the defendant attorney had actually intercepted or knowingly used information obtained in violation of the ECPA. Plaintiff argued that this failure was not fatal, however, in that he had alleged that the defendant attorney conspired to intercept emails.

Rejecting this argument, the court observed that “normally federal courts refrain from creating secondary liability that is not specified by statute.” Finding no textual support in the ECPA for such secondary liability, the court declined to read ECPA’s scope so expansively. The court found the statute as being clear on who may be liable: those who intercept communications and those who get ahold of those communications knowing they were illegally obtained. So the ECPA claim failed and plaintiff was given leave to replead.

Doctor’s wiretapping case under ECPA heads to trial

McCann v. Iroquois Memorial Hospital, No. 08-3420 (7th Cir. September 13, 2010)

Mystery of how doctor’s dictation machine got turned on to record conversation between doctor and hospital employee is a question for the jury and should not have been decided on summary judgment.

Two hospital employees — Dr. Lindberg and the director of physician services, Ms. McCann — had a conversation behind the doctor’s closed office door that the two of them thought was private. In their conversation, the two of them criticized hospital administration. But they did not know that the doctor’s dictation machine was recording what they said.

Dictaphone was cylinder dictation machine from...
Image via Wikipedia

How that machine got turned on is a mystery. Dr. Lindberg had been dictating radiology reports a few minutes before Ms. McCann arrived, so he may have accidentally left the machine running. But the recording of the conversation started in mid-sentence, which discredits that theory.

A member of the hospital’s transcription staff, Ms. Freed, is alleged to have come into the room during this conversation to pick up some papers, and Dr. Lindberg and Ms. McCann believe she surreptitiously turned on the machine. That would seem a plausible explanation, given that Ms. Freed supposedly had an axe to grind with Dr. Lindberg.

The recorded conversation made its way to the transcription staff, and after it was typed out, Ms. Freed forwarded it to the hospital’s CEO. Dr. Lindberg and Ms. McCann filed suit against Ms. Freed and others under the Electronic Communications Privacy Act. They claimed that by secretly turning on the dictation machine and forwarding the transcript, Ms. Freed violated the statute.

The district court granted the defendants’ motion for summary judgment. Plaintiffs sought review with the Seventh Circuit. On appeal, the court reversed in part, finding there was a genuine issue of material fact as to whether Ms. Freed was in the room and secretly turned on the dictation machine.

The court of appeals held that whether Ms. Freed was in the office on the date the recording was made was merely the subject of a “swearing contest,” and that summary judgment is not appropriate to resolve such a contest. The lower court had based its grant of summary judgment largely on the contents of the recording. At the end of the conversation, one can hear the office door close as Ms. McCann leaves. But one cannot hear the door shut with Ms. Freed would have left, during the conversation and after she allegedly turned on the dictation machine.

Viewing the facts in the light most favorable to the plaintiffs, the court found that the absence of such a sound did not prove that Ms. Freed was not there: “[N]othing in the record tells us whether the door could have been closed silently; . . . [Ms.] Freed who was conscious that she was intruding (and, perhaps, that she was being taped) may have closed the door softly to be inconspicuous.”

So the court found that whether Ms. Freed was responsible for making the recording — and by extension whether Ms. Freed intentionally intercepted the conversation between Dr. Lindberg and Ms. McCann in violation of the ECPA — was an issue for the jury, and not one for summary judgment.

Court: privacy on social networking sites is wishful thinking

Defendant is permitted access to plaintiff’s social networking accounts as part of discovery in personal injury case.

Romano v. Steelcase Inc., — N.Y.S.2d —, 2010 WL 3703242 (N.Y.Sup. September 21, 2010)

Plaintiff sued defendant for personal injury that allegedly caused her to lose her enjoyment of life. During discovery, plaintiff refused to voluntarily turn over the contents of her Myspace and Facebook accounts. So defendant filed a motion to compel plaintiff to consent to having Facebook and MySpace turn over all current and deleted content from the accounts. (That consent was necessary because without it, the sites would violate the Stored Communications Act.) The court granted the motion to compel.

The court found that the information contained in the profiles was “material and necessary” to the case. In drawing its conclusion, the court dispensed with any notion that a user’s privacy settings should affect the analysis. Denying defendant access to the information, the court found, would not only go against New York’s policy favoring liberal discovery, but “would condone Plaintiff’s attempt to hide relevant information behind self-regulated privacy settings.” Plaintiff had put her physical condition at issue, so it was fair for defendant to get evidence that may contradict the assertions of injury.

The court rejected plaintiff’s argument that disclosure of the information would violate her right to privacy under the Fourth Amendment. Fatal to any assertion of privacy was the fact that plaintiff had voluntarily made her information available on the sites. The court looked to earlier New York cases dealing with email to find that plaintiff had no expectation of privacy in the social networking data.

And the court made a sweeping declaration about the state of online privacy that is worth noting. Quoting from a law review article, the court observed that in the social media environment, “privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

Lack of knowledge of interception causes ECPA claims against website owners to fail

Zinna v. Cook, No. 06-1733, 2010 WL 3604386 (D. Colo. September 7, 2010)

Plaintiff sued for violation of the Electronic Communications Privacy Act (ECPA) claiming that defendants intercepted his email messages and posted them to a website called ColoradoWackoExposed.com. Defendants moved for summary judgment. The court granted the motion.

It found that although similarities between messages and website content suggested that emails had been intercepted, there was no evidence showing the interception was “contemporaneous” with the messages’ transmission. (Several federal circuits require such contemporaneity. But see the Seventh Circuit’s recent opinion in U.S. v. Szymuszkiewicz for a different take.)

The court also held there was insufficient evidence to show that defendants knew the information posted on the website came about via any unlawful interception. The plaintiff’s assertions that defendants had worked with a non-party wiretapper failed to convince the court of this knowledge.

Illinois court sets standard for unmasking anonymous commenters

Maxon v. Ottawa Pub. Co., — N.E.2d —, 2010 WL 2245065 (Ill.App. 3 Dist. June 1, 2010)

The rules of civil procedure in Illinois permit an aggrieved party to file a petition with the court asking for an order requiring unknown potential defendants to be identified. This is called a Rule 224 petition.

A couple from Ottawa, Illinois got their feelings hurt over some anonymous comments left in response to content published by the local newspaper on its website. Wanting to sue for defamation, the couple filed a Rule 224 petition. The newspaper opposed the petition. (For something similar, see Enterline v. Pocono Medical Center.)

The trial court denied the petition, applying the standards articulated in Dendrite v. Doe and Doe v. Cahill, finding that the petitioners had not presented a strong enough case for defamation to justify the unmasking of the anonymous commenters. Those cases require, among other things, that a party seeking to identify an anonymous speaker make efforts to notify the anonymous party, and present enough evidence to establish a prima facie case of defamation (Dendrite) or survive a hypothetical motion for summary judgment (Cahill).

The aggrieved couple sought review with the Appellate Court of Illinois. Reviewing the decision to deny the Rule 224 petition de novo, the court reversed and remanded, ordering the identification of the anonymous speakers to be made.

In reaching its decision, the court rejected the newspaper’s (and amicis’) arguments that the trial court should apply the rigorous standards of Dendrite and Cahill. That’s not to say, however, that the court left anonymous speakers at great risk of having their First Amendment rights trampled upon.

The court held that the mechanics of Rule 224 adequately protect the potential First Amendment rights of anonymous internet speakers. Here’s why, according to the court:

  • The petition must be verified – the threat of the pain of perjury should keep out half-hearted claims.
  • The petition must state the reason discovery is necessary.
  • The discovery is limited only to learning the identity of the potential defendant.
  • Most importantly, before the discovery will be permitted, the court must hold a hearing and determine the petition sufficiently states a cause of action.

In this fourth step, the court is to apply the standard it would apply in a Section 2-615 motion. Such a motion is, essentially, the Illinois version of a motion to dismiss for failure to state a claim. That is no insignificant test, because unlike federal court and other state jurisdictions, Illinois requires fact pleading. That means the petition needs to include a significant amount of specific information to survive the motion to dismiss.

A troubling aspect of the ruling is the omission from the test of a requirement that the party seeking discovery attempt to notify the anonymous target of the inquisition. The appellate court held that a trial court may, in its discretion, impose such a requirement.

But it would be nice to know that the real party whose First Amendment interests are at stake (the anonymous speaker) is guaranteed a fair opportunity to argue from his or her perspective. After all, it’s that party with the real incentive to do so. Let’s hope the trial courts exercise that discretion wisely (and that they know in the first place that they have that discretion).

Photo courtesy Flickr user TheTruthAbout… under this Creative Commons license.

Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

Posts navigation

1 2 3 4 5 6 7 8 9