Owners of Unsecured Internet Networks Have No Legal Duty to Prevent Illegal Peer-to-Peer Sharing Activity on Their Networks

Posted by on Nov 27, 2012 in Copyright, Data Security

AF Holdings, LLC owns the copyrights to various porn videos.  AF Holdings has filed numerous copyright infringement actions against individuals who download and share its videos illegally through BitTorrent, an online peer-to-peer sharing tool.  Besides targeting the individuals actively downloading and sharing files—whose identities are often unknown and therefore end up being named as “Doe” defendants—AF Holdings goes after owners of the Internet connections used in the torrent activity (the “Network Defendants”).   AF Holdings sued the Network Defendants under a negligence theory.  AF Holdings alleged that the Network Defendants breached their duty to secure their Internet connections from third parties who use the connections for unlawful activity.  In a pair of similar lawsuits, the courts rejected AF Holding’s negligence claims.  See AF Holdings, LLC v. John Doe and Josh Hatfield, 2012 WL 3835102 (N.D. Cal. Sept. 4, 2012); AF Hodlings, LLC v. John Doe and John Botson, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012)

No legal duty to secure Internet connection to prevent copyright infringement

AF Holdings argued that the Network Defendants owed it a duty to secure their Internet connections to prevent infringement of AF Holdings’ copyrighted works.  The duty at issue was one of “non-feasance,” or the failure to take certain steps, as opposed to “misfeasance,” which involves activity putting the plaintiff in a worse position, such as exposing the plaintiff to risk of peril.  A duty arises in non-feasance situations when the plaintiff has a special relationship with the defendant.  Finding no special relationship between the Network Defendants and AF Holdings, the court concluded that the Network Defendants owed no legal duty to protect AF Holdings against copyright infringement.  The courts therefore dismissed the negligence claims.

Copyright Act preempts negligence claims

Part of the Network Defendants’ defense was that the negligence claims are preempted by the Copyright Act of 1976 because they seek protection for the same exclusive rights that the Act protects.  A state law claim is preempted by the Act when (1) the work at issue comes within the subject matter of copyright, and (2) the rights granted by state law are equivalent to the exclusive rights of copyright holders under section 106 of the Act.  The Network Defendants cleared the first test easily because AF Holdings’ videos clearly are protected by copyright.  In analyzing the second issue, most courts determine whether the state law claim contains an “extra element” that is different or in addition to a claim based on the Copyright Act.  The only “extra elements” in AF Holdings’ negligence claim were the elements of duty and breach of duty.  Since the Network Defendants had no duty to secure their Internet connections to prevent copyright infringement, the negligence claims had no extra elements to be saved from being preempted.  Essentially, AF Holdings repackaged its copyright infringement claim into a negligence claim.

CDA immunity applies

The Network Defendants also claimed immunity under the Communications Decency Act (“CDA”).  The court in the Hatfield case found it unnecessary to decide the issue given the dismissal of the negligence action on other grounds, but the court in the Botson case ruled that the defendant had immunity.  A defendant qualifies for CDA immunity if (1) it is the provider or user of an interactive computer service; (2) the cause of action treat the defendant as a publisher or speaker of information; and (3) the information at issue is provided by another information content provider.  Botson met these qualifications, the court found.  AF Holdings alleged that Botson was the provider of a computer service (i.e., the Internet connection) to pirate the videos.  AF Holdings also treated Botson as a copyright infringer or a participant in the infringement.  Finally, the information at issue (the videos) were provided by another content provider, namely the “Doe” defendant.

Read More

The Need For a Disciplined Approach to Cyberbullying

Posted by on Nov 26, 2012 in First Amendment, Privacy, Schools, Social Media

The legal boundaries for school discipline for cyberbullying continues to be unclearR.S. v. Minnewaska Area School District No. 2149, 2012 WL 3870868 (D. Minn. Sept. 6, 2012); S.J.W. v. Lee’s Summit R-7 School District, 696 F.3d 771 (8th Cir. Oct. 17, 2012)

As much as cyberbullying is gaining media attention, clear guidance on what schools can do about it is still lacking.  In January, the U.S. Supreme Court declined to review three free speech challenges involving social media content posted by students.  As a result, courts continue to grapple with defining the boundaries of school discipline for student online conduct, particularly when it happens off-campus.  A pair of recent cases illustrates this trend.

R.S. v. Minnewaska Area School District No. 2149: A 12-year old sixth grader (R.S.) posted on her Facebook page that she “hated” her school’s adult hall monitor.  R.S. posted the comment from her home outside of school hours.  The comment somehow found its way to the principal, who considered the comment a form of bullying.  The principal gave R.S. detention and required her to apologize to the hall monitor.  In a second incident, R.S. posted a comment on her Facebook wall stating: “I want to know who the F%$# [sic] told on me.”  For this, R.S was suspended for a day and prohibited from going on a class ski trip.  On a third occasion, school officials learned that R.S. was communicating with a male student on the Internet about sexual topics (when confronted, the male student admitted that he initiated the conversation).  The school officials called R.S. out of class to meet with them and the deputy sheriff assigned to the school.  They demanded to know her email and Facebook usernames and passwords.  Feeling pressured, R.S. complied.  The school officials then logged into her Facebook account and viewed the public and private messages she had posted on the site.  The school did not formally discipline R.S. any further.

The punishment of R.S. violated her First Amendment right to free speech

Judge Davis of the federal district court of Minnesota looked to the Tinker line of cases for guidance and concluded that the First Amendment prohibits school authorities from punishing students for out-of-school statements the statements are true threats or reasonably calculated to reach the school environment and are so egregious as to pose a serious safety risk or other substantial disruption there.  R.S.’s Facebook posts were not threatening, the court found, and while the posts might have been reasonably calculated to reach a school audience, that possibility alone did not justify her punishment.  An out-of-court statement must be more than inappropriate.  It must potentially cause a substantial disruption in the school before it can be punished.

The school violated R.S.’s Fourth Amendment right to be free of unlawful searches and seizures

Students enjoy a Fourth Amendment right to be free from unreasonable searches and seizures by school officials.  But did R.S. have a reasonable expectation of privacy as to the information posted on her Facebook account that only her Facebook friends could see?  The court said yes.  There is no meaningful difference between a password-protected private Facebook message and other forms of private electronic correspondence.  The court also found that the school officials had no legitimate governmental interest for reviewing her private communications.  Notably, there was no threat that R.S.’s private posts would cause a disruption in the classroom.

R.S. had a viable claim against the school for invasion of privacy

Again, the court focused on R.S.’s expectation of privacy.  The court analogized private Facebook messages to email messages, to which there is a reasonable expectation of privacy.  The court summarily rejected the schools’ argument that R.S. used Facebook in violation of the site’s terms of use because she was a minor.  The court failed to see how a violation of a website’s terms of use could destroy an expectation of privacy.  Also unpersuasive was the school’s argument that R.S. compromised her privacy interest by allowing her mother and one other person view her Facebook account.  It would be unreasonable, the court explained, to conclude that a person gives up all expectation of privacy as to the contents of his or her password-protected email account just by showing an email to another individual.

S.J.W. v. Lee’s Summit R-7 School District: Twin brothers (the “Wilsons”) who were high school juniors created a website called NorthPress.  Part of NorthPress was a blog intended to discuss, satirize, and “vent” about events at the Wilsons’ school.  Because the site was hosted on a Dutch domain, the site would not show up in the results of a Google search by a user in the U.S., but anyone knowing the site’s URL could access it.  The Wilsons added posts to the NorthPress blog containing a variety of offensive and racist comments as well as sexually explicit and degrading comments about particular female classmates whom they identified by name.  The racist posts discussed fights at the school and mocked black students.  A third student added another racist post.

The Wilsons initially told only several of their friends about NorthPress and claimed they intended only their friends to know about it, but word about the site quickly spread to the study body at their school.  The school initially suspended the Wilsons for ten days, and after the matter went through further proceedings at the school district level, the Wilsons were suspended for 180 days but allowed to enroll in another school for the duration of their suspensions.  The Wilsons filed a lawsuit for a preliminary injunction to lift the suspensions.  The district court granted the preliminary injunction, but on appeal, the Eighth Circuit reversed.

Reviewing cases that analyze the applicability of Tinker to off-campus student speech, the Eighth Circuit ruled that the blog posts in question targeted the school, could reasonably be expected to reach the school or impact the environment, and caused considerable disturbance and disruption.  As a result, the Wilsons were unlikely to succeed on the merits, and so they were not entitled to an injunction.

LegalTXTS Lesson:  Cyberbullying is a serious issue, but schools should be careful not to overreact.  The reality is that much of the online material students post and share these days has a good chance of offending someone or being considered inappropriate by adults.  That doesn’t give schools the authority to police online content however they like.  Off-campus speech is punishable when it threatens to endanger danger to another student or cause substantial disruption in the school environment, but not merely because some would find it “inappropriate.”

How this rule is applied, however, depends on the sensitivity of the court.  The courts in R.S. and S.J.W. could have gone either way.  The court in R.S. could have concluded that the sexual conversations between two very young students presented a risk of substantial disruption in the classroom.  On the other hand, the court in S.J.W. could have held that the blog was never targeted at the school community, and therefore, its contents did not justify meting out school discipline.  Perhaps we’ll get more consistency in court rulings after Supreme Court decides to weigh in on the constitutional limits to combating cyberbullying.


Read More

Court Approves $22.5 Million Settlement of FTC Charge That Google Violated Privacy of Safari Users

Posted by on Nov 21, 2012 in Privacy

A $22.5 million settlement of FTC’s charges that Google secretly used cookies to track the activity of Safari users gained court approval last week.  The charges were based on an earlier settlement of charges that Google used the private information of Gmail users for its Buzz social network.  The FTC and Google settled those charges in October 2011 with a consent order prohibiting Google from future misrepresentations regarding (1) its collection and use of private information and its customers’ control over that information; and (2) its membership and compliance with privacy or security programs.

The FTC alleged that Google violated the Buzz consent order by assuring Safari users that the browser’s default settings would block Google tracking cookies, but overriding Safari’s blocking software and secretly collecting cookies from Safari users.  The FTC also alleged that Google’s use of Safari cookies without informing its users violated the code of conduct of the Network Advertising Initiative, of which Google represents it is a member.

The court approved the proposed consent order settling those charges in a decision issued last Friday (read the decision here).  The proposed consent order would require Google to pay a civil penalty of $22.5 million—the most a company has ever paid for violating an FTC order.  Google must also maintain systems that delete Google cookies from Safari browser users and report to the FTC on compliance with the consent order.  The consent order does not require Google to admit that it violated the Buzz consent order, however.

Amicus curiae Consumer Watchdog objected to the proposed consent decree on the grounds that it did not impose a permanent injunction on Google, that the $22.5 million penalty was too small, and that Google should be required to admit liability.  Judge Susan Illston of the U.S. District Court for the Northern District of California rejected Consumer Watchdog’s arguments, finding the settlement “fair, adequate and reasonable.”

Read More

CFAA: Recent Cases

Posted by on Nov 19, 2012 in Data Security, Employment and Labor, Financial Services

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a CFAA claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to  CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing business that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that they were leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employees’ Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

In regards to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.

Read More
%d bloggers like this: