(Photo credit: Wikipedia)
“Smile, you’re on Candid Camera.” Originally coined on the eponymous TV show, that catchphrase is becoming more of common refrain in the workplace. Any employee with a smartphone can easily record an office conversation in secret. But are such covert recordings legal? And what control, if any, does management have over the making of such recordings?
The Law of Recording Face-to-Face Conversations
A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations. This rule authorizes the recording of a conversation so as long as one person in the conversation consents. The consenting party can also be the person recording the conversation. Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.
Most other states require the consent of all participants in the conversation. Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.
Workplace Bans on Covert Recordings
Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA). A recent National Labor Relations Board decision illustrates this. Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013). The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval. The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”
The administrative law judge (ALJ) in the case upheld the policy. The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right. It was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters. The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace. The policy regulated a means of communication as opposed to the protected activity itself. It also did not prohibit employees from making recordings during non-work time. The policy therefore did not violate Section 7 rights.
The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:
- Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
- Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
- Does the rule allow employees to make recordings during non-work hours?
A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
Use of Competitor’s Name in Keyword Advertising Ruled Not a Violation of Publicity Rights – Habush v. Cannon, 2013 WL 627251 (Wis. Ct. App. Feb. 21, 2013)
Can your business competitor use your name to promote itself and never mention your name to the public? Keyword advertising makes that possible. A competitor can bid on keyword search terms consisting of your company name to make links to its website appear whenever a person searches for your name on the Internet. A law firm that fell prey to such an advertising strategy decided to sue its competitor for violating its publicity rights, which is a form of invasion of privacy.
Robert Habush and Daniel Rottier are shareholders in Habush Habush & Rottier, a well-known personal injury law firm in Wisconsin. Another Wisconsin law firm also specializing in personal injury law, Cannon & Dunphy (C&D), bid on the keyword search terms “Habush” and “Rottier” through Google, Yahoo!, and Bing. As a result, when a person searched for “Habush” or “Rottier” in one of the three search engines, links to C&D’s website would appear at the top of the list of “sponsored” results, i.e., those links produced by keywords that been bid on and paid for by advertisers. Sponsored results generally appear above the “organic results” generated by the search engine’s algorithm.
Habush and Rottier sued C&D for violating Wisconsin’s invasion of privacy statute. Under the statute, a person’s privacy could be invaded by “[t]he use, for advertising purposes or for purposes of trade, of the name . . . of any living person, without having first obtained the written consent of the person . . . .” The main question was whether C&D engaged in a “use” of Habush and Rottier’s names.
Habush and Rottier argued that any attempt to benefit from the commercial or other value of a person’s name or image is a “use.” Under this interpretation, C&D “used” the names of Habush and Rottier. C&D countered that the statute covers only “use” that is visible to the public. Under that perspective, bidding on names for keyword advertising purposes is not a “use” because the public does not see the use of the names.
The court found both interpretations reasonable, but adopted C&D’s interpretation. The court held back from ruling that unauthorized use of a name can never be an invasion of privacy unless the use is visible to the public, but it agreed with C&D that bidding on a competitor’s name to get one’s ad placed near links to the competitor’s website in search results is not a violation of the competitor’s publicity rights.
The court analogized competitive keyword advertising to “proximity advertising.” Examples of proximity advertising include: a new car dealership opens across the street from an established car dealership; a business advertises on billboards next to a competitor’s billboards; a lawyer places a Yellow Pages ad near the phone listing of competing lawyers. Although a competitor is trying to take advantage of the name of an established business in each of these scenarios, none involves an impermissible “use”, such as when a competitor puts the name of an established business in its ad or on its product. The court similarly did not see a problem with using a third party—in this case, a search engine—to engage in proximity advertising.
LegalTXTS Notes: This is a pretty novel case because most competitive keyword advertising cases are based on theories of trademark infringement or dilution. Since Habush and Rottier are personal names, they might not have acquired sufficient second secondary meaning to qualify for trademark protection, so publicity rights was invoked as a creative alternative.
Hawai‘i has its own publicity rights statute, so would the outcome have been different had the lawsuit been filed in Hawai‘i? Hawai‘i courts have not had the occasion to interpret the statute, but if you buy the reasoning of the court in Habush, the answer is probably not. The Hawai‘i statute is similar enough to the Wisconsin statute for the logic of Habush to apply.
As a partner in a law firm (and therefore a business owner), I’m not sure how I feel about Habush. I think the court rightly rejected the interpretation that any attempt to benefit from the commercial value of a person’s qualifies as a violation of publicity rights. That’s a pretty broad proposition. But something about the decision makes it hard to swallow. There’s an element of deception the court doesn’t adequately address. I wonder if, instead of claiming violation of publicity rights, Habush and Rottier could have sued under an unfair competition theory.
The Senate Judiciary Committee of the Hawaii legislature just voted to approve the “Steven Tyler Act” (SB465), an anti-paparazzi law named after the Aerosmith lead singer, who personally showed up to testify in favor of the bill at a hearing today. The Tyler Act, which apparently was prompted by Tyler’s experience with paparazzi near his Maui home, attracted written testimony from an assortment of celebrities including Britney Spears, Neil Diamond, Tommy Lee, and Avril Lavigne. My favorite testimony letter was Ozzy Osbourne’s because it had a little cartoon drawing of Ozzy in the bottom right corner.
Cartoon from written testimony on SB465 by Ozzy Osbourne, 2/6/13
The final fate of the Tyler Act remains uncertain, but now that it’s taken an important step forward, I thought I’d share my thoughts on the bill in its current form. (The Tyler Act isn’t exactly related to technology law, but I’m blogging about it because I also practice in First Amendment, privacy, and media law.)
It’s important to understand that the Tyler Act mimics California’s anti-paparazzi law (which is currently facing its own legal challenges). As much as legal commentators panned the California law, the Tyler Act should attract its fair share of criticism, if not more, because its language is much more loose and vague. And that’s not good when it comes to writing a law. You know the Aerosmith song “I Don’t Wanna Miss a Thing”? Well, there are quite a few things the Tyler Act misses. Here are some examples.
The centerpiece of the California law is the creation of a new tort called “constructive invasion of privacy.” This kind of invasion of privacy is “constructive” in that it doesn’t require the defendant to have physically trespassed onto the plaintiff’s property. Use of a “visual or auditory enhancing device” is enough. So, a person using a telephoto zoom lens to snap pictures of J-Lo on the balcony of her home could be liable for invasion of privacy without having stepped foot onto J-Lo’s property. The idea is that use of devices to intrude into someone’s private space is just as invasive as physically entering into their space.
The Tyler Act uses the term “constructive invasion of privacy,” but it doesn’t exactly track the theory behind the tort. Here’s the main liability section of the Tyler Act:
A person is liable for a civil action of constructive invasion of privacy if the person captures or intends to capture, in a manner that is offensive to a reasonable person, through any means a visual image, sound recording, or other physical impression of another person while that person is engaging in a personal or familial activity with a reasonable expectation of privacy.
See any reference to “visual or auditory enhancing device”? There is none. The Tyler Act says a person could commit a constructive invasion of privacy “through any means.” A cheapie disposal camera would do it. So would the audio recording app on your iPhone. And if devices lacking in any “enhancement” feature do the trick to capture a “visual image, sound recording, or other physical impression of another person,” query whether there was an invasion of personal space, constructive or otherwise. (Note that if an invasion into private space truly occurred, even in the absence of a physical invasion, Hawai‘i law already provides a remedy through the common law tort of intrusion into seclusion, which is a form of invasion of privacy.)
But the problems with the Tyler Act don’t stop there. The Act applies when the plaintiff is engages in a “personal or familial activity.” That language also appears in the California law, which is defined as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” Cal. Civ. Code § 1708.8(l). The definition excludes “illegal or otherwise criminal activity ….” The meaning of “personal or familial definition” is pretty vague even with that definition, but at least the California law includes a definition. The Tyler Act doesn’t! It’s anyone’s guess what “personal or familiar activity” means under the Tyler Act.
Similarly, the Tyler Act doesn’t define “offensive” or “reasonable expectation of privacy.” Nor does it contain an exception for publicizing matters of “legitimate public concern,” unlike the California law. This is problematic because it imposes liability for conduct not remotely resembling the opportunistic antics of paparazzi. Suppose a celebrity’s Kauai mansion catches on fire, spreading flames to her neighbor’s homes. The celebrity rushes out to the sidewalk with her kids, watching as firefighters put out the blaze. A photojournalist arrives on the scene and takes a picture of the celebrity and her kids from across the street. He then sells the photo to a local daily newspaper, which uses it alongside a front-page article about the fire. That’s hardly TMZ-style content, but under the vague language of the Tyler Act, the photojournalist and newspaper could be sued for constructive invasion of privacy.
Now, you might ask, why would the newspaper be liable? That’s because the Tyler Act says:
Any person who transmits, publishes, broadcasts, sells, offers for sale, uses any visual image, sound recording, or other physical impression, or who subsequently retransmits, republishes, rebroadcasts, resells, reoffers to sell, or reuses any visual image, sound recording, or other physical impression that was taken or captured in violation of this section shall constitute a violation of this section if:
(1) The person had actual knowledge that the visual image, sound recording, or other physical impression was taken or captured in violation of this section; and
(2) The person received compensation, consideration, or remuneration, monetary or otherwise, for the rights to the unlawfully obtained visual image, sound recording, or other physical impression.
Imposing liability for publishing information obtained in violation of the Tyler Act runs into First Amendment problems. Under Supreme Court precedent, the First Amendment protects speech that publishes the contents of a communication that was illegally intercepted as long as the publisher itself did nothing illegal to obtain the communication. See Bartnicki v. Vopper, 532 U.S. 514 (2001). Even more troubling is the Tyler Act’s authorization of courts to issue injunctions against future violations of the Act. Since publication of information obtained in violation of the Tyler Act could itself violate the Act, a court could literally issue an order “halting the presses.” That’s called a prior restraint, which is regarded by courts as the most offensive of First Amendment violations.
There are other problems with the way the Tyler Act is written – like the absence of an exception to liability for actions taken in a legitimate law enforcement investigation, or the fact that the Act is not limited to actions taken in Hawai‘i (unlike the California anti-paparazzi law, whose applicability is limited to actions within California) – but I think the point is made well enough. Although the Tyler Act is well-intentioned, more thought and care needs to go into making it a clear, constitutional law that doesn’t inadvertently turn well-meaning fans, reporters, and publishers into law-breakers.
It’s time for a roundup of recent Stored Communications Act (SCA) decisions. The issues addressed in these decisions include: (1) is a company network a “facility” subject to the prohibitions of the SCA; (2) what is “electronic storage”; (3) can there be secondary liability for violating the SCA; and (4) how broadly is “authorization” under the SCA defined.
Is a company network a “facility”?
Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012)
A terminated employee remotely accessed her ex-employer’s company computers to transmit spyware and monitor network communications. The company sued the ex-employee under the Computer Fraud and Abuse Act (CFAA) and SCA. (I discussed the CFAA claim in this case in an earlier post.) The SCA makes it an offense to intentionally access without authorization (or exceed one’s authorization to access) a “facility through which an electronic communication service is provided” and thereby obtain, alter, or prevent authorized access to a wire or electronic communication “while it is in electronic storage in such system.”
The company alleged that its computers are “facilities” because they enable the use of electronic communication services. The court rejects that interpretation of “facilities.” Information that an individual stores to his or her hard drive, such as images, personal information and emails that he or she has downloaded, is not in “electronic storage” as defined by the SCA. The “facilities” the SCA is designed to protect are not computers that enable the use of an electronic communication service, but facilities operated by electronic communication service providers and used to store and maintain electronic storage. The court dismissed the SCA claim.
(LegalTXT Note: This decision conflicts with a number of other federal district court decision that have held that private servers are within the scope of the SCA)
What is “electronic storage”?
Jennings v. Jennings, 2012 WL 4808545 (S.C. Oct. 10, 2012)
Gail Jennings initiated a divorce proceeding after discovering that her husband (Lee Jennings) was having an affair. Gail’s daughter-in-law (Broome) decided to help Gail by hacking into Lee’s Yahoo! email account to retrieve messages between him and his mistress. In the lawsuit that followed, the trial court granted summary judgment for the defendants on all claims, including those brought under the SCA. The court of appeals affirmed except as to the SCA claim against Broome. The court of appeals found that the emails at issue were in “electronic storage” as defined in 18 U.S.C. § 2510(17), and therefore within the SCA’s prohibition against unauthorized accessing of an electronic communication while it is in “electronic storage.”
The South Carolina Supreme Court disagreed that the emails in questions were in “electronic storage.” Part of the SCA’s definition of “electronic storage” involves storage of an electronic communication “by an electronic communication service for the purposes of backup protection of such communication.” The emails in Lee’s account were left on the Yahoo! server after they were opened. Keeping an email after opening it does not amount to storing it for “backup protection,” the court ruled.
Can there be secondary liability for violating the SCA?
Can a person have secondary liability for violating the SCA, such as by “aiding and abetting” a violation? A Florida court suggests that the answer is yes, but the federal district court for the District of Columbia says no.
Vista Marketing, LLC v. Burkett, 2012 WL 3860435 (M.D. Fla. Sept. 5, 2012)
Plaintiff’s wife (Burkett) accessed the webmail account of Plaintiff’s company (Vista) to read Plaintiff’s emails so as to gain a strategic advantage in their divorce proceeding. She did not have authorization to access the Vista email account. Vista alleged that told her divorce attorney (Park) what she had done, and that Park encouraged Burkett to continue accessing Vista’s webmail account and advised her to compile and print many of the communications for use in the divorce proceeding. Vista sued Park under Florida common law for conspiracy to violate the SCA. Park moved to dismiss, but the court denied the motion, holding that Vista adequately alleged facts supporting the conspiracy claim.
Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 2012 WL 4054141 (D.D.C. Sept. 17, 2012)
Chris Gaubatz obtained an internship with a national Muslim advocacy organization (CAIR-AN) under false pretenses to infiltrate the organization and collect information that would cast the organization in a negative light. Chris is the son of David Gaubatz, an investigator hired by the Center for Security Policy, Inc. (CSP) and the Society of Americans for National Existence (SANE) as an independent contractor to collect “field data” about CAIR-AN. Chris was able to collect thousands of documents, which he turned over to David. David disclosed the stolen information on his blog and in a book he co-authored. CAIR-AN sued Chris and David, CSP and its employees, and SANE and its employees. One of the claims in the lawsuit alleged that the Defendants “conspired with” or “aided and abetted” Chris in violating the SCA.
The court concluded that the text of the SCA did not support a theory of secondary liability. According to the court, the SCA’s “plain language shows that Congress had one category of offenders in mind—i.e., those who directly access, or exceed their authority to access, a facility through which an electronic communication service is provided.”
(LegalTXT Note: Although Vista Marketing discussed the SCA, the claim at issue there was based on Florida’s common law of conspiracy rather than the SCA itself. In contrast, Gaubatz squarely involved an SCA claim.)
What’s the scope of “authorization”?
Is after-the-fact authorization effective?
Shefts v. Petrakis, 2012 WL 4049509 (C.D. Ill. Sept. 13, 2012)
There is an exception to the SCA’s prohibitions for conduct authorized by the entity providing the electronic communication service that was accessed. But what if the authorization was provided after there has already been access? Is authorization effective if it is given after the fact?
The answer is yes, according to the court in Shefts. (Some of the facts relevant to the case are supplied by an earlier published decision, Shefts v. Petrakis, 758 F. Supp. 2d 620 (C.D. Ill. 2010). Access2Go, Inc., a telecommunications company, initiated a program to monitor the email and texting activity of its president after learning of concerns that he was sexually harassing Access2Go employees and violating his fiduciary duties. As part of the monitoring program, a shareholder and member of the Access2Go board of directors (Petrakis) accessed Shefts’ company email account. The board appointed Petrakis as its liaison of security. Petrakis collected emails allegedly showing Shefts engaged in sexually harassing behavior and other improper acts. Based on this and other evidence, the board suspended Shefts and recommended his termination.
When Shefts sued the board members under the SCA, the board members countered that the company had authorized access to his email account. Since Shefts’ company email account was maintained by and resided on Access2Go’s servers, Access2Go could legitimately authorize access to the account. The question is, when did Access2Go give the authorization? The board never voted to allow an employee to access another employee’s computer. However, the board members were aware that Petrakis had accessed Shefts’ company email account, and they relied on the emails that Petrakis collected in suspending Shefts and recommending his termination. Based on these facts, the court concluded that the board had “ratified” Petrakis’ actions, and such ratification qualified as “authorization” under the SCA.
You’re in, now what?
Cheng v. Romo, 2012 WL 6021369 (D. Mass Nov. 28, 2012)
Just because the owner of an email account gives you permission to access his account doesn’t mean you are “authorized” to read every email in there. In Cheng, the plaintiff (Cheng) and the defendant (Romo) and her husband worked for a medical imaging company. Cheng maintained a Yahoo! email account while working at the company, the password for which he shared with Romo. Although Cheng never qualified Romo’s access to his email account in any way, never stated a time limit on his grant of access to Romo, and never changed his password during the relevant time, his purpose in sharing his email account was to enable Romo to review radiologic images for their work. Romo testified that she would check Cheng’s email account to read consultant reports that radiologists emailed to Cheng. Initially, Romo did not look at any personal items in Cheng’s email account. But after Romo and her husband’s relationship with Cheng and others at the company deteriorated—leading ultimately to their separation from the company—Romo accessed Cheng’s account to find out about the state of the company. Romo shared with her husband the emails she printed from Cheng’s account. Cheng sued Romo for violations of the SCA and invasion of privacy under Massachusetts law.
The court denied Romo’s motion for summary judgment as to both claims. Regarding the SCA claim, the court found genuine issues of material fact as to whether Romo had authorization to access Cheng’s email account. The fact that Cheng had given Romo his password years earlier was not determinative, given the context in which the password was given and the later use that Romo made of it. It was up to the factfinder to look at the circumstances in which the password was given and to determine whether Romo was authorized, or exceeded her authorization, to access Cheng’s email account, the court said.
As for the privacy claim, the court held that it was cognizable, but there were genuine issues of material fact concerning whether Cheng had a reasonable expectation of privacy in his email messages and whether Romo’s actions interfered with Cheng’s privacy.
(LegalTXT Note: The court in Cheng noted that the term “authorization” in the SCA could have analogous meaning as the same term in the CFAA. The court summarized the different approaches court take in defining the term in the context of the CFAA, including those finding “authorization” where there was no breach of technical barriers to access, and those finding no “authorization” where permission to access was granted but the information collected via such access was misused (see my post on Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), a case the Cheng court cites). Ultimately, the court does not indicate which approach it adopts, although its summary judgment ruling suggests that it considers the purpose behind the grant of access, and not the mere grant of permission itself, relevant to determining the existence of authorization.)
Not knowing others can see your Facebook comments doesn’t mean you can sue for invasion of privacy. — Sumien v. Careflite, 2012 WL 2579525 (Tex. Ct. App. July 5, 2012)
This case goes into the category of “what you don’t know can hurt you.” Two emergency medical technicians (Sumien and Roberts) had an exchange on the Facebook wall of another co-worker in which they made derogatory comments about a patient they had transported via ambulance. Haynes, the sister of a compliance officer of employer of the two technicians (CareFlite), saw Roberts’ comments and was offended. Haynes notified her sister (Calvert), who had access to the comments because she was Facebook friends with Roberts. After Haynes complained to the management of CareFlite, Sumien and Roberts were terminated. They sued CareFlite for unlawful termination and invasion of privacy. The trial court granted summary judgment to CareFlite on all claims, and one of the technicians (Sumien) appealed. The only issue in the appeal was whether the trial court should have granted summary judgment on the intrusion upon seclusion claim.
One of the requirements of an “intrusion into seclusion” claim is, unsurprisingly, an intentional intrusion into the seclusion or private affairs of another. Sumien argued that CareFlite intruded upon his seclusion because one of its employees read his comments. Sumien claimed to be unaware that Roberts’ Facebook friends (including Calvert) could see the comments he posted on Roberts’ wall. Too bad, said the court. The comments were visible to the Roberts’ friends, and so there was no intrusion into a private matter.
LegalTXTS Lesson: Know your privacy settings, and think through who could see what you share in the social media space. This seems rather obvious, but then again, there are those who don’t do this and then claim their privacy is invaded. The other point is that a intrusion into seclusion claim based on material posted on a social media network probably is difficult to win. Some courts, like the one who ordered Twitter to comply with a subpoena last week, simply don’t regard posts on social media private at all.