It’s time for a roundup of recent Stored Communications Act (SCA) decisions.  The issues addressed in these decisions include: (1) is a company network a “facility” subject to the prohibitions of the SCA; (2) what is “electronic storage”; (3) can there be secondary liability for violating the SCA; and (4) how broadly is “authorization” under the SCA defined.

Is a company network a “facility”?

Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012)

A terminated employee remotely accessed her ex-employer’s company computers to transmit spyware and monitor network communications.  The company sued the ex-employee under the Computer Fraud and Abuse Act (CFAA) and SCA.  (I discussed the CFAA claim in this case in an earlier post.)  The SCA makes it an offense to intentionally access without authorization (or exceed one’s authorization to access) a “facility through which an electronic communication service is provided” and thereby obtain, alter, or prevent authorized access to a wire or electronic communication “while it is in electronic storage in such system.”

The company alleged that its computers are “facilities” because they enable the use of electronic communication services.  The court rejects that interpretation of “facilities.”  Information that an individual stores to his or her hard drive, such as images, personal information and emails that he or she has downloaded, is not in “electronic storage” as defined by the SCA.  The “facilities” the SCA is designed to protect are not computers that enable the use of an electronic communication service, but facilities operated by electronic communication service providers and used to store and maintain electronic storage.  The court dismissed the SCA claim.

(LegalTXT Note: This decision conflicts with a number of other federal district court decision that have held that private servers are within the scope of the SCA)

What is “electronic storage”?

Jennings v. Jennings, 2012 WL 4808545 (S.C. Oct. 10, 2012)

Gail Jennings initiated a divorce proceeding after discovering that her husband (Lee Jennings) was having an affair. Gail’s daughter-in-law (Broome) decided to help Gail by hacking into Lee’s Yahoo! email account to retrieve messages between him and his mistress.  In the lawsuit that followed, the trial court granted summary judgment for the defendants on all claims, including those brought under the SCA.  The court of appeals affirmed except as to the SCA claim against Broome.  The court of appeals found that the emails at issue were in “electronic storage” as defined in 18 U.S.C. § 2510(17), and therefore within the SCA’s prohibition against unauthorized accessing of an electronic communication while it is in “electronic storage.”

The South Carolina Supreme Court disagreed that the emails in questions were in “electronic storage.”  Part of the SCA’s definition of “electronic storage” involves storage of an electronic communication “by an electronic communication service for the purposes of backup protection of such communication.”   The emails in Lee’s account were left on the Yahoo! server after they were opened.  Keeping an email after opening it does not amount to storing it for “backup protection,” the court ruled.

Can there be secondary liability for violating the SCA?

Can a person have secondary liability for violating the SCA, such as by “aiding and abetting” a violation?  A Florida court suggests that the answer is yes, but the federal district court for the District of Columbia says no.

Vista Marketing, LLC v. Burkett, 2012 WL 3860435 (M.D. Fla. Sept. 5, 2012)

Plaintiff’s wife (Burkett) accessed the webmail account of Plaintiff’s company (Vista) to read Plaintiff’s emails so as to gain a strategic advantage in their divorce proceeding.  She did not have authorization to access the Vista email account.  Vista alleged that told her divorce attorney (Park) what she had done, and that Park encouraged Burkett to continue accessing Vista’s webmail account and advised her to compile and print many of the communications for use in the divorce proceeding.  Vista sued Park under Florida common law for conspiracy to violate the SCA.  Park moved to dismiss, but the court denied the motion, holding that Vista adequately alleged facts supporting the conspiracy claim.

Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 2012 WL 4054141 (D.D.C. Sept. 17, 2012)

Chris Gaubatz obtained an internship with a national Muslim advocacy organization (CAIR-AN) under false pretenses to infiltrate the organization and collect information that would cast the organization in a negative light.  Chris is the son of David Gaubatz, an investigator hired by the Center for Security Policy, Inc. (CSP) and the Society of Americans for National Existence (SANE) as an independent contractor to collect “field data” about CAIR-AN.  Chris was able to collect thousands of documents, which he turned over to David.  David disclosed the stolen information on his blog and in a book he co-authored.  CAIR-AN sued Chris and David, CSP and its employees, and SANE and its employees.  One of the claims in the lawsuit alleged that the Defendants “conspired with” or “aided and abetted” Chris in violating the SCA.

The court concluded that the text of the SCA did not support a theory of secondary liability.  According to the court, the SCA’s “plain language shows that Congress had one category of offenders in mind—i.e., those who directly access, or exceed their authority to access, a facility through which an electronic communication service is provided.”

(LegalTXT Note:  Although Vista Marketing discussed the SCA, the claim at issue there was based on Florida’s common law of conspiracy rather than the SCA itself.  In contrast, Gaubatz squarely involved an SCA claim.)

What’s the scope of “authorization”?

Is after-the-fact authorization effective?

Shefts v. Petrakis, 2012 WL 4049509 (C.D. Ill. Sept. 13, 2012)

There is an exception to the SCA’s prohibitions for conduct authorized by the entity providing the electronic communication service that was accessed.  But what if the authorization was provided after there has already been access?  Is authorization effective if it is given after the fact?

The answer is yes, according to the court in Shefts.  (Some of the facts relevant to the case are supplied by an earlier published decision, Shefts v. Petrakis, 758 F. Supp. 2d 620 (C.D. Ill. 2010).  Access2Go, Inc., a telecommunications company, initiated a program to monitor the email and texting activity of its president after learning of concerns that he was sexually harassing Access2Go employees and violating his fiduciary duties.  As part of the monitoring program, a shareholder and member of the Access2Go board of directors (Petrakis) accessed Shefts’ company email account.  The board appointed Petrakis as its liaison of security.  Petrakis collected emails allegedly showing Shefts engaged in sexually harassing behavior and other improper acts.  Based on this and other evidence, the board suspended Shefts and recommended his termination.

When Shefts sued the board members under the SCA, the board members countered that the company had authorized access to his email account.  Since Shefts’ company email account was maintained by and resided on Access2Go’s servers, Access2Go could legitimately authorize access to the account.  The question is, when did Access2Go give the authorization?  The board never voted to allow an employee to access another employee’s computer.  However, the board members were aware that Petrakis had accessed Shefts’ company email account, and they relied on the emails that Petrakis collected in suspending Shefts and recommending his termination.  Based on these facts, the court concluded that the board had “ratified” Petrakis’ actions, and such ratification qualified as “authorization” under the SCA.

You’re in, now what?

Cheng v. Romo, 2012 WL 6021369 (D. Mass Nov. 28, 2012)

Just because the owner of an email account gives you permission to access his account doesn’t mean you are “authorized” to read every email in there.  In Cheng, the plaintiff (Cheng) and the defendant (Romo) and her husband worked for a medical imaging company.  Cheng maintained a Yahoo! email account while working at the company, the password for which he shared with Romo.  Although Cheng never qualified Romo’s access to his email account in any way, never stated a time limit on his grant of access to Romo, and never changed his password during the relevant time, his purpose in sharing his email account was to enable Romo to review radiologic images for their work.  Romo testified that she would check Cheng’s email account to read consultant reports that radiologists emailed to Cheng.  Initially, Romo did not look at any personal items in Cheng’s email account.  But after Romo and her husband’s relationship with Cheng and others at the company deteriorated—leading ultimately to their separation from the company—Romo accessed Cheng’s account to find out about the state of the company.  Romo shared with her husband the emails she printed from Cheng’s account.  Cheng sued Romo for violations of the SCA and invasion of privacy under Massachusetts law.

The court denied Romo’s motion for summary judgment as to both claims.  Regarding the SCA claim, the court found genuine issues of material fact as to whether Romo had authorization to access Cheng’s email account.  The fact that Cheng had given Romo his password years earlier was not determinative, given the context in which the password was given and the later use that Romo made of it.  It was up to the factfinder to look at the circumstances in which the password was given and to determine whether Romo was authorized, or exceeded her authorization, to access Cheng’s email account, the court said.

As for the privacy claim, the court held that it was cognizable, but there were genuine issues of material fact concerning whether Cheng had a reasonable expectation of privacy in his email messages and whether Romo’s actions interfered with Cheng’s privacy.

(LegalTXT Note: The court in Cheng noted that the term “authorization” in the SCA could have analogous meaning as the same term in the CFAA.  The court summarized the different approaches court take in defining the term in the context of the CFAA, including those finding “authorization” where there was no breach of technical barriers to access, and those finding no “authorization” where permission to access was granted but the information collected via such access was misused (see my post on Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), a case the Cheng court cites).  Ultimately, the court does not indicate which approach it adopts, although its summary judgment ruling suggests that it considers the purpose behind the grant of access, and not the mere grant of permission itself, relevant to determining the existence of authorization.)

The legal boundaries for school discipline for cyberbullying continues to be unclearR.S. v. Minnewaska Area School District No. 2149, 2012 WL 3870868 (D. Minn. Sept. 6, 2012); S.J.W. v. Lee’s Summit R-7 School District, 696 F.3d 771 (8th Cir. Oct. 17, 2012)

As much as cyberbullying is gaining media attention, clear guidance on what schools can do about it is still lacking.  In January, the U.S. Supreme Court declined to review three free speech challenges involving social media content posted by students.  As a result, courts continue to grapple with defining the boundaries of school discipline for student online conduct, particularly when it happens off-campus.  A pair of recent cases illustrates this trend.

R.S. v. Minnewaska Area School District No. 2149: A 12-year old sixth grader (R.S.) posted on her Facebook page that she “hated” her school’s adult hall monitor.  R.S. posted the comment from her home outside of school hours.  The comment somehow found its way to the principal, who considered the comment a form of bullying.  The principal gave R.S. detention and required her to apologize to the hall monitor.  In a second incident, R.S. posted a comment on her Facebook wall stating: “I want to know who the F%$# [sic] told on me.”  For this, R.S was suspended for a day and prohibited from going on a class ski trip.  On a third occasion, school officials learned that R.S. was communicating with a male student on the Internet about sexual topics (when confronted, the male student admitted that he initiated the conversation).  The school officials called R.S. out of class to meet with them and the deputy sheriff assigned to the school.  They demanded to know her email and Facebook usernames and passwords.  Feeling pressured, R.S. complied.  The school officials then logged into her Facebook account and viewed the public and private messages she had posted on the site.  The school did not formally discipline R.S. any further.

The punishment of R.S. violated her First Amendment right to free speech

Judge Davis of the federal district court of Minnesota looked to the Tinker line of cases for guidance and concluded that the First Amendment prohibits school authorities from punishing students for out-of-school statements the statements are true threats or reasonably calculated to reach the school environment and are so egregious as to pose a serious safety risk or other substantial disruption there.  R.S.’s Facebook posts were not threatening, the court found, and while the posts might have been reasonably calculated to reach a school audience, that possibility alone did not justify her punishment.  An out-of-court statement must be more than inappropriate.  It must potentially cause a substantial disruption in the school before it can be punished.

The school violated R.S.’s Fourth Amendment right to be free of unlawful searches and seizures

Students enjoy a Fourth Amendment right to be free from unreasonable searches and seizures by school officials.  But did R.S. have a reasonable expectation of privacy as to the information posted on her Facebook account that only her Facebook friends could see?  The court said yes.  There is no meaningful difference between a password-protected private Facebook message and other forms of private electronic correspondence.  The court also found that the school officials had no legitimate governmental interest for reviewing her private communications.  Notably, there was no threat that R.S.’s private posts would cause a disruption in the classroom.

R.S. had a viable claim against the school for invasion of privacy

Again, the court focused on R.S.’s expectation of privacy.  The court analogized private Facebook messages to email messages, to which there is a reasonable expectation of privacy.  The court summarily rejected the schools’ argument that R.S. used Facebook in violation of the site’s terms of use because she was a minor.  The court failed to see how a violation of a website’s terms of use could destroy an expectation of privacy.  Also unpersuasive was the school’s argument that R.S. compromised her privacy interest by allowing her mother and one other person view her Facebook account.  It would be unreasonable, the court explained, to conclude that a person gives up all expectation of privacy as to the contents of his or her password-protected email account just by showing an email to another individual.

S.J.W. v. Lee’s Summit R-7 School District: Twin brothers (the “Wilsons”) who were high school juniors created a website called NorthPress.  Part of NorthPress was a blog intended to discuss, satirize, and “vent” about events at the Wilsons’ school.  Because the site was hosted on a Dutch domain, the site would not show up in the results of a Google search by a user in the U.S., but anyone knowing the site’s URL could access it.  The Wilsons added posts to the NorthPress blog containing a variety of offensive and racist comments as well as sexually explicit and degrading comments about particular female classmates whom they identified by name.  The racist posts discussed fights at the school and mocked black students.  A third student added another racist post.

The Wilsons initially told only several of their friends about NorthPress and claimed they intended only their friends to know about it, but word about the site quickly spread to the study body at their school.  The school initially suspended the Wilsons for ten days, and after the matter went through further proceedings at the school district level, the Wilsons were suspended for 180 days but allowed to enroll in another school for the duration of their suspensions.  The Wilsons filed a lawsuit for a preliminary injunction to lift the suspensions.  The district court granted the preliminary injunction, but on appeal, the Eighth Circuit reversed.

Reviewing cases that analyze the applicability of Tinker to off-campus student speech, the Eighth Circuit ruled that the blog posts in question targeted the school, could reasonably be expected to reach the school or impact the environment, and caused considerable disturbance and disruption.  As a result, the Wilsons were unlikely to succeed on the merits, and so they were not entitled to an injunction.

LegalTXTS Lesson:  Cyberbullying is a serious issue, but schools should be careful not to overreact.  The reality is that much of the online material students post and share these days has a good chance of offending someone or being considered inappropriate by adults.  That doesn’t give schools the authority to police online content however they like.  Off-campus speech is punishable when it threatens to endanger danger to another student or cause substantial disruption in the school environment, but not merely because some would find it “inappropriate.”

How this rule is applied, however, depends on the sensitivity of the court.  The courts in R.S. and S.J.W. could have gone either way.  The court in R.S. could have concluded that the sexual conversations between two very young students presented a risk of substantial disruption in the classroom.  On the other hand, the court in S.J.W. could have held that the blog was never targeted at the school community, and therefore, its contents did not justify meting out school discipline.  Perhaps we’ll get more consistency in court rulings after Supreme Court decides to weigh in on the constitutional limits to combating cyberbullying.

 

A $22.5 million settlement of FTC’s charges that Google secretly used cookies to track the activity of Safari users gained court approval last week.  The charges were based on an earlier settlement of charges that Google used the private information of Gmail users for its Buzz social network.  The FTC and Google settled those charges in October 2011 with a consent order prohibiting Google from future misrepresentations regarding (1) its collection and use of private information and its customers’ control over that information; and (2) its membership and compliance with privacy or security programs.

The FTC alleged that Google violated the Buzz consent order by assuring Safari users that the browser’s default settings would block Google tracking cookies, but overriding Safari’s blocking software and secretly collecting cookies from Safari users.  The FTC also alleged that Google’s use of Safari cookies without informing its users violated the code of conduct of the Network Advertising Initiative, of which Google represents it is a member.

The court approved the proposed consent order settling those charges in a decision issued last Friday (read the decision here).  The proposed consent order would require Google to pay a civil penalty of $22.5 million—the most a company has ever paid for violating an FTC order.  Google must also maintain systems that delete Google cookies from Safari browser users and report to the FTC on compliance with the consent order.  The consent order does not require Google to admit that it violated the Buzz consent order, however.

Amicus curiae Consumer Watchdog objected to the proposed consent decree on the grounds that it did not impose a permanent injunction on Google, that the $22.5 million penalty was too small, and that Google should be required to admit liability.  Judge Susan Illston of the U.S. District Court for the Northern District of California rejected Consumer Watchdog’s arguments, finding the settlement “fair, adequate and reasonable.”

Facebook is being sued in a $15 billion lawsuit alleging that the popular social media company secretly tracked the Internet activity of its users after they log off (the First Amended Complaint is available here).  The case is a consolidation of nearly two dozen lawsuits filed in ten states, including one here in Hawaii (Quinn v. Facebook, Inc., 1:11-cv-00623).  The lawsuit alleges violations of the U.S. Wiretap Act, the Stored Communications Act, and Computer Fraud and Abuse Act.

In July, Facebook filed a motion to dismiss the lawsuit on the ground that the plaintiffs failed to allege sufficient injury.  At the hearing on the motion on October 5, Facebook’s attorneys argued that the plaintiffs haven’t identified the websites they visited, the kind of information that Facebook collected, or whether Facebook disclosed any information to anyone else.  The lawyer representing the subscribers countered that generalized allegations of harm are sufficient at this stage of the case, and that Facebook’s alleged practice of tracking their users’ Internet activity was not disclosed as part of Facebook’s privacy policy.   The court’s ruling on the motion to dismiss is pending.

On September 5, the Federal Trade Commission published its first guide specifically with mobile app developers in mind.  Entitled “Marketing Your Mobile App: Get It Right From the Start,” the guide is not legally binding, but it does set out guidelines to help mobile app developers comply with truth-in-advertising and privacy laws.  In particular, the guide lays out seven principles for complying with federal data privacy requirements under statutes like the Graham-Leach-Bileley Act, the Fair Credit Reporting Act, the Child Online Privacy Protection Act, and the Federal Trade Commission Act.  Click here for the press release and a link to the guide.