a law blog covering electronic communications,
email, social networks, privacy, and more
The Randazza Fan Club
After the ruling was handed down, Eiland-Hall offered to return the domain name to Beck, stating in a letter that he defended against the UDRP action in order to prove a point and vindicate the First Amendment.
The cool part? Randazza now has a fan club. Randazza's filings were entertaining, and more importantly effective.
On the heels of the Glenn Beck win, Randazza also convinced a law professor who sued Above the Law to drop his claims.
In the midst of all this activity, he continues to blog up a storm. Head on over and check out his blog, if you haven't already.
Added: The Daily Beast as a nice piece on Eiland-Hall and the dispute.
Prof. Goldman Interviews Cindy Cohn of the EFF
- as far as organizations go, the EFF has probably been most influential in shaping the law in cyberspace (purveyors of adult content and other less mainstream content peddlers have been pretty influential but they obviously don't influence the law in a concerted policy-driven manner);
- great career advice - they chat in the interview about the "call that changes your career" .. great advice for students, lawyers, and people who are just looking to get into a particular area ("just do it" probably sums up the advice, but it's always always healthy to hear about how chance plays a role);
- good discussion on the Google Books Settlement and the privacy issues that the EFF brought to light;
- the discussion about whether she's a "geek" and what "geekiness" is was funny as well.
Starbucks Data Breach Plaintiffs Try Their Luck in the Ninth Circuit
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contain a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
[Cross posted at Prof. Goldman's blog.]
Dane's Claims Against Gawker Look Flimsy
Fair use is fact
-specific and it's notoriously difficult to predict whether a court will ultimately conclude that someone is entitled to the fair use defense. I'm somewhat surprised that Gawker is taking a hard line on the fair use issue. Maybe they are taking a stand in order to show everyone that the disappearance of so-called "old media" entities will not leave institutional First Amendment interests hanging? They could have taken down the tape (although they published it after receiving a demand from Dane's lawyers) after-the-fact, and likely come to some sort of easy settlement with Dane and company. However, aggressively defending the case, as they seem to be doing, only escalates the stakes. (Good for them for sticking to their guns.)Dane's claims are somewhat curious. Celebrities have been fairly successful in preventing publication of these types of tapes (see, e.g., Michaels v. Internet Entertainment Group, 5 F. Supp. 2d 823 (C.D. Cal. 1998)). (News organizations successfully asserted a fair use defense as to excerpts of the tape, but the court determined that full blown commercial exploitation of the tape by IEG was likely to infringe.) That said, given the snippets of the tape published by Gawker, it can probably assert a colorable fair use defense. But what is odd about Dane's claims is that he is only asserting copyright claims, and Gawker's publication pre-dated Dane's registration of the copyright in the tape. In other words, Dane should only be entitled to actual damages, or so Gawker argues pretty persuasively in a motion to strike [pdf] Dane's request for statutory damages. This puts Dane in an awkward spot. If the court agrees with Gawker and Dane ends up with only actual damages I'm not sure what Dane will end up doing. Some cases define actual damages as lost licensing revenues, or damage to the owner's ability to license the work. Gawker can argue that its own commercial exploitation of the tape did not impair the market for the tape since Dane had no intent to commercialize it. End result: Dane is awarded nominal damages and doesn't get his fees either. Ironically, Gawker's publisher Nick Denton invoked the words of Dane's own lawyer when commenting on the lawsuit:
Coverage at THR, Esq. here and here.To quote the great Marty Singer - Eric Dane's lawyer – 'If you don't want a sex tape on the Internet, don't make one!'
In these circumstances, celebrities also bring privacy (and personality rights) based claims, but Dane didn't assert any such claims. (Access a copy of the complaint here: [pdf].)
On a related note, a funner battle would be if someone decided to run the photos and videos described here.
There are Email Gaffes..and Then There are Email Gaffes
The short version: they're engaged in a steamy discussion regarding the details of their affair when he accidentally copies the entire school listserv. The story is so crazy it's almost unbelievable. "Guest of a Guest" - which appears to have first noted the story - sums it up best [link]:
I'm not even sure what to say to that, except it's well outside the "everyone will have at least one email gaffe in their professional lives" rule that I believe is true.Everyone has had at least one bad email incident that they have had to learn from. Some involve, say, sending an invitation and forgetting to bcc everyone. Or worse, sending an email complaining about your boss to, er, your boss, named Sarah (instead of your best friend Sarah). But, NO ONE, and we mean NO ONE has had a worse email gaffe than John X did about an hour ago.
(h/t Gideon)
Verizon Privacy Failure
Unless you provide us with notice that you wish to opt out within 45 days of receiving this letter, we will assume that you give us the right to share your CPNI with the authorized companies described above.Who is the information shared with? "affiliates," "parent companies," and "agents". "Agents" (??) The policy also states that the information will not be shared with "unrelated third parties." Legal issues aside, I have no idea from reading this who exactly my information will be shared with.
Interesting Reads -- November '09
- The Law of Social Media: Glenn Manishin has a series of essays on the legal issues raised by social media ("The Law of Social Media").
- Do Employers Own Social Content Created by Employees?: Jeremiah Owyang has a post on this issue ("Your Company May Own Your Tweets, Pokes, and YouTube Videos"), with comments from Lisa Borodkin. What I want to know? Who owns the underlying relationships formed by employees through social media?
- Spammy Advertising on Facebook: An interesting guest post on TechCrunch on this topic: "How to Spam Facebook Like a Pro: An Insider's Confession"
- Privacy Class Actions: Wendy Davis @ MediaPost: "Are Consumers Being Stiffed in Privacy Case Settlements?" N.D. Cal. judge rejects proposed settlement in class action involving TD Ameritrade data breach.
- Online Communities: From Wired: "The Assclown Offensive: How to Enrage the Church of Scientology". Very interesting article on the dynamics of the ongoing battle between 4chan and Scientology.
- Sanford Wallace: Word to the Wise: "While I hate to actually say 'Sanford Wallace changed my life,' it's not that far from the truth"
- California: Threat Level: "Schwarzenegger Flips Off Lawmakers in Hidden Message"
- Blogging: Simple Justice: "Blogging is Alive, And Aggravating"
- Lawyers: Vanity Fair (Bryan Burrough): "Marc Dreier's Crime of Destiny"... $380mm stolen through fake paper, embezzled escrow funds, etc.
- Licensing Agreements: WSJ: "Lawyerese Goes Galactic as Contracts Try to Master the Universe"
- Social Networking: Seth Godin: "Dunbar's Number Isn't Just a Number, It's the Law" ("the typical human being can only have 150 friends")
- Law Firms: ATL: "Quinn Emanuel Believes in 'C.B.A.' (Check Blackberry Always)" ... good response here.
A Social Network / First Amendment Question
I use the word "censor" in quotes because that's not really government censorship in the classical sense. The typical definition of censorship is when the government prohibits a private party from saying something. Outright prohibition (whether through judicial action or laws which regulate speech) lies at one end of the spectrum. A law prohibiting certain type of speech is a good example of this. At the other end of the spectrum, the government can try to penalize you for your speech. Firing you from government employment is one example of this, and courts agree that this type of a penalty raises First Amendment concerns. These situations are often treated differently from the circumstance when the government itself is the speaker. Courts agree that government speech does not raise the same First Amendment concerns as government interfering with private speech. It raises other concerns (e.g., Establishment Clause), but that's a separate issue. The government may even subsidize private speech, subject to other considerations such as the Establishment Clause, but this is also not typically viewed through the same lens as outright prohibition or regulation. The case law on this is a maze, and not surprisingly, the Supreme Court is less than unanimous on this issue. But at least some members of the Court adhere to the view that there is a fundamental distinction between funding speech and "abridging" speech. (See this discussion (from 1998) of a case challenging NEA funding on the grounds that it improperly required consideration of "decency". The current wikipedia page for "government speech" contains some good discussion.)
So, how about the scenario where the government pays someone not to speak? Say for example, you regularly protest the war on the street corner on Main Street, USA. The government doesn't like this, and it can't prohibit you or try to regulate your speech, but the government can probably pay you not to speak? (There are cases dealing with whether the government can require you to waive constitutional rights as a condition to receiving certain benefits, but this seems different.) Can the government pay a newspaper not to run a story? How about the government paying Facebook to take down certain types of fan pages. How about the government paying Twitter to filter out certain types of tweets? Most likely this would be politically untenable, because the government could not keep this type of an arrangement secret, but how would this be analyzed from a First Amendment standpoint? Must the government be content-neutral when it engages in this conduct?
These are probably far-fetched hypotheticals, unless you live in certain countries (see "US lawmakers scold tech companies for China censorship"), but they are interesting to think about.
Court: Prosecutors Can't Rummage Around in a Defendant's Gmail Account
Interestingly, the defendant whose email was disclosed by the government as evidence in the Bear Stearns case prevailed in a motion to suppress the gmail evidence. (US v. Cioffi, et al., Case No. 08-CR-415 (FB) (E.D.N.Y.; Oct. 26, 2009).) (Access a copy of the ruling at Scribd [pdf] here; see the WSJ story here ("In Setback for Bear Stearns Case, Judge Suppresses Email").)
Facts: The government initially obtained an email sent through non-company email accounts between Cioffi and Tannin (the two defendants) talking about how the "subprime market looks prettyugly . . . ." The government used this email to support its allegation sthat Tannin used his personal (gmail) account to commit or further the crimes. The government's affidavit argued it needed to search the gmail account, but offered certain limitations on the access - for example,the search would be limited to emails created on or before the day prior to the defendant's retention of counsel, in order to avoid interception of privileged communications. The affidavit also noted that "the nature of electronically stored data" required the authorities (rather than Google) to search through the email account.
The magistrate judge issued the warrant, but did not attach the affidavit to the warrant. The government went to Google, which initially wrote to the government that "it was no longer able to extract the information requested in [the warrant] because Tannin's account had been deleted." Several months later, "on the eve of trial,"Google advised that it had located a copy of the account and delivered a copy of its contents to the government. (??)
The Court's Ruling: The critical issue in front of the court was whether the warrant was sufficiently particular as to minimize unnecessary invasions into the suspect's privacy. The court noted at the outset that Tannin had "a reasonable expectation of privacy in the contents of his personal email account." The government did not dispute this point. (This doesn't seem to be a settled issue,as noted in the case mentioned below.) Turning to particularity, the court notes that searches of documents, data, computers, and email accounts raise tricky issues as to what level of particularity is required. A couple of different approaches have been used to avoid a general search by the government: (1) providing keywords or other search parameters in advance; or (2) having a third party conduct the search and segregate responsive information from non-responsive information.
The court noted that an overly broad warrant may be cured by incorporation of an affidavit that would constrain the agents' search,but Second Circuit cases have been less receptive lately to this approach. (In the context of a digital search, it would seem that this wouldn't work as well as it would with respect to physical objects. Exposure to data that doesn't fall within the search warrant would compromise the suspect's privacy and would undermine the whole point of particularity in this context.) Regardless of whether the affidavit could have cured the warrant's particularity problem, the affidavit was not actually attached to the warrant, so this argument was not in play.
The court ultimately concludes that the warrant did not comply with the Fourth Amendment. The government sought to invoke exceptions in order to have the evidence admitted notwithstanding these issues, but the court rejected both of these attempts. With respect to the good faith exception, the court was emphatic:
[t]his case. . . is not about search terms or firewalls. It is, rather, about the fundamental and venerable prohibition on general warrants. Since 'it is obvious that a general warrant authorizing the seizure of evidence without mentioning a particular crime or criminal activity to which the evidence must relate is void under the Fourth Amendment . . . no reasonably well trained officer could believe otherwise.'As to inevitable discovery - the second exception - the court's ruling is also interesting. The court seemed to say that the government could only satisfy particularity after having seen the emails procured by the overbroad warrant: "the government's timing still presents a problem:[h]aving seen the November 23rd email, the government is now in a position to obtain a warrant with perfect particularity. There is, in other words, no way to purge the taint of its unconstitutionally overbroad search."
***
I can't tell if the government just dropped the ball here or whether there's something more to it. One view is that if the government had a narrow warrant application and the magistrate judge issued a narrow warrant, the government could have probably obtained the information they ultimately sought? On the other hand, the court is rightly skeptical that the government could have obtained the emails at issue by providing a set of keywords to Google. After all, wasn't this the argument the government used to justify the fact that the search needed to be conducted by the government, rather than by Google or by a third party? The court's rejection of the government's inevitable discovery argument seems significant. [My practice does not stray into the realm of criminal cases so take that with a grain of salt. I'm curious to see what people like Orin Kerr and Scott Greenfield have to say. Congrats to Professor Kerr, whose "Searches and Seizures in a Digital World" article is cited by the court. He has also posted extensively on a recent Ninth Circuit decision that bears on these issues: United States v. Comprehensive Drug Testing, Inc., 579 F.3d 989 (9th Cir. 2009).]
Interestingly, Professor Kerr notes a recent decision from federal court in Oregon where the court held that email was not covered by the Fourth Amendment. Pointing to the Google terms of service, the court held that most users expect their emails to be shared with Google employees and other third parties, and the account-holder was thus not entitled to notice before the government obtained a warrant to search someone's gmail account. I think the account-holder still has the ability to challenge the search after-the-fact (as did the defendant in Tannin). Either way, the ruling obviously raises issues around process in the garden variety case. When do you as the account-holder receive notice of a government search?Does Google have a consistent policy on this?
I'm still sticking with my instinct that using a third party service such as gmail raises the risk that your emails end up in the hands of prosecutors. I'm also curious about Google's policies for dealing with these sorts of issues.
Judge Rejects Attempts by Texas Plaintiffs to Intervene in Beacon Class Action
In orders issued today, Magistrate Judge Seeborg denied the request to intervene brought by the Texas plaintiffs and conditionally approved the class certification and settlement ironed out by the parties to the Northern District of California lawsuit. Judge Seeborg noted that although the lawsuits were "related," the Texas plaintiffs were aware of the California class action in September 2008. Thus, their request to intervene was untimely.
Quick thoughts on the ruling:
1. The court notes that to the extent the Texas plaintiffs have substantive objections to the settlement, these objections can be raised at a later date.
2. With the caveat that I'm not familiar with the nuances of class action procedure, I would guess it will become tougher to object to a settlement further down the road. As a practical matter, conditional approval will set in motion the process of notifying potential class members and providing them the opportunity to opt-out. A low number of opt-outs may be viewed as an indication that there's not really enough of a separate class that objects to the terms of the settlement conditionally approved by Magistrate Judge Seeborg to warrant a second class action. (On a related note, I wonder if the Texas plaintiffs will mount some sort of campaign to try to demonstrate that a substantial number of potential plaintiffs object and the settlement should not be given final approval. I'm guessing they won't set up a Facebook group as part of this campaign, but you never know!)
3. It's sort of awkward for a group of putative plaintiffs who filed their lawsuit first to have their claims extinguished by a later filed class action. Blockbuster was named in the second filed action (in California) and to the settlement in the California lawsuit is approved, my instinct is that this may effectively kill the class claims asserted in the Texas lawsuit against Blockbuster. (There was some activity in the Texas lawsuit about whether the claims are subject to arbitration. The court in Texas found that Blockbuster's terms of service were "illusory," and rejected Blockbuster's request to arbitrate. Blockbuster has appealed this ruling.)
4. The terms of the settlement in the California lawsuit do not provide for payment of compensation to non-named class members. (See the notice approved by the court here: [pdf].) On the other hand, the Texas lawsuit alleged violations of the Video Privacy Protection Act, which provides for statutory damages.
5. The notice of settlement will be published through newspapers, and of course, "through Facebook updates."
It will be interesting to see how this plays out. [Cross posted at Prof. Goldman's.]
