📽 Data Warrants From Across the Pond: Fighting Crime While Preserving Privacy

Congressional Internet Caucus Advisory Committee

Is an IP Number the Same as a Telephone Number? :: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)

Both telephone numbers and IP numbers function as network addresses. Are they analogous in terms of law and policy? The recent Second Circuit decision U.S. v Ulbright (The Silk Road Case) concludes that they are. But of course the answer to this question depends on the context in which it is asked.

Source: Wikicommons

CASE SUMMARY: "Defendant Ulbricht appeals from a judgment of conviction and sentence to life imprisonment entered in the United States District Court for the Southern District of New York. A jury convicted Defendant of drug trafficking and other crimes associated with his creation and operation of Silk Road, an online marketplace whose users primarily purchased and sold illegal goods and services. He challenges several aspects of his conviction and sentence, arguing that (1) the district court erred in denying his motion to suppress evidence assertedly obtained in violation of the Fourth Amendment; (2) the district court committed numerous errors that deprived him of his right to a fair trial, and incorrectly denied his motion for a new trial; and (3) his life sentence is both procedurally and substantively unreasonable. Because the appellate court identified no reversible error, it AFFIRMED Defendant's conviction and sentence in all respects."

In this post, we look at Defendant's claim that evidence was obtained in violation of the Fourth Amendment, specifically that for purposes of Trap and Trace, an IP number is not functionally the same as a telephone number.

FACTS: Suspecting Defendant's involvement in Silk Road, law enforcement agents (LEAs) obtained five pen/trap orders pursuant to 18 U.S.C. § 3121-27. "The orders authorized LEAs to collect IP address data for Internet traffic to and from Defendant's home wireless router and other devices that regularly connected to Defendant's home router." "The pen/trap orders did not permit the government to access the content of Defendant's communications, nor did the government 'seek to obtain the contents of any communications.'"

"According to Defendant, the government's use of his home Internet routing data violated the Fourth Amendment because it helped the government match Defendant's online activity with DPR's use of Silk Road. Defendant argues that he has a constitutional privacy interest in IP address traffic to and from his home and that the government obtained the pen/trap orders without a warrant, which would have required probable cause."

RULE: "The government obtained the orders pursuant to the Pen/Trap Act, which provides that a government attorney "may make [an] application for an order . . . authorizing or approving the installation and use of a pen register or a trap and trace device . . . to a court of competent jurisdiction." 18 U.S.C. § 3122(a)(1). A "pen register" is defined as a "device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted," and "shall not include the contents of any communication." Id. § 3127(3). A "trap and trace" device means "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication." Id. § 3127(4). Like pen registers, trap and trace devices may not capture the "contents of any communication." Id."

The level of legal process required is an application to a court, unlike a Fourth Amendment search and seizure that requires a warrant. LEAs receive transactional information about the communications, such as the communications' addressing. Courts have held that pursuant to the Third Party Doctrine, individuals have no expectation of privacy in transactional information - individuals turn this information over to network providers in order to set up and complete communications.

It is settled caselaw that telephone numbers are "addressing" that fall within this precedent. They are network addresses used by individuals given over to the network provider to set up and complete telephone calls. According to the Supremes,

Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.

Smith v. Maryland, 442 U.S. 735, 743-44 (1979) .

ISSUE: Is an IP number an "address" analogous to a telephone number?

ANALYSIS: Federal courts have concluded that IP numbers provide the same function as telephone numbers and fall under the Third Party Doctrine in the same way as telephone numbers.

E-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742, 99 S.Ct. 2577. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information. Like telephone numbers, which provide instructions to the "switching equipment that processed those numbers," e-mail to/from addresses and IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers. Id. at 744, 99 S.Ct. 2577.

United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008).

The 2nd Circuit in Ulbright agrees with the 9th Circuit, stating that "the recording of IP address information and similar routing data, which reveal the existence of connections between communications devices without disclosing the content of the communications, are precisely analogous to the capture of telephone numbers at issue in Smith… The substitution of electronic methods of communication for telephone calls does not alone create a reasonable expectation of privacy in the identities of devices with whom one communicates."

HOLDING: IP numbers are analogous to telephone numbers for purposes of Trap and Trace and Pen Registers.

WHERE IP NUMBERS and TELEPHONE NUMBERS INTERSECT: There are other points where IP numbers and telephone numbers intersect. Recently the FCC in the 2015 Open Internet order revised the definition of " telecommunications service" to include networks that utilize the North American Numbering Plan as well as ICANN's IP address resource. When the FCC then applied privacy regulations to the Internet, the Internet Society adamantly argued that IP numbers are not analogous to telephone numbers. . However, ISOC elsewhere indicated support for the Open Internet. ISOC's concern appeared to be less about the analogy and more about applying "telephone era regulations to the Internet."

The analogy between IP numbers and telephone numbers has also arisen in the context of Regional Internet Registries (RIRs) who have grappled with address transfers and whether network addresses are the property of the assignee or of the network. FCC precedent has held that network addresses are the property of the network, not the subscriber - a policy necessary to ensure the efficient operation of the network. A policy that views network addresses as the property of subscribers encumbers the network resource in bankruptcy proceedings, trademark disputes, mergers and acquisitions, and speculations. Following the precedent of the telephone numbering resource, RIRs have contractual terms that state that IP numbers are the property of the RIRs and not assignees.

Finally, IP Numbers and telephone numbers intersect with VoIP. iVoIP providers need access to the telephone number resource in order to assign telephone numbers to their customers and must make number portability available. They also need to be able to interconnect with other North American Numbering Plan networks (in other words, reach other network end points addressable by telephone numbers). See also ENUM.

CITATION: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)

⚖ Can You Legally Disclose Illegally Intercepted Communications to the Author of the Communication?

CRIMINAL LAW 101 EXAM (You have 1.5 hours)

QUESTION: Is it a violation of the Wiretap Act to disclose your own email to yourself?

(Stop laughing) (Seriously, you are being graded on this)

FACTS: "The action arises from the [PLAINTIFF and DEFENDANT]'s acrimonious divorce. DEFENDANT accused PLAINTIFF of serial infidelity, so in discovery PLAINTIFF asked DEFENDANT for all documents related to that accusation. DEFENDANT complied and produced copies of incriminating emails between PLAINTIFF and several other women..."

CAUSE OF ACTION: "PLAINTIFF alleges that DEFENDANT violated the Wiretap Act by surreptitiously placing an auto-forwarding 'rule' on his email accounts that automatically forwarded the messages on his email client to her. He also claims that DEFENDANT's divorce lawyer violated the Act by 'disclosing' the intercepted emails in response to his discovery request. The district judge dismissed the suit on the pleadings."

On this final exam, we concern ourselves only with the later action regarding disclosing of emails.

RULE: 18 USC s 511(1)(c) prohibits the disclosure of intercepted communications:

[A]ny person who- (c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; . . . shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

ANALYSIS: Getting past whether this was in fact an interception, is it disclosure? Couple problems, as the court points out:

• PLAINTIFF "already knew the contents of the intercepted emails."
• PLAINTIFF "invited their disclosure by requesting them in discovery in the divorce action" - the court suggests that requesting your own emails in discovery is tantamount to "consent" for disclosure of those communications.
• Then the Court pontificates, "to 'disclose' something means '[t]o make (something) known or public.'... [DEFENDANT's ATTORNEY] did not publicly disclose PLAINTIFF's emails, and their content was hardly unknown to PLAINTIFF. "

CONCLUSION: "[E]ven if the emails were unlawfully intercepted, [DEFENDANT's ATTORNEY] did not unlawfully disclose their content by producing them in response to PLAINTIFF's discovery request."

Nope, it aint a violation of the Wiretap Act to disclose the contents of a communication to the communicator of that communication.

NOTE: 18 USC 2511(1)(c) specifically states anyone who "intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication" has violated the Act. Here we have a play with three actors. We have the communicator, the interceptor, and the "other." PLAINTIFF is the communicator. DEFENDANT is the interceptor. For this tragedy to work, there needs to be one more person. There needs to be the "other" (and DEFENDANT's ATTORNEY counts in this play as DEFENDANT and does not count as "other."). Lacking the "other," the tragedy is incomplete and the cause of action fails.

Epstein v. Epstein, Court of Appeals, 7th Circuit 2016

As the Nebuad Litigation Turns.... Mortensen v. Bresnan Communications

The litigation fallout from ISPs partnership with Nebuad continues.  Today's decision is the latest chapter out a lawsuit against a Montana ISP:

In 2008, Bresnan [Defendant ISP] entered into a temporary arrangement with advertising company NebuAd, Inc. Under the arrangement, in exchange for a share of NebuAd's advertising revenue, Bresnan [Defendant ISP] allowed NebuAd to place an appliance in its Billings, Montana, network. The appliance allowed NebuAd to gather information and create profiles of subscribers in order to target them with preference-sensitive advertising. Bresnan contends that it provided specific notice to consumers about the NebuAd trial and allowed individuals to opt out. Under a heading labeled "About Advanced Advertising," the company website provided detailed information about the trial. It also gave a list of thirteen frequently asked questions with corresponding answers that assured customers that no personally identifying information, such as first and last name, physical street address, email address, telephone numbers, or social security numbers would be collected. Plaintiffs contend that this notice was misleading and that consent was never obtained.

Plaintiffs brought suit Defendant ISP for violations of the Electronic Communications Privacy Act (dismissed previously), the Computer Fraud and Abuse Act, Montana state privacy law (dismissed previously), and trespass to chattels. 

Today's decision takes a contortious turn, not on Internet law (my normal beat), but on the Supremacy Clause of the U.S. Constitution and Defendant ISP's choice of law provision in the terms of service.  Today's case involves a Montana subscriber, an ISP doing business in Montana, an action that transpired in Montana, and a claim for a violation of a Montana law.  Pop Quiz: what state's law should apply??

Hint: The ISP is headquartered in New York and incorporated in Delaware.

Hint two:  The terms of service say that the law of New York applies (thus a cause of action based on Montana law would be bupkis).

Hint Three: The terms of service says that all claims shall be submitted to arbitration pursuant to the Federal Arbitration Act.

Okay, that seems unfair.  The case involves a Montana subscriber, an ISP's operations in Montana, and a violation that purportedly transpired in Montana.  Why should New York's law apply?? 

And when its seems this unfair, and when the customer has no choice in the matter, we call this a contract of adhesion, void as a matter of public policy.  That's what the lower court concluded, stating that Montana citizens had a constitutional right to trail by jury and access to the courts. Therefore, Plaintiff's litigation should go forward.

Not so fast, said the appeals court.  You see, there is this federal law called the Federal Arbitration Act, and it strongly favors arbitration. "Any general state-law contract defense, based in unconscionability or otherwise, that has a disproportionate effect on arbitration is displaced by the FAA."  If you are going to say that a contractual provision requiring arbitration is unconscionable because of some Montana law, then that state law is preempted - you lose.

Now comes the twister:  The Federal Arbitration Act just kicked the legs out from Montana saying its citizens have a right to a trail over arbitration.  Okay, what about the choice of law?  Does Montana law or New York law apply?  "Montana uses the Restatement (Second) of Conflict of Laws § 187(2), which finds a choice-of-law provision overcome where 

(1) Montana has a materially greater interest in the transaction than the state whose law was selected by the parties and 
(2) application of the selected state's law would be contrary to Montana's public policy."

Does Montana have a greater interest in this case?  Sure, says the court.  "The contract was received by the consumers in Montana as part of their Welcome Kit, and the contract governed services provided in Montana to Montana residents. The subject matter of the contract and performance of it took place almost entirely in Montana."

But here's the problem.  With the preemption of Montana law by the Federal Arbitration Act, there is no longer a public policy conflict with Montana law.  New York law favors arbitration; Montana law does not - Montana's disfavorance of arbitration got the boot.  Lacking a public policy conflict, the test for overriding a choice-of-law provision in a contract now fails.


Outside of the legal holding and the status of this litigation, the Court provides background on how another Nebuad litigation was resolved:

After NebuAd's temporary arrangement with Bresnan to gather information from the subscribers ended, a class of plaintiffs, including those involved in the present action, brought suit in the United States District Court for the Northern District of California against NebuAd and several Internet service providers who hosted NebuAd appliances, including Bresnan. Bresnan and the other providers moved to dismiss the action for lack of personal jurisdiction and failure to state a claim. The district court granted this motion finding personal jurisdiction lacking. Valentine v. NebuAd, Inc., No. C08-05113 TEH, 2009 WL 8186130, at *3-10 (N.D. Cal. Oct. 6, 2009). NebuAd became the sole defendant in that action and eventually reached a court-approved settlement with the plaintiffs.

According to Wikipedia, "Due to fallout following public and Congressional concern, NebuAd's largest ISP customers have all pulled out. NebuAd closed for business in the UK in August 2008, followed by the US in May 2009. NebuAd UK Ltd was dissolved in February 2010."

Data and Text on Cell Phone Not Protected by Stored Communications Act #ECPA

Case: Garcia v. City of Laredo, Court of Appeals, 5th Circuit 2012

Issue:  Are data and text stored on a personal cell phone protected by the Stored Communications Act?

Rule:

18 USC § 2701 Access: (a) Offense.- Except as provided in subsection (c) of this section whoever-

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Question:  Is a cell phone a "facility" as defined under the SCA?

Discussion:

The Eleventh Circuit's decision in United States v. Steiger provides useful guidance. 318 F.3d 1039, 1049 (11th Cir. 2003). In Steiger, when a hacker accessed an individual's computer and obtained information saved to his hard drive, the court held such conduct was beyond the reach of the SCA. Id. The court found that "the SCA clearly applies . . . to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system," but does not, however, "appear to apply to the source's hacking into Steiger's computer to download images and identifying information stored on his hard-drive." Id. It noted that "the SCA may apply to the extent the source accessed and retrieved any information stored with Steiger's Internet service provider." Id. (emphasis added).

A number of district courts that have considered this question have also concluded that "the relevant `facilities' that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage." Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11-cv-01073, 2012 WL 3862209, at *9 (S. D. Ohio Sept. 5, 2012) (emphasis added). Recently, the Northern District of California held that a class of iPhone plaintiffs had no claim under the SCA because their iPhones did not "constitute `facilit[ies] through which an electronic communication service is provided.'" In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057-58 (N.D. Cal. 2012).^[5]

Thus these courts agree that a "home computer of an end user is not protected by the SCA." Kerr, supra, at 1215 (footnote omitted). As explained by Orin Kerr in his widely cited law review article, the words of the statute were carefully chosen: "[T]he statute envisions a provider (the ISP or other network service provider) and a user (the individual with an account with the provider), with the user's communications in the possession of the provider." Id. at 1215 n.47 (emphasis added) (citation omitted).

This reading of the statute is consistent with legislative history, as "Sen. Rep. No. 99-541 (1986)'s entire discussion of [the SCA] deals only with facilities operated by electronic communications services such as `electronic bulletin boards' and `computer mail facilit[ies],' and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users' computers . . . ." In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512 (S.D.N.Y. 2001) (quoting S. REP. No. 99-541, at 36, reprinted in 1986 U.S.C.C.A.N. 3555, 3590).

Ken Burns Prohibition: Olmstead

The name Olmstead should be familiar to those students of Wiretap Law.  The law struggles to keep up with technology.  This is nothing new; the law struggled to keep up with technology a century ago.  Today we are struggling with the question of whether an individual has an expectation of privacy in a communications network.  That same question confronted the judiciary during prohibition.  Then the answer was no.  The expectation of privacy granted by the Fourth Amendment applied to your home; since a wiretap took place on telephone lines outside Olmstead's home, concerning communications that were being transmitted outside of Olmstead's home, there was no expectation of privacy and no 4th Amendment protection.

Watch the full episode. See more Ken Burns.

The seeds of destruction of Olmstead were written within the Olmstead opinion. Justice Brandeis, in his famous dissented, opined that the court had failed to recognize the Constitution as a living document. The Founding Fathers could not have anticipated all that would come after their time, nor did they intend for the Bill of Rights to be applicable only to the threats that occurred during their time. Brandeis wrote,

When the Fourth and Fifth Amendments were adopted, "the form that evil had theretofore taken," had been necessarily simple. Force and violence were then the only means known to man by which a Government could directly effect self-incrimination. It could compel the individual to testify — a compulsion effected, if need be, by torture. It could secure possession of his papers and other articles incident to his private life — a seizure effected, if need be, by breaking and entry. Protection against such invasion of "the sanctities of a man's home and the privacies of life" was provided in the Fourth and Fifth Amendments by specific language. But "time works changes, brings into existence new conditions and purposes." Subtler and more far-reaching means of invading privacy have become available to the Government. Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.

It would take four decades for the courts to wake up and reverse Olstead, and another two more decades for Congress to extend this expectation of privacy beyond telephone networks to computer networks.

Today, once again, it is said that there is no expectation of privacy in modern electronic communications; we should get over it.  History repeats itself.

WiFi Nets are not "Readily Accessible to the Public;" Google's Motion to Dismiss EPCA Claim in SpyFi Case Denied

In re Google Inc. Street View Electronic Communications Litigation, No. C 10-MD-02184 JW., United States District Court, N.D. California, San Francisco Division. June 29, 2011.

PROCEDURE:  Defendant Google's Motion to Dismiss. Fed. Rule 12(b)(6)

BACKGROUND: "Plaintiffs bring this putative class action against Google, Inc. ("Defendant"), alleging three causes of action for violation of the federal Wiretap Act, 18 U.S.C. §§ 2511, et seq., violation of Cal. Bus. & Prof. Code §§ 17200, et seq., and violation of various state wiretap statutes. Plaintiffs allege that Defendant intentionally intercepted data packets, including payload data, from Plaintiffs' Wi-Fi networks utilizing specially designed packet sniffer software installed on Defendant's Google Street View vehicles."

ANALYSIS:

Wiretap Act

• Defendant: Plaintiffs have failed to plead that their Wi-Fi broadcasts were not "readily accessible" and thus, Defendant is entitled to exemption from liability under the Wiretap Act 18 U.S.C. § 2511(2)(g)(i) ("exemption G1");

• Plaintiff: 
• the Wiretap Act's statutory definition of "readily accessible" relied on by Defendant solely applies to "radio communications" under § 2511(2)(g)(ii) ("exemption G2") and is, thus, inapplicable to "electronic communications" under exemption G1 and the ordinary meaning of "readily accessible" should be used; 
• exemption G1 only applies to unlawful interception and access, and Plaintiffs allege that Defendant further used and disclosed the intercepted communications; 
• Court: 
• Congress defined "readily accessible to the public" in the context of radio communications.  18 USC § 2510(16). The District Court through statutory construction concludes that "radio communications" means traditional radio broadcast communications and not all wireless electronic communications, specifically not WiFi.
• "the Court finds that Congress did not intend Section 2510(16)'s narrow definition of "readily accessible to the general public" to apply for purposes of exemption G1."  In other words, the G1 exception would only apply to traditional radio, not something like Wifi.
• Motion to Dismiss Wiretap Act Claim denied
  

Preemption

• Defendant: Plaintiffs' claims based on state law wiretap statutes are preempted by the Wiretap Act and, alternatively, fail to state a claim; 
• Plaintiff: the state wiretap statutes are not preempted by the Wiretap Act either expressly, by field preemption, or by conflict
• Court: 
• "the Court finds that, while the ECPA contains no express preemptive statement on the part of Congress, the ECPA was intended to comprehensively regulate the interception of electronic communications such that the scheme leaves no room in which the states may further regulate."
• Motion to Dismiss as to this cause of action granted

State Cause of Action

• Defendant: Plaintiffs' "unlawful" and "unfair" Cal. Bus. & Prof. Code §§ 17200 claims are also preempted by the Wiretap Act and, alternatively, fail to state a claim or plead standing under Proposition 64. (Motion at 5-19.) 
• Plaintiff: claims under Cal. Bus. & Prof. Code §§ 17200, et seq., are not preempted by the Wiretap Act as they are qualitatively different and are properly pleaded. (Opp'n at 3-25.) The Court addresses each ground in turn.
• Court:  "the Court finds that Plaintiffs fail to plead facts sufficient to support Proposition 64 standing."  Motion to Dismiss as to this cause of action granted without prejudice.

ECPA Claim Dismissed: No Showing Def Was Connected to 3rd Party Who May Have Illegally Intercepted Email, Or That Def Knew Email May Have Been Illegally Intercepted

ZINNA v. Cook, Court of Appeals, 10th Circuit 2011:  In ECPA cause of Action, Def Motion for Summary Judgment granted where Pltf failed to provide evidence that 

• Def had any association with third party who may have illegally intercepted the email
• Def had any knowledge that email may have been illegally intercepted when Def disclosed the email

Facts: "Plaintiff Michael L. Zinna brought this action under the civil damages provision of the Federal Wiretap Act, 18 U.S.C. § 2520(a), claiming defendants conspired to intercept, disclose, or use certain electronic communications he had made. He alleged emails he sent to friends and associates on June 14, 2006, were intercepted by a third party and acquired by defendants, who posted information taken from them to an internet web site (ColoradoWackoExposed.com [no longer resolves]) later that evening in an effort to discredit him. The district court granted summary judgment for defendants, holding that Mr. Zinna failed to present evidence sufficient to create a triable issue that defendants either played a role in the alleged illegal interception or had knowledge of it when contents of the emails were posted on the internet. Mr. Zinna timely filed this appeal. As explained below, we affirm for substantially the reasons stated by the district court."

Analysis:

• RULE "Defendants could potentially be liable either for conspiring with [email interceptor] beforehand to intercept the emails or by conspiring to acquire the emails for the purpose of illegally disclosing and/or using them. See Thompson v. Delaney, 970 F.2d 744, 748-50 (10th Cir. 1992) (assessing claims of conspiracy to intercept and conspiracy to use or disclose in violation of Federal Wiretap Act)
• HOLDING: No competent evidence in the record ties defendants to the alleged interceptor, much less to show they conspired with him to engage in the illegal interception.
• RULE: Def could be liable for disclosure of emails that they knew were illegally intercepted.  "liability for use or disclosure of the contents of an intercepted communication requires both intentional conduct and knowledge that the information was obtained through the interception of a[n] . . . electronic communication in violation of [the statute]." Thompson, 970 F.2d at 748 (emphasis added and quotation omitted).
• HOLDING: Plaintiff has "not cited to any evidence in the record sufficient to support a reasonable inference that defendants knew the material posted on the web site derived from an illegal interception of email."

Hubbard v Myspace :: ECPA Cause/Action Dismissed

Hubbard v. MYSPACE, INC., Dist. Court, SD New York 2011

Cause of Action: Plaintiff claims Myspace's disclosure of member account information violated Stored Communications Act, on grants that magistrate issuing warrants lacked jurisdiction.

Procedure: Deft Motion to Dismiss

Holding: Georgia Magistrate has sufficient jurisdiction pursuant to 18 USC 2703(a) to issue warrants to Myspace Record Holder in California. Case dismissed.

In Which We Learn That an Email Stored on a Laptop is not in "Electronic Storage"

What is it about former-boyfriends or girlfriends and hacking into the ex's email account? There is a growing litany of caselaw developing in this area (would make a good law review article somebody!).

Today we review Thompson v. Kaczmarek, No. 2:10-cv-479 (Sept. 30, 2010). In the words of the court, the relationship between the Plaintiff and the Defendant "deteriorated." Defendant got her hands on Plaintiff's laptop and "became intent on embarrassing [Plaintiff] in revenge." Defendant allegedly turned over the alleged laptop to nefarious dudes with the skill to hack into the hard drive and retrieve allegedly embarrassing emails. Plaintiff sued them all.

As per normal, we are particularly interested in the causes of action based on federal law; in this case Plaintiff claimed that Defendants violated the Stored Communications Act (SCA).

I always struggle with the SCA and ECPA –doesn’t the SCA apply to email somehow magically in transit – and once you have downloaded the email to your own machine, whatever happens to that email is of no concern of ECPA/SCA? If accessing stuff on the Plaintiff's machine caused some type of consternation, wouldn’t that be more of a Computer Fraud and Abuse Act claim?

Let's go to the video tape and find out.

Before the Court is Defendant's Rule 12(b)(6) Motion to Dismiss for failure to state an SCA claim upon which relief can be granted. "[T]he question before the Court is whether the unauthorized access of previously received electronic mail messages ("e-mail") that had been downloaded by the recipient and saved to the hard drive of his personal laptop computer violates the Stored Communications Act." For purposes of this motion, Defendants assume "that Plaintiff did not provide them with authority to access the data saved to the laptop hard drive." The problem, Defendants argue, is that even if the access were unauthorized, this is not a situation covered by the SCA.

The relevant portion of the SCA 18 U.S.C. § 2701 states

whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Once an email has been downloaded and saved to a person's laptop, the electronic communication (the email) is no longer in electronic storage at the electronic communications service.

Okay, a few definitions.

"The SCA defines electronic storage as either a) 'any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof', and b) 'any storage of such communication by an electronic communications service for purposes of backup protection of such communication.' 18 U.S.C. § 2510(17); see also 18 U.S.C. § 2711(1) (providing that terms defined in § 2510 apply to Title II of ECPA)." The SCA is anticipating the brief, temporary, temporal storage that is involved in electronic, store-and-forward communications. It is when the email is stored on the email server. It is when the email is stored in transit. It is not after it has been received, read, and saved. It is not when the email is on Plaintiff's laptop.

Next, “'electronic communications system' means any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications." 18 U.S.C. § 2510(14). In other word, this is a service in the business of communications – not an end user. Even if Plaintiff wants to claim that the act of backing up his email makes him a "facility," it does not, concludes the court, make him an "electronic communications service."

Defendants' Motion to Dismiss Plaintiff's SCA Cause of Action is granted.

This time the allegedly hacking romantic ex-partner wins. See Global Policy Partners, Inc. v. Yessin, (EDVa Nov. 24, 2009) where the hacking-ex-partner loses. Plaintiff did not apparently raise a Computer Fraud and Abuse Act cause of action. Would the outcome have been different under the CFAA?

[Disclaimer]

What Arlington Public Schools Get Wrong About Email Privacy

Someone in Arlington Public School has woken up to the fact that email is a marvelously insecure way of communicating. Email is an application that moves a text file from one computer to another. A text file requires no special application to be read. It’s kind of like sending a postcard, and anyone who handles the postcard can read the postcard. Worst yet, everyone who handles the postcard can retain a copy of the postcard. Worst yet, anyone who receives the postcard can forward it on to 50 over their closest friends. Not very private or secure.

APS handles a lot of messages between parents, teachers, students, and administrators. A good bit of those messages personal content and sensitive information.

[Paragraph One] + [Paragraph Two] = An APS Disclaimer:

"This communication was sent via the Arlington Public Schools mail system. Please be advised that email is not a secure form of communication. There should be no expectation of right to privacy in anything sent via electronic mail."

Excuse me? Did you just say I have no right to privacy?!?

Let’s go back to the chalk board. Simple because something is technically insecure does not mean that it is legally insecure. Just because I leave an apple out on a table does not mean that the government can legally swipe it.

The APS disclaimer uses two legal terms of art: “Expectation of Privacy” and “Rights.” An “Expectation of Privacy” and our Rights come from the US Constitution, and specifically here the 4^th Amendment. You will recall from public school social studies that the 4^th Amended states,

The right of the people to be secure in their persons, houses, papers, an effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

This right has been elaborated in wiretap law and the Electronic Communications Privacy Act (ECPA), which have developed the concept of an “Expectation of Privacy.” Where one has an Expectation of Privacy, the 4^th Amendment dictates that the government must have proper authority to search and seize our communications. ECPA specifically sets forth the subpoenas and warrants the government needs in order to access and read our email.

Add all this up: we have a Constitutional Expectation of Privacy in email, protected by the 4^th Amendment. It does not matter that it is woefully technically insecure. This is an Expectation of Privacy as against the government, and the government – this time APS – cannot take that away from us.

In other words, five years down the road, when FBI Agent Fox Mulder believes my kid is an alien, Agent Mulder may not simply go through APS email records related to my child. The emails may be insecure - but Mulder is barred by the Constitution from search and seizure without proper authority.

The US Supreme Court has time and again articulated the fundamental nature of privacy to our American experience:

The makers of our constitution undertook to secure conditions favorable to the pursuit of happiness... They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone – the most comprehensive of the rights and the right most valued by civilized men. – Justice Louis D Brandeis

APS gets it wrong. I would never put any sensitive information in an email; but that does not mean I don’t have an Expectation of Privacy in email or that the government can read it lacking proper authority.