CyberLaw P.C. - Internet and Technology Law Firm

The media has picked up on a case in the 9th Circuit that examines the definition of an “intercept” under the Wiretap Act. The district court judge in Bunnell v. Motion Picture Association of America found that a hacker had not “intercepted” messages when he simply copied messages being sent via company servers to a Google Mail account. The judge ruled that because the hacker “did not stop or seize” the messages, there was no intercept.

There are two reasons that such a decision should not stand. First, Judge Florence-Marie Cooper found that “under . . . the ordinary meaning of the word 'intercept,' [the hacker’s] acquisitions of the e-mails did not violate the Wiretap Act.” A quick look at the dictionary entry for the word “intercept,” however, seems to disagree. The second entry for intercept reads “to see or overhear (a message, transmission, etc., meant for another): We intercepted the enemy's battle plan.” The hacker in this case “saw or overheard” e-mail messages, so the “ordinary meaning” argument falls somewhat flat. This is particularly true when Section 2510(4) of the Wiretap Act defines the word “intercept” as being the “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”

Second, the (seemingly) clear policy initiative of the Wiretap Act is that “Interception and disclosure of wire, oral, or electronic communications [are] prohibited.” It’s hard to fathom that Congress intended to allow such “copy and forward” procedures. Particularly when the headings in the Wiretap Act are as concerned with “disclosure” as “interception.”

While the 9th Circuit’s decision won’t be binding on other Circuits, it’s worth watching. A decision upholding the lower court will definitely lead to renewed privacy fears in both a criminal and civil vein.

A new bill, entitled “Technologies for Restoring Users' Security and Trust” (TRUST) in Health Information Act, has been introduced as House Resolution 5442. The bill regulates the use of information technology within the American health care system and seeks to protect the privacy and security of patient medical information. According to Congressman Markey, one of the bill’s sponsors, TRUST:

• Empowers patients to keep their medical records out of health IT systems unless they first give their consent;

• Requires patients to be notified if systems containing their health information are breached and their records are exposed;
• Mandates the use of data security safeguards such as encryption and other technologies that render information unreadable to individuals who are not authorized to access it;
• Authorizes grant funding to enable the purchase and enhance the use of qualified health IT systems;
• Establishes a public-private partnership to make recommendations concerning health IT standards, criteria for the electronic exchange of personal health information and related purposes to encourage the creation of a nationwide interoperable health information technology infrastructure.

This is a welcome bill, which has been endorsed by numerous privacy and medical groups. There have been some questions about electronic personal health records and how they may be covered under existing privacy law, such as the Health Insurance Portability and Accountability Act (HIPAA). In addition, virtually anyone that studies privacy matters agrees that health privacy is one of the most sacred privacies and should be subject to greater protections than, for example, marketing studies or other commercial privacy concerns.

The Washington Post has a feature on the story of Megan Meier, the girl who committed suicide based on messages she received from a group of cyberbullies. The feature tells the entire story of the saga from start to end, and nicely illustrates the mentality and organization of online groups with questionable intentions.

Also of interest is the limited statutory options prosecutors had in attempting to charge the cyberbullies. This tragic story will likely be a watershed point in cyberbullying and one would hope that it would at least help to prevent similar stories from occurring in the future.

To address important consumer privacy concerns associated with online behavioral advertising, the Federal Trade Commission recently released a set of proposed principles for advertisers to follow.

The “principles” include (a) that web sites that collect behavioral data should prominently display this fact and give consumers the option to “opt-out” of the collection, (b) any data that is collected should be “reasonably protected” by the collector and the collector should retain the data only for legitimate business or law enforcement needs, (c) companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising, and (d) companies should obtain affirmative express consent from affected consumers as a result of materially different privacy policies or other changes.

The FTC’s concentration on this issue is good news. Whether an online advertiser or a user of the “Web 2.0” type sites, there is a need for more clarity as to the issues that arise in behavioral advertising. The FTC’s initial proposed principles make sense for all involved parties.

The devil, as usual, is in the details. Defining information that qualifies as “behavioral data” and similar tasks are still in front of the FTC and parties that choose to comment on the proposed principles. The initial suggestions are reasonable, however, and we can expect to see changes, if any, in the details as opposed to the broad policy principles.

Organizations that maintain personal data are spending more money and time on improving security, but many are finding that investments are too late or insufficient.

Various watchdog groups report that the number of compromised records in 2007 reached 162 million records worldwide. The groups reported that 2007 was a record year for the number of privacy security breaches.

While the numbers are interesting, there are two issues worthy of note. First, the numbers provided by the watch dog groups are primarily “reported” breaches. The likelihood that there were millions of additional breaches that never made it into the public view is quite likely.

Secondly, one of the most telling statistics is the high level of breaches caused by inappropriate handling or human error, compared to attempts by hackers to compromise data. While security as to outside threats must continue to be a priority, organizations must give equal importance to appropriate training and security practices for all personnel who handle sensitive data.

E911 location tracking, a service initially mandated by the federal government of wireless providers to track missing persons and for other purposes, is now being used by the wireless providers to earn a profit. Sprint Nextel provides a "loopt" that sends an alert when a friend is near, and Verizon’s Chaperone service allows parents to set up a "geofence" around a defined area and receive an automatic text message if their cell phone carrying child travels outside that area.

While these services can be useful for consumers that opt in to tracking, they are beginning to offer some legal problems when law enforcement attempts to mandate their use to track criminal activity. Many attempts have been rebuffed by Federal magistrates as insufficiently specific to allow for such tracking. Many of these rulings, typically not fit for publication in legal reporters, are being published by judges in an effort to create a standard. Other judges have granted requests for data without a probable cause standard as to suspect’s location so long as the data is limited to identifying the cellular tower servicing the suspect, which is a less precise method of tracking an individual.

It seems surprising that this issue is as polarizing as it is. The probable cause standard is still the standard required for requests for surveillance. On the other hand, there are some areas of law that don’t require probable cause at all, such as public surveillance, which law enforcement can argue is appropriate when tracking open wireless signals.

The vast differences in rulings among federal judges suggest that a more formal ruling as to the appropriate standard is now appropriate. Hopefully federal appeals courts and perhaps eventually the Supreme Court can help to settle the differences seen in the current climate.

Seeking to follow the successful example of the FTC’s “Do Not Call” list, a variety of privacy groups have now proposed a “Do Not Track” list that seeks to create a list for consumers that would prefer to “opt-out” of being tracked for behavioral marketing campaigns.

The proposal surmises that consumers would want to avoid having their online activities monitored for marketing purposes and mandates that advertisers respect the wishes of the consumers on the list. Being on the list, however, would not lead to any reduction in “direct advertising.” The results of being on the list would be mostly translucent to a consumer.

Advertisers generally do not support the proposal. Most argue that targeted advertising is beneficial to consumers, who benefit from ads that are more relevant to their interests and needs. Advertisers also warn that targeted ads help to support free content on the Internet and elsewhere. A reduction

These are the types of issues that the FTC will likely begin to focus upon in the upcoming years. Both sides have good arguments for their respective positions. The likely result, however, is the eventual implementation of a “Do Not Track” style list. The FTC will likely determine that consumers are the ones who should ultimately decide which of the two sides of the issue is correct. Those that agree with the privacy groups will join the list, those that agree with the advertisers will simply avoid the list to encourage the more targeted advertising.

Internet advertisers’ attempts at self regulation as to privacy matters are not meeting the necessary standard says FTC Commissioner Jon Leibowitz. Advertisers predictably feel differently, stating that regulation of the industry would stifle the red-hot industry.

While these comments were only those of one commissioner, they demonstrate that privacy matters related to online advertising are very far from being out of the regulatory spotlight. Mergers such as Google and Doubleclick have further highlighted these issues. Online advertisers have had a very free realm in which to operate over the years and the end or virtually unbridled freedom may be a bit closer than it once was. While it is unlikely that there would be serious overarching regulations, the FTC is likely to take action as to more “risky” behavior like swapping data and targeting customers based on medical and financial data.

Bottom Line: While the FTC may be moving towards more regulation in the upcoming years it is unlikely that any such rulemaking would be suffocating to online advertising. Only online advertisers that deal in very private matters, such as medical and financial advertising, would likely have anything to fear.

In a first, the Justice Department has arrested a man for committing identity theft on a peer to peer (P2P) network. The accused, a Seattle man, used the P2P service to search for sensitive documents that were unwittingly shared by other users. While the victims were likely searching for movies or music to download the accused man was searching for tax returns and other sensitive information that would contain social security numbers, employment records and more.

While such a scheme seems somewhat simple, the fact that it is now “in the wild” will likely mean that there will be numerous copycat identify thieves. Of course, such security breaches could be easily avoided if users would simply pay attention to the security of their files when using peer-to-peer networks. Very simple techniques, such as password protecting sensitive directories and only sharing files with popular media extensions are simple and effective ways to prevent attempted identity thefts.

Bottom Line: While users are likely more conscious of their privacy on P2P networks because of this story, it is also quite likely that copyright owners are quietly cheering this development. Any additional risk on P2P networks, which allow users to easily share copyrighted works, is a boon for IP holders who would hope to see a reduction in use of P2P networks based on this news.

Congress recently passed an expansion of the Wiretap Act entitled “Protect America Act of 2007.” The act intends to provide government agencies greater freedom to survey certain types of communications. The government receives more freedom in creating surveillance programs and is less likely to be subject to court review for surveillance programs.

The key component of the new law is the definition of “electronic surveillance.” Individuals reasonably believed to be outside the United States no longer fall under the auspices of the term, thus providing greater freedoms for government investigations. Also particularly relevant is the ability of the government to approve “broad” surveillance policies, as opposed to having to approve proposed spying on a case-by-case basis.

Private telecommunications firms are also affected. Telecom firms are immune from lawsuits when assisting legitimate government surveillance. Such firms are similarly required to cooperate with government agencies that request assistance from telecommunications providers.

The new law expires in 6 months, as many members of Congress were concerned about implementation of some of the legislation’s provisions on a long-term basis.

Bottom Line: While much has been made about the expansion of surveillance rights, the Protect America Act of 2007 has not yet reached the point where it should be considered over-reaching. For example, wholly domestic communications are not bound by this new legislation, instead subject to court interpretation of the Fourth Amendment.

In addition, the legislation is temporary. While a permanent extension of the act might require more detailed review, many members of Congress have serious questions about the long-term viability of the legislation as currently written. There is a an excellent chance that longer term legislation will be more watered-down than the version passed in haste before Congress departed for summer vacation. We can expect substantial editing when Congress revisits this issue.

A new survey on cyberbullying reports that about one third of teens have been victims of cyberbullying tactics such as receiving threatening messages, having private text messages or e-mails forwarded without consent or having rumors about them spread online.

The survey also found that girls are more likely than boys to be targets. In addition, teens who share their identities and thoughts online, such as on a blog, social networking site, or message boards, are more likely to be targets than are those who lead less active online lives.

Despite the reports, nearly two thirds of the teens reported that most bullying still occurs offline, in “classic” bullying locations such as schoolyards, locker rooms and lunch tables.

Bottom Line: While disappointing to see that cyberbullying is prevalent, the results of the study show that teens do have some control over their exposure to risk. Making efforts to reduce personal written communications with adversaries and conservative participation on sites such as MySpace and Facebook will provide some protections to teens. Just as in other spheres of life simple precautions can help lead to reduced exposure to personal privacy and security risks.

The European Union and United States have announced a new effort to share passenger name records (PNRs) for purposes of providing more information about terrorist threats. The European Union will ensure that air carriers operating passenger flights in foreign air transportation to or from the United States of America will make available PNR data contained in their reservation systems as required by DHS.

The EU agreed to the data sharing based on assurances from the Department of Homeland Security that the PNR data would be acceptably protected. The sole use of passenger data, according to the DHS, is as follows:

DHS uses EU PNR strictly for the purpose of preventing and combating: (1) terrorism and related crimes; (2) other serious crimes, including organized crime, that are transnational in nature; and (3) flight from warrants or custody for crimes described above. PNR may be used where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law. DHS will advise the EU regarding the passage of any U.S. legislation which materially affects the statements made in this letter.

Bottom Line: Assuming that the data will be protected according to DHS assurances this agreement appears to be a win-win situation. Both political organizations will see greater opportunity to investigate potential terrorist attacks and the marriage of data between the EU and US will assist inevitable future efforts to swap data and protect personal information.

BEUC, Europe's major consumer group, is following the lead of the U.S. based Electronic Privacy Information Center in questioning the privacy effects of a proposed merger/acquisition between Google and DoubleClick.

Bottom Line: More pressure on privacy matters will do little to help the acquisition which is already playing defense on privacy matters within the United States. While unlikely to stop the deal, the firms will almost certainly have to adjust their privacy practices to alleviate the concerns of the growing number of complainants.

Apple recently announced that it would be reducing the restrictive digital rights management (DRM) encoded in songs purchased via the iTunes service. However, Apple has not changed its practice of encoding each purchased track with personal data about the purchaser. The result is that each file purchased can identify the original purchaser of the track or album. This practice was less of an issue with the DRM encoded tracks because the files could not be easily shared. DRM is not a license for piracy, of course, but fewer restrictions lead to a greater likelihood that files will become more fluid.

Some suggest that the embedded data assists Apple in tracking users who illegally share their files. Others maintain that the data is intended to be a record of sale for the consumer. The evidence suggests that the reality is closer to the former than the latter.

From Apple’s point of view, there is virtually no reason to install personal data on user purchasers. Apple certainly maintains its own internal records of sales and the consumer is not entitled to any additional benefit by having their information encoded than not. More curiously, Apple and the Recording Industry Association of America both declined comment on the issue when asked to provide some background on the arrangement.

Bottom Line: Given no actual need to encode files with data, one cannot help but suspect that the practice is to track files outside of the instant transactions between the consumer and iTunes. Whether Apple and the RIAA have immediate plans to prosecute wrongdoers or simply want to “keep their options open” remains to be seen.

Further proof that Google can expect more serious oversight on its acquisitions and marketing practices, the European Union has launched an investigation into whether the Google search engine violates European privacy rules.

The primary concern is Google's practice of keeping information on user searches for up to two years after the performed search. The EU believes that this is too long a time period to retain records because it would likely create a very full picture of an individual's preferences in most every facet of life. The two-year retention policy is an improvement, however, considering that Google used to keep the data indefinitiely.

Google has defended itself by noting that it anonymizes the records after 18 months. Google also argues that longer-term retention helps to protect against hacking attempts and maintains the integrity of its "Adwords" and related advertisiing services.

Bottom Line: Google can expect to be under the regulation microscope in the foreseeable future. Its explosive growth and ongoing consolidation plans keep it in the lawmakers' limelight. While U.S. regulators are one thing, Google should be especially wary that the stricter EU has become interested in Google's activities. While the seach engine's business success is unquestionable, it may be time to remove its foot from the accelerator for a short while.

The Communications Decency Act (CDA) has long been unjustly applied by courts all over the nation. Now, the Ninth Circuit may have finally construed the hot-button statute (almost) correctly in its opinion in Fair Housing Council v. Roomates.com.

As the court notes:

The touchstone of section 230(c) is that providers of interactive computer services are immune from liability for content created by third parties.

The idea is to hold ISPs free of liability for defamatory and similarly troublesome content created and posted by third party users. For example, if User A of a message board on sitexyz.com posted a defamatory note about User B, User B could not sue sitexyz.com for providing the message board to User A, because the site had no part in creating the content that was defamatory. This makes perfect sense, because an ISP could not reasonably review every single message on a message board in real time to try to protect against defamatory content.

The problem, however, is that courts have virtually universally construed the statute to be overly protective of ISPs, finding that if the content is created in whole or in part by a third party user, the ISP is totally immune.

One can see the fallacy of such a standard if applied in certain other scenarios: ISP knowingly contracted with a customer the ISP knew would use its services to send millions of pieces of unlawful spam? ISP is protected. ISP has a customer that routinely sends death threats to others as a joke, and the ISP has been notified of the practice numerous times? ISP is protected. ISP has a customer that hosts material advocating the overthrow of the United States government and actively provides specific and detailed information about vulnerable targets, and provides detailed bomb-construction tools and materials? Protected.

To this point, nothing has been enough to pierce an ISP’s immunity, so long as a third party is involved in providing the content. This construction, quite the contrary to long-established negligence-based defamation law applicable to newspapers and other media, has mystified many legal scholars and online defamation victims for years.

The argument against a negligence standard, or course, is that the statutory standard provided in the CDA does not contemplate negligence as a standard.

The facts in the Roommates.com matter are similar to our fictitious message board scenario. A user posted discriminatory comments in a “free form” box that was provided by the website, and entered other information via “drop down” boxes. The primary claim in the matter was that the site encouraged discriminatory content by telling its users to describe their interests and dislikes in a roommate. The exact text provided next to the “free form” box by the site was: “we strongly recommend taking a moment to personalize your profile by writing a paragraph or two describing yourself and what you are looking for in a roommate.”

Based on the facts, the Court correctly finds that the prompts provided by roommates.com, which were far from actively encouraging discriminatory content, were not sufficient to hold the site liable. In doing so, the Court finally provides language that properly applies the statute.

While Carafano is written in broad terms, it must be read in light of its facts. Carafano provided CDA immunity for information posted by a third party that was not, in any sense, created or developed by the website operator—indeed, that was provided despite the website’s rules and policies. While Carafano is written in broad terms, it must be read in light of its facts. Carafano provided CDA immunity for information posted by a third party that was not, in any sense, created or developed by the website operator—indeed, that was provided despite the website’s rules and policies. We are not convinced that Carafano would control in a situation where defamatory, private or otherwise tortious or unlawful information was provided by users in direct response to questions and prompts from the operator of the website.

This is a correct construction. Carafano was a matter in which a malicious user of a dating website forged a personal profile of Carafano, an actress of Star Trek fame, without any prompt whatsoever from the dating site. The key point, of course, was the Court's accurate recognition that when an ISP actively encourages or allows the damaging third party content, the ISP can face liability.

The Court also finds that:

by categorizing, channeling and limiting the distribution of users’ profiles, Roommate provides an additional layer of information that it is ‘responsible’ at least ‘in part’ for creating or developing.

This is correct, in theory, but the Court fails to provide the circumstances under which liability should and should not occur. If a site stores the defamatory content in a database with no reasonable knowledge of its harm and uses standard categorizing and channeling methods, electronic or not, it makes no sense to hold the site liable. If a site were liable for these methods without knowledge one could see search engines, message board operators, bloggers and others incurring liability for simple, standard practices, such as archiving, providing search results and more.

On the other hand, if a site knows of the content, or should have known about the content using standard reasonble precautions and “republishes” the content as explained by the Court, then liability is appropriate just as it would be when it encourages the content. This is in line with standard defamation law while still recognizing the substantial fluidity of information on the Internet.

Bottom Line: Section 230 of the CDA continues to be one of the most misguided statutes in electronic law. The 9th Circuit makes some promising strides towards a correct interpretation by recognizing that complete immunity is unworkable. The court's opinion oversteps its bounds, however, which will distract from the language that finally sets out the appropriate Section 230 standard for ISP immunity.

A recent article explains the increased levels of anonymous sexual threats that women bloggers are receiving online. Like any other entity with power, prestige or wealth, women in the blogosphere are becoming targets of stalkers and other predators. Threats received by women are sexual in nature up to 25 times those received by men, according to the University of Maryland.

This issue brings salience to the ever-increasing problems of cyber-civility. Whether abusers are sexual predators in the comments section of a blog, webmasters posting slanderous information about a competing colleague on the web or cyberbullys on a high school’s chat room, the interests of safety, security and truth on the Internet are in danger of becoming perilously scarce.

In the early days of the Internet, Congress was concerned about interfering with the growth and evolution of the medium. This led to legislation such as the Communications Decency Act of 1996, which protects online publishers from liability for content provided and created by others:

(c) Protection for “Good Samaritan” blocking and screening of offensive material. (1) Treatment of publisher or speaker: No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 USC §230(c)(1)

The rationale for the legislation was ensuring free speech and protecting content providers from having to police all areas of their content at all times. While well-conceived, the practical application of that statute instead led to cases where the online publisher is notified of very obvious defamatory materials, does nothing about it, and still avoids liability.

Another survey cited in the article, conducted by the Pew Internet & American Life Project, found that the proportion of Internet users who took part in chats and discussion groups plunged from 28 percent in 2000 to 17 percent in 2005. While many of the battles over online defamation are fought in the press and federal courtrooms, many more are fought outside of the public eye. The results of those invisible battles are seen, at least in part, in the decline in participation in online chats and discussion groups.

Law enforcement has similar problems. It is difficult to spend serious time and energy on threats that are generalized or simply repulsive. Without clear and present dangers, it is difficult to use limited law enforcement resources to protect those who feel threatened.

Bottom Line: While online predators will never be eliminated, there are opportunities to reduce the problem. Revision of the Communications Decency Act to hold publishers to a “notice” standard would be one such step. Law enforcement’s attention to the shifting nature of defamation would also help to reduce web stalkers. Finally, reevaluation of policies and and reallocation of enforcers would be a welcome result in an effort to address the still-growing problem of online predators.

While Microsoft has raised its concerns about antitrust considerations in the Google acquisition, a prominent privacy group, the Electronic Privacy Information Center (EPIC) has raised concerns about the privacy implications.

While the antitrust issues are less concerning, the privacy issues are of greater worry. The privacy concerns are present whether the acquisition is approved or not, but the proposed acquisition offers a convenient stage on which the issues can be addressed.

There are two matters of concern: (1) data that is collected without user input, and (2) data that is collected with user input. EPIC’s concerns arise from the first category, data collected and stored about a user based on their personal use and preferences, in which the user has no “personal interest” in having the data collected.

For example, if one were to go to Google and search for “information technology law,” Google would run the search, display the results, and also maintain certain data that would allow Google to display relevant ads in the future. DoubleClick has similar practices. Both firms use cookies, IP addresses, and similar practices to continue to maintain data on web browsers. EPIC and others believe that having the combined might of both firms’ information would overstep a reasonable privacy line. While that concern is something of a value judgment, it is one that deserves attention by regulators in considering the market effects of the acquisition.

The second kind of privacy concern, data provided by the user, is also of concern. Google has made very purposeful strides in an attempt to become much more than a search engine, with very successful results. Popular services include GMail and Google Calendar. New attempts to provide spreadsheet and word processing services online are also part of Google’s plan to attract as man people as possible to at least one of its services.

While useful and “free,” these types of services allow Google to maintain very personal data on hundreds of millions of people. While one could argue that this is true of Yahoo or Hotmail, Google’s success in providing virtually every service required by a typical web user increases a user’s likelihood of using the services as a bundle, and decreases the likelihood that a use will provide personal information in a diffuse manner: a little here and a little there, spread out between different services.

At it’s root, there is no problem with this. The concern is the degree of damage if there were a data breach by Google itself or hackers. If Google can maintain high levels of security and privacy protection, the problem is likely minimal. The more powerful Google becomes, however, the greater the threat.

Bottom Line: There are substantial privacy concerns in the proposed acquisition of DoubleClick by Google. Even if the merger fails to come to fruition, the data privacy practices of Google and DoubleClick are still worth examining more closely than previously thought.