The Federal Trade Commission has been closely watching the privacy issues of the day—online targeted advertising, mobile data tracking, geolocation information, facial recognition technology, and other similar issues that impact consumers. The increasing use of web browsing and other user data has stirred some users to reconsider the unspoken "bargain" that exists on social media and other interactive websites, namely, that privacy sacrifices in the form of targeted marketing and data collection subsidize free content and services and promote a robust online ecosystem. However, beyond the larger debate over digital privacy, new practices and technologies have emerged—some of which cross ethical norms—that do not neatly fit within the boundaries of existing privacy laws.
This article will discuss several contemporary privacy issues, including: whether accidental access to another's email account constitutes unauthorized computer access; whether the use of a fictitious online identity can lead to civil liability; and whether the account holder of an unsecured home Wi-Fi network can be found liable for infringing activities by third parties using the network.
There are a host of federal and state computer privacy laws that protect networks and devices from hacking and unauthorized access or otherwise prohibit unlawful destruction of data by unauthorized parties. For example, the Federal Stored Communications Act (SCA) prohibits, under certain circumstances, unauthorized access to a person's email communications. See, e.g., Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013) (former supervisor who without authorization read ex-employee's personal Gmail account messages following the employee's return of her company Blackberry device may be liable for those emails that plaintiff had yet to open before the defendant did so because these emails could be defined as "stored" under the SCA).
However, computer privacy laws become more difficult to apply in cases of "accidental" access.
For example, in Marcus v. Rogers, 2012 WL 2428046 (N.J. App. Div. June 28, 2012) (unpublished), a teacher in the computer room inadvertently bumped the mouse of an adjoining computer and the screen opened to a superior's personal email inbox, with subjects discussing the teacher's current dissatisfaction with his salary. The teacher printed out the email threads and used them during the debate at the next teacher's association meeting. The email account holder and others in the email thread brought claims under several New Jersey state computer fraud statutes, including the Computer-Related Offense Act (CROA) and the Wiretapping and Electronic Surveillance Control Act (WESCA). Regarding the CROA claim, relating to the unauthorized taking of computer data, the court found that the plaintiffs failed to prove they were "damaged in business or property," as required by the statute. Concerning the WESCA claim, which requires, in part, "knowingly accessing without authorization a facility through which an electronic communication service is provided," the issue was whether the defendant knowingly acted without authorization or exceeded authorization. The court refused to overturn the jury's finding of "tacit authorization" to access the email account, based upon the fact that the inbox was displayed on the screen automatically and the various messages were accessible without the need for a username and password.
In Marcus, the court stressed that it was possible for the jury to determine that access wasn't necessarily unauthorized because the email account was immediately accessible on the computer screen. The case brings up a related issue of whether the same logic would apply to someone snooping into another's smartphone that was left "unlocked," or whether leaving out a tablet computer unprotected by any passcode gives a third party implicit permission to access the data that appears on the screen after being activated. In the above hypotheticals, it is also uncertain whether such apparent authorization might end when a third party takes an extra step to view data, such as tapping an icon to load an app, thereby discovering personal information.
"Catfishing" is a term used to describe "[t]he phenomenon of internet predators that fabricate online identities and entire social circles to trick people into emotional/romantic relationships (over a long period of time)." See http://www.urbandictionary.com/define.php?term=Catfishing (last visited July 1, 2013). The term came into the public consciousness during a noteworthy incident involving a college football player named Manti Te'o, who had reportedly played in a game after learning that his grandmother and girlfriend died on the same day. Upon further investigation, two reporters learned that, despite some contrary statements, the player had only interacted with his long-term girlfriend online, and in fact, her entire existence was a hoax. The controversy surrounding the catfishing scheme embarrassed Te'o and purportedly affected his selection position in this year's NFL draft.
The question of whether a catfishing prank can result in liability or other adverse consequences depends upon the circumstances, as such hoaxes range from harmless prank and hyperbole to financial scams and harassment. In many cases, despite the equities of the situation, plaintiffs may have difficulty in finding a viable cause of action. For example, in Bonhomme v. St. James, 970 N.E.2d 1 (Ill. 2012), the Illinois Supreme Court considered only one issue: Does an individual commit fraudulent misrepresentation by assuming a fictitious online identity and fomenting a virtual romance with a gullible individual that ends with genuine heartbreak and quantifiable monetary loss? The plaintiff brought fraudulent misrepresentation, intentional infliction of emotional distress, and related claims stemming from a fraudulent two-year online relationship that defendant allegedly maintained by creating a fictitious love interest named "Jesse." Jesse and plaintiff exchanged photos, handwritten letters, and the plaintiff sent $10,000 in gifts, and during telephone calls, the defendant used a voice-altering device to disguise her female voice. When plans on moving in together ended with Jesse's supposed demise, the parties met and the charade unraveled.
On appeal, the only surviving issue was whether plaintiff's fraudulent misrepresentation claim was viable, since the plaintiff was procedurally barred from raising an intentional infliction of emotional distress claim. The court granted the defendant's motion to dismiss, finding that the claim traditionally applied to business transactions and has never been recognized in a "purely personal" setting:
[W]hat lies beneath this case is two private persons engaged in a long-distance personal relationship…built wholly on one party's relentless deceit…. Indeed, all of the hallmarks of ordinary human relationship [were] present…[yet], [p]laintiff and defendant were not engaged in any kind of business dealings or bargaining, and the veracity of representations made in the context of purely private personal relationships is simply not something the state regulates or in which the state possesses any kind of valid public policy interest.
In another case, a catfishing prank resulted in the suspension of two students from a university. In Zimmerman v. Board of Trustees of Ball State Univ., 2013 WL 1619532 (S.D. Ind. April 15, 2013), two students perpetrated a catfishing prank on an ex-roommate that involved creating a Facebook page for a fictitious teenage girl named "Ashley," hiring a local teenager to impersonate "Ashley" in pictures sent to the victim, and initiating online conversations with the victim. After setting up a movie date, the students videotaped the victim entering the theater, informed him of the hoax, and then posted the video to a social media site with the title "[the Victim] is a pedophile." After receiving the students' signed admissions of fault, the university determined that the students violated the school Code of Conduct prohibiting harassment and invasion of privacy and suspended the students for one year. The students brought suit seeking to overturn the suspension or enjoin the school from enforcing its Code of Conduct on several grounds, including due process and claims that their conduct was not objectionable under the Code. The court dismissed the suit, concluding that the university had the authority to regulate the students' conduct, that their conduct violated the Code's provisions, and that their actions were plainly objectionable.
Open Wi-Fi Connections
High-speed wireless connections have been widely adopted by more and more users who want Internet connectivity across many devices in their home. However, a home Wi-Fi network presents certain security risks if the account holder fails to secure the wireless network, including leaving computers vulnerable to monitoring or malicious attacks by anyone within range of the wireless access point. An unsecured Wi-Fi access point also allows others to potentially use the open connection for infringing activity—though an individual piggybacking on another's Wi-Fi signal has little expectation of privacy concerning the signals emanating from his or her device. See generally United States v. Stanley, 2012 WL 5512987 (W.D. Pa. Nov. 14, 2012) (Wi-Fi piggybacker did not have a legitimate expectation of privacy in the wireless signal he caused to emanate from his computer to his neighbor's wireless router and the wireless signal he received back from the neighbor's wireless router in order to connect to the Internet; the police's use of "Moocherhunter" software to detect the defendant's use of his neighbor's Wi-Fi router and thereby locate the defendant did not constitute a search in violation of the Fourth Amendment).
Several recent cases have considered the issue of whether an individual who allows others to access his Wi-Fi network can be liable for the copyright infringement of others using the network. In Liberty Media Holdings v. Tabora, 2012 WL 2711381 (S.D.N.Y. July 9, 2012), an adult film producer brought negligence and copyright claims against a Wi-Fi account holder for knowingly allowing his roommate to regularly download copyrighted content and failing to put a stop to it. The court found that the negligence claim was preempted by the Copyright Act because the rights that the plaintiff sought to vindicate by its negligence claim—the imposition of liability on one who knowingly contributes to a direct infringement by another—were already protected by the Copyright Act under the doctrine of contributory infringement. See also AF Holdings v. Rogers, 2013 WL 358292 (S.D. Cal. Jan. 29, 2013) (to the extent that a negligence claim alleges that the account holder failed to properly secure his Wi-Fi connection or failed to properly monitor the use of the secured Internet connection by others, such a claim failed because there was no underlying duty to ensure that the Internet connection was not used to infringe the plaintiff's copyright).
In another case involving a Wi-Fi account holder facing negligence claims over allowing a third party to download infringing material over his Wi-Fi network, the court dismissed the claim based upon immunity under §230 of the Communications Decency Act (CDA). See AF Holdings v. Doe, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012). CDA §230 provides: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." 47 U.S.C. §230(c)(1). Among the many grounds for dismissal, the court found that the Wi-Fi account holder was entitled to CDA immunity because the negligence cause of action treated him as the publisher of damaging content based on his alleged role as the provider of a conduit or Internet connection for the objectionable material and that the infringing material was distributed or provided by an unknown third party downloader who was using the defendant's Wi-Fi network.
Richard Raysman is a partner at Holland & Knight and Peter Brown is the principal at Peter Brown & Associates. They are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press).