Email and Text Messaging Protected from Law Enforcement and Employers

A June 18, 2008  Ninth Circuit Court holding in Quon v. Arch Wireless establishes that law enforcement needs a probable cause warrant to access stored copies of electronic messages less than 180 days old (regardless of whether they've been downloaded or read) and would also prevent employers from obtaining the contents of employee emails or text messages from the service provider without employee consent.  The case was decided under the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA) of 1986.  The SCA prevents “providers” of communication services from divulging private communications to certain entities or individuals.

Historically, prosecutors have argued that, once a recipient accesses his messages --whether they be email or texts--, the message is no longer in “electronic storage” as the SCA defines it, an argument the Ninth Circuit rejected.  Thus, if an archived message was created as a backup copy of an electronic communication sent through an Electronic Communications Service, that copy continues to receive ECS protection, even if it was downloaded, read and "has expired in the normal course" such that the copy is no longer performing any archival/backup purpose.  For the same reason, even if an employer pays for the use of third party text or email service, the employer cannot obtain copies of messages from the provider without the recipient's permission.

Additionally, the Ninth Circuit addressed whether text messages are protected by the Fourth Amendment, insofar as prosecutors often argue that, because email and text messages are stored by third parties that have the ability to read them, senders and recipients have no expectation of privacy in those messages and thus are entitled to no constitutional protection from unreasonable searches and seizures.  The Ninth Circuit rejected this view, joining the Sixth Circuit in Warshak v. US, holding that text messages are akin to letters or packages, and are protected even though the shipper could open them.

Further, the panel considered the effect of acceptable use policies, monitoring policies or other terms of service that state that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement could, therefore, do so as well. The Ninth Circuit panel applied its ruling in United States v. Heckenkamp, which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that authorized the university to access his computer in limited circumstances while connected to the university’s network. The Court rejected the argument that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches.  (Note: Compare this outcome to the "abandonment theory" applied by a Pennsylvania court, which held that consent given to a third-party PC repair service to install a DVD player (including testing associated therewith) constituted a waiver of expectation of privacy for every purpose - Click here).

Another victory for First Amendment Website expression

Hat-tip to the Rocky Mountain Appellate weblog.

In a decision issued in Utah Lighthouse Ministry (UTLM) v. Foundation for Apologetic Info. & Research (FAIR), the Tenth Circuit examined the issue of whether hyperlinking can render a non-commercial opinion, critical or parody Website liable for infringement under the Lanham Act.  The resulting holdings afforded Website parodies (such as, e.g., People Eating Tasty Animals (PETA))¹ some protection.

Following the Ninth Circuit's reasoning in Bosley Medical Institute v. Kremer, the Tenth Circuit concluded that, because the parody Website in question contained critical commentary as well as links to articles critical of plaintiffs and, because the links to plaintiffs' Web site were to its homepage and not directly to its bookstore, the "roundabout path" to the advertising or commercial use of others was simply "too attentuated" to invoke the trademark protections of the Lanham Act.

_______________________________
¹  This example appeared in n.5 of the Tenth Circuit's opinion.

Reasonable Suspicion not Required for Laptop Search at Int'l Airport

Generally, border search agents are given wide lattitude to conduct searches relative the reasonableness of suspicion¹ and, which provides an exception to the warrant requirement.² 

Some time ago, I posted a story concerning a border exception to the warrant requirement, where a border agent inspected a laptop and discovered contraband (click here).  From the Ninth Circuit, U.S. v. Arnold, we have a similar underlying fact situation, except that the question before the court concerns the reasonableness of the intrusion:  In its April 21st opinion, the Court held that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.  The Court found unavailing defandant's numerous arguments --some bearing stretch marks-- such as that “laptop computers are fundamentally different from traditional closed containers,” and analogizes them to “homes” ² and the “human mind.”³  Consequently, the Court reversed the trial court's suppression order, thereby permitting prosecution to proceed.

________________

¹ See, generally, United States v. Montoya de Hernandez, 473 U.S. 531 (1985).

² Under the border search exception, the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant.  For Fourth Amendment purposes, an international airport terminal is the "functional equivalent" of a border.

³  Defendant’s analogy of a laptop to a home was based on a conclusion that a laptop’s capacity allows for the storage of personal documents in an amount equivalent to that stored in one’s home.

⁴  Defendant urged that a laptop is like the “human mind” because of its ability to record ideas, e-mail, internet chats and web-surfing habits.

Facebook and Privacy: Blockbuster Sued Over Alleged Privacy Breach

An interesting privacy lawsuit has been filed, in what seems to be perfect timing for our section -- between Kate Andresen's CLE at our April meeting, "Is Privacy a Realistic Goal in the Digital Age of the Internet and Social Networking Sites?" and Michael Fleming's CLE for our upcoming Annual Meeting, "Privacy Regulation by Proxy: How Customers Can Ensnare Their Vendors in Data Security Laws."

A Dallas woman has sued Blockbuster over its participation in Facebook's Beacon marketing program.  According to the complaint, the woman rented videos from Blockbuster, who passed along her rental info to Facebook, who then distributed the rental info on the Internet through its Beacon system. The plaintiff alleges that this was a violation of the Video Privacy Protection Act, 18 U.S.C. § 2710 (summary).

This is a fascinating glimpse into the types of privacy issues that may arise when companies jump into the "next big thing" -- here, social networking -- without fully considering potential adverse effects. This case will be closely watched by other players in this area (e.g., MySpace), as well as their partner companies.

Minneapolis Photographer Uses Metadata to Successfully sue for Copyright Infringement

Minneapolis photographer Chris Gregerson recently prevailed in a copyright infringement suit against a real estate photographer who used his photos on a Website and in advertising.  More interesting than the $19,462 award: (1) the plaintiff won at trial even though he was pro se and (2) the photos at issue used digital watermarking, where a copyright notice was placed inside the EXIF metadata. Judge Montgomery found that the defendant willfully removed both the visibible watermark, as well as the EXIF metadata, resulting in an award of statutory damages.  The findings include some other good flavor: the defendant allegedly forged a falsified contract with an allegedly fictitious seller, and the notary for the contract resigned his notary license. 

Prior to digital watermarking, photos just had to look the same.  Add Metadata to the mix, and a plaintiff can have near-conclusive proof of infringement.

Decision, coverage, and Gregerson's site documenting the ordeal.

Law Firm's Faulty IT Policy Not Excusable Neglect to Avoid Sanctions

In this U.S. Magistrate's July, 2007 Order (which I just discovered today), the court found that attorneys' non-receipt of emails from the U.S. Court, District of Colorado, caused by a firewall setting, was not excusable neglect to avoid the sanction of attorney fees for the firm's attorneys' failure to appear at a settlement conference.

The court heard evidence from the firm's IT administrator that the firewall setting was modified —without notice to these particular attorneys— in response to complaints from some of the firm's employees concerning sexually explicit junkmail.  Moreover, although the administrator added the Colorado state courts to the whitelists, he failed to add the cod.usCourts.gov (U.S. Court, District of Colorado) domain.

Although the magistrate found that the neglect was not willful or wanton, he nevertheless found that the attorneys were, "the responsible persons to adopt internal office procedures that ensure the court’s notices and orders are brought to their attention once they have been received."  Thus, under Fed.R.Civ.P. 16(f), they were jointly and severally sanctioned for attorney fees and costs relating to the settlement conference and the additional hearings incident thereto.

This decision, `though not a precedent, is another salient reminder that attorneys are increasingly being required to keep up with technology that often is out-of-scope for their training and expertise or, alternatively, to retain competent staff.

Ethical Considerations for Law Firm ESI

Last year, I posted a lengthy article (here) concerning potential ethical obligations that attorneys and computer forensics professional might owe each other and where the separation of duties may be blurred.

Along similar lines, a ethics opinion released recently by the Maine Board of Bar Overseers addressed the ethical implications of using a third-party to process and store a law firm's electronically stored information (ESI). (Hat tip to The Legal Profession Blog for this one). The opinion provides, in pertinent part:

With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, this opinion will outline guidance for the lawyer to consider in determining when professional obligations are satisfied.

At a minimum, the lawyer should take steps to ensure that the company providing transcription or confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved. See ABA Ethics Opinion 95-398 (lawyer who allows computer maintenance company access to lawyer's files must ensure that company establishes reasonable procedures to protect confidentiality of information in files, and would be "well-advised" to secure company's written assurance of confidentiality); N.J. Sup. Comm. Prof. Ethics Opinion 701 ("Lawyers may maintain client files electronically with a third party as long as the third party has an enforceable obligation to preserve the security of those files and uses technology to guard against reasonably foreseeable hacking.")

In the U.S., there is presently neither a universal code of professional conduct or responsibility nor a national licensing body for computer forensics examiners or legal technologists. Certainly, there is none that I know of for data warehousing. In addition to the suggestions I made in the earlier post (which included working under a well-drafted contract), one consideration in selecting an expert is whether he or she belongs to a professional organization (e.g., IACIS, HTCIA, etc.) that imposes a code of ethics on its members and offers hortarory guidelines for separation of duties, among other things.

Communications Decency Act held to immunize gripe site operator from liability for hosting allegedly defamatory content authored by third party

In this October 2007 ruling from the U.S. Court for the District of Arizona, the court ruled that, although, "At common law, publishers are generally liable for the defamatory statements authored by third-parties," the Communications Decency Act (CDA) shields gripe site operators from liability of this nature. In so doing, the court evaluated the function of "author," as opposed to, "publisher," noting that it is, “well established that notice of the unlawful nature of the [content] provided is not enough to make it the [website operator’s] own speech” (quoting Universal Commc’n Sys., Inc. v. Lycos, 478 F.3d 413, 420 (1st Cir. 2007)) and that "Defendant’s failure to remove the three statements was an 'exercise of a publisher’s traditional editorial functions' and does not defeat CDA immunity." Zeran v. America Online, Inc., 129 F.3d 327, 330 (4th Cir. 1997).  Finally, the court noted, "minor and passive participation in the development of content will not defeat CDA immunity, which can even withstand more active participation."

$8.5M sanction for e-discovery violations

For the current 'good faith' discovery system to function in the electronic age, attorneys and clients must work together to ensure that both understand how and where electronic documents, records and emails are maintained and to determine how best to locate, review, and produce responsive documents.

So said the Court in Qualcomm v. Broadcom, (S. D. Calif.) in its Jan. 7, 2007 Order imposing sanctions and referring six attorneys to the State Bar of California Office of Chief Disciplinary Counsel because plaintiff failed to produce emails that were clearly requested in discovery and witnesses testified falsely on an issue that "became crucial to the...litigation."

One witness identified twenty-one emails that were believed to be both substantially probative and relevant, yet counsel did not produce the emails or conduct a further search. After the trial, Qualcomm's general counsel "admitted Qualcomm had thousands of relevant unproduced documents and that their review of these documents 'revealed facts that appear to be inconsistent with certain arguments that [counsel] made on Qualcomm's behalf at trial and in the equitable hearing following trial' " There were over 46,000 such documents. The Court further noted:

It is inconceivable that these talented, well-educated, and experienced lawyers failed to discover through their interactions with Qualcomm any facts or issues that caused (or should have caused) them to question the sufficiency of Qualcomm's document search and production...the Court finds that these attorneys did not conduct a reasonable inquiry into the adequacy of Qualcomm's document search and production and, accordingly, they are responsible, along with Qualcomm, for the monumental discovery violation.

The Court ordered Qualcomm to pay $8.5M to Broadcom but, because "the attorneys’ fees sanction is so large," the Court declined to fine Qualcomm, noting that, "If the imposition of an $8.5 million dollar sanction does not change Qualcomm’s conduct, the Court doubts that an additional fine would do so."

The court referred six attorneys to the attorney regulation counsel, finding:

the Sanctioned Attorneys assisted Qualcomm in committing this incredible discovery violation by intentionally hiding or recklessly ignoring relevant documents, ignoring or rejecting numerous warning signs...the Sanctioned Attorneys then used this lack of evidence to repeatedly and forcefully make false statements and arguments to the court and jury.

Third party PC technician's discovery of contraband held admissible

In this case, Commonwealth v. Sodomsky, an individual delivered his PC to CircuitCity to have a DVD drive installed.  Although he did not ask for any software to be installed, he was informed that installation of the DVD drive would necessarily include testing the DVD drive. While testing the DVD-drive, the technician subsequently discovered contraband and reported it to the police. The police seized the evidence under the plain view doctrine.

Significantly, the Pennsylvania Superior Court held that defendant's acquiescence to the installation of a DVD drive was a de facto acquiescence to the installation of software (whether he knew it or not). The court reasoned that he, therefore, "volitionally relinquished any expectation of privacy in that item by delivering it to CircuitCity employees knowing that those employees were going to install and test a DVD drive."

In arriving at this conclusion, the court employed the legal theory of "abandonment," whereby an individual evidences an intent to relinquish control over personal property ("whether a person prejudiced by the search had voluntarily discarded, left behind, or otherwise relinquished his interest in the property in question so that he could no longer retain a reasonable expectation of privacy with regard to it at the time of the search") (quoting Commonwealth v. Shoatz, 366 A.2d 1216, 1220 (1976)).

Yet, although the court explained that the legal construct "revolves around the issue of intent," it rejected defendant's assertion that he did not intend for CircuitCity employees to access his personal video cache any more than he expected them to access his personal financial information or other files.  The court specifically noted that defendant "failed to either inquire as to how the DVD drive would be tested or otherwise restrict the employees' access to his computer files."  The court also noted that CircuitCity was employing a commercially acceptable manner for testing the DVD drive, rather than setting out to discover illicit contraband.

While I take no position on the ruling of the court, it occurs to me that this is an instance where "ignorance" commands a higher premium than "intent."  Another such case was Long v. Marubeni America Corporation, 2006 WL 2998671 (S.D.N.Y., October 19, 2006), where that court held that both the attorney client and work product privileges were waived by employees using a company computer system to transmit otherwise privileged communications to private counsel, which communications were sent from private password-protected accounts (not from the employer's email system).   Significantly, a cache of the emails were retained by the company's system as "temporary internet files." Because the company could and did obtain these emails by reviewing its own system, the court held that the waiver was created through employees' failure to maintain the confidentiality of these communications with regard to the company's electronic communications policy, which policy advised employees not to use the company system for personal purposes and warned that they had no right of privacy in any materials sent over the system. The court reached this result notwithstanding its factual finding that employees were without knowledge that a cache of their email communications had been retained.

Thus, in these cases, and including the recent In Re Boucher (defendant, who used PGP to encrypt alleged contraband not required to divulge passphrase), we see where a presumption of a reasonable expectation of privacy can be overcome by a defendant's failure to take specific precautions to safeguard property or communications. The phrase, "knew or reasonably should have known" is employed in these cases to mean that lack technological expertise on the part of a layperson may result in waiver.