CYBERLAW UPDATE

Chapter 10. Privacy Rights and Security Issues

 P. 275. Add to end of page after "Case Questions"

In United States v. Angevine, No. 01-6097, 2002 U.S. App. LEXIS 2746 (10th Cir. 2002), the court of appeals affirmed the district court's conviction after a conditional plea of guilty by the defendant (defendant reserved his right to appeal the district court's denial of motion to suppress evidence of pornography seized from defendant's school's computer). The defendant was a professor of architecture at the Oklahoma State University. At his place of employment, the university had furnished the defendant and other professors with computers linked to the Internet. Defendant downloaded about 3,000 pornographic images of young boys, viewed and printed some of them. Oklahoma, operating with the cooperation of defendant's wife, procured a search warrant to look for pornographic files at the defendant's university office. The university has a posted policy that warns employees against misuse of the computer, including the accessing of obscene materials, and that the university monitors the network to determine whether there has been a violation of university policy.

      The court found no violation of the Fourth Amendment's guarantee against unreasonable searches and seizure, holding that the professor had no reasonable expectation of privacy. The university's policy was reasonable, which posted policy clearly warned of possible criminal penalties for computer misuse. The added fact that the defendant attempted to delete the files did not suffice to render a reasonable expectation of privacy.  

            In U.S. v. Bunnell, Crim. No. 02-13-B-S, 2002 U.S. Dist. LEXIS 9090 (D.Me, May 10, 2002), Bunnell was charged with three counts of knowingly possessing child pornography images. The defendant, Bunnell, a student, had requested and was granted use of the University of Maine computers. The university discovered that Bunnell had used the computers to access images and listings associated with child pornography. The university then contacted the local police department and advised it of the downloading of the images. Search warrants were granted to the police to search the defendant's home computer, which also revealed the downloading of child pornography. The defendant asked the court to suppress the evidence for alleged violation of the U.S. Constitution's Fourth Amendment prohibition against unreasonable searches and seizures. The court denied the request stating that the student "had no generic expectation of privacy for shared usage on the university's computers..." The grant by the university of student-user passwords does not create an expectation of privacy but were intended to safeguard the university's system from unauthorized users. The issuance of the search warrant was not improper inasmuch as there was a sufficient showing that the defendant may have committed the crime for which he was later indicted. 

P.   283. Add after "Case Questions"

New York State's Civil Rights Law Section 50 makes it a misdemeanor criminal offense for a person to misappropriate a person's name of likeness for commercial purposes without his or her consent. It provides:

A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person...is guilty of a misdemeanor.

The said statute, Section 51, authorizes an aggrieved person to institute a lawsuit for injunctive relief and damages against the offending party. To what extent that such prohibition runs afoul of the First Amendment of the Constitution? What about casual or incidental use of such likeness in a news story or advertisement where the likeness is only incidentally utilized?

In Stern v. Delphi Internet Services, 165 Misc.2d 21 (Sup. Ct. N.Y. Cty, April 20, 1995), Howard Stern, the famed or infamous radio and television personality, sued the defendant Internet service provider for wrongful use of a semi-obscene photograph of him in defendant's advertisement for its online bulletin board service. The advertisement was set up to debate Stern's brief excursion into politics, namely his candidacy for governor. The defendant used the photograph in full-page advertisements in New York Magazine and in the New York Post asking readers to communicate their views as to the plaintiff's merit and qualifications. The issues discussed by the court were whether the defendant's service was analogous to a news disseminator and whether the defendant was entitled to First Amendment protections with respect to its advertisements.

            The court decided in favor of the defendant in its dismissal of the plaintiff's lawsuit. It cited the Cubby case (see text, pp. 106 and 205) that noted that a computerized database was similar to that of a traditional newsvendor and, thus, is entitled to comparable protections. Accordingly, New York's "incidental advertising exception" is applicable, namely, that "privileged or incidental advertising use by a news disseminator of a person's name or identity does not violate" the said statute. The court indicated:

The New York courts are consistently cautioned that the protections of Civil Rights Law @ 50 and 51 shall be construed narrowly "so as not to apply to publications concerning newsworthy events or matters of public interest...." It is well established that "the constitutional guarantees of freedom of speech and of the press stand in the way of imposing" strict liability on distributors for the content of the reading materials they carry...

The court noted that Stern's name was used with respect to a debate on his candidacy. It reviewed cases including that of the dismissal of a lawsuit by famed author Ayn Rand, whose name appeared on the front cover of a book in an excerpt from a review of the said book without her permission. The intent of the law is to protect persons against selfish, commercial exploitation of their name and likeness rather than against the said usage for the promotion of a news event.

A case concerning the tort of misappropriation of plaintiff's right of publicity is Perfect 10, Inc. v. Talisman Communications, Inc., No. CV 99-10450 (RAP)(Mcx), 2000 U.S. Dist. LEXIS 4564 (S.D.Ca., March 29, 2000). The plaintiff is the producer, publisher, and distributor of Perfect 10 products and services including a magazine and an Internet website at >www.perfert10.com. Plaintiff hired several models for photographic purposes which models assigned their rights of publicity to the plaintiff as to their likenesses and names. Defendant operated a website at "supersex.com" and had a comparable Internet domain name. Defendant copied plaintiff's photographs of the models together with their names from the plaintiff's magazine without its consent to advertise defendant's goods and services. The court found that the defendant violated plaintiff's copyright as well as the right of publicity that had been assigned to it. The court awarded maximum statutory damages together with attorneys' fees.

In Cornwell v. Sachs, 99 F. Supp.2d 695 (E.D.Va. 2000), the plaintiff, a well-known author of crime novels, sued the defendant asserting a variety off claims including defamation, violation of the Lanham Act and Virginia's privacy statute. Sachs had alleged that the plaintiff had abrogated his ideas for use in her novel, "The Last Precinct" from a novel he had written entitled "The Virginia Ghost Murders." After seeing the advertisement of the plaintiff's novel in Publisher's Weekly, the defendant commenced a series of harassing letters to the plaintiff's agent alleging the alleged theft of his ideas. The defendant then made alleged defamatory statements against the plaintiff on his website, which also promoted his novel that was published through his own publishing company. He also placed stickers on his novel containing the allegation that the novel was the one that the plaintiff threatened to destroy.

The court issued a preliminary injunction barring the defendant from further using the said stickers, requiring vendors to remove or make illegible the stickers, amend the website to remove the offending material, and to stop using his press from disseminating false and misleading advertising. The court determined that Cornwell would suffer irreparable harm of the preliminary injunction were not issued, having determined that the statements made on the website and on the stickers were false and misleading. The court noted that any judgment for money damages obtained against the defendant would not be collectible because the defendant could not even afford an attorney to defend against the lawsuit. The court found a likelihood of confusion because of the false nature of the accusations. With respect to invasion of privacy, the Virginia statute is similar to other state statutes respecting the use of a name, portrait, or picture being used without consent for advertising purposes. The court determined that the plaintiff was likely to succeed in proving that the defendant wrongfully used her name and likeness without consent for commercial purposes.

P.   283. Add after the above section:

Corporations and Right of Privacy

            Does a corporation have the right to sue for privacy invasion? In the following case decided by the Supreme Court of Indiana, the court distinguished the privacy right of individual professors from that of the university in which they were members.

FELSHER V. UNIVERSITY OF EVANSVILLE

755 N.E.2d 589 (Sup.Ct. Ind. 2001)

FACTS: Dr. William Felsher, the defendant in the above action, appeals from a grant of summary judgment in favor of the plaintiff university and its officials. The judgment and order of the trial court permanently enjoined Felsher from creating and use e-mail addresses and websites that have the appearance of an association with the university. Felsher wrote a number of articles alleging wrongdoings by the president and other officials of the university. He created e-mail accounts and sent mail to a number of universities nominating each of the plaintiff university's officials for various academic positions. The university sought an order from the trial court enjoining Felsher prohibiting him from certain Internet activities which order was granted. The trial court decided that both the university and its officials possessed privacy rights to the exclusive use of their identities and that Felsher invaded their rights by appropriating their names for use in e-mail correspondence for his benefit.

ISSUES: Whether a corporate entity is entitled to claim an invasion of privacy?

DECISION: The court held that the right of privacy may only be claimed by individuals and not by corporations.

REASONING: Justice Shepard

[The court recited the four torts set forth in the Restatement of Torts (Second), Sections 652A-E. (See pp. 277-278 of text)]. The only injury at issue here is appropriation. The University argues that it may maintain an action for appropriation because the claim address a property interest rather than personal feelings... The University also relies on Restatement Section 652I, which says, "Except for the appropriation of one's name or likeness, an action for invasion of privacy can be maintained only by a living individual whose privacy is invaded."

While we agree that an appropriation claim involves a privacy issue "in the nature of a property right," we think the University's reliance on the exception set forth in the Restatement is misplaced. Each of the comments to Restatement Section 652I negates the inference that a corporation is entitled to an appropriation claim.

The first comment states that the privacy right is personal. The comment then states a rule: "The cause of action is not assignable, and it cannot be maintained by other persons..." Restatement (Second) of torts, Section 6521 cmt. A (1977). The appropriation exception that follows addresses this rule, not the personal character of the right.

The second comment discusses the general requirement that "the action for the invasion of privacy cannot be maintained after the death of the individual whose privacy is invaded." Id., cmt. B. This comment states an exception for appropriation actions due to its "similarity to [an] impairment of a property right..." The exception is clarified as a recognition of survival rights in an appropriation action.

Finally, the third comment declares, without exception, "A corporation, partnership, or unincorporated association has no personal right of privacy." Id., cmt. C. The comment then states that a corporation has "no cause of action for any of the four forms of invasion covered by Sections 652B to 652E." Id. The following sentence in the comment indicates that although these sections (including section 652C) do not entitle a corporation claim, a corporation has "a limited right to the exclusive use of its own name or identity in so far as they are of use or benefit, and it receives protection from the law of unfair competition." Id. This comment suggests the existence of an analogous right that corporations may be afforded by the law of unfair competition... Therefore, we think these Restatement sections do not support the position that a corporation may bring an appropriation claim resting on notions of privacy.

Our assessment of the Second Restatement is consistent with an overwhelming majority of other states that have addressed the issue of corporate actions for invasion of privacy...           

[The court stated that] an appropriate remedy for the misappropriation of a corporation name or likeness is found under the state unfair competition law and trademark statutes, as well as common law torts unrelated to notions of privacy, such as tortious interference with business relations... Indiana courts have created a cause of action for unfair competition, defined as "the attempt to create confusion concerning the source of the unfair competitor's goods."... This common law tort was historically considered "a subspecies of the class of torts known as tortious interference with business or contractual relations."... [The court refused to apply the theory to the within case because the plaintiffs had not requested relief under this theory. The court then upheld injunctive relief in favor of the university officials who did possess privacy rights that were invaded by Felsher but denied relief to the university].

P. 287. Add before "Legislative Enactments"

            In Garrity v. John Hancock Mutual Life Ins. Co., No. 00-12143-RWZ (D. Mass., May 7, 2002), the plaintiff was an employee of the defendant whose employment was terminated when the defendant discovered that the plaintiff and others had violated its e-mail policy prohibiting the forwarding of sexually explicit messages through the company's office computers. The company's policy known to all employees stated that the company had the right to access all e-mail files and that the misuse of the e-mails could result in termination of employment. The federal district court rejected the defendant's claim of privacy invasion and violation of the Massachusetts Wiretap Act. It stated that the plaintiff did not have a reasonable expectation of privacy because of the use of the company's e-mail system. The company's instruction to employees on the use of passwords and personal e-mail folders did not suffice to overcome the said expectation. The court further stated that the Massachusetts Wiretap Act was not violated because the messages were not intercepted during their transmission but were discovered after the receipt of the e-mails.

P. 284. Add after "Case Questions."

            In Weld v. Glaxo Wllcome Inc., 746 N.E.2d 522, 2001 Mass. LEXIS 207 (Sup. Jud. Ct. Ma., May 1, 2001), the plaintiffs filed a class action suit against a number of pharmaceutical companies. It was alleged that CVS Pharmacy had developed a patient compliance program that enabled a number of pharmaceutical manufacturers to send letters to certain of CVS's customers. The plaintiffs alleged that their confidential medical information was improperly disclosed and tortiously misappropriated by CVS and the said companies for commercial gain. Manufacturers provided CVS with specific selection criteria for mailing of its advertisements. Thus, CVS identified its customers that had certain medical conditions based on prescription histories or prescriptions filled and gave the data to the pharmaceutical companies. The merger of the database was performed at CVS headquarters and by a marketing company. The letters sent to the consumers were on CVS letterheads. At the bottom of the letterheads were the names of the pharmaceutical companies. Each letter recommended drugs or other data by the sponsoring company.

            The discussion of the case centered on the question of whether a class action was appropriate and whether the plaintiff had sufficient standing. The Massachusetts appeal court determined that the class action was appropriate inasmuch as CVS had contracted with the said pharmaceutical manufacturers, though separately and individually, using almost identical contractual obligations with comparable financing, selection criteria, and letter content in exchange of CVS's promise to send the letters to the identified customers. There was a single course of conduct by the defendants that can be adjudicated particularly with respect to the issue of the duty owed by CVS to its customers.

P.291. Add before "Right to Financial Privacy Act"

Cookies as Violation of the ECPA.

The federal district court, in a case entitled In re Doubleclick Inc. Privacy Litigation, 154 F. Supp.2d 497 (S.D.N.Y. 2001), decided that the use of cookies did not violate the Electronic Communications Privacy Act nor did it violate the Computer Fraud and Abuse Act or the Wiretap Act. Doubleclick placed cookies on its websites enabling it to gather information concerning users of the site and directing specific advertising to those users who were potential customers. The information gathered was only the information received through the website. Doubleclick gathered three types of information including the data received by a customer's inquiry, the responses made to inquiries, and the users' later movements through the website. Through the use of the data, Doubleclick is able to determine what advertisements may be of interest to the user and the specific advertisements are thereby directed to them.

            The court dismissed the claims noting that users were able to prevent Doubleclick from gathering the said information by reviewing the opt-out cookie on Doubleclick's website. The ECPA provides that it is a violation to "access...without authorization a facility through which an electronic information service is provided...and thereby obtain...access to a wire or electronic communication while it is in electronic storage in such system..." The statutory exception concerns "conduct authorized...(2) by a user of that service with respect to a communication of or intended for that user (18 U.S.C. Section 2701(c)(2)."  The court said that the plaintiffs did provide access to their websites, Doubleclick's client web sites were authorized users and that Doubleclick's cookies came within the exception to the statute. Moreover, the statute applies to electronic communications that concerned only to communications that were temporarily stored for a limited time and, thus, did not apply herein because the cookies were placed for a prolonged period on plaintiffs' hard drive. The Wiretap Act did not apply because one of the parties to the communication had given prior consent. There was no purpose of committing a criminal or tortious act. The Computer Fraud and Abuse Act did not apply because the plaintiffs failed to meet the statutory damage threshold of $5,000.         

            In Fischer v. Mt. Olive Lutheran Church, 207 F. Supp.2d 914 (W.D.Wis.2002), the defendant church had employed the plaintiff, Fisher, as its Minister of Youth and Children's Ministries, whose function was to provide counseling services to minors and adults. The named defendants included the church's secretary, its pastor, and business manager. The plaintiff opened a personal account with an ISP, using the church's computer terminal for access thereto. The plaintiff shared an office with the defendant secretary. The plaintiff, responding to e-mail from a male friend, used the associate pastor's telephone to call him. The defendant secretary took a cordless telephone with her and, when she used the phone, she overheard a highly sexual conversation between the plaintiff and his male friend. The defendant secretary fearing the plaintiff's possible misuse of his position as church counselor gave the telephone conversation to the business manager who also heard the continuing sexual conversation the plaintiff was conducting with his male friend. The police were called in to investigate and the church's computers were accessed to see if the plaintiff had engaged in sexually related e-mail transmissions. Ultimately, the plaintiff was dismissed from his employment with the church. The plaintiff sued alleging violation of the Electronic Communications Privacy Act, the Wisconsin Communication Privacy Act, the Electronic Communication Storage Act, the Computer Fraud and Abuse Act, and invasion of privacy.

            The court refused to dismiss the allegations of the plaintiff concerning the Electronic Communications Privacy Act, stating it is to be left to the trial court to determine whether the Act was violated by virtue of the fact that the private conversation was overheard and not discontinued. The court noted that it was unclear how a sexually related conversation would raise safety concerns for church personnel or possible liability for improper contact with church personnel and a minor. It appeared herein that the conversation was with another adult. The Act prohibits the intentional interception or disclosure of the contents of a wire, oral or electronic communication by a person who knows or should have known that the information obtained through the interception violates the Act. The trier of fact has to determine if the conversation was personal in nature and therefore covered by the Act or business in nature and not covered by the statute. For the same reasons, the court refused to dismiss the ground of violation of the Wisconsin Communication Privacy Act, which statute is very similar to the federal statute.   

            The court granted motions to dismiss under the Electronic Communication Storage Act as to two of the four defendants, which makes it a violation for anyone to intentionally access a facility without authorization to obtain, alter, or prevent access to a wire or electronic communication while it is in electronic storage in such system. Electronic storage is defined as either temporary, intermediate storage incidental to the electronic transmission. The messages herein were stored in the church's server. It appears that the two of the defendants did access the plaintiff's ISP account but there was no proof that they had obtained, altered, or prevented authorized access to the e-mail account. Nevertheless, it was left to the trial court to gather evidence concerning this issue. The court dismissed the claims under the Computer Fraud and Abuse Act because there was no evidence that the plaintiff suffered monetary losses of at least $5,000. The court also refused to dismiss the claim of invasion of privacy noting that there was evidence of possible violation of the plaintiff's privacy by the intentional intrusion into the plaintiff's e-mail account.                  

P. 292. Add to end of "Driver's Privacy Protection Act"

            The U.S. Supreme Court was called upon to determine the constitutional validity of the Driver's Privacy Protection Act (DPPA) in Reno v. Condon, 528 U.S. 141 (2000). In holding for a unanimous court and reversing the decision of the U.S. Court of Appeals, Chief Justice Rehnquist wrote:

We hold that in enacting this statute Congress did not run afoul of the federalism principles enunciated [in prior cases].... The DPPA regulates the disclosure and resale of personal information contained in the records of state DMVs [Department of Motor Vehicles]. State DMVs require drivers and automobile owners to provide personal information, which may include a person's name, address, telephone number, vehicle description, Social Security number, medical information, and photograph, as a condition of obtaining a driver's license or registering an automobile. Congress found that many States, in turn, sell this personal information to individuals and businesses... These sales generate significant revenues for the States...

The DPPA establishes a regulatory scheme that restricts the States' ability to disclose a driver's personal information without the driver's consent. The DPPA generally restricts any state DMV, or officer, employee, or contractor thereof, from "knowingly disclosing or otherwise making available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record...."

The United States asserts that the DPPA is a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause, U.S. Const., Art. I, Section 8, cl. 3. The United States bases its Commerce Clause argument on the fact that the personal, identifying information that the DPPA regulates is a "thing in interstate commerce," and that the sale or release of that information in interstate commerce is therefore a proper subject of congressional regulation... We agree with the United States' contention. The motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers' information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation...

...[T]he DPPA does not require the States in their sovereign capacity to regulate their own citizens. The DPPA regulates the States as the owners of databases. It does not require the South Carolina Legislature to enact any laws or regulations, and it does not require state officials to assist in the enforcement of federal statutes regulating private individuals...

P. 298. Add to "Safe Harbor Provision"

            The European Union asked the United States to clarify the authority and policies of the Federal Trade Commission in the online privacy area. The E.U. asked the FTC (1) whether it had jurisdiction in the event transfers of employment-related data violated the U.S. safe harbor principles; (2) whether it has jurisdiction over non-profit privacy seal programs; (3) whether the Federal Trade Commission Act applied equally to off-line and online data; and (4) what would occur if the FTC's jurisdiction overlapped with other law enforcement agencies.

            The FTC responded by letter to the European Union on July 14, 2000 (http://www.export.gov/safeharbor/FTCLETTERFINAL.htm). It stated that it was empowered under Section 5 of the Federal Trade Commission Act to investigate and prosecute violations of deceptive practices. "...[T]he Commission has taken the position it may challenge particularly egregious privacy practices as unfair under Section 5 if such practices involve children, or the use of highly sensitive information, such as financial records and medical records...The FTC will give priority to referrals of non-compliance with self-regulatory guidelines received from organizations such as BBB Online and TRUSTe...." Priority will also be given to referrals from the E.U. concerning alleged breach of safe harbor principles permitted by the E.U. The letter cited its complaint against GeoCities and the settlement reached concerning Internet misrepresentation of information. Similarly, it noted its complaint and consent agreement with ReverseAction.com, an online auction site that procured its consumers' personally identifying information from competitors and then sent unsolicited e-mail messages to the said consumers. The FTC reported that it had a Consumer Response Center to receive complaints from consumers.

            With respect to employment data, the FTC assured the E.U. that it did have statutory and case law authority to investigate and promulgate enforcement actions in employment-related data situations. It did note, however, that traditional labor disputes would be referred to the National Labor Relations Board for its ultimate determinations. Concerning "seal" programs, the FTC does have jurisdiction over seal programs administering dispute resolution mechanisms and that it would enforce applicable rules in cases of misrepresentation. It will do so whether the entity is a profit or non-profit entity. The FTC will seek remedies against both online and offline persons with respect to consumer privacy. It cited its action against TouchTone Information, Inc., which allegedly obtained illegally consumers private financial information.

            Concerning overlapping jurisdiction with other law enforcement agencies, the letter noted that the FTC has "strong working relationships with numerous other law enforcement agencies, including the federal banking agencies and state attorneys general." Investigations are coordinated and appropriate referrals are made. Thus, the FTC believes that it can meet the standards of the safe harbor provisions of the E.U. and institute appropriate enforcement procedures to assure compliance.