Important Issues in Internet Privacy Law
By Douglas A. Kewley
TABLE OF CONTENTS
To understand the impact of the Internet on privacy law, you must first understand what the Internet is and how it works. Footnote 1. “The Internet is a decentralized, global communications medium linking people, institutions, corporations, and governments all across the world.”
American Library Association, et al. v. Pataki, et al., 969 F. Supp. 160, (S.D.N.Y. 1997). “About 40 million people used the Internet at the time of trial, a number that is expected to mushroom to 200 million by 1999.”
Reno v. ACLU, U.S ., 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997).
The Internet is a network of individual computers and computer networks. No one controls the Internet. The content of the Internet is whatever anyone wants to put on the Internet.
A person gains access to the Internet by a variety of sources. Schools can provide access for their students and faculty. Businesses may provide access for their employees. Libraries may provide Internet access. There are even “Internet Cafes” which provide access.
Most individuals access the Internet either through an on-line service, such as CompuServe or America-on-Line, or an Internet service provider. Anyone with a subscription to an Internet service provider or on-line service and a computer, a modem and a telephone can access the Internet.
Once connected to the Internet, a person can communicate with pictures, text and moving pictures in several ways including:
(1) electronic mail to an individual (e-mail);
(2) electronic mail to a group (e-mail with a mail exploder or listserv);
(3) posting or receiving messages on database (newsgroup or bulletin board);
(4) real time communication (chat rooms); and
(5) information retrieval (ftp, gopher, and the World Wide Web).
No matter how a person accesses the Internet, any communication will involve at least two or more computers located anywhere in the world.
The Internet affects a person’s expectation of privacy by the very way the Internet works. Assume Mary wants to send Ann an e-mail letter. Mary uses CompuServe as her Internet service provider. Ann uses America-On-Line. Mary writes the letter on her computer. Her computer retains a copy of the letter. Mary “e-mails” the letter to Ann, which means CompuServe copies the letter onto CompuServe’s computer in Ohio. CompuServe transmits the letter to America-On-Line, where America-On-Line copies it onto America-On-Line’s computer in Virginia. Finally, Ann retrieves the letter from America-On-Line, and copies it onto her computer. In this example, the Internet caused the letter to be written on a minimum of four computers. In reality, the Internet could have written it on many more computers as it works its way through the Internet.
The use of the Internet might also affect which law applies and where someone can be sued. Assume Mary and Ann both live in New Orleans. In theabove example, Mary subscribed to CompuServe, whose computers are located in Ohio. Ann subscribed to America-On-Line, whose computers are located in Virginia. A copy of the letter resides in three states. Which state’s law controls? It is possible that the Internet could route a letter through another country. Which country’s law controls?
If a defamatory statement is placed on a web page or newsgroup, anyone can access it on the Internet, anywhere in the world. Now whose law and jurisdiction apply? Someone may put something on the Internet that would qualify as protected speech in the United States, but might violate the law of another country. If someone in the other country sees the posting, is the author subject to the laws and jurisdiction of that other country?
The Privacy Protection Act, 42 USC §2000aa,
et seq., and Title II of the Electronic Communications Privacy Act, 18 USC §2701,
et seq., provide some privacy protection for electronic communications.
The Privacy Protection Act, subject to certain exclusions, makes it:
. . . unlawful for a governmental officer or employee, in connection with the investigation of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication, in or affecting interstate or foreign commerce. . .
42 USC §2000aa(a). The same law also applies to documentary materials.
See 42 USC §2000aa(b).
Does material on the Internet constitute:
1. work product materials or documentary materials
2. to be disseminated to the public
3. by public communication
4. in or affecting interstate or foreign commerce?
Is the information superhighway more than a highway in name only? A New York court has already determined that the Internet is an instrument of interstate commerce.
The inescapable conclusion is that the Internet represents an instrument of interstate commerce, albeit an innovative one; the novelty of the technology should not obscure the fact that regulation of the Internet impels traditional Commerce Clause considerations.
American Library Association, et al. v. Pataki, et al., 969 F. Supp. 160, 173 (SDNY 1997).
Are Internet materials work product materials? The Privacy Protection Act defines “work product materials” as materials that are:
1. prepared, produced, authored or created in anticipation of communicating the materials to the public;
2. are possessed for the purpose of communicating with the public; and
3. include the mental impressions, conclusions, opinions or theories of the preparer, producer, author or creator.
See 42 USC §2000aa-7(b). Documentary materials include “mechanically, magentically [sic] or electronically recorded card tape or discs.”
See 42 USC §2000aa-7(a).
In 1990, the Secret Service seized a computer in which Steve Jackson Games maintained a bulletin board and other materials.
The evidence establishes the actual information seized, including primary source and back-up materials of the draft of Gurps Cyberpunk, a book intended for immediate publication (within days to weeks), drafts of magazine and magazine articles to be published, business records of Steve Jackson Games, Incorporated (including contracts and drafts of articles by writers of Steve Jackson Games, Incorporated), the Illuminati bulletin board and its contents (including public announcements, published newsletter articles submitted to the public for review, public comment on the articles submitted and electronic mail containing both private and public communications).
. . .
However, the evidence is clear that on March 1, 1990, “work product materials,” as defined in 42 U.S.C. 2000aa-7(b), was obtained as well as materials constituting “documentary materials” as defined in the same provision.
Steve Jackson Games, Inc. v. United States Secret Service, 816 F.Supp. 432, 439-440 (W.D.Tex.1993), aff’d
Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994). While the
Steve Jackson Games case did not involve the Internet, the similarity between the materials seized makes it reasonable to assume that the Privacy Protection Act would apply to Internet materials. Web pages and newsgroup postings are meant to be disseminated to the public, as are materials contained in ftp and gopher sites.
The Privacy Protection Act would probably not protect private e-mail. This is because no one intends it to be disseminated to the public. Also one is probably not disseminating e-mail to the public using a mail exploder or listserv.
While the Privacy Protection Act does not protect e-mail, e-mail is protected by the Title II of the Electronic Communications Privacy Act, 18 USC §2701,
et seq. (“ECPA”). The ECPA makes it illegal to:
(1) intentionally access without authorization a facility through which an electronic communication service is provided, or
(2) intentionally exceed an authorization to access that facility;
whereby a person obtains, alters or prevents authorized access to a wire or electronic communication while it is in electronic storage.
See 18 USC §2701(a). E-mail sitting on a server is an electronic communication in electronic storage. A violation of the ECPA is punishable by a fine and/or imprisonment.
See 18 USC §2701(b). Exempt from the prohibitions of the ECPA are the provider of the service and the user.
See 18 USC §2701(c).
Neither a service provider nor a remote computing service can divulge the contents of a communication.
See 18 USC §2702(a). However the contents can be divulged to the addressee or intended recipient, their agent or with their permission. The contents can also be divulged to a person employed or authorized or whose facilities are used to forward the communication or as necessary to render the service or protect the rights or property of the service provider.
See USC 18 §2702(b).
A governmental entity may compel the divulging of electroniccommunications under certain circumstances. If the governmental entity wants to obtain a communication from a service provider that has been stored for one-hundred and eighty days or less, the governmental entity must obtain a warrant under the Federal Rules of Criminal Procedure or comparable state statute.
See 18 USC §2703(a).
If the governmental entity wants to obtain a communication from a service provider has been stored for more than one-hundred and eighty days or from a remote computing service, the governmental entity has a choice. The governmental entity can obtain a warrant pursuant to the Federal Rules of Criminal Procedure or similar state warrant. Alternatively, the governmental entity can give notice and use an administrative subpoena authorized by federal or state statute or a federal or state grand jury or trial subpoena.
See 18 USC §2703(a) and (b), The notice can be delayed under certain circumstances.
See 18 USC §2705.
A service provider or a remote computing service can provide records pertaining to subscribers or customers to
anyone except a governmental entity.
See 18 USC §1703(c)(1)(A). The governmental entity can only obtain those records if it obtains a warrant pursuant to the Federal Rules of Criminal Procedure or similar state warrant, obtains a court order or obtains the permission of the subscriber or customer.
See 18 USC §1703(c)(1)(B). Certain information can be disclosed to a governmental entity under an administrative subpoena authorized byfederal or state statute or a federal or state grand jury or trial subpoena. Footnote 2.
See 18 USC §2703(a)(1)(C).
The Court in
Steve Jackson Games found that the ECPA applied to the e-mail found on the computer. The court awarded each plaintiff the statutory $1,000.00 damage. However, courts have upheld the defense of good faith in barring recovery in an ECPA case involving the seizure of a computer containing e-mail messages.
See Davis v. Gracey, 111 F.3d 1472 (10th Cir. 1997).
A navy volunteer received an e-mail message regarding the toy-drive that she was coordinating for the U.S.S. Chicago’s crew members’ children. The message box stated that it came from the alias “boysrch,” but “Tim” signed the text of the e-mail. Through an option available to the volunteer subscriber, the volunteer searched through the “member profile directory” to find the member profile for this sender. The member profile specified that “boysrch” was named Tim, and Tim lived in Honolulu, Hawaii, worked in the military, and identified his marital status as gay. However, the profile did not include any further identifying information such as full name, address or phone number. The Navy, in seeking to obtain information on a sailor’s sexual orientation asked for and obtained a record from the on-line service provider identifying the sailor to his pseudonym “boysrch.” However, the Navyfailed to obtain the required warrant or subpoena. The court found that the Navy had violated the ECPA in obtaining the record.
Timothy R. McVeigh v. William Cohen, et al., 983 F.Supp 1315 (D.D.C, 1998).
It should be noted that the ECPA will not protect materials on the Internet or a bulletin board that is open to the public and normally accessed by use of an alias or pseudonym. A Sega employee obtained copyright violation evidence from a bulletin board service gaining access to the bulletin board under a pseudonym, using information supplied by an authorized user who was an informant. The court found Sega did not violate the ECPA because Sega was, either directly or indirectly, an authorized user.
Sega Enterprises Ltd. v. Maphia, et al., 857 F.Supp 679 (N.D.Ca. 1994).
State statutes may also apply to Internet search and seizure. Quad/Graphics, Inc. learned that many of its employees were using company computers to access the Internet. The access required long distance phone calls to a library which, in turn, provided free Internet access. The library required the employees to obtain library cards and personal identification numbers. The employer sought the employee’s identification through a freedom of information act request. The library refused, citing New York statute CPLR 4509. The court upheld the library’s refusal.
In the Matter of Quad/Graphics, Inc., v. Southern Adirondack Library System, 174 Misc. 2nd 291 664 N.Y.S. 2d 225 (N.Y. Sup, 1997).
Quad/Graphics is not a true Internet case since the library was not necessarily an Internet service provider or remote computing service. Had it been, then the ECPA would have applied and would not have prevented the production of the records to a non governmental entity. However, the state law did.
Many employers operate e-mail systems for their employees. While business e-mail systems do not necessarily involve the Internet, they can. Furthermore, the experience with employer e-mail cases provides insight into privacy concerns with Internet service providers.
In a Pennsylvania case, a business maintained an e-mail system to promote internal corporate communications between its employees. The business repeatedly assured its employees, including plaintiff, that all e-mail communications would remain confidential and privileged. The business further assured its employees, including plaintiff, that the business would not intercept and use e-mail communications against its employees as grounds for termination or reprimand. The employee sent an e-mail message from his home to his supervisor, over the business’ e-mail system. The e-mail message contained what the business considered inappropriate and unprofessional language. The business intercepted the e-mail. Apparently, the supervisor was not involved in the interception. The business terminated the employee for using inappropriate and unprofessionallanguage in the business e-mail.
Like Louisiana, Pennsylvania is an at-will employment state. However, the Pennsylvania court was willing to consider privacy issues. The court found no reasonable expectation of privacy.
In the first instance, unlike urinalysis and personal property searches, we do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management. Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost. Significantly, the defendant did not require plaintiff, as in the case of an urinalysis or personal property search to disclose any personal information about himself. Rather, plaintiff voluntarily communicated the alleged unprofessional comments over the company e-mail system. We find no privacy interests in such communications.
Michael A. Smyth v. The Pillsbury Company, 914 F.Supp. 97 (E.D.Pa. 1996). Therefore, the court permitted the search and seizure by the employer.
Should the ECPA have prevented the intrusion? Probably not. First, the business was not providing an e-mail service to the public, so it might not be subject to the ECPA.
Andersen Consulting L.L.P. V. UOP and Bickel & Brewer, 991 F.Supp. 1041 (E.D.Il. 1998). Also, even if the ECPA applied to a business, the business would be the provider, and, therefore allowed to review communications.
As originally created, the Internet was not for commercial purposes. However, with the rapidly expanding usage of the Internet, commercial use was inevitable. The Internet levels the commercial playing field to a certain extent. The size or profitability of your business does not control your presence on the Internet. You can create a web site to rival those of Fortune 500 businesses. You do not even need an office. Your web site can attract customers from all over the world. You can mail brochures with text, pictures, sound and motion, all at little or no cost to yourself. This capability of the Internet led to “junk e-mail.”
The United States Postal System has long had to deal with junk mail. However, because the United States Post Office is a governmental entity, it is subject to the freedom of speech mandate of the First Amendment. At least traditional junk mailers had to go to the expense of printing their message and postage.
On the Internet, there is no printing cost and no postage. Sending the same message to millions of people by simply pushing a computer key is possible. This became known as the practice of spamming. Footnote 3.
Unfortunately, spamming has a cost to the Internet service provider and the recipient. Computing capacity is a finite figure. When the spam deluged the various servers, the sheer volume slowed the processing of all activity on those servers, if not shut them down completely. Several service providers, particularlyin the early years of public access to the Internet, charged their subscribers based on the time the subscriber was on the Internet. If a subscriber spent time reading through his spam, not only did he waste his time, he wasted his money as well. As a result, he complained to his Internet service provider about the spam.
Usually, the Internet service provider would ask the spammer to cease sending spam to his subscribers. Most likely, this did not have the desired effect. Next, the Internet service provider would block the delivery of spam by blocking out all spam bearing the spammer’s identity. The spammer would counter this by using a fake identity. Sometimes the Internet service provider would send “e-bombs” to the spammer, such as bulk e-mailing all the undelivered spam back to the spammer. The e-bombs would result in the spammer’s Internet service provider’s equipment slowing or shutting down. This, in turn, made the spammers less desirable subscribers. Finally, this led to litigation.
Perhaps the most notable spammer was/is Sanford Wallace, sometimes known as Spamford Wallace, and his company, Cyber Promotions, Inc (“Cyber”). Mr. Wallace had been sending unsolicited e-mail to America-On-Line’s (“AOL”) subscribers. On January 26, 1996, AOL sent a letter to Cyber, advising Cyber that AOL was upset with Cyber’s dissemination of unsolicited e-mail to AOL members over the Internet. AOL subsequently sent “e-mail bombs” to Cyber’s Internet service providers. On March 26, 1996, Cyber filed suit against AOL in response to AOL’s e-mail bombing. Cyber alleged that, because of AOL’s e-mail bombing, twoof Cyber’s Internet service providers terminated their relationship with Cyber and a third provider refused to enter into a contract with Cyber. On April 8, 1996, AOL filed a ten-count Complaint against Cyber, alleging service and trade name infringement, service mark and trade name dilution, false designation of origin, false advertising, unfair competition, violations of the Virginia Consumer Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Virginia Computer Crimes Act. AOL sought injunctive relief and damages.
Cyber argued that the free speech principles of the First Amendment prevented AOL from interfering with Cyber’s spam. AOL argued that the First Amendment applied to governmental entities, and AOL was a private business. Cyber countered that AOL performed a quai-governmental function. The court agreed with AOL.
The Court declares that Cyber Promotions, Inc. does not have a right under the First Amendment to the United States Constitution or under the Constitutions of Pennsylvania and Virginia to send unsolicited e-mail advertisements over the Internet to members of American Online, Inc. and, as a result, American Online, Inc. may block any attempts by Cyber Promotions, Inc. to do so.
Cyber Promotions, Inc. v. American Online, Inc., 948 F.Supp. 436, 447 (E.D.Pa. 1996). Cyber lost this same battle in California and Ohio.
Concentric Network Corporation, Inc. v. Wallace and Cyber Promotions, Inc., Case No.: C-96 20829- RMW(EAI), (N.D.Ca. 1996) and
CompuServe Incorporated, v.Cyber Promotions,Inc. and Sanford Wallace, 962 F. Supp. 1015 (S.D.Oh. 1997).
Mr. Wallace finally won a case. However, it was not against someone blocking his spam. Cyber used Apex Global Information Services (“AGIS”) as its own Internet service provider. AGIS alleged that in response to Cyber’s spamming activities, AGIS was subjected to massive “pinging” attacks. “Pings” are generated by a software program and are designed to be used by Internet users to check network connections. These “pings” are also used illegitimately to disable computers attached to the Internet by flooding them with repeated information requests. Without prior notice, AGIS terminated Cyber’s access. Cyber’s contract with AGIS called for a thirty-day termination notice. The court upheld the contract and enjoined AGIS from terminating Cyber.
Cyber Promotions, Inc. v. Apex Global Information Services, Inc., 1997 WL 634384, (E.D.Pa., 1997).
Spamming can damage a company that was not an Internet service provider. Plaintiff owned the domain name “flowers.com.” Defendant spammers used fake return addresses to prevent blocking of their spam. Unfortunately for the plaintiff, defendants used “flowers.com.” Because many thousands of the Internet addresses which defendant sent his spam to were not valid addresses, thousands upon thousands of copies of junk mail were “returned” to the plaintiff. This massive, unwanted delivery of the defendants’ garbage to the plaintiffs’ doorstep inflicted substantial harm, including substantial service disruptions, lost access to communications, lost time, lost income and lost opportunities. The court enjoined defendants and awarded damages to the plaintiff.
Tracy Laquey Parker, et Al. V. C.N. Enterprises and Craig Nowak, No. 97-06273 (345th JDC, Tx. 1997).
In response to the spam abuse, there are several bills pending in the United States Congress. Footnote 5. These proposals attempt various “fixes” such as requiring truthful return addresses and various opt-out proposals. Many states have also either passed laws or are considering laws involving spam. Footnote 6. Therefore, it seems that spam’s heady days are numbered.
The law of defamation as to the speaker is no different on-line than it is off-line. The same issues and defenses exist. There will be no attempt to review those issues here. However, the Internet does provide a different context for traditional defamation issues.
On the Internet, most “authors” use pseudonyms. Therefore, determining the true identity of the author is extremely difficult, if not impossible. Furthermore, the ability to anonymously post a defamatory statement to millions of people at once and at no cost was previously unheard of before the Internet. This inability to determine the true identity of the “authors” led to attempts to hold the on-line services liable.
The first such case involved CompuServe. CompuServe maintains various special interest “forums,” which consist of electronic bulletin boards, interactive online conferences, and topical databases. One forum was the Journalism Forum, which focused on the journalism industry. One publication available as part of the Journalism Forum is Rumorville USA (“Rumorville”), a daily newsletter that provided reports about broadcast journalism and journalists. CompuServe did not review Rumorville’s contents. In 1990, plaintiffs developed Skuttlebut, a computer database designed to publish and distribute electronically news and gossip in the television news and radio industries. Plaintiffs intended to compete with Rumorville. Plaintiffs claimed that, on separate occasions in April 1990, Rumorville published false and defamatory statements relating to Skuttlebut, and that CompuServe carried these statements as part of the Journalism Forum.
The New York court applied traditional defamation ideas to the Internet to decide if CompuServe was a “publisher,” and therefore liable, or a “distributor,” and, therefore, not liable, for the defamatory remarks. The court found that CompuServedid not exercise any editorial control over Rumorville and could not review Rumorville before it appeared on CompuServe. Therefore, the court held that CompuServe was a distributor, and, absent a showing that CompuServe knew or should have known of the defamatory statements, CompuServe would not be liable.
Cubby, Inc., et al. v. CompuServe Inc., et al., 776 F. Supp. 135 (S.D.N.Y. 1991).
The next challenge was against Prodigy. The situation was different with Prodigy. Where CompuServe did nothing to exercise editorial control, Prodigy did.
The key distinction between CompuServe and PRODIGY is twofold. First, PRODIGY held itself out to the public and its members as controlling the content of its computer bulletin boards. Second, PRODIGY implemented this control through its automatic software screening program, and the Guidelines which Board Leaders are required to enforce. By actively utilizing technology and manpower to delete notes from its computer bulletin boards on the basis of offensiveness and “bad taste”, for example, PRODIGY is clearly making decisions as to content (see, Miami Herald Publishing Co. v Tornillo, supra), and such decisions constitute editorial control. (Id.) That such control is not complete and is enforced both as early as the notes arrive and as late as a complaint is made, does not minimize or eviscerate the simple fact that PRODIGY has uniquely arrogated to itself the role of determining what is proper for its members to post and read on its bulletin boards.
Stratton Oakmont, Inc., et al. v. PRODIGY Services Company, et al.,1995 WL 323710, 4 (N.Y. Sup. 1995). The Court held Prodigy to be a publisher, and therefore liable for the defamatory statements.
The CompuServe-Prodigy test was a triumph of old world defamation law, but a public policy disaster. The courts protected the company that did absolutelynothing to prevent defamatory statements and punished the company that did, all while public outcries about obscenity on the Internet were growing.
Enter the United States Congress and the Communications Decency Act of 1996. In 1996, Congress passed the Communications Decency Act of 1996 to regulate pornography on the Internet. One thing the act did was to effectively overrule
Stratton v. Prodigy.
No provider . . . of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
47 USC §230(c)(1). It further provides:
No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.
47 USC §230(d)(3). Therefore, absent knowledge, an on-line service is not liable for defamatory statements published on the on-line service.
Courts have upheld the on-line service’s immunity under the Communications Decency Act, even when the acts occurred before the effective date of the act.
Doe V. America Online, Inc., 1997 WL 374223 (Fla. Cir. Ct. 1997). This protection exists even when there is a specific state law to the contrary.
Zeran v. America Online, Inc., 958 F.Supp. 1124 (E.D.Va., 1997).
One word of warning. The United States Supreme Court struck down portions of the Communications Decency Act on First Amendment grounds.
Reno v. ACLU, U.S., 117 S. Ct. 2329, 138 L.Ed.2d 874 (1997). However, theSupreme Court merely affirmed the District Court’s striking of 47 USC §223(a)(1) and 47 USC §223(d). The Act contained a severability clause.
See 47 USC §608. Therefore, the protection provided the on-line services is probably still intact.
Similar to the law of defamation, the law regarding trade secrets does not change just because trade secrets may now involve or be transmitted by the Internet. If something was a trade secret before the Internet, it will be one after the Internet. The same defenses to a trade secret case will still exist.
Particularly hard hit in Internet trade secret litigation, is the Religious Technology Center, one of the formal entities constituting the Church of Scientology. A number of documents that the Religious Technology Center considered trade secrets have appeared on the Internet. While such trade secrets may have been otherwise protected, the fact that the Religious Technology Center had trouble keeping the documents leaking out in other media prevented them from successfully suing Internet sites publishing the documents.
Religious Technology Center v. F.a.c.t.Net, Inc., 901 F.Supp. 1519 (D.Co.1995); and
Religious Technology Center v. Netcom On-line Communication Services, Inc., 923 F.Supp. 1231 (N.D.Ca. 1995) .
The development of the Internet has created a new area for trade secrets, i.e, the development of web sites. A Massachusetts case involved an employee of a company that sold computers and computer components over the Internet. The employee wanted to work for a direct competitor. Unfortunately for the employee, the employee had signed a non-compete agreement. The trade secrets at issue were related to Internet technology.
The defendant was exposed to highly confidential information relating to this currently fast-emerging, even revolutionary, industry, and therefore, the non-competition and non-disclosure clauses are necessary to protect the plaintiff’s legitimate business interests. . . Through his employment with the plaintiff, the defendant learned all of the techniques NECX used to compete effectively in the on-line marketplace. The defendant became familiar with the computer programs and used them to assist in the collecting, organizing, re-formatting and re-presentation of the data and information all part of the content management aspect of the business. The successfulcontent management techniques that the plaintiff has developed and the defendant has learned allow the plaintiff to market over 25,000 products in a way that is generally considered within the industry to be superior. . . .
New England Circuit Sales, Inc., v. Scott Randall and the Internet Shopping Network, Inc., CIVIL ACTION NO.: 96-10840-EFH, (D.Ma., 1996). The District Court issued an injunction to enforce a non-compete clause.
It is possible that a hacker could break into a company’s computer over the Internet and steal trade secrets. However, should that occur, almost certainly the defendant would face not just trade secret theft issues, but use of the wires and crossing interstate lines issues as well.
United States of America v. Robert J. Riggs and Craig Neidorf, 743 F.Supp. 556 (N.D. Ill. 1990).
There are many areas of the Internet where a person waives their privacy rights. This can occur without the user even knowing it.
If you send or receive e-mail, many people besides the author and recipient can read it without liability. Under the Electronic Communications Privacy Act, the provider of the service may read the communication.
See 18 USC §2701(c)(1). Also, any person employed or authorized or whose facilities are used to forward thee-mail to its destination can read the communication.
See 18 USC §2702(b)(4). Additionally, the communication can be read as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of the service.
See 18 USC §2702(b)(5).
The expectation of total privacy of e-mail is obviously limited. In fact, in some jurisdictions, it is a violation of an attorney’s ethical code to send sensitive attorney-client materials by e-mail. Other jurisdictions will allow such transmission, but only if the material is sent encrypted.
Besides allowing someone to read your e-mail, you waive your privacy in other ways. Both your communication service provider and any remote computing service can reveal your records (other than the content of the communications themselves) to anyone other than a governmental entity.
See 18 USC §2703(c)(1)(A).
A person can waive some of their privacy on the World Wide Web as well through the use of “cookies.” Cookies are pieces of information one computer stores on another computer for later retrieval.
The way cookies work is that you log on to a particular web site. That web site may ask you questions and it tracks your use of the web site. It will then put this information into a cookie and plant it on your computer. The next time you logon to that web site, it retrieves the cookie it put on your computer. By doing this, the web site attempts to send you information customized to your prior usage.
If you do not want cookies to be installed on your computer, you can gain some protection. The more modern web browsers can be set to notify you when a web site wants to install a cookie. You can then choose whether you want the cookie installed or not.
European countries have passed significant data protection laws. Unfortunately, the United States lags behind in this crucial area of the law.
The traditional liability issues for violations of privacy exist on the Internet. However, there are some new wrinkles. As already discussed, on-line providers must be found to have known or should have known of defamatory remarks before they will be found liable for defamation.
See 47 USC §230(c)(1).
Obvious new wrinkles are in the area of e-mail violations. Much of the new liability grows out of the Electronic Communication Privacy Act.
A nonexempt person who reads a communication for commercial advantage, malicious destruction or damage, or private commercial gain can be fined or imprisoned for not more than a year, or both for the first offense. Subsequent offenses can be sentenced to imprisonment for up to two years.
See 18 USC§2701(b)(1). If the violation were for any other purpose, any sentence to imprisonment cannot exceed six months.
See 18 USC §2701(b)(2).
The ECPA also provides for civil causes of action. The relief includes such preliminary and other equitable or declaratory relief may be appropriate, damages
and reasonable attorneys’ fees and litigation costs.
See 18 USC §2707(b). The damages include actual damages plus any profits made by the defendant, but in no case less than $1,000.00. If the violation were wilful or intentional, the court can impose punitive damages.
See 18 USC §2707(c). Furthermore, if an agency or department of the United States is involved and the court finds that the violation may have been wilful or intentional, the agency or department must initiate a proceeding to determine if the violation warrants disciplinary action.
See 18 USC §2707(d).
The ECPA also provides various defenses. Besides the exemptions discussed above, the ECPA provides for a good faith defense to both civil and criminal liability. The good fait defense must be based on:
1.A court warrant or order, a grand jury subpoena, a legislative authorization or a statutory authorization;
2.a request of an investigative or law enforcement officer under 18 USC §2511(3), or
3.a good faith determination that 18 USC §2511(3) permitted the conduct.
See 18 USC §2708(e). A civil action must be brought within two years of discoveryor reasonable opportunity to discover the violation.
See 18 USC §2708(f).
The Privacy Protection Act provides a civil cause of action for violations. The successful party can obtain actual damages, but in no event less than $1,000.00. The successful party may also recover reasonable attorneys’ fees and litigation costs.
See 42 USC §2000aa-6(f).
There is no liability under the Privacy Protection Act if the officer had a good faith belief in the lawfulness of his conduct.
See 42 USC §2000aa-6(b). Other than for a judicial officer, neither the United States, a state nor any other governmental entity can claim immunity.
See 42 USC §2000aa-6(c).
More than the obvious statutory liabilities, it is the unexpected liabilities that one is exposed to on the Internet. Internet communication crosses state and national boundaries without notice. Usually, there is nothing on a web site or e-mail connection that alerts a user to where the Internet location originates. Therefore, you do not know where you can be sued, let alone what jurisdiction’s law will apply.
A Louisianian creates a web page, which he maintains on a Louisiana server. Someone in another state sits at their own computer and conducts a web search. One of the web sites that is hit is the Louisianian’s web site. The Louisianian has no other contact with that state. Now the other person sues theLouisianian. Does the presence of a web site accessible on the Internet in other states subject the Louisianian to personal jurisdiction in the other states? Some courts have held that the existence of a web site, without more, does not establish sufficient contacts for a court to establish jurisdiction. More courts have held that a web page does constitute sufficient contacts. Footnote 9.
If there are sufficient contacts for jurisdiction, choice of law cannot be far behind.If a United States court can find jurisdiction based on the existence of a web site, why not a foreign country? When you or your client put together a web site, post a message to a newsgroup or send e-mail, have you considered every possible jurisdiction around the world?The Internet is a brave new world.
Footnote 2: This information includes name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity, the length of service and the types of service
Footnote 5: Netizens Protection Act of 1997 (H.R. 1748); Data Privacy Act of 1997 (H.R. 2368); E-Mail User Protection Act of 1998 (H.R. 4124); Digital Jamming Act of 1998 (H.R. 4176); Unsolicited Commercial Electronic Mail Choice Act of 1997 (S. 771); Electronic Mailbox Protection Act of 1997 (S. 875); and Anti-Slamming Amendments Act (S. 1618/H.R. 3888)
Footnote 6: Alaska House Bill 491 (1997); California Assembly Bill 1629 (1998); California Assembly Bill 1676 (1998); Colorado House Bill 1284 (1997), enacted 4/24/97, effective 7/1/97; Connecticut House Bill 6558 (1997); Kentucky Bill Resolution 337/House Bill 41 (1998); Maryland House Bill 140/Senate Bill 222 (1998), enacted 4/13/98; Maryland House Bill 1114 (1998); Massachusetts House Bill 4581 (1997); Nevada Senate Bill 13 (1997), enacted 7/8/97; New Hampshire House Bill 1633 (1997); New Jersey Assembly Bill 295 (1998); New Jersey Assembly Bill 513 (1998); New York Senate Bill 3524/Assembly Bill 6805 (1997); North Carolina House Bill 1744 (1997); Rhode Island Senate Bill 1073 (1997); Virginia House Bill 1325 (1998); Washington House Bill 2752 (1998), enacted 3/25/98; effective 6/11/98; and Wisconsin Senate Bill 283 (1997).
Footnote 7: The Court found that defendant’s publication of potential trade secrets was protected because the default had found the texts on the internet.
“While the internet has not reached the status where a temporary posting on a newsgroup is akin to publication in a major newspaper or on a television network, those with an interest in using the Church’s trade secrets to compete with the Church are likely to look to the newsgroup. Thus, posting works to the Internet makes them “generally known” to the relevant people – the potential “competitors” of the Church.”
Religious Technology Center v. Netcom On-line Communication
Services, Inc., 923 F. Supp. at 1256
Footnote 8: The defendant did not help his case by broadcasting exactly what he intended to do. The defendant company issued a press release stating that their web site was undergoing a major redesign and then set forth numerous characteristics of the plaintiff’s web site.
Footnote 9: Cases that have held there are insufficient contacts for jurisdiction are Weber v. Jolly Hotels, No. 977 F. Supp. 327 (D.N.J., 1997) Bensusan Restaurant Corporation v. Richard B. King, 937 F.Supp. 295 (S.D.N.Y., 1996), and Pres-Kap, Inc. v. System One, Direct Access, Inc., 636 So.2d 1351 (Fla. App. 3rd Dist., 1994). Cases holding that a web site constitutes sufficient contacts are CompuServe, Incorporated v. Richard S. Patterson, 89 F.3d 1257 (6th Cir, 1996), Tom Thompson v. Handa-Lopez, Inc., No. CIV.A. SA97-CA1008EP. 998 F. Supp 738 (W.D.Tx.1998), Inset Systems, Inc. v. Instruction Set, Inc., 937 F. Supp. 161 (D.Ct. 1996), Maritz, Inc. v. Cybergold, Inc., 947 F.Supp. 1328 (E.D.Mo., 1996), Panavision International, L.P., a Delaware Limited Partnership v. Dennis Toeppen, 938 F. Supp. 616 (C.D.Ca. 1996), State of Minnesota v. Granite Gate Resorts, Inc., 576 N.W.2nd 747(Ct.Ap.Mn. 1997) and Blake Hall v. Brad Laronde, 56 Ca. App. 4th 1342, 66 Ca. Rpt. 2nd 399; 2d.Cir.Ct.App.Ca., 1997).
CITATIONS OF AUTHORITIES
I. FEDERAL DECISIONS
A. SUPREME COURT DECISIONS
Reno v. ACLU, ___U.S. ___, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997)
B. COURT OF APPEAL DECISIONS
CompuServe, Incorporated v. Richard S. Patterson, 89 F.3d 1257 (6th Cir, 1996)
Davis v. Gracey, 111 F.3d 1472 (10th Cir. 1997)
Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994)
C. DISTRICT COURTS
American Library Association, et al. v. Pataki, et al., 969 F. Supp. 160, (S.D.N.Y. 1997)
Andersen Consulting L.L.P. V. UOP and Bickel & Brewer, 991F.Supp. 1041 (E.D.Il. 1998)
Bensusan Restaurant Corporation v. Richard B. King, 937 F.Supp. 295 (S.D.N.Y., 1996)
CompuServe Incorporated, v.Cyber Promotions, Inc. and Sanford Wallace, 962 F. Supp. 1015 (S.D.Oh. 1997)
Cubby, Inc., et al. v. CompuServe Inc., et al., 776 F. Supp. 135 (S.D.N.Y. 1991)
Inset Systems, Inc. v. Instruction Set, Inc., 937 F. Supp. 161 (D.Ct. 1996)
Maritz, Inc. v. Cybergold, Inc., 947 F.Supp. 1328 (E.D.Mo., 1996)
Michael A. Smyth v. The Pillsbury Company, 914 F.Supp. 97 (E.D.Pa. 1996)
New England Circuit Sales, Inc. v. Scott Randall and the Internet Shopping Network, Inc., CIVIL ACTION NO.: 96-10840-EFH, (D.Ma., 1996)
Panavision International, L.P., a Delaware Limited Partnership v. Dennis Toeppen, 938 F. Supp. 616 (C.D.Ca. 1996)
Religious Technology Center v. F.a.c.t.Net, Inc., 901 F.Supp. 1519 (D.Co.1995)
Religious Technology Center v. Netcom On-line Communication Services, Inc., 923 F.Supp. 1231 (N.D.Ca. 1995)
Sega Enterprises Ltd. v. Maphia, et al., 857 F.Supp 679 (N.D.Ca. 1994)
Steve Jackson Games, Inc. v. United States Secret Service, 816 F.Supp. 432, 439-440 (W.D.Tex.1993)
Timothy R. McVeigh v. William Cohen, et al., 983 F.Supp 1315 (D.D.C., 1998)
Tom Thompson v. Handa-Lopez, Inc., 998 F. Supp 738 (W.D.Tx.1998)
United States of America v. Robert J. Riggs and Craig Neidorf, 743 F.Supp. 556 (N.D. Ill. 1990)
Weber v. Jolly Hotels, 977 F. Supp. 327 (D.N.J., 1997)
Zeran v. America Online, Inc., 958 F.Supp. 1124 (E.D.Va., 1997)
II. STATE COURT
Blake Hall v. Brad Laronde, 56 Ca. App. 4th 1342, 66 Ca. Rpt. 2nd 399 (2d.Cir.Ct.App.Ca., 1997)
Doe V. America Online, Inc., 1997 WL 374223 (Fla. Cir. Ct. 1997)
In the Matter of Quad/Graphics, Inc., v. Southern Adirondack Library System, 174 Misc. 2nd 291, 664 N.Y.S. 2d 225 (N.Y. Sup., 1997)
Pres-Kap, Inc. v. System One, Direct Access, Inc., 636 So.2d 1351 (Fla. App. 3rd Dist., 1994)
State of Minnesota v. Granite Gate Resorts, Inc., C6-97-89, 576N.W.2nd 747(Ct.Ap.Mn. 1997)
Stratton Oakmont, Inc., et al. v. PRODIGY Services Company, et al.,1995 WL 323710 (N.Y. Sup. 1995)
III. FEDERAL STATUTES
18 USC §1703(c)(1)(A)
18 USC §1703(c)(1)(B)
18 USC §2701
18 USC §2702
18 USC §2703
18 USC §2705
18 USC §2707
18 USC §2708(e)
18 USC §2708(f)
42 USC §2000aa
47 USC §223(a)(1)
47 USC §223(d)
47 USC §230(c)(1)
47 USC §230(d)(3)
47 USC §608