Privacy
Video Privacy Protection Act (1988)
"A videotape service provider who knowingly discloses, to any person, personally identifiable information concerning a consumer of such provider is liable." There is a circuit split for this act. Some follow the "ordinary person" test while others follow the "reasonably foreseeable and likely to reveal" test to define what qualifies as "personally identifiable information."
Fifth Amendment Applied to the Internet
"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."
The Fourth Amendment Applied to the Internet
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." For UNREASONABLE government searches, a warrant is required. If the search is reasonable, a warrant is not required. There are some exceptions to the Fourth Amendment such as consent, plain view, third-party doctrine (i.e. bragging about a bank robbery), public use, knowing exposure, assumption of risk, exigent circumstances, inevitable disclosures, contraband specific rules, workplace malfeasance, etc.
California v. Greenwood (1988)
- 4th Amendment does not prohibit the warrantless search and seizure of garbage left for collection outside the curtilage of a home - No reasonable expectation of privacy for trash on the side of the street
Privacy Torts
1. False Light 2. Public Disclosure of Private Facts 3. Appropriation 4. Intrusion on Seclusion
Impersonation
An act of pretending to be another person for the purpose harming the other's reputation.
Golb v. Attorney General of the State of NY (2d Cir. 2017) [Golb II]
Same facts as Golb I. The criminal impersonation statute criminalizes "[i]mpersonat[ing] another ... with intent to obtain a benefit or to injure or defraud another." This particular email asking about the scrolls only was not meant to cause an injury even though he was misrepresenting his identity. However, the rest were. Only that charge is reversed.
Penn Right of Publicity
One's name or likeness should not be used for commercial or advertising purposes without written consent. This does not apply when person appears as a member of the public, associated with newspaper, or is expressive work.
Boring v. Google
P alleged invasion of privacy for street view program that photographed house and yard. The court held no invasion of privacy because it was not a highly offensive intrusion. No negligence because Google had no duty. Trespass but only nominal damages because lack of harm. No unjust enrichment because Google received no value.
Fisher v. Mt. Olive
Phone call of youth pastor was intercepted by the Defendant member of the Lutheran Church. He received an email from a tutor he had known in college and was helping him out in a sexual identity crisis. Defendant overheard the call and thought it was inappropriate and called the police. The church then examined the pastor's email files suspecting improper communications with minors. He was then terminated. Intercepting the call was an ECPA violation according to the court. The email access is the type of conduct that the SCA meant to address, but it must be shown that person accessing email obtained, altered, or prevented his access, but these are fact questions for the jury.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation is a massively broad statute in the EU that protects privacy rights. It is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Generally, it imposes a duty to "implement and maintain reasonable security procedures." It goes into effect on 1/1/20.
"Personally Identifiable Information"
There is a circuit split regarding what constitutes personally identifiable information. (1) Information reasonably and foreseeably likely to reveal What videos a person has obtained is a much broader test. iPhone data qualified here. The First Circuit uses this test. (2) The ordinary person test is a narrower test that is harder to meet that asks whether information that would readily permit an ordinary person to identify a specific individual's video-watching behavior. The Third Circuit adopted this test in Spokeo with regard to IP addresses, which do not qualify, since an ordinary person cannot use. The 9th Circuit in this case followed.
California Consumer Protection Act (CCPA)
This Act enhances consumer privacy rights in California and gives consumers the right to know what businesses are doing with their personal information, know whether it is sold or disclosed and to know, say no to the sale of personal data, access their personal data, request their data be deleted, and not be discriminated against for exercising their privacy rights. Signed into law in 2018, it goes into effect in 2020.
United States v. Warshak (6th Cir. 2010)
Warshak committed fraud by enrolling customers in subscriptions for erection pills without their consent. The government obtained Warshak's emails through ISPs. This violated the Fourth Amendment because Warshak had a reasonable expectation that his emails were private. A subscriber of an ISP service enjoys a reasonable expectation of privacy in the contents of emails "that are stored with, or sent or received through, a commercial ISP" under the SCA. Applying the Katz test, Warshak subjectively had an expectation of privacy that was objectively reasonable. The court also said certain notice provisions of the SCA were unconstitutional.
Two Main Types of Fourth Amendment Privacy Claims Applied to the Internet Context
1. Physical Searches of Private Devices 2. Remote Searches of Data Through Third-Party Devices
Olmstead v. US
1928, the government can tap your phone without a warrant. This is different from looking at letters, which are sealed.
Google Spain v. Agencia (European Court of Justice)
A Spanish national's name appeared in a newspaper on a Google search, and he requested that the page be altered or removed under his "right to be forgotten." The national had a right to be forgotten in the EU, and Google Spain should remove his personal data. But this only applies on one continent-Europe. The right to be forgotten is EU only.
Pen Register
A device that records electronic impulses to identify the numbers dialed for outgoing calls. Pen register is a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.
Patel v. Facebook (9th Cir. 2019)
An Illinois class alleges a violation of BIPA against Facebook for retaining facial recognition information based on the tag suggestion feature. This qualifies under BIPA as "face geometry." The court held that BIPA protected the users' concrete privacy interests and violations of the act actually harmed or posed a material risk of harm to those privacy interests under the Spokeo test. Actual harm is not required. The development of a face template using facial-recognition technology without consent (as alleged in this case) invades an individual's private affairs and concrete interests. Also, the panel rejected Facebook's argument that Illinois's extraterritoriality doctrine precluded the district court from finding predominance. The court was in its discretion in certifying the class. Facebook now faces a $35 billion facial recognition lawsuit.
United States v. Miller (1976)
Bank records are not subject to protection from searches under the Fourth Amendment.
Gawker Media LLC v. Bollea (Fl. 2014)
Bollea, Hulk Hogan, had an affair and a sex tape was released by Gawker Media. Bollea never consented. Gawker did not create the tape. The court balances Bollea's privacy interest with Gawker's First Amendment interest. Here, Bollea has openly discussed the affair. Gawker has not attempted to commercialize the tape. The tapes were linked to an ongoing public discussion so no invasion of privacy. It was not an unlawful interception by Gawker either because that is prior restraint. Remanded. Gawker later lost on the jury trial and became bankrupt.
False Light Tort
D (1) published information widely, (2) publication identifies P, (3) it places P in false light that would be highly offensive to a reasonable person, and (4) D was at fault. Similar to defamation.
Intrusion on Seclusion
D intentionally invaded the private affairs of P. Standard is (1) highly offensive to a reasonable person and (2) whether there was a reasonable expectation of privacy. The matter was private. There must have been some harm.
Eichenberger v. ESPN (9th Cir. 2017)
ESPN service disclosed P's serial Roku number and the videos he watched. The court held there was no VPPA violation because it adopted the "ordinary person" test in which "personally identifiable information" is only that information that would readily permit an ordinary person to identify a specific individual's video-watching behavior. The serial number and video content watched did not qualify because an ordinary person could not tell from this information alone P's video watching behavior.
United States v. Spencer
FBI obtained a warrant to search Spencer's home on suspicion of possessing child porn. It sought to decrypt certain devices it found. Spencer argued that requiring him to give the password to decrypt the device was a violation of the 5th Amendment since he would be incriminating himself. The court holds that a rule that the government can never compel decryption of a password protected device would lead to absurd results and compelling him to decrypt the devices here is not testimony protected by the 5th Amendment but rather surrender. The government may compel him to decrypt the devices, and this is not testimony protected by the 5th Amendment.
Fourth Amendment - Physical Searches of Private Devices
Generally, a warrant is needed to physically search a personal device such as a cell phone.
Fourth Amendment - Remote Searches of Data through Third Parties
Generally, a warrant is needed to remotely search data through third parties, such as obtaining location data from phone carriers or emails from ISP. This may also violate the SCA.
Knowing Exposure Doctrine
Generally, there is no privacy protection for information that is knowingly exposed to the public (Katz). A person traveling in an automobile does not have a reasonable expectation of privacy in his movements from one place to another (Knotts). No expectation of privacy for aerial viewing of the curtilage (Dow Chemical, Riley).
Cloud Act
In Microsoft v. U.S., the question in an SCA violation claim was that the server was in Ireland. CLOUD Act later amended the ECPA/SCA. It allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored on U.S. or foreign soil.
United States v. Jones (2012)
Law enforcement officials cannot place a GPS device on a vehicle to monitor its movements based on their own discretion without obtaining a warrant or having another proper justification.
Appropriation
Must show that (1) permission for use of your identity was not given, (2) D used some protected aspect of your identity, and (3) use of identity was for D's immediate and direct benefit. Celebrities often sue over this. Consider the Bette Midler singer impersonator, Vanna White robot look-alike, Michael Jordan, and Johnny Carson "Here's Johnny" toilets. It is often wrapped up with trademark law.
Smith v. Maryland (1979)
No Fourth Amendment privacy interest in dialing information. A warrant is not needed.
Title III - Pen Register and Trap and Trace Device Statute
No person may obtain a pen register or trap device without authorization. Telephone source/destination numbers, email header info, source and destination info and IP addresses are plainly included. Subject lines of emails and content of downloadable files are plainly excluded. Exceptions include maintenance, operation, testing of electronic or wired communication service, protection of rights or property of such providers, or protection of users, to record the fact that wired or electronic communication occurred to protect a user or provider, and consent.
Publicity Given to Private Life
One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be (1) highly offensive to a reasonable person and (2) not of legitimate concern to the public.
Riley v. California (2014)
Police searched the cell phones of suspects without a warrant. The court recognizes that cell phones pose new Fourth Amendment challenges. Although there is a concern for obtaining evidence, a warrant is required to search a cell phone because such devices carry so much personal information about one's life such as location data, medical information, contacts, and other personal information. A warrant is necessary even if an arrest is made unless extreme exigent circumstances make a warrantless search absolutely necessary.
Private Providers
Private providers, such as Georgetown email service or network, have more freedom to monitor than public providers.
Title I - The Wiretap Act (1968)
Probable cause is needed for "interception" of "wire" or "oral" communications. Intercepting oral or wired communications is prohibited unless it is during the normal course of employment, the person is acting under color of law where consent was given, or the interception was of something generally accessible to the public. If wiretapping is justified, it generally must be approved by a judge. "Interception" requires: (1) acquisition of content (2) through the use of a device.
Foregone Conclusions Test
Prohibits categorical demands for documents the government believes but does not know exists.
People v. Golb (NY 2014) [Golb I]
Scholar of Dead Sea Scrolls publishes article about NYU professor who lectured about the scrolls but did not give the scholar credit pseudonymously. He then impersonated professor to contact faculty at NYU saying he should have been given credit. He did the same thing at other universities. He was convicted of 14 counts of criminal impersonation. There is enough evidence to show that D impersonated someone with the intent to harm the reputation of another.
FTC Section 5
Section 5 of FTC Act prohibits unfair and deceptive trade practices (which the FTC interprets to include privacy practices). It does not impose an affirmative obligation to protect privacy but does require privacy statements be accurate and not misleading. It applies to both online and offline commerce.
In Re Snapchat (FTC 2014)
Snapchat has app where users can send images that disappear, but there are several alternative ways in which users can save images. Snapchat promised to delete images but did not deliver, promised screenshot notification but did not deliver, collected location data it said it did not, and overstepped on contact information. This resulted in consent decrees in which Snapchat agreed to change its practices.
Trap and Trace Device
Surveillance device that displays the caller's phone number. Trap and trace device is a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.
Privacy Challenges on the Internet
Technology has changed our expectation of privacy. Things in public used to not be expected to be shared, but now everyone has a camera phone. Things meant to be private can become public much more easily now. Something can be disclosed one time but then widely distributed. Also, things are searchable through online services such as Google that may be a de factor publisher. Before, information had to be published through print, which was a much slower and more difficult process.
Biometric Information Privacy Act (BIPA)
The first statute, in Illinois, to regulate the collection of biometric information. It requires those who possess biometric information, such as fingerprints, facial recognition, etc. to have a written policy available to the public, guidelines for destroying the information when its purpose has been satisfied or after 3 years (whichever is sooner). Entities must also have informed the subject its information is being collected, why, and for how long and receives a written release.
Carpenter v. United States (U.S. 2018)
The government arrested suspects who robbed RadioShack and T-Mobile stores. It obtained location data from their cell phone carriers without a warrant. A person has a reasonable expectation of privacy in his location and movements as long as it is not shared with others. Going to the phone carriers to obtain location data was not publicly shared information. A warrant is required in the rare case where the suspect has a legitimate privacy interest in records held by a third party. The government should have obtained a warrant here. If the government had this power, only those without cell phones could evade tracking by the government.
Katz v. United States (1967) (2-Part Test)
The government electronically listening to and recording words of Katz in a phonebooth violated his reasonable expectation of privacy that he relied on. This constituted a search and seizure under the Fourth Amendment. The court followed a two-part test: (1) Does the Citizen Manifest a Subjective Expectation of Privacy? (2) Is that Expectation Objectively Reasonable?
Reasonable Expectation of Privacy
The objective standard developed by courts for determining whether a government intrusion into an individual's person or property constitutes a search because it interferes with the individual's interests that are normally protected from government examination. It is the main question to ask in privacy claims.
Right to be forgotten
The right to be forgotten is the EU's answer to the persistency and wide dissemination problems (Streisand effect) that the Internet poses in the privacy setting. This is enshrined in the GDPR. Europeans have the right to be forgotten, but this does not apply in the U.S. The right to be forgotten leads to allowing individuals to have information, videos, or photographs about themselves deleted from certain internet records so that they cannot be found by search engines.
Two Main Privacy Interests
The two main privacy interests, according to the Supreme Court, are the right to be left alone and the right to conceal personal information from others.
Online Anonymity
There are many ways to be anonymous online and many ways to get through those efforts of anonymity. IP addresses generally show location, but they can be forged. IP addresses can be given to a proxy, such as a VPN, which is a better way of being anonymous than actually forging an IP address. Other ways to be anonymous include email addresses, cookies, Mac addresses, SIM cards, etc. There generally is a right to be anonymous unless a plaintiff can show that a person's identity is centrally needed, attempt of notification was made, exact statements are specific enough, and there is an adequate showing of claims.
ECPA and Providers
There are two types of providers. Public providers, such as Google, and private providers, such as Georgetown email service. Consent of parties usually stems from a user agreement. Any provider may freely read stored email files of its customers.
Doe I v. Individuals (D. Conn. 2008)
Unidentified female Yale students brought suit against unidentified defendants who posted harassing and defamatory comments of a sexual nature on AutoAdmit, an Internet discussion board. The plaintiff seeks to subpoena the defendants to reveal themselves. Although the First Amendment protects freedom of speech, it does not extend to harassment speech. Factors to consider in whether to require disclosure of the defendants' identities include (1) plaintiff's efforts to notify anonymous posters, (2) whether the plaintiff has identified the exact statements made (specificity), (3) whether there is a central need for the information in the case, (4) what the subpoenaed person's reasonable expectation of privacy was, and (5) whether P has made an adequate showing of claims against the anonymous defendants. Here, the plaintiff has shown sufficient evidence supporting a prima facie case for libel, and thus the balancing test of the plaintiff's interest in pursuing discovery in this case outweighs the defendant's First Amendment right to speak anonymously. Disclosure is required.
Ehling v. Monmouth-Ocean Hospital Service Corp. (D.N.J. 2012)
A hospital nurse posted on Facebook to a paramedic coworker that he should have let a white supremacist shooter of Holocaust museum die. The coworker took screenshots of the messages, and she was later terminated when her employer found out. Under the SCA, Facebook wall posts are electronic communications transmitted through an electronic service. While private Facebook wall posts with privacy settings on are not meant to be public, the SCA "does not apply with respect to conduct authorized (1) by the person or entity providing a wire or electronic communications service; [or] (2) by a user of that service with respect to a communication of or intended for that user." The coworker to whom she sent the message was an authorized user. Therefore, her employer is not liable for violating the SCA.
Electronic Communications Privacy Act (ECPA)
A law passed by Congress in 1986 establishing the due process requirements that law enforcement officers must meet in order to legally intercept wire communications. It includes three main parts: (1) the Wiretap Act, (2) the Stored Communications Act (SCA), and (3) the Pen Register and Trap and Trace Device statute.
Public Providers
A public provider, such as an ISP, may not freely disclose customer content to others unless there is consent, it is necessary to protect property rights, it is given to law enforcement for a criminal investigation, or there is an imminent threat of death or serious injury.
O'Brien v. O'Brien (Fl. 2005)
A wife installed spyware to intercept communications between her husband and another woman on Yahoo dominos chat. Intercept, under the ECPA, means "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." By looking at what federal courts have done, the Florida court rules that an interception must be acquired contemporaneously with transmission and that electronic communications are not intercepted within the meaning of the Federal Wiretap Act if they are retrieved from storage. Because the spyware installed by the Wife intercepted the electronic communication contemporaneously with transmission, copied it, and routed the copy to a file in the computer's hard drive, the electronic communications were intercepted in violation of the Florida Act.
Title II - Stored Communications Act (SCA)
o No Access to Stored Wired or Electronic Communication without Authorization (§ 2701) - The Act generally prohibits intentional access of stored information through a wired or electronic communication service or intentionally exceeding access given. o Exceptions (§ 2701) - Access by the Person or Entity Providing the Wire or Electronic Communication Service - Access by User of Service with respect to a Communication of or Intended for that User o Voluntary Disclosures (§ 2702) Person running an electronic communications service or remote computing service should not knowingly divulge information in electronic storage with some exceptions. o Required Disclosures (§ 2703) - Access in Content through Electronic Storage or Remote Computing Storage • A warrant is always required. If less than 180 days, notice is required. If more, than it is not. For content access, warrant is always needed. For non-content access, a warrant is not needed. - Access in Non-Content • For non-content access, a warrant is not needed to gain access from a provider. A warrant may be one way to get it, but other ways include a court order, consent, formal law enforcement request, or seeks information in formal process as described in the Act. o Required Preservation of Evidence (§ 2703) A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. They should be preserved for 90 days and an additional 90 days if renewed.