Halting Unauthorized Access to Personal Data

The National Law Journal

March 5, 2001 (In Focus: Computer Law, p. B13)

Halting Unauthorized Access to Personal Data

Private parties use computer crime and
wiretapping laws to stop Internet
privacy invasions.

By David J. Federbush
Special to The National Law Journal

The online harvesting of personal information on consumers, the placing of cookies to track their surfing activity for marketing purposes, and the furnishing of such information to third parties raise serious privacy concerns when undertaken without consumers’ consent. Common-law claims for invasion of privacy do not appear to be applicable.

In states which have adopted the “intrusion upon seclusion” category of the tort (found in § 652B of the Restatement (2d) of Torts), the intrusion must be “highly offensive to the reasonable person.” That standard could be difficult to meet in the Internet privacy context. (1) The “public disclosure of private facts” category – found in § 652D - has a similar requirement, and it also requires that disclosure be to the public in general or at least to a large number of people. (2)

Several new federal laws, however, address such practices. For example, the 1998 Children’s Online Privacy Protection Act (“COPPA”) (3) establishes a framework of notice, disclosure, parental consent and Federal Trade Commission enforcement for collecting personal information on children. Regulations promulgated pursuant to 1999 federal privacy legislation (4) prohibit financial institutions from furnishing customer account numbers to unaffiliated third parties for e-mail marketing. The final regulation governing the privacy of online and offline medical information under the Health Insurance Portability Act of 1996 was issued in December 2000, to become fully effective in 2002. (5) These laws and regulations, however, are not applicable to the full range of Internet privacy invasions as to the general public.

Federal computer-crime and wiretapping laws such as the Computer Fraud and Abuse Act (CFAA) (6) and the Electronic Communications Privacy Act (“ECPA”) (7) were enacted before the widespread public use of the Internet. They increasingly are being used by private parties in civil actions to stop Internet privacy invasions.

No unauthorized access

The CFAA prohibits unauthorized intentional access to, and obtaining information from, a computer used in interstate or foreign commerce or communication. Its civil liability provisions provide for injunctive and other equitable relief and compensatory damages. (8)

There are a few reported decisions on the use of the CFAA in the context of Internet privacy in actions brought by one e-business against another. For example, in America Online Inc. v. LCGM Inc., (9) LCGM, which operated pornographic Web sites and also was a member of America Online (AOL), used extractor software programs to harvest the e-mail addresses of other AOL members, contrary to AOL’s terms of service. LCGM subsequently sent more than 92 million bulk e-mails advertising its pornographic Web sites to other AOL members.

The federal district court held that the extraction constituted unauthorized access to AOL’s computer(s) under CFAA and that AOL was entitled to injunctive relief. Through the application of CFAA, AOL achieved prospective privacy protection for its own members, which is better protection than the members could have obtained on their own. The decision left for trial AOL’s monetary-damages claim for technical costs, lost customer goodwill and revenue. After a bench trial, AOL obtained judgment for the monetary damages claim for more than $215,000.

Another court, however, recently denied summary judgment to AOL, on a similar CFAA claim based on address harvesting and “spamming” – the sending of unsolicited e-mail – on the ground that AOL had not shown conclusively that it had suffered the requisite type of damages. (10)

Because CFAA’s statutory definitions do not state that the computer accessed must be plaintiff’s, it appears that individual AOL members could bring their own damages actions. Proving damages, however, would be difficult. Although Internet service providers have used common law trespass-to-chattels claims to redress spamming directed at their computers, (11) it is not clear whether subscribers can bring such claims to challenge the initial harvesting of their e-mail addresses.

One federal district court did grant a temporary restraining order to a Web-based dating service, holding that the plaintiff had stated a claim under the CFAA when it alleged that one of its former employee accessed the service’s site and entered code that hijacked visitors to a separate, pornographic Web site. (12) The court found a likelihood of irreparable harm to the service’s goodwill. The invasion of privacy appeared to be the unwanted exposure to offensive material, as well as potential unwanted inclusion of identifying information in a generalized online pornography data base.

In civil actions in other contexts, courts have discerned a Congressional intent that CFAA be construed broadly. (13)

The ECPA steps in

Title I of ECPA (14) imposes liability on any person who intentionally intercepts or endeavors to intercept any electronic communication or intentionally uses, or endeavors to use, the contents of any electronic communication, knowing or having reason to know that the information was obtained through a prohibited interception. Last July, a class action was filed in the Southern District of New York against Netscape and AOL, illustrating that the law may potentially be used to vindicate individual privacy rights.

The class action complaint (15) was brought on behalf of “all…United States persons or entities who maintain Web sites on the Internet providing ‘zip’ or ‘exe’ files for download by visitors to the site”. It alleges that Netscape’s SmartDownload software uses a cookie, placed in the user’s computer the first time the user accesses the Internet through Netscape’s browser, to send Netscape data on each downloaded exe or zip file. This allegedly permits Netscape to create a continuing profile of the class members’ and each visitor’s file transfers over time.

The legal theory underlying the suit is that the cookie’s secret transmission to Netscape of information on the exe and zip files that the user downloads, together with the user’s identifying information, is an interception of an electronic communication. The complaint seeks damages under the ECPA civil liability section (16) that provides for monetary damages or statutory damages in a specific amount per day for each violation. (17)

Title II of the ECPA prohibits intentionally accessing (without authorization) a facility through which an electronic communication service is provided. Title II may apply if a third party manages to obtain e-mail messages, without authorization, from an Internet service provider. The statute provides a civil cause of action by the service provider, subscriber or other aggrieved person to recover actual damages and profits gained by a knowing violator, with a minimum recovery of $1,000. It also provides for recovery of attorney fees and costs, and punitive damages for willful or intentional violations. (18)

In addition to lawsuits between businesses, individual consumer and class actions have been brought under the CFAA and the ECPA. For example, DoubleClick has been alleged to have deployed cookies to track consumers’ surfing habits in order to personalize site ads. DoubleClick has also been alleged to have acquired a direct marketing company so that it could combine its online personal information with the marketing company’s off-line date base on consumer purchasing patterns. (19)

Other actions have targeted Toys ‘R’ Us, which allegedly used an outside firm to place cookies and monitor the Internet surfing of visitors to the retailer’s Web site. (20) Similar privacy class actions have reportedly been filed against Amazon.com, RealNetworks and Buy.com. (21)

It ain’t fair

Most of the FTC’s administrative and federal court Internet privacy enforcement actions allege deception, (22) but the FTC has also brought an unfairness claim. The FTC’s first such action was against GeoCities in 1998, (23) alleging that it maintained false representations on its Web site. GeoCities’ Web site stated that identifying and other personal information would not be disclosed to third parties without the member’s permission. The complaint, together with a consent order, alleged that such information was actually maintained by third parties hosted on the site and marketed to e-mail advertisers other than those approved by the member.

In another action, the FTC filed a federal court complaint and consent agreement enjoining bankrupt e-tailer Toysmart.com (24) from holding an online auction of its customer information as a step in resolving its bankruptcy obligations. The complaint alleged deceptive practices in that the company represented to its customers that information would never be shared with a third party.

In yet another FTC action, International Outsourcing Group (25) and other defendants sold medical consultations and prescription medications, including Viagra and Propecia, online. International Outsourcing’s Web site requested personal medical history information from users; represented that it would be encrypted and securely transmitted to its own physicians; and represented that prescriptions were actually filled by an on-site pharmacy. The federal court complaint alleged that the information was not encrypted and prescriptions were actually filled by an independent, off-site pharmacy. The defendants simultaneously entered into stipulated final orders for permanent injunctions.

The FTC filed a federal court complaint and consent agreement in January 2000, alleging unfairness as well as deception against Reverseauction.com, (26) an Internet auction service. Although it may signal a substantial expansion of the FTC’s Internet privacy enforcement activity, unfairness claims must still meet the commission’s three-pronged test: (1) the practice causes or is likely to cause substantial injury to consumers; (2) the injury is not outweighed by offsetting benefits to consumers or competition that the practice produces; (3) and consumers could not have reasonably avoided the injury. (27)

The complaint alleged that ReverseAuction registered as a user of eBay and obtained the e-mail addresses, user IDs and feedback ratings of other registered eBay customers. It then disseminated unsolicited commercial e-mail to them, allegedly falsely representing that their eBay registrations would expire soon and promoting the new ReverseAuction Web site. The complaint claimed that such a use of member information was an invasion of privacy and violated the eBay User Agreement and Privacy Policy, and that it led many eBay customers to believe eBay had provided their e-mail addresses and user IDs to ReverseAuction. In a concurring statement filed on the public record simultaneous with the federal court filings, one FTC commissioner maintained that the real harm was decreased consumer confidence in eBay and, in turn, the (entire) electronic marketplace.

Two of the five Commissioners, however, filed a statement on the FTC’s public record, indicating their dissent to the majority’s decision to include the unfairness claim in the complaint. They reasoned that consumers had already agreed to make their information available to other eBay members and that a substantial portion of the information was available without restriction to visiting nonmembers. The two dissenters also concluded that merely obtaining consumers’ e-mail addresses without their explicit consent and sending them e-mail solicitations do not cause substantial injury.

In its consent agreement, ReverseAuction agreed to delete and refrain from using user IDs, e-mail addresses and feedback ratings of eBay users, and it also agreed to post on its Web site a notice that it would take those steps and that eBay had lacked knowledge of or participation in ReverseAuction’s actions.

The key question in individual damages actions under the states’ “little FTC acts” will be whether Internet privacy invasions cause actual, compensable damages in the absence of demonstrable monetary loss. Although some statutes require loss of money or property, (28) at least one provides for (multiple) damages for mental anguish caused by knowing, prohibited conduct. (29)

1 Compare Doe v. High-Tech Institute, 972 P.2d 1060, 1067 (Colo. App. 1998) with Smith v. Jack Eckerd Corp., 400 S.E.2d 99, 100 (N.C. App. 1991).

2 See, e.g., Morrow v. II Morrow, Inc., 911 P.2d 964, 968 (Or. App. 1996).

3 15 U.S.C. §§ 6501 et seq.

4 15 U.S.C. § 6801 et seq.; 16 CFR Part 313.

5 See www.hhs.gov/ocr/hipaa.html; Robert O’Harrow, Jr., “Patient Files Opened to Marketers, Fundraisers,” Washington Post, Jan. 16, 2001 at p. E1.

6 18 U.S.C. 1030 et seq.; see U.S. v. Sablan, 92 F.3d 865, 868 n.1 (9th Cir. 1996).

7 18 U.S.C. 2510-2522, 2701-2711; see Wesley College v. Pitts, 974 F. Supp. 375, 385 n. 7 (D. Del. 1997).

8 See 18 U.S.C. 1030(a)(2)(c), (g), (e)(8)(A).

9 America Online Inc. v. LCGM Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998).

10 America Online v. National Health Care Discount, 121 F. Supp.2d 1255, 1276 (N.D. Iowa 2000)(discussing civil liability under the Virginia Computer Crimes Act).

11 See America Online Inc. v. IMS, 24 F. Supp.2d 548, 550 (E.D. Va. 1998).

12 Yournetdating, LLC v. Mitchell, 88 F. Supp. 2d 870 (N.D. Ill. 2000) (citing AOL v. LCGM).

13 Shaw v. Toshiba America Information Systems Inc., 91 F. Supp.2d 926, 935 (E.D. Tex. 1999); Shurgard Storage Centers v. Safeguard Self Storage, 119 F. Supp.2d 1121, 1128 (W.D. Wash. 2000).

14 18 U.S.C. 2510, 2511.

15 Specht v. Netscape and America Online; www.techlawjournal.com/courts/specht/20000706.htm.

16 18 U.S.C. 2520.

17 See 18 U.S.C. 2520(b)(2), (3); (c)(2).

18 18 U.S.C. 2701(a), 2707. See Steve Jackson Games Inc. v. U.S. Secret Service, 36 F.3d 457, 463 (5th Cir. 1994) (seizure of computer on which email messages stored).

19 See www.nylj.com/stories/00/06/062900a4.htm (federal cases consolidated in S.D.N.Y.; In re DoubleClick Inc. Privacy Litigation, No. 00-641); www.zdnet.co.uk/news/2000/8/ns-13766.html. For DoubleClick’s current privacy policy, see www.doubleclick.com/us/corporate/privacy.

20 See www.bergen.com/news/toysrus200008217.htm; www.wired.com/news/business/0,1367,38244,00.html.

21 See, e.g., test01.ljextra.com/na.archive.html/99/11/1999_1113_59.html.

22 FTC’s Deception Statement: 103 F.T.C. at 174-97.

23 FTC File No. 982 3015. Copies of FTC complaints and consent orders are available at www.ftc.gov.

24 www.ftc.gov/os/2000/07toysmartconsent.htm

25 FTC File No. 992-3245; No. CV-S-00-0861-JBR (D. Nev. July 6, 2000). See also Liberty Financial Cos., FTC File No. 982-3522.

26 FTC v. Reverseauction.com, Inc., Civil No.000032 (JHG) (D.D.C., filed January 6, 2000), FTC File No. 002 3046 (www.ftc.gov/os/2000/01/reversecmp.htm).

27 See FTC Unfairness Statement, 104 F.T.C. at 1071-76; 15 U.S.C. 45(n).

28 See, e.g., Conn. G.S.A. § 42-110g(a).

29 See, e.g., Tex. Bus. & Com. Code Ann. (Vernon) §17.50(a), (b).

This article is reprinted with permission from the March 5, 2001 edition of The National Law Journal © 2001 NLP IP Company. All rights reserved. Further duplication without permission is prohibited.

The Law Office of David J. Federbush
4977 Battery Lane, Suite 913
Bethesda, Maryland 20814
Telephone: (301) 657-4680
Facsimile: (301) 657-4684
Email: federbus@erols.com