<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>JOLT Digest</title>
	<atom:link href="http://jolt.law.harvard.edu/digest/feed" rel="self" type="application/rss+xml" />
	<link>http://jolt.law.harvard.edu/digest</link>
	<description>JOLT Digest offers up-to-date information on current events in law and technology.</description>
	<lastBuildDate>Mon, 13 Feb 2012 17:20:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Flash Digest: News in Brief</title>
		<link>http://jolt.law.harvard.edu/digest/flash-digest/flash-digest-news-in-brief-105</link>
		<comments>http://jolt.law.harvard.edu/digest/flash-digest/flash-digest-news-in-brief-105#comments</comments>
		<pubDate>Mon, 13 Feb 2012 17:20:04 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Flash Digest]]></category>
		<category><![CDATA[Andrew Crocker]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=2004</guid>
		<description><![CDATA[By Andrew Crocker EPIC Sues FTC Over Google’s Impending Privacy Changes The Electronic Privacy Information Center (EPIC) has filed suit against the Federal Trade Commission (FTC) in an attempt to force the FTC to step in before Google changes its user privacy policy on March 1, reports PC World. EPIC’s complaint alleges that Google’s privacy [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>By Andrew Crocker</p>
<p><strong>EPIC Sues FTC Over Google’s Impending Privacy Changes</strong></p>
<p>The Electronic Privacy Information Center (EPIC) has filed suit against the Federal Trade Commission (FTC) in an attempt to force the FTC to step in before Google changes its user privacy policy on March 1, reports <span style="color: #0000ff;"><a href="https://www.pcworld.com/businesscenter/article/249552/epic_sues_ftc_over_googles_planned_privacy_changes.html?tk=rel_news" target="_blank">PC World</a></span>.  EPIC’s <span style="color: #0000ff;"><a href="https://epic.org/privacy/ftc/google/EPIC-Complaint-Final.pdf">complaint</a></span> alleges that Google’s privacy changes will violate the consent order that the company reached with the FTC last year in settlement of the Commission’s investigation of Google Buzz. EPIC is seeking a temporary restraining order and preliminary injunction against the FTC, a move the <span style="color: #0000ff;"><a href="http://www.latimes.com/business/la-fi-google-privacy-20120209,0,3490663.story">Los Angeles Times</a></span> calls “an unusual end run” to get the Commission to act.  According to the <span style="color: #0000ff;"><a href="http://www.washingtonpost.com/blogs/post-tech/post/federal-court-expedites-case-on-google-privacy-policies/2012/02/09/gIQAbcGl2Q_blog.html">Washington Post</a></span> blog, the suit has been fast-tracked, and a preliminary ruling is expected before the new policy goes into effect.</p>
<p><strong>Court Refuses to Shut Down MP3 Resale Site</strong></p>
<p><span style="color: #0000ff;"><a href="http://arstechnica.com/tech-policy/news/2012/02/judge-denies-record-labels-request-to-shutter-used-mp3-store.ars">Ars Technica</a></span> reports that a federal district judge has refused Capitol Records’ motion for a temporary injunction against the music website ReDigi.  ReDigi is a “used” MP3 site that allows users to resell music purchased through Apple’s iTunes store to other users.  According to the <span style="color: #0000ff;"><a href="https://www.redigi.com/legal.html">ReDigi</a></span> site, the sale is accomplished through a proprietary verification process that ensures no illegal copying takes place. ReDigi claims the service is protected by the first sale doctrine, which allows legal owners of physical works to sell or rent them to others. <span style="color: #0000ff;"><a href="http://news.cnet.com/8301-31001_3-57372464-261/judge-denies-emis-bid-to-halt-resale-of-digital-music/">CNET</a></span> reports, however, that Capitol has argued that ReDigi must make copies during its verification process, a use not covered by the first sale doctrine.</p>
<p><strong>Washington D.C. Repeals Online Gambling Law</strong></p>
<p>The Washington D.C. city council has voted to repeal the city’s online gambling law, according to the <span style="color: #0000ff;"><a href="http://www.washingtonpost.com/local/dc-politics/dc-council-votes-to-repeal-internet-gambling-law/2012/02/07/gIQAh5waxQ_story.html">Washington Post</a></span>.  The measure, which had not yet gone into effect, was the first law passed by an American jurisdiction to create a city-run poker site for bettors located within the jurisdiction.  Although online gambling has been controversial and a number of poker sites have been ruled to violate state and federal law, <span style="color: #0000ff;"><a href="http://www.reuters.com/article/2012/02/01/us-gambling-online-dc-idUSTRE81027T20120201">Reuters</a></span> reports that D.C. legislators voted to repeal because of a lack of transparency in how the contract to run the site was awarded.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/flash-digest/flash-digest-news-in-brief-105/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash Digest: News in Brief</title>
		<link>http://jolt.law.harvard.edu/digest/software/flash-digest-news-in-brief-104</link>
		<comments>http://jolt.law.harvard.edu/digest/software/flash-digest-news-in-brief-104#comments</comments>
		<pubDate>Sat, 11 Feb 2012 14:00:37 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Digital Millennium Copyright Act]]></category>
		<category><![CDATA[Flash Digest]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Patent]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Charlie Stiernberg]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1997</guid>
		<description><![CDATA[By Charlie Stiernberg What Changed in Google’s Privacy Policy Google recently announced changes to its privacy policy and terms of service, prompting concerns by a bipartisan group of congressmen over the future safety of customer data. Reuters reports that Pablo Chavez, Google’s director of public policy, responded directly to the lawmakers’ questions in a letter, [...]]]></description>
			<content:encoded><![CDATA[<p>By Charlie Stiernberg</p>
<p><strong>What Changed in Google’s Privacy Policy</strong></p>
<p>Google recently announced changes to its <a href="http://www.google.com/intl/en/policies/privacy/preview/" target="_blank">privacy policy</a> and <a href="http://www.google.com/intl/en/policies/terms/">terms of service</a>, prompting concerns by a bipartisan group of congressmen over the future safety of customer data. <a href="http://www.reuters.com/article/2012/01/31/us-google-privacy-policy-idUSTRE80U1UL20120131">Reuters</a> reports that Pablo Chavez, Google’s director of public policy, responded directly to the lawmakers’ questions in a <a href="https://docs.google.com/viewer?a=v&amp;pid=explorer&amp;chrome=true&amp;srcid=0BwxyRPFduTN2NTZhNDlkZDgtMmM3MC00Yjc0LTg4YTMtYTM3NDkxZTE2OWRi&amp;hl=en_US&amp;pli=1">letter</a>, stating that “the updated privacy policy does not allow us to collect any new or additional types of information about users.” The <a href="https://www.eff.org/deeplinks/2012/02/what-actually-changed-google%27s-privacy-policy">Electronic Frontier Foundation</a> (“EFF”) applauded Google’s efforts to notify its customers of the changes, but criticized the company for not adequately explaining what it meant until after the congressional inquiry. According to EFF, the major substantive changes include (1) combining all of Google’s separate product policies into one, (2) removing the separation between customer data sets stored in each of those products, and (3) using the information obtained from one product in another. The new privacy policy goes into effect on March 1, 2012.</p>
<p><strong>Intel Purchases $120M in Patents from RealNetworks</strong></p>
<p>Intel agreed to pay RealNetworks $120 million for 190 patents and 170 patent applications covering RealNetworks’s streaming video codec technology. The <a href="http://online.wsj.com/article/SB10001424052970204573704577184723517737422.html">Wall Street Journal</a> reports that this is the latest in a set of large patent purchases by major technology companies, which peaked in June with the Nortel Networks patent auction. Competition in the smartphone and tablet markets has become more intense and patents more important as companies, including Intel, expand their businesses into the mobile sector. According to <a href="http://www.zdnetasia.com/intel-pays-120m-for-video-patents-software-62303618.htm">ZDNet</a>, Intel called some of the patents “foundational,” indicating its belief that some are important to the company’s efforts in the mobile media space. In addition to the sales agreement, Intel acquired the video codec’s development team, and the two companies signed a memorandum of understanding to develop next-generation video software and related products.</p>
<p><strong>New Mobile Device Privacy Act Proposed</strong></p>
<p>Rep. Edward Markey released draft legislation this week that would require mobile phone carriers to reveal if they are employing tracking software such as Carrier IQ. <a href="http://www.wired.com/threatlevel/2012/01/new-mobile-phone-privacy-law-proposed/">Wired</a> reports that under the <a href="http://markey.house.gov/sites/markey.house.gov/files/documents/Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey%201-30-12_0.pdf">Mobile Device Privacy Act</a>, consumers would have to give their consent before data—including web usage, call history, and text messages—can be sent to third parties. According to <a href="http://arstechnica.com/tech-policy/news/2012/01/mobile-device-privacy-act-would-prevent-secret-smartphone-monitoring.ars">Ars Technica</a>, the controversy started when a developer publicized the widespread use of Carrier IQ software on smartphones a few months ago. Rep. Markey said such software should only be used with the consumer’s “express consent,” and emphasized that the legislation is just a “discussion draft” right now. Sprint and Apple both recently announced they are dropping Carrier IQ, but T-Mobile and AT&amp;T still use it. Verizon does not.</p>
<p><strong>Twitter Reveals 4,400+ DMCA Takedown Notices Last Year</strong></p>
<p>Twitter partnered with <a href="http://chillingeffects.org/index.cgi">Chilling Effects</a>, a project sponsored by the Electronic Frontier Foundation and the Berkman Center for Internet &amp; Society, to publish all Digital Millennium Copyright Act (“DMCA”) takedown notices it has received since November 2010. <a href="http://arstechnica.com/tech-policy/news/2012/01/twitter-uncloaks-a-years-worth-of-dmca-takedown-notices-4410-in-all.ars">Ars Technica</a> reports that the site lists 4,410 takedown notices in that time frame. While Twitter regularly deletes tweets to gain safe harbor under the DMCA, the company stated that it wants to “be transparent with users.” The <a href="http://www.huffingtonpost.com/2012/02/02/how-twitter-handles-piracy_n_1251167.html">Huffington Post</a> breaks down the requests by sender, showing that Magnolia Pictures, a New York film distributor owned by Mark Cuban, was responsible for a third of them. Web Sheriff, a third-party that automates takedown notices for its customers, sent at least half of all the requests in the list.</p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/software/flash-digest-news-in-brief-104/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dealertrack, Inc. v. Huber</title>
		<link>http://jolt.law.harvard.edu/digest/patent/dealertrack-inc-v-huber</link>
		<comments>http://jolt.law.harvard.edu/digest/patent/dealertrack-inc-v-huber#comments</comments>
		<pubDate>Fri, 10 Feb 2012 00:00:54 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Federal Circuit Decisions]]></category>
		<category><![CDATA[Patent]]></category>
		<category><![CDATA[Adam Lewin]]></category>
		<category><![CDATA[Laura Fishwick]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1994</guid>
		<description><![CDATA[Federal Circuit Holds That a Computer-Aided Clearinghouse is a Patent-Ineligible Abstract Idea By Laura Fishwick – Edited by Adam Lewin Dealertrack, Inc. v. Huber, Nos. 2009-1566, 2009-1588, 2012 WL 164439 (Fed. Cir. Jan. 20, 2012) Slip Opinion The Court of Appeals for the Federal Circuit affirmed the U.S. District Court for the Central District of [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Federal Circuit Holds That a Computer-Aided Clearinghouse is a Patent-Ineligible Abstract Idea<br />
</strong>By Laura Fishwick – Edited by Adam Lewin</p>
<p>Dealertrack, Inc. v. Huber, Nos. 2009-1566, 2009-1588, 2012 WL 164439 (Fed. Cir. Jan. 20, 2012)<br />
<a href="http://www.cafc.uscourts.gov/images/stories/opinions-orders/09-1566.pdf" target="_blank">Slip Opinion</a></p>
<p>The Court of Appeals for the Federal Circuit affirmed the U.S. District Court for the Central District of California’s grant of summary judgment regarding the invalidity of Dealertrack’s U.S. Patent 7,181,427 (filed Sep. 3, 1997) (“the ’427 patent”), which had claims that covered an automated clearinghouse system for car dealerships. The district court had applied the then-definitive “machine-or-transformation” test from <em>In re Bilski</em>, 545 F.3d 943 (Fed. Cir. 2008) (en banc) (“<em>Bilski I</em>”), requiring the claimed process either to be tied to a particular machine or apparatus or to transform an article into a different state or thing. Dealertrack had not argued that its claim effected a transformation, and the district court found that Dealertrack’s patent did not involve a particular machine as required by <em>Bilski I</em>’s test because the computer involved was a general purpose computer that was not “specially programmed.” For this reason, the district court held that the subject matter of Dealertrack’s patent was not eligible for protection under 35 U.S.C. § 101 of the Patent Act because Dealertrack had claimed an abstract idea.</p>
<p>Reviewing the patentable subject matter issue de novo, the Federal Circuit held that Dealertrack had claimed “an abstract idea preemptive of a fundamental concept or idea that would foreclose innovation in this area,” and therefore its patent was invalid. The court found that the claim’s language was too broad in scope, and that neither adding a general computer to the method nor restricting the method to a particular field of use saved the patent’s validity.</p>
<p><a href="http://www.patentlyo.com/patent/2012/02/dealertrack-v-huber.html">PatentlyO</a> provides an overview of the case and discusses the case in context of other recent Federal Circuit decisions. <span id="more-1994"></span></p>
<p>Dealertrack sued David L. Huber, Finance Express, LLC, and RouteOne for infringement of Dealertrack’s patents after the defendants had sold products that involved loan management services that passed communication over the Internet. Among several allegedly infringed patents, Dealertrack’s ’427 patent claimed a computer-aided method for receiving, processing, and forwarding credit application information for the car loan business. The method claimed was comprised of three steps: (1) receiving credit information from a remote device, (2) processing and selectively forwarding the data, and (3) forwarding reply data back to the original remote device. In essence, this claim describes the concept of processing information through a clearinghouse, a repository that gathers, stores, and distributes information.</p>
<p>The majority of the panel began its opinion by recognizing that because of a “clear Congressional mandate that a very broad swath of inventions be eligible for patent protection,” § 101 is a “coarse grain filter” for patentable subject matter. Most of the work in determining patentability is accomplished by the rest of the Patent Act. Nevertheless, the court found that the claims in the ’427 Patent covered an abstract idea, which is patent-ineligible under § 101. In finding that the claims were overly broad, the majority argued that their preambles’ limitation of being “computer-aided” did not sufficiently limit the claims because they did not specify “how a computer aids the method, the extent to which a computer aids the method, or the significance of a computer to the performance of the method.”</p>
<p>In addition to considering the limitation of a computer, the court considered it significant that the claims did not require a specific application, specific machine, or particular algorithm, even though the patent included language specifying that the method was for car loan applications. Relying on <em>Bilski v. Kappos</em>, 130 S. Ct. 3218, 3231 (2010) (“<em>Bilski II</em>”), the court found that directing an abstract idea to one field of use did not salvage the claimed invention’s patentability.</p>
<p>Dissenting-in-part from the majority’s holding regarding the ’427 Patent, Judge Plager argued that, as a matter of judicial efficiency, courts should only consider patent invalidity claims under § 101 when absolutely necessary, and should instead insist that litigants make invalidity claims under the remaining sections of the Patent Act.</p>
<p>This decision extends the reasoning from <em>Cybersource Corp. v. Retail Decisions, Inc</em>., 654 F.3d 1366 (Fed. Cir. 2011), to another abstract idea implemented with a computer, potentially giving more force to future claims of patent invalidity under § 101.</p>
<p><em>Laura Fishwick is a 2L at the Harvard Law School.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/patent/dealertrack-inc-v-huber/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Falana v. Kent State Univ.</title>
		<link>http://jolt.law.harvard.edu/digest/patent/falana-v-kent-state-univ</link>
		<comments>http://jolt.law.harvard.edu/digest/patent/falana-v-kent-state-univ#comments</comments>
		<pubDate>Tue, 07 Feb 2012 23:00:57 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Federal Circuit Decisions]]></category>
		<category><![CDATA[Patent]]></category>
		<category><![CDATA[Adam Lewin]]></category>
		<category><![CDATA[Yana Welinder]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1987</guid>
		<description><![CDATA[Federal Circuit Clarifies the Level of Contribution Required for Joint Invention of a Chemical Compound By Yana Welinder – Edited by Adam Lewin Falana v. Kent State Univ., No. 2011-1198, 2012 WL 171550 (Fed. Cir. Jan. 23, 2012) Slip Opinion The Federal Circuit affirmed in part the ruling of the U.S. District Court for the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Federal Circuit Clarifies the Level of Contribution Required for Joint Invention of a Chemical Compound<br />
</strong>By Yana Welinder – Edited by Adam Lewin</p>
<p>Falana v. Kent State Univ., No. 2011-1198, 2012 WL 171550 (Fed. Cir. Jan. 23, 2012)<br />
<a href="http://www.cafc.uscourts.gov/images/stories/opinions-orders/11-1198.pdf" target="_blank">Slip Opinion</a></p>
<p>The Federal Circuit affirmed in part the ruling of the U.S. District Court for the Northern District of Ohio, which held that Dr. Olusegun Falana should have been listed as co-inventor on a patent that described the use of his protocol for controlled synthesis of a category of chemical compounds for use in liquid crystal displays (“LCDs”).</p>
<p>Judge Linn, joined by Judge Prost and Judge Reyna, affirmed the district court’s order to add Falana as co-inventor to U.S. Patent No. 6,830,789 (filed Sept. 24, 2001) (“the ’789 patent”). The court found that Falana “envisioned the structure of a novel chemical compound and contributed to the method of making it” because he developed a procedure for synthesizing a new class of compounds that was later used to synthesize a compound that exhibited a desired temperature independence. Slip op. at 13. In so holding, the court considered Falana’s contribution to “the entire class of compounds covered by the plain language of the claims” and rejected the defendants’ narrow reading of the claims to be limited to compounds that can perform “across a temperature range of +10°C to +50°C.” <em>Id.</em> at 7, 9.</p>
<p><a href="http://www.patentlyo.com/patent/2012/01/by-jason-rantanen-falana-v-kent-state-university-fed-cir-2012-download-11-1198panel-linn-author-prost-and-reyna-t.html">PatentlyO</a> provides an overview of the case. <a href="http://www.ipfrontline.com/depts/article.aspx?id=26309&amp;deptid=7">IP Frontline</a> criticizes the decision because as applied to patents “with countless claims [it] opens the door to the possibility that at least one of the claims was jointly invented by someone not named in the patent,” which might enable patent defendants to recruit unlisted co-inventors as part of a patent litigation defense strategy. <span id="more-1987"></span></p>
<p>Falana, a former researcher with Kent Displays, Inc. and Kent State University, filed an action against his former employers and colleagues to be added as inventor to the ’789 patent, which the defendants had filed after his resignation. Slip op. at 2–5. Falana had developed a synthesis protocol for making naphthyl substituted TADDOLs—a new class of chemical compounds. <em>Id.</em> at 4. Using this protocol, Falana synthesized Compound 7, which did not exhibit sufficient temperature independence to be used in LCDs, but presented “significant progress.”<em> Id.</em> After Falana’s departure, his supervisor used Falana’s protocol to synthesize Compound 9, which was similar to Compound 7 but exhibited the desired temperature independence. <em>Id.</em> at 5. Though the ’789 patent’s claims did not refer to the temperature independence of the invented compounds, the defendants argued that unless this reference was inferred from the specification “the claimed compounds ‘would be commercially worthless.’” <em>Id.</em> at 8. However, the court found no reason to go beyond the plain language of the claims because even the specification provided that “the temperature dependence . . . is a modifiable characteristic of the claimed compounds.” <em>Id.</em> at 9. Having construed the claims not to be limited to Compound 9, the court further found that Falana sufficiently contributed to the invention because he envisioned the claimed subset of the naphthyl substituted TADDOLs and provided a method for making these compounds that was “more than the use of ordinary skill in the art.” <em>Id.</em> at 15, 17.</p>
<p>This decision is significant because it clarifies that a co-inventor’s contribution will depend on the scope of the claims. Indeed, the court relied on <em>Fina Oil &amp; Chem. Co. v. Ewen</em>, 123 F.3d 1466 (Fed. Cir. 1997), to determine whether Falana contributed to the conception of the claimed compounds. Falana was able to meet the <em>Fina</em> test regarding contribution to the invention’s conception because the court construed the claims to cover more than Compound 9. Thus, the court’s holding potentially incentivizes narrower drafting of claims when someone could possibly assert co-inventorship. However, that will only be possible when there is “some open line of communication during or in temporal proximity to [co-owners’] inventive efforts.” <em>Falana</em>, slip op. at 16 (citing <em>Eli Lilly &amp; Co. v. Aradigm Corp.</em>, 376 F.3d 1352, 1359 (Fed. Cir. 2004)). Moreover, the court carefully pointed out that an inventor would not qualify as co-inventor for all future inventions that rely on her method to make new compounds because the disclosure of her method makes it “ordinary skill in the art.” <em>Id.</em> at 17–18.</p>
<p><em>Yana Welinder is an LLM at the Harvard Law School.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/patent/falana-v-kent-state-univ/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digest Case Commentary: United States v. Jones</title>
		<link>http://jolt.law.harvard.edu/digest/privacy/digest-case-commentary-united-states-v-jones</link>
		<comments>http://jolt.law.harvard.edu/digest/privacy/digest-case-commentary-united-states-v-jones#comments</comments>
		<pubDate>Tue, 07 Feb 2012 14:00:00 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Supreme Court]]></category>
		<category><![CDATA[Heather Whitney]]></category>
		<category><![CDATA[Kassity Liu]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1967</guid>
		<description><![CDATA[Written by Heather Whitney Edited by Kassity Liu Editorial Policy United States v. Jones (U.S. Jan. 23, 2012) 2012 WL 171117; No. 10-1259 In a hotly anticipated decision, the Supreme Court unanimously found that the Government’s warrantless attachment of a Global Positioning System (GPS) tracking device to a vehicle to monitor its movement constituted a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Written by Heather Whitney</strong><br />
Edited by Kassity Liu<br />
<a href="http://jolt.law.harvard.edu/digest/about-digest-case-commentaries" target="_blank">Editorial Policy</a></p>
<p><a href="http://www.supremecourt.gov/opinions/11pdf/10-1259.pdf" target="_blank">United States v. Jones</a> (U.S. Jan. 23, 2012)<br />
2012 WL 171117; No. 10-1259</p>
<p>In a hotly anticipated decision, the Supreme Court unanimously found that the Government’s warrantless attachment of a Global Positioning System (GPS) tracking device to a vehicle to monitor its movement constituted a Fourth Amendment violation. While unanimous in judgment, the Court split on both its underlying reasoning and with regard to whether the tracking amounted to a search at all. The Court also did not reach the question of whether the search was reasonable. Due to the Court’s fractured analysis, it remains unclear when the Government must obtain a warrant to track a vehicle’s movements, particularly in the case of short-term monitoring. In concurrence, Justice Alito also suggests that if the public views the losses of privacy brought on by new technologies as inevitable, his <em>Katz</em> analysis would be different in future cases. <span id="more-1967"></span></p>
<p><strong>Facts and Procedural History: </strong>In 2004, respondent Antoine Jones, owner and operator of a nightclub, was suspected of and investigated for trafficking in narcotics. Based on information the Government gathered through its investigation, it applied for a warrant authorizing the use of a GPS device on a Jeep registered to Jones’s wife. The warrant was issued, authorizing the Government to install the GPS device on the Jeep in the District of Columbia within 10 days. Agents, however, did not abide by those requirements, installing the GPS device on the eleventh day and not in the District of Columbia but in Maryland. Nonetheless, for the next 28 days agents used the device to track the vehicle’s location, collecting over 2,000 pages of data. Eventually, Jones was charged with, among other things, conspiracy to distribute and possess with intent to distribute five kilograms or more of cocaine. Before trial, Jones filed a motion to suppress evidence obtained through the GPS device. The District Court granted the motion in part, suppressing only the data obtained while the vehicle was parked in Jones’s garage; the remaining data was held admissible because “[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.” Jones’s 2006 trial produced a hung jury.</p>
<p>Then, in 2007, a grand jury returned another indictment against Jones. The Government used the same GPS data, which connected Jones to a stash house that contained $850,000 in cash, 97 kilos of cocaine, and 1 kilo of cocaine base. This time the jury found Jones guilty, and the court sentenced him to life imprisonment.</p>
<p>The United States Court of Appeals for the District of Columbia Circuit reversed the conviction, finding the installation of the GPS device and collection of GPS data without a valid warrant to violate the Fourth Amendment. A rehearing en banc was denied and the Supreme Court granted certiorari.</p>
<p><strong>Opinion of the Court:</strong> Writing for the Court, Justice Scalia, joined by Chief Justice Roberts and Justices Kennedy, Thomas, and Sotomayor, focused on the fact that the Government physically trespassed on private property for the purpose of obtaining information. Because the physical trespass was on property expressly protected by the Fourth Amendment, Justice Scalia found the reasonable-expectation-of-privacy test from Katz v. United States, 389 U. S. 347, 351 (1967) inapposite. Instead, Justice Scalia revitalized and then used a common-law trespassory test. Under this trespassory test, it was irrelevant whether Jones had a reasonable expectation of privacy in data about where his car had traveled &#8211; it was enough that the Government’s trespass on Jones’s “effect” would have constituted a “search” within the original meaning of the Fourth Amendment.</p>
<p><strong>Justice Sotomayor Concurrence:</strong> While Justice Sotomayor joined the majority opinion, her separate concurrence makes clear that while she found the reasonable-expectation-of-privacy test unnecessary in this case, had a <em>Katz</em> test been necessary, she would have found a reasonable expectation of privacy violated. The majority of her concurrence was then dedicated to articulating her <em>Katz </em>analysis.</p>
<p>But, before moving on to her <em>Katz</em> analysis, it is interesting to note that Justice Sotomayor’s articulation of the majority’s holding deviated slightly, though potentially significantly, from the majority’s own articulation. The majority found that a trespass becomes a search when the trespass is done <em>for the purpose of</em> or <em>with an attempt to</em> find something or obtain information. Justice Sotomayor, however, stated that she “agree[s] that a search within the meaning of the Fourth Amendment occurs, at a minimum, ‘[w]here, as here, the Government obtains information by physically intruding on a constitutionally protected area.’”  By making no reference to the purpose or aim of the trespass, Justice Sotomayor’s articulation suggests somewhat broader Fourth Amendment protection.</p>
<p>Justice Sotomayor’s <em>Katz</em> analysis further showed her broad reading of the Fourth Amendment by making clear that, unlike Justice Alito, she would likely find even short-term GPS monitoring, regardless of physical trespass, a violation of a reasonable expectation of privacy. Justice Sotomayor observed that incredibly sensitive information can be deduced from a person’s movements (e.g., trips to psychiatrists, abortion clinics, AIDS treatment centers, gay bars, and places of worship). And, given how easy and cheap it is for the government to collect and then store and mine that data for years, she found such monitoring particularly likely to chill free expression.</p>
<p>Justice Sotomayor then again went further than the other Justices by stating that a reconsideration of the third-party doctrine may be required. Referring specifically to Internet browsing records, she found that people would find warrantless disclosure of browsing information to the Government unacceptable. By stating that secrecy should not be a prerequisite for privacy, Justice Sotomayor cast welcome doubt on the third-party doctrine.</p>
<p>Justice Sotomayor presents an incredibly pro-privacy position that will likely resonate with a generation that finds an expectation of privacy reasonable when paired with nuanced privacy settings, passwords, and encryption.</p>
<p><strong>Justice Alito Concurrence: </strong>Justice Alito dismissed the majority’s reliance on a trespassory test and instead analyzed the case through <em>Katz</em>. Finding Jones’s reasonable expectation of privacy violated, Justice Alito, joined by Justices Ginsburg, Breyer, and Kagan, concurred in judgment.</p>
<p>Justice Alito began by criticizing the majority for not adequately explaining how the attachment or use of the GPS device constituted either a search or a seizure. There was no seizure because there was no meaningful interference with Jones’s possessory interest. And, as for a search, Justice Alito expressed skepticism: the placing of a GPS device on the car was not a search by itself, and the use of the device did not seem like a search either. He also faulted the majority for disregarding the central issue of the case: the use of GPS for long-term tracking, regardless of whether that tracking amounts to physical trespass.</p>
<p>In contrast to the majority, Justice Alito found that the Fourth Amendment should simply be understood as prohibiting every unjustifiable intrusion by the government upon an individual’s privacy, where physical trespass and technical search and seizure are neither necessary nor sufficient for finding such a Fourth Amendment violation. Through his analysis, Justice Alito found that while relatively short-term monitoring of a person’s movements on public streets does <em>not</em> violate a reasonable expectation of privacy, long-term GPS monitoring in investigations <em>for most offenses</em> does.</p>
<p>However, Justice Alito noted that technological changes may fundamentally alter popular privacy conceptions and, as a result, future applications of the <em>Katz</em> test. Specifically, while the public may find privacy losses brought on by new technologies as unwelcome, they may also accept them as inevitable. And, the belief that privacy losses are inevitable will then alter what counts as a reasonable expectation of privacy. Justice Alito thus ended by suggesting that legislation and not Fourth Amendment protection may be the better way to deal with these technological intrusions in the future.</p>
<p><em>Heather Whitney is a 2L at the Harvard Law School. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/privacy/digest-case-commentary-united-states-v-jones/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. v. Kim Dotcom et al.</title>
		<link>http://jolt.law.harvard.edu/digest/internet/u-s-v-kim-dotcom-et-al</link>
		<comments>http://jolt.law.harvard.edu/digest/internet/u-s-v-kim-dotcom-et-al#comments</comments>
		<pubDate>Sun, 05 Feb 2012 16:00:24 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Digital Millennium Copyright Act]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Abby Lauer]]></category>
		<category><![CDATA[Daniella Adler]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1962</guid>
		<description><![CDATA[Megaupload.com indicted by Department of Justice By Daniella Adler – Edited by Abby Lauer U.S. v. Kim Dotcom et al., 1:12-cr-3 (E.D. Va.) Indictment The Department of Justice recently brought a criminal indictment against Megaupload.com and related websites in the Eastern District of Virginia on three different counts of copyright infringement as well as money [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Megaupload.com indicted by Department of Justice<br />
</strong>By Daniella Adler – Edited by Abby Lauer</p>
<p>U.S. v. Kim Dotcom et al., 1:12-cr-3 (E.D. Va.)<br />
<a href="http://www.scribd.com/doc/78786408/Mega-Indictment" target="_blank">Indictment</a></p>
<p>The Department of Justice recently brought a criminal indictment against Megaupload.com and related websites in the Eastern District of Virginia on three different counts of copyright infringement as well as money laundering and racketeering.</p>
<p>The indictment calls the operators of Megaupload.com and its environs the “Mega-Conspiracy” and describes it as a “worldwide criminal organization.” The government estimates that $175 million in profits from subscriptions and advertising comes directly from the large volume of copyrighted material illegally posted on the website. Among the individuals indicted were Megaupload.com founder Kim Dotcom and several of the sites’ main employees and officers.</p>
<p>Currently, when users attempt to access any of the “Mega” sites, they are confronted with an <a href="http://megaporn.com/banner.jpg">FBI Piracy Warning</a>, which explains that the domain has been seized, states that the “individuals and entities” associated with the crimes have been indicted, and lists the charges. <span id="more-1962"></span></p>
<p>The Digital Millennium Copyright Act (“DMCA”) provides a “safe harbor” for companies that comply with the Act, immunizing them from liability for copyright infringement. <a href="http://www.copyright.gov/title17/92chap5.html#512">Digital Millennium Copyright Act</a>, 17 USC § 512 (1998). In its indictment, the government argues that the Mega sites are not protected by the safe harbor because the employees and operators of the website knew their site hosted copyrighted material, benefitted from this material, and uploaded some of the infringing material themselves.</p>
<p>The government accuses the Mega sites of failing to delete copyrighted material using the same technology and methods it uses to ensure that terrorism propaganda videos and child pornography do not remain on the site. It also accuses the individuals indicted of uploading “at least one infringing copy of a copyrighted work to a Mega Site.”</p>
<p>Prior cases holding host websites or technology companies liable for large-scale copyright infringement by their users include a case in which the court found the most incriminating evidence to be that company owners and employees shared copyrighted material themselves and advertised to a user base that was trying to access the copyrighted material. MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005). The government alleges that similar facts apply here. It argues that owners and operators of the Mega sites uploaded copyrighted material themselves, that the Mega sites didn’t fully comply with the DMCA, and that they paid frequent downloaders for their use of the site when they knew that some of the material was infringing valid copyrights.</p>
<p>Jennifer Granick, General Counsel for Worldstar LLC and blogger on the website of the <a href="http://cyberlaw.stanford.edu/node/6795">Center for Internet and Society</a> at Stanford Law School, points out an essential difference between the <em>Grokster</em> case and the case at hand: <em>Grokster</em> was a civil case, but the individuals in charge of the Mega sites are facing a criminal indictment. Granick questioned whether the indicted individuals can be criminally convicted for what has been, until now, a subject for civil litigation. For the owners and operators of the Mega sites to be criminally culpable, they must have willfully violated a legal duty. If they honestly believed that they were complying with the DMCA, then the willfulness requirement may not have been met. Granick also points out that the conspiracy statute does not hold third parties liable for their users’ copyright infringement. These issues, she argues, make the government’s case hard to prove beyond a reasonable doubt.</p>
<p><a href="http://arstechnica.com/tech-policy/news/2012/01/legal-experts-say-megaupload-faces-long-odds.ars">Ars Technica</a> also reports that Chris Sprigman, law professor at the University of Virginia, is worried that this case will curtail further technological development. Courts have wrestled with this aspect of copyright law since Sony Corp. v. Universal City Studios, 464 U.S. 417 (1984), one of the first cases involving third-party liability for copyright infringement, but the evolution of case law and the passage of the DMCA suggest that curtailing technological innovation will be only a secondary consideration in the Mega site case.</p>
<p><em>Daniella Adler is a 1L at the Harvard Law School.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/internet/u-s-v-kim-dotcom-et-al/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>U.S. v. Fricosu</title>
		<link>http://jolt.law.harvard.edu/digest/district-courts/u-s-v-fricosu</link>
		<comments>http://jolt.law.harvard.edu/digest/district-courts/u-s-v-fricosu#comments</comments>
		<pubDate>Thu, 02 Feb 2012 16:00:55 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[District Courts]]></category>
		<category><![CDATA[Abby Lauer]]></category>
		<category><![CDATA[Brittany Horth]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1958</guid>
		<description><![CDATA[District Court Holds that Defendant Cannot Refuse to Decrypt Hard Drive under Fifth Amendment By Brittany Horth – Edited by Abby Lauer U.S. v. Fricosu, No. 10-CR-00509 (D. Colo. Jan. 23, 2012) Slip Opinion hosted by Internet Cases Judge Robert E. Blackburn of the United States District Court for the District of Colorado granted the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>District Court Holds that Defendant Cannot Refuse to Decrypt Hard Drive under Fifth Amendment<br />
</strong>By Brittany Horth – Edited by Abby Lauer</p>
<p>U.S. v. Fricosu, No. 10-CR-00509 (D. Colo. Jan. 23, 2012)<br />
<a href="http://www.internetcases.com/library/cases/2012-01-23-us_v_fricosu.pdf" target="_blank">Slip Opinion</a> hosted by Internet Cases</p>
<p>Judge Robert E. Blackburn of the United States District Court for the District of Colorado granted the government’s motion to compel Ramona Camelia Fricosu to provide an unencrypted copy of her hard drive for evidentiary purposes. The court considered whether the act of producing the unencrypted hard drive was privileged and not whether the contents of the hard drive were privileged.</p>
<p>Judge Blackburn held that the <a href="http://caselaw.lp.findlaw.com/data/constitution/amendment05/">Fifth Amendment</a> is not implicated by requiring Fricosu to provide the government with the unencrypted contents of her laptop pursuant to a valid search warrant.  He reasoned that Fricosu was not being compelled to self-incriminate because the government had already met its burden of proof by demonstrating that it knew of the location and existence of the relevant computer files and it knew that Fricosu was the sole or primary user of the laptop.  Additionally, the government offered immunity to Fricosu, under which it could not use her production of the unencrypted contents against her. The production of the unencrypted hard drive could thus not be incriminating in and of itself.</p>
<p><a href="http://techland.time.com/2012/01/25/should-the-fifth-amendment-cover-your-encrypted-data/">Time Techland</a> provides a brief overview of the case. <a href="http://blog.internetcases.com/2012/01/24/ordering-defendant-to-decrypt-hard-drive-did-not-violate-her-fifth-amendment-rights/">Internet Cases</a> features a concise analysis of Judge Blackburn’s reasoning. The <a href="https://www.eff.org/deeplinks/2012/01/disappointing-ruling-compelled-laptop-decryption-case">Electronic Frontier Foundation</a>, which filed an amicus brief in the case, criticizes the court for “dodg[ing] the question of whether requiring Fricosu to type a passphrase into the laptop would violate the Fifth Amendment” and failing to recognize the potential testimonial value of the encrypted data. <a href="http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/">CNet News</a> summarizes the long-debated issue of whether a defendant can legally be compelled to decrypt his or her computer files as well as the likelihood that the debate will continue. <span id="more-1958"></span></p>
<p>Fricosu and her husband, Scott Whatcott, were <a href="http://www.fbi.gov/denver/press-releases/2010/dn102010.htm">indicted</a> for mortgage fraud in 2010. On the day following the search by law enforcement that resulted in the seizure of the relevant laptop, Fricosu spoke with an incarcerated Whatcott on the phone about her laptop and its security system. The conversation was recorded. In holding as he did, Judge Blackburn reasoned that this recorded phone conversation referencing a password-protected computer, in addition to the fact that the relevant laptop was identified as “RS.WORKGROUP.Ramona.” and was the only encrypted laptop of the three seized laptops, satisfied the government’s burden of proving that Fricosu owned the relevant laptop. This conclusion was vital to Judge Blackburn’s determination that the production of the unencrypted hard drive would not be incriminating.</p>
<p>In his opinion, Judge Blackburn relied heavily on the few analogous court decisions in existence. He primarily relied upon <a href="http://www.crowell.com/PDF/In-re-Boucher.pdf">In re Grand Jury Subpoena to Boucher</a>, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) (Boucher I) and <a href="http://scholar.google.com/scholar_case?q=In+re+Grand+Jury+Subpoena+to+Boucher&amp;hl=en&amp;as_sdt=2003&amp;case=12682191487277653617&amp;scilh=0">In re Grand Jury Subpoena to Boucher</a>, 2009 WL 424718 at *2 (D. Vt. Feb. 19, 2009) (Boucher II). In <em>Boucher I</em>, the District of Vermont held that the defendant could not be compelled to provide his computer password because the act of providing a password is testimonial and thus privileged under the Fifth Amendment and relevant Supreme Court precedent. But in <em>Boucher II</em>, the same court held that the defendant could be compelled to provide the unencrypted contents of his computer because the government knew both of the location and existence of the relevant computer files and that the defendant owned the computer. Also in <em>Boucher II</em>, the government agreed that it was precluded from using the production of the unencrypted contents against the defendant.</p>
<p>Despite this court’s holding, recent commentary indicates that the long-debated issue over whether a defendant can legally be compelled to decrypt his or her computer files remains largely unresolved. On the one hand are concerns about incentivizing criminals to encrypt all of their computer files, and on the other are concerns about increasingly serious encroachments on the right to privacy and the right against self-incrimination. The issue will only become more pressing as data and encryption increase in complexity.</p>
<p><em>Brittany Horth is a 1L at the Harvard Law School.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/district-courts/u-s-v-fricosu/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash Digest: News in Brief</title>
		<link>http://jolt.law.harvard.edu/digest/copyright/flash-digest-news-in-brief-103</link>
		<comments>http://jolt.law.harvard.edu/digest/copyright/flash-digest-news-in-brief-103#comments</comments>
		<pubDate>Wed, 01 Feb 2012 14:01:51 +0000</pubDate>
		<dc:creator>jallred</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Susanna Lichter]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1954</guid>
		<description><![CDATA[By Susanna Lichter Google Privacy Revisions Stir Debate Google announced a new privacy policy last Monday, raising the concerns of privacy advocates, the Washington Post reports. The policy will allow the web giant to collect information across Google services including search, Gmail and YouTube. Google alleges that the changes will “provide, maintain, protect and improve” [...]]]></description>
			<content:encoded><![CDATA[<p>By Susanna Lichter</p>
<p><strong>Google Privacy Revisions Stir Debate</strong><br />
<a href="http://www.google.co.uk/intl/en/policies/privacy/preview/">Google</a> announced a new privacy policy last Monday, raising the concerns of privacy advocates, the <a href="http://www.washingtonpost.com/business/economy/google-privacy-policy-is-subject-of-backlash/2012/01/25/gIQAzwZCRQ_story.html?tid=pm_business_pop">Washington Post</a> reports. The policy will allow the web giant to collect information across Google services including search, Gmail and YouTube. <a href="http://www.google.co.uk/intl/en/policies/privacy/preview/">Google</a> alleges that the changes will “provide, maintain, protect and improve” Google&#8217;s functionality as well as generate “more relevant search results and ads” for users. So far the policy has received mixed reviews. Digital rights organizations like <a href="http://www.commonsensemedia.org/about-us/news/press-releases/statement-common-sense-media-ceo-james-steyer-google%E2%80%99s-privacy-changes">Common Sense Media</a> criticized the policy, calling it “frustrating and a little frightening,” and suggesting the inability to opt out of the policy may violate the company’s agreement with the FTC. However, the <a href="http://www.telegraph.co.uk/technology/google/9039551/Will-you-read-Googles-new-privacy-policy.html">Telegraph</a> reports that Viviane Reding, the European Commissioner for Justice, who advocates for laws on Internet privacy and data protection, made a statement praising the policy and commending Google&#8217;s forward thinking.</p>
<p><strong>Facebook Prepares for IPO Filing<br />
</strong>The <a href="http://online.wsj.com/article/SB10001424052970204573704577187062821038498.html">WSJ</a> reports that Facebook might file for an initial public offering as early as this week in what could be one of the biggest debuts for a U.S. company ever. The 7-year-old website, which boasts 800 million members and was famously founded in a Harvard College dorm room, could raise as much as $10 billion and be valued upwards of $100 billion. According to the WSJ, Facebook Chief Executive Mark Zuckerberg had been reluctant to go public, fearing it would pose a distraction to the staff. Another factor that has likely kept the young company from going public is the public disclosure requirements. However, as the company fast approaches 500 shareholders, at which point the company would have to publicly report financial information anyway, public disclosure seems inevitable. Morgan Stanley is expected to underwrite the deal, beating out Goldman Sachs, which appeared to have the edge on the underwriting a year ago. Morgan Stanley is the leader in Internet stock underwriting, with clients including Groupon and LinkedIn Corp.</p>
<p><strong>Feds Arrest Megaupload Execs, Anonymous Retaliates<br />
</strong>Seven executives connected to the popular file sharing website Megaupload were arrested last week and the website was shuttered, <a href="http://www.wired.com/threatlevel/2012/01/megaupload-indicted-shuttered/">Wired.com</a> reports. The individuals were indicted on charges including criminal copyright infringement, conspiracy to commit money laundering and racketeering. The government says that the company facilitated in excess of $500 million in harm to copyright holders. Hacker collective “Anonymous” <a href="http://pastebin.com/WEydcBVV">claimed responsibility</a> for retaliatory attacks on the websites of the Justice Department, Recording Industry Association of America, and Universal Music that occurred shortly after Megaupload was taken down. Megaupload&#8217;s controversial founder, Kim Schmitz, aka Kim Dotcom, was among those arrested. The site&#8217;s chief executive, Swizz Beatz, was not implicated.</p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/copyright/flash-digest-news-in-brief-103/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal and State Wiretap Act Regulation of Keyloggers in the Workplace</title>
		<link>http://jolt.law.harvard.edu/digest/software/federal-and-state-wiretap-act-regulation-of-keyloggers-in-the-workplace</link>
		<comments>http://jolt.law.harvard.edu/digest/software/federal-and-state-wiretap-act-regulation-of-keyloggers-in-the-workplace#comments</comments>
		<pubDate>Mon, 30 Jan 2012 16:00:48 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Digest Comment]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Laura Fishwick]]></category>
		<category><![CDATA[Susanna Lichter]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1945</guid>
		<description><![CDATA[Written by Susanna Lichter Edited by Laura Fishwick Editorial Policy “CyberPatrol, ” “SniperSpy,” and “IamBigbrother” are the names of keyloggers that might be installed on your office computer. These easy to use and inexpensive hardware or software devices record keystrokes and allow a monitor to access email, and other password-protected accounts of an unsuspecting typist. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Written by Susanna Lichter<br />
</strong>Edited by Laura Fishwick<br />
<a href="http://jolt.law.harvard.edu/digest/digest-comment/introducing-digest-comments" target="_blank">Editorial Policy</a></p>
<p>“CyberPatrol,” “SniperSpy,” and “IamBigbrother” are the names of keyloggers that might be installed on your office computer. These easy-to-use and inexpensive hardware or software devices record keystrokes and allow a monitor to access email and other password-protected accounts of an unsuspecting typist. <a href="http://www.securitymanagement.com/archive/library/websense_technofile0906.pdf" target="_blank">Employers are using keyloggers more often</a> in the workplace to oversee employees without their knowledge. Managers argue that computer surveillance is important to ensure productivity, but alternative tools like website blockers, remote desktop access and time audits allow employers to determine whether an employee deviated from her task without risking the same breach of trust or employee humiliation associated with keyloggers.</p>
<p>Although keyloggers facilitate a major invasion of privacy, they are legal in many jurisdictions. There is currently no federal law that has been interpreted to prohibit their surreptitious use. The <a href="http://www.law.cornell.edu/uscode/usc_sup_01_18.html" target="_blank">Electronic Communications Privacy Act</a> (ECPA), which includes the <a href="http://www.law.cornell.edu/uscode/18/ch119.html">Federal Wiretap Act</a> (FWA) and the <a href="http://www.law.cornell.edu/uscode/usc_sup_01_18_10_I_20_121.html">Stored Communications Act</a> (SCA), could potentially prevent keystroke theft, but thus far the protections it offers have not been extended to keyloggers. However, there is evidence that this may soon change. Several recent cases have suggested a broader interpretation of the ECPA than what has previously been held. Additionally, in the absence of a consensus about federal law prohibiting keyloggers, some courts have interpreted state statutes to protect the public from having their strokes stolen. The conflict of interpretations between jurisdictions leaves people in many states vulnerable to invasive employer spying. It also creates a lack of clarity for employers and employees regarding what is considered lawful conduct. The surreptitious use of keyloggers should be subjected to wider regulation by state or federal law. In a few cases courts have diverged from precedent and adopted this position. <span id="more-1945"></span></p>
<p><strong>The Limited Interpretation of the Federal Wiretap Act</strong></p>
<p>In September 2011, the Southern District Court of Indiana heard the case of a woman whose privacy was violated through the use of a keylogger. The defendants in <a href="http://scholar.google.com/scholar_case?case=4653698762605861869&amp;q=Rene+v.+G.F.Fishers&amp;hl=en&amp;as_sdt=2,22&amp;scilh=0">Rene v. G.F. Fishers, Inc.</a> authorized plaintiff Lisa Rene to access her personal checking account and personal email from an office computer without disclosing to her that they had equipped the computer with keylogger software. <em>Id</em>. The software allowed the defendants to obtain passwords for Rene&#8217;s personal accounts, which they viewed, forwarded, and discussed amongst themselves. <em>Id</em>. Rene sued G.F. Fishers, claiming their actions violated the FWA, the SCA, and the <a href="http://www.in.gov/legislative/ic/2010/title35/ar33.5/ch1.html">Indiana Wiretap Act</a> (IWA). <em>Id</em>.</p>
<p>The FWA claim was dismissed. The FWA punishes a person who “intentionally intercepts” an “electronic communication.” <a href="http://www.law.cornell.edu/uscode/usc_sec_18_00002511----000-.html">18 U.S.C. § 2511(1)(a)</a> (2011). Rene argued that the defendants violated the FWA by intercepting her keystrokes as she typed her passwords on the computer. <em>Rene</em> at *2. However, the court found that the capture of keystrokes does not constitute “interception” as understood by the FWA. <em>Id.</em> at *2. Though the statute does not compel this interpretation, courts have generally determined the FWA requires that interception happen “contemporaneously” with transmission of the information.[i] The “contemporaneous” requirement was part of the definition of interception with respect to wire and oral communications prior to the enactment of the ECPA and was originally intended to keep answering machine tapes seized by police from falling within the scope of the law. <a href="http://scholar.google.com/scholar_case?case=2144614782646107852&amp;q=US+v+Turk+1976&amp;hl=en&amp;as_sdt=2,22">U.S. v. Turk.</a> When the ECPA amended the FWA to include electronic communications, several courts concluded that Congress intended the “contemporaneous” requirement be retained. See <a href="http://scholar.google.com/scholar_case?case=12113043904577203785&amp;q=Konop+v.+Hawaiian+Airlines+Inc.&amp;hl=en&amp;as_sdt=2,22">Konop v. Hawaiian Airlines Inc.</a> for a summary of early cases. Because many keyloggers store the captured information on their host computer to be subsequently retrieved by a monitor, Rene could not demonstrate that the information seized was contemporaneously transmitted in violation of the FWA.</p>
<p>The court also concluded that Rene&#8217;s keystrokes failed to meet the FWA&#8217;s requirements for “electronic communication,” <em>Rene</em> at *2, defined by the FWA as signs and signals, etc. “transmitted&#8230;by a&#8230;system that affects interstate or foreign commerce.” <a href="http://www.law.cornell.edu/uscode/usc_sec_18_00002510----000-.html">18 U.S.C. § 2510(12)</a> (2011). Since the keylogger did not transmit Rene’s private information beyond the office computer, the court found that Rene’s employers’ action did not implicate a system affecting interstate or foreign commerce. This interpretation of the Commerce Clause was developed in <a href="http://scholar.google.com/scholar_case?case=15053841170426759166&amp;q=United+States+v.+Scarfo,&amp;hl=en&amp;as_sdt=2,22">United States v. Scarfo</a>, and <a href="http://scholar.google.com/scholar_case?case=5502061119220003016&amp;q=United+States+v.+Ropp&amp;hl=en&amp;as_sdt=2,22">United States v. Ropp</a>, two of the first cases to address the legality of keyloggers. In <em>Scarfo</em>, a New Jersey federal court ruled that the FBI&#8217;s use of a keylogger to “eavesdrop” during an investigation into mob boss Nicodemo Scarfo&#8217;s alleged criminal gambling and loan sharking activities was not in violation of the FWA. The FBI claimed they did not record any of Scarfo&#8217;s keystrokes while his computer was connected to a modem; therefore, a system that affected interstate commerce was not involved. <em>Scarfo</em> at 582.</p>
<p>However, the presence of a network connection may not be sufficient to put keylogger use in violation of the FWA. In <em>Ropp</em>, a California district court found that an employer did not violate the FWA even when the keylogger he installed was not disabled while the computer had a network connection. The court determined that “the reasoning used in <em>Scarfo</em> is flawed in some respects” and opted for an even narrower construction of the statute. <em>Ropp</em> at 835. The court considered the possibility that any computer with a modem could be considered a system that affects interstate commerce and concluded that “[a]lthough this system is connected to a larger system–the network–which affects interstate or foreign commerce, the transmission in issue did not involve that system. The network connection is irrelevant.” <em>Id</em>. at 838. The court found the statute required not only that the system be capable of affecting interstate commerce at the time of interception, but that those capabilities be incorporated into the keystroke capture. The <em>Rene</em> court agreed with this interpretation of the FWA. <em>Rene</em> at *3.</p>
<p>Counter-arguments in favor of finding that keyloggers fall within the Commerce Clause were rejected by the <em>Ropp</em> and <em>Rene</em> courts. These two courts could have adopted a more holistic view of the system in which the keylogger becomes integrated with the computer it is installed on. If the keylogger had not been installed on a networked computer the employee would not have been typing her email and checking account passwords for the keylogger to record. These courts instead found the connection was incidental, opting for a compartmental view of the system, and concluding the keylogger&#8217;s function was decidedly separate from the computer&#8217;s powerful networking function despite knowledge that the network function was precisely what the employer was seeking to exploit. The <em>Ropp</em> court defended its position by insisting that only Congress should be covering new technological terrain, but in the seven years since <em>Ropp</em> legislation has become more inadequate as keylogger technology has become more invasive. <em>Id</em>. at 838.</p>
<p>Newer keyloggers available to average consumers offer complete remote access, allowing a monitor to harvest stolen keystrokes online.[ii] This keylogger software is capable of transmitting the captured keystroke information to a website where the typist can be monitored in real time. These keyloggers both use a network connection more directly and intercept more plainly in accordance with the dominant FWA interpretations. This new technology calls attention to what could be an arbitrary distinction made in FWA interpretations. The difference between nabbing an employee&#8217;s keystrokes contemporaneously with transmission or a short while later does not seem significant if the keystrokes provide the same access. This could explain why the legislature did not include the “contemporaneous” provision when drafting the FWA.</p>
<p><strong>The Inadequacy of Regulating Keyloggers Under the SCA</strong></p>
<p>Plaintiffs filing claims involving keyloggers can bring suit under both the FWA and SCA. Though Rene&#8217;s FWA claim was dismissed, her SCA claim survived summary judgment. According to the court, obtaining her passwords through a keylogger did not violate federal law, but using a password to read her email might. <em>Rene</em> at *6. However, SCA claims, which address the unauthorized accessing of “electronic communication while it is in electronic storage,” do not provide a reliable alternative to federal or state keylogger regulation because courts do not agree on how the SCA should be applied to email. <a href="http://www.law.cornell.edu/uscode/usc_sec_18_00002701----000-.html">18 U.S.C. § 2701(a)</a> (2011). Due to ambiguity in the law, the crucial question in many cases to determine whether emails are in “electronic storage” is whether the emails have previously been read. Courts have gone in many different directions addressing whether accessing someone&#8217;s email is an SCA violation, with some tending towards prohibition under the SCA[iii] and others less inclined to extend SCA coverage.[iv] The kaleidoscope of decisions means that SCA claims are unpredictable and don&#8217;t offer a substitute for FWA claims in this context. SCA claims also do not prevent pirating into the myriad password accounts to which a keylogger can provide access, such as checking accounts and networking sites.</p>
<p><strong>“Affecting Commerce”: Broader Interpretations of the FWA</strong></p>
<p>The narrow interpretation of the Commerce Clause and the “contemporaneous” interception requirement has led to the defeat of numerous claims of FWA and state wiretap act violations involving keyloggers.<a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_edn5">[v]</a> Commentators have also noted it as a paramount reason why the ECPA is ineffective for keylogger oversight.<a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_edn6">[vi]</a> There are indications, however, that this interpretation of the FWA may be losing its strong hold.</p>
<p>At least one court has been critical of the <em>Ropp</em> interpretation of the FWA. In <a href="http://oh.findacase.com/research/wfrmDocViewer.aspx/xq/fac.20070214_0000166.SOH.htm/qx">Potter v. Havlicek</a>, a case of spousal spying using a keylogger, an Ohio district court found that the <em>Ropp</em> court read the statute too narrowly by requiring the communication to be traveling in interstate commerce, as opposed to merely affecting interstate commerce. <em>Id.</em> at *8. The <em>Havlicek</em> court held that messages sent on a networked computer, consisting of keystrokes, do affect interstate commerce. Therefore, the Commerce Clause requirement might be fulfilled. <em>Id</em>. at *9. This interpretation has gathered some momentum in keylogger cases. <a href="http://hr.cch.com/cases/Brahmana.pdf">Brahmana v. Lembo</a>, a California workplace spyware case involving a keylogger and “network analyzers” (which allow for the keystrokes to be recorded over a network), cited the <em>Havlicek</em> interpretation and likewise suggested that the <em>Ropp</em> court read the FWA too narrowly. The District Court for the Northern District of California concluded that the “means of monitoring” might support the finding that the keystrokes had affected interstate commerce and allowed the claim to go to discovery. <em>Id</em>. at 3. In <a href="https://1.next.westlaw.com/Document/Ia690940bdd2b11e08b448cf533780ea2/View/FullText.html?listSource=Foldering&amp;categoryId=useLbYVhCoV1UmwmCkzNxMAF7WddpoV1WByOlUXkopgN9WCq8uYuc6fd5CoPbKRgzIHIdy5npfFo4iyBrKSLsMiEP4n6B4rs&amp;fcid=2df9f93e26a94f358b3361469a348934&amp;originationContext=MyResearchDockDocuments&amp;transitionType=FolderItem&amp;contextData=(cid.2df9f93e26a94f358b3361469a348934*oc.Search)&amp;VR=3.0&amp;RS=cblt1.0">Langston v. Langston</a>, a Texas district court indicated that the case law on the legality of keyloggers is unclear and referenced <em>Brahmana</em> and <em>Havlicek</em> as courts that have found that keyloggers could constitute electronic communications sufficient to violate the ECPA. <em>Id</em>. at n.*22. These decisions allude to a possible shift in the willingness of courts to protect the privacy rights of individuals from surreptitious keystroke theft under federal law.</p>
<p><strong>Broader Interpretations of State Wiretap Acts</strong></p>
<p>State wiretap acts lack the impediment of the interstate Commerce Clause, and thus their applicability hinges on the interpretation of a different set of terms. In <em>Rene</em> the court found that keystroke theft might constitute a violation of the IWA absent the “affecting interstate commerce” language. <em>Id</em>. at *4. The defendant in <em>Rene</em> argued that because Rene&#8217;s FWA claim failed, her claim under the IWA must also fail, because the definition of “intercept” under the IWA is “nearly identical” to the definition of interception under the FWA. <em>Id</em>. at *4. The court in <em>Rene</em> rejected the defendant&#8217;s argument, stating that while the provisions may echo each other, the definitions are “hardly identical”. <em>Rene</em> at *4.  The IWA defines “intercept” as “the intentional recording or acquisition of the contents of an electronic communication by a person other than a sender or receiver of that communication, without the consent of the sender or receiver” with “electronic communication” not requiring that the system at issue affect interstate commerce, as the FWA does, and without the contemporaneous requirement grafted on it. <a href="http://www.in.gov/legislative/ic/2010/title35/ar33.5/ch1.html">Ind.Code 35–33.5–1–5</a>.</p>
<p>In <a href="http://www.courts.state.nh.us/superior/orders/walters.pdf">State v. Walters</a>, the defendant&#8217;s roommates installed a keylogger on his computer to read his emails. The New Hampshire superior court hearing the case found that keyloggers installed surreptitiously violate <a href="http://nhdcyf.info/rsa/570-a.html">New Hampshire wiretap legislation</a>, which defines intercept as “the aural or other acquisition of, or the recording of, the contents of any telecommunication or oral communication.” <a href="http://nhdcyf.info/rsa/570-a.html">N.H. Rev. Stat. Ann. § 570-A:1</a>. The court explained the keylogger allowed the roommates to “intercept and record the defendant&#8217;s Internet user password” in violation of the statute. <em>Walters</em> at *1.</p>
<p>In <a href="https://1.next.westlaw.com/Document/Id004fedacd9e11e0a9e5bdc02ef2b18e/View/FullText.html?listSource=Foldering&amp;categoryId=useLbYVhCoV1UmwmCkzNxMAF7WddpoV1WByOlUXkopgN9WCq8uYuc6fd5CoPbKRgzIHIdy5npfFo4iyBrKSLsMiEP4n6B4rs&amp;fcid=64ab8ad7a96d439e89670f12c7c3b666&amp;originationContext=MyResearchDockDocuments&amp;transitionType=FolderItem&amp;contextData=(cid.64ab8ad7a96d439e89670f12c7c3b666*oc.Search)&amp;VR=3.0&amp;RS=cblt1.0">Rich v. Rich </a>Leslie Rich installed a keylogger on his wife&#8217;s computer unbeknownst to her. The keylogger not only copied passwords but entire blocks of text as she typed. Rich&#8217;s wife sued claiming that the <a href="http://www.malegislature.gov/Laws/GeneralLaws/PartIV/TitleI/Chapter272/Section99">Massachusetts Wiretap Act</a>, which prohibits the interception of oral or wire communications, can be applied to cases involving keyloggers.<em> Id.</em> at *1. Again, the defendant argued that because the FWA does not cover keyloggers, nor should the MWA, because of the interception requirement. <em>Id.</em> at *4. “Intercept” as defined by the MWA means to “secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication &#8230;” <em>Id.</em> at *5 (citing G.L.c. 272, § 99B(4)). The Massachusetts superior court found that even under the narrow federal FWA reading, in which the keylogger programs typically were used only to learn passwords, Leslie&#8217;s acquisition would constitute interception, because the communications were not stored in email and retrieved later but copied in their entirety and, therefore, contemporaneous with transmission.</p>
<p><strong>Narrower Interpretations of State Wiretap Acts</strong></p>
<p>Although unburdened by the Commerce Clause, some states have chosen not to extend coverage of their wiretap acts to keyloggers installed without knowledge or consent. The <a href="http://cybercrimelaw.info/pdf/18_PaCS_5703_etsec.pdf">Pennsylvania Wiretap Act</a> has been interpreted not to prohibit the use of keyloggers.<a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_edn7">[vii]</a> Pennsylvania courts have interpreted “intercept” to have the same meaning in the PWA as it does in the FWA, including the “contemporaneous” requirement, although the statute does not on its face require it. <a href="http://cybercrimelaw.info/pdf/18_PaCS_5703_etsec.pdf">18 Pa.C.S.A. § 5703</a>. <em>See </em><a href="https://1.next.westlaw.com/Document/I704382fe6cc311e0af6af9916f973d19/View/FullText.html?listSource=Foldering&amp;categoryId=useLbYVhCoV1UmwmCkzNxMAF7WddpoV1WByOlUXkopgN9WCq8uYuc6fd5CoPbKRgzIHIdy5npfFo4iyBrKSLsMiEP4n6B4rs&amp;fcid=3d7966b37aa844ef8c6f14a5f4a25eca&amp;originationContext=MyResearchDockDocuments&amp;transitionType=FolderItem&amp;contextData=(cid.3d7966b37aa844ef8c6f14a5f4a25eca*oc.Search)&amp;VR=3.0&amp;RS=cblt1.0">Lane v. CBS Broad. Inc.</a> (“If a keylogger does not intercept electronic communications under the federal act, it cannot be deemed to do so under the terms of the parallel state statutes.”) Similarly, the Louisiana District Court interpreted the <a href="http://law.justia.com/codes/louisiana/2011/rs/title15/rs15-1302/">Louisiana Electronic Surveillance Act</a> to exclude the regulation of keyloggers. <a href="http://la.findacase.com/research/wfrmDocViewer.aspx/xq/fac.20080924_0001657.ELA.htm/qx">Becker v. Toca</a> at *6. These cases illustrate that subtle differences in wording or interpretation can permit wholly different results in the success of state law claims. An additional complication is that, due to limited case law in this area, many states have privacy statutes that have not been tested by difficult cases.</p>
<p><strong>Conclusion</strong></p>
<p>Courts in some jurisdictions have declined to take the step to prohibit the surreptitious use of keyloggers, despite the apparent option to apply state legislation. This posture leaves individuals vulnerable to having their private information exploited by their employers. The most cohesive way to fortify employee privacy rights against keyloggers would be for courts to interpret the FWA more broadly. In the absence of ECPA coverage, states should examine their statutes and consider the public policies they are meant to protect. Given alternative methods of surveillance, lack of federal regulation, and advancing technology, extending state statutes is necessary and just.</p>
<div>
<hr size="1" />
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref1">[i]</a><sup> Miller v. Meyers, 766 F. Supp. 2d 919, 923-24 (W.D. Ark. 2011), </sup>Lane v. CBS Broad. Inc., 612 F. Supp. 2d 623 (E.D. Pa. 2009)<sup>, </sup>Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002)<sup>, </sup>Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457, 458 (5th Cir. 1994).</p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref2">[ii]</a><sup> http://www.topsecretsoftware.com/realtime-spy.html</sup></p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref3">[iii]</a> Jennings v. Jennings, 389 S.C. 190, 697 S.E.2d 671, 678 (S.C.Ct.App.2010)<sup>, Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 461 (5th Cir.1994), Theofel v. Farey–Jones, 359 F.3d 1066, 1071, 1075–76 (9th Cir.2004).</sup></p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref4">[iv]</a><sup> Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965, 987 (C.D.Cal.2010), United States v. Weaver, 636 F.Supp.2d 769, 773 (C.D.Ill.2009).</sup></p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref5">[v]</a><sup> Miller v. Meyers, 766 F. Supp. 2d 919, 923-24 (W.D. Ark. 2011),</sup><sup> </sup><sup>Lane v. CBS Broad. Inc., 612 F. Supp. 2d 623 (E.D. Pa. 2009), State v. Poling, 2010-Ohio-5429, 160 Ohio Misc. 2d 84, 88, 938 N.E.2d 1118, 1122</sup><sup>. </sup></p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref6">[vi]</a><sup> Paul Koob, Not Enough Fingers in the Dam: A Call for Federal Regulation of Keyloggers, 28 Temp. J. Sci. Tech. &amp; Envtl. L. 125 (2009)</sup><sup>, </sup><sup>Patricia L. Bellia, Spyware and the Limits of Surveillance Law, 20 Berkeley Tech. L.J. 1283, 1285 (2005)</sup><sup>. </sup></p>
</div>
<div>
<p><a href="file:///C:/Users/Admin/Downloads/comment.lichter1.27%20(1).doc#_ednref7">[vii]</a><sup> Lane v. CBS Broadcasting Inc., 2008 WL 8475407 (Pa.Com.Pl.),</sup><sup> </sup><sup> </sup><sup>Com. v. Proetto, 2001 PA Super. 95, 771 A.2d 823 (Pa. Super. Ct. 2001) aff&#8217;d, 575 Pa. 511, 837 A.2d 1163 (2003).</sup></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/software/federal-and-state-wiretap-act-regulation-of-keyloggers-in-the-workplace/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>JOLT Print Preview: Tragedy of the Data Commons</title>
		<link>http://jolt.law.harvard.edu/digest/print-preview/jolt-print-preview-tragedy-of-the-data-commons</link>
		<comments>http://jolt.law.harvard.edu/digest/print-preview/jolt-print-preview-tragedy-of-the-data-commons#comments</comments>
		<pubDate>Mon, 30 Jan 2012 14:00:57 +0000</pubDate>
		<dc:creator>kliu</dc:creator>
				<category><![CDATA[Print Preview]]></category>

		<guid isPermaLink="false">http://jolt.law.harvard.edu/digest/?p=1934</guid>
		<description><![CDATA[The Harvard Journal of Law &#38; Technology recently released its Fall 2011 issue, now available online.  Jane Yakowitz, author of “Tragedy of the Data Commons” has written an abstract of her article for the Digest, presented below. - The Digest Staff JOLT Print Preview: Tragedy of the Data Commons Jane Yakowitz The data that fuels most [...]]]></description>
			<content:encoded><![CDATA[<p><em>The Harvard Journal of Law &amp; Technology recently released its Fall 2011 issue, now available <a href="http://jolt.law.harvard.edu/articles/v25.php" target="_blank">online</a>.  Jane Yakowitz, author of “Tragedy of the Data Commons” has written an abstract of her article for the Digest, presented below.</em></p>
<p><em>- The Digest Staff</em></p>
<p><strong>JOLT Print Preview: Tragedy of the Data Commons<br />
</strong>Jane Yakowitz</p>
<p>The data that fuels most of the quantitative health and policy research in this country is publicly available data that has undergone some sort of anonymization process. This is the data commons, and unwittingly, we are all in it. Our <a href="http://www.irs.gov/taxstats/article/0,,id=169090,00.html" target="_blank">tax returns</a>, <a href="http://wonder.cdc.gov/">medical records</a>, and <a href="file:///C:/Users/Tai%20Mai/Downloads/nces.ed.gov">school records</a>, among other things, seed its pastures and facilitate a wide range of empirical studies.</p>
<p>In theory the data commons gives us the best of both worlds by allowing researchers to test hypotheses and produce generalizable results without exposing anybody’s personal information. But in practice, we all shoulder some risk that a bad actor might use auxiliary information to reidentify us, and discover our private information. The looming policy question, raised by <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006">Paul Ohm</a> and the <a href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf">Federal Trade Commission</a>, is whether current data privacy policies in the United States strike the right balance between the risks of reidentification attacks and the utility of data-sharing. Paul Ohm and <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1909366">other scholars</a> believe the risk is too high, that we need stronger privacy laws to protect data subjects. This article comes to the exact opposite conclusion: the utility of public research data is <em>so</em> great, and the realistic risks <em>so</em> small, that the law should foster the sharing of anonymized data. <span id="more-1934"></span></p>
<p><strong> </strong></p>
<p>The value of the data commons is frequently overlooked. As soon as publicly available research data produces a useful study, little attention is paid to the provenance of the underlying data sources. Public data has been used to support and dispel a wide range of theories about <a href="http://www.economics.harvard.edu/faculty/fryer/files/Empirical%20analysis%20of%20the%20gender%20gap_final%20manuscript.pdf">education</a>, <a href="http://search.barnesandnoble.com/Welfare-Reform/Jeffrey-Grogger/e/9780674018914?userid=MA0WzgNCxB&amp;itm=1">welfare reform</a>, and <a href="http://bpp.wharton.upenn.edu/jwolfers/DeathPenalty.shtml">capital punishment</a>. Anybody who has <a href="http://www.cdc.gov/flu/about/qa/vaccineeffect.htm#isiteffective">gotten a flu shot</a> or <a href="http://www.dnainfo.com/20110718/midtown/citys-new-hightech-traffic-system-hopes-break-midtown-gridlock">waited at a traffic light</a> has benefited, indirectly, from anonymized data. The data commons has played a particularly critical role in the exposure and redress of race and sex <a href="http://www.jstor.org/pss/828307">discrimination</a>. The data commons is vital to what George Duncan calls “<a href="http://books.google.com/books?id=mf_kb6MKrOYC&amp;pg=PT83&amp;lpg=PT83&amp;dq=George+Duncan+%22information+justice%22&amp;source=bl&amp;ots=LICnE3ck0Y&amp;sig=NvDIeLAgogMnNfjH2OyhS-z4Yjg&amp;hl=en&amp;sa=X&amp;ei=fzobT6-EMab30gHk0MDeCw&amp;ved=0CB4Q6AEwAA#v=onepage&amp;q=George%20Duncan%20%22inform">information justice</a>.” It reveals what cannot be discerned through any one individual’s experience alone.</p>
<p>But against this abundant utility, the risks to data subjects must be balanced. The most compelling evidence that anonymized data poses great risk are the <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;sqi=2&amp;ved=0CDEQFjAA&amp;url=http%3A%2F%2Fwww.cs.utexas.edu%2F~shmat%2Fshmat_oak08netflix.pdf&amp;ei=xTobT5TuMYbY0QH1rIjnCw&amp;usg=AFQjCNEULQP3MTB5Ugb7reVs_nqPfBxOow&amp;sig2=-fDd7UeZH_Rss4GNdBupBg">Netflix de-anonymization study</a> and the <a href="http://epic.org/privacy/reidentification/Sweeney_Article.pdf">reidentification of Governor Weld</a>.</p>
<p>These studies demonstrate that malfeasors might be able to link the values in an anonymized research database to information reported in publicly available <em>identified</em> records— e.g. voter registration records or IMDb profiles. The media <a href="http://www.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213">accepted uncritically</a> the conclusions and purported implications of the de-anonymization attack literature despite <a href="http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0028071">significant limitations and flaws in the studies.</a> Paul Ohm, too, interprets these studies to forebode the formation of a “database of ruin” composed of previously deidentified pieces of information. As a result, the public labors under a false impression that reidentification attacks on anonymized data are accurate and scalable.</p>
<p>The evidence of impending risk is wanting. Reidentification attacks would be costly and riddled with <a href="http://www.techpolicyinstitute.org/files/the%20illusory%20privacy%20problem%20in%20sorrell1.pdf">false match error</a>, which no doubt explains why a wide-scale reidentification attack has not happened. Moreover, an intruder can exploit lower-hanging fruit—data security systems to be <a href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426">breached</a> and personal computers to be <a href="http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/8378405/News-of-the-World-faces-computer-hacking-claims.html">hacked</a>. The marginal value of anonymized data even to a truly nefarious actor is trivial.</p>
<p>Since the social utility of research data greatly outweighs the risks, law ought to encourage the flow of probative research data by creating a safe harbor for data producers who share research data responsibly. The proposal advanced by this Article has three aspects to its design. First, federal regulations should clarify what a data producer is expected to do in order to anonymize a dataset sufficiently and avoid the dissemination of <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=2&amp;ved=0CD8QFjAB&amp;url=http%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fnistpubs%2F800-122%2Fsp800-122.pdf&amp;ei=iEkbT_GPNqLX0QGN8LGVCw&amp;usg=AFQjCNEDpfhM8SdWcO5YEU8kYp1aA4Pigw&amp;sig2=vNJmlXFHRyuSbhhAB5Nf-w">Personally Identifiable Information</a> (“PII”).  Second, federal law should immunize the data producer from privacy-related liability of most (not all) sorts, and third, law should penalize any recipient of anonymized data who reidentifies a data subject in the dataset and further discloses the subject’s PII.</p>
<p>These proposals run against the tide of data privacy scholarship, which generally seeks to curb the spread of data and to give consumers <em>more</em> control over its flow. To be sure, the preservation and growth of the data commons will appeal only to those who are enthusiastic about health and social science research. Since this research is critical to sound policymaking, the article concludes that we have a civic responsibility to contribute our personal information to the data commons—the digital fields that describe none of us and all of us at the same time.</p>
]]></content:encoded>
			<wfw:commentRss>http://jolt.law.harvard.edu/digest/print-preview/jolt-print-preview-tragedy-of-the-data-commons/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

