Articles Posted in Internet Law

by
Defendants created a publicly searchable “Inmate Lookup Tool” into which they uploaded information about thousands of people who had been held or incarcerated at the Bucks County Correctional Facility since 1938. Taha filed suit, alleging that the County and Correctional Facility had publicly disseminated information on the internet in violation of the Pennsylvania Criminal History Record Information Act, 18 Pa. Cons. Stat. 9102, about his expunged 1998 arrest and incarceration. The district court granted Taha partial summary judgment on liability before certifying a punitive damages class of individuals about whom incarceration information had been disseminated online. The court then found that the only remaining question of fact was whether defendants had acted willfully in disseminating the information. After the court certified the class, the defendants filed an interlocutory appeal. The Third Circuit affirmed the class certification order, rejecting an argument that the district court erred in granting Taha partial summary judgment on liability before ruling on class certification. The court upheld conclusions that punitive damages can be imposed in a case in which the plaintiff does not recover compensatory damages, that punitive damages can be imposed on government agencies, and that the predominance requirement under FRCP 23(b)(3) was met so that a class could be certified. View "Taha v. County of Bucks" on Justia Law

by
While investigating Doe concerning online child pornography, agents executed a warrant and seized iPhones and a computer with attached hard drives, all protected with encryption software. Forensic analysts discovered the password for the computer and found an image of a pubescent girl in a sexually provocative position, logs showing that it had been used to visit sites with titles common in child exploitation, and that Doe had downloaded thousands of known child pornography files, which were stored on the encrypted external drives and could not be accessed. Doe's sister related that Doe had shown her hundreds of child pornography images on those drives. A magistrate, acting under the All Writs Act, ordered Doe to produce his devices and drives in an unencrypted state. Doe did not appeal the order but unsuccessfully moved to quash, arguing that his decrypting the devices would violate his Fifth Amendment privilege. The magistrate held that, because the government possessed Doe’s devices and knew the contents included child pornography, the decryption would not be testimonial. Doe did not appeal. Doe produced the unencrypted iPhone, which contained adult pornography, a video of Doe’s four-year-old niece wearing only underwear, and approximately 20 photographs focused on the genitals of Doe’s six-year-old niece. Doe stated that he could not remember the hard drive passwords and entered incorrect passwords during the examination. The court held Doe in civil contempt and ordered his incarceration. The Third Circuit affirmed, noting that Doe bore the burden of proving that he could not produce the passwords and had waived his Fifth Amendment arguments. View "United States v. Apple Macpro Computer" on Justia Law

by
The district court dismissed, for lack of jurisdiction, a constitutional challenge to an electronic surveillance program operated by the National Security Agency (NSA) under the authority of Section 702 of the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. 1881a. The court noted that the plaintiff failed to plead facts from which one might reasonably infer that his own communications had been seized by the federal government. The Third Circuit vacated and remanded. The second amended complaint alleged that because the government was “intercepting, monitoring and storing the content of all or substantially all of the e-mail sent by American citizens,” plaintiff’s own online communications had been seized in the dragnet. That allegation sufficiently pleaded standing to sue for a violation of plaintiff’s Fourth Amendment right to be free from unreasonable searches and seizures. Plaintiff may lack actual standing to sue; the government may, on remand to make a factual jurisdictional challenge to that pleading. The alleged facts—even if proven—do not conclusively establish that a dragnet on the scale alleged by plaintiff. On remand, the court must closely supervise limited discovery. View "Schuchardt v. President of the United States" on Justia Law

by
Under the Facebook account name “Billy Button,” Browne began exchanging messages with 18-year-old Nicole. They met in person and exchanged sexually explicit photographs of themselves through Facebook chats. Browne threatened to publish the photos online unless Nicole engaged in oral sex and promised to delete the photos only if she provided him the password to her Facebook account. Using that account, Browne made contact with four minors and solicited explicit photos. Once he had their photos, he repeated the pattern, threatening to publish their images unless they engaged sexual acts. Alerted by the Virgin Islands Police Department, Department of Homeland Security (DHS) agents investigated, arrested Browne, executed a search warrant on his residence, and seized a cell phone from which text messages and photos of the minors were recovered. Browne admitted ownership of the phone and Facebook account. Facebook provided five sets of chats and a certificate of authenticity executed by its records custodian, which were admitted at trial. The Third Circuit affirmed his convictions for child pornography and sexual offenses with minors. While rejecting the government’s assertion that, under Rule 902(11), the contents of the communications were “self-authenticating” as business records accompanied by a certificate from the records custodian, the court found that the record reflected sufficient extrinsic evidence to link Browne to the chats and satisfy the prosecution’s authentication burden under a conventional Rule 901 analysis. View "United States v. Browne" on Justia Law

by
Plaintiffs filed a class action alleging that defendants, who run internet advertising businesses, placed tracking cookies on the plaintiffs’ web browsers in contravention of their browsers’ cookie blockers and defendant Google’s own public statements. Essentially they claimed that the defendants acquired the plaintiffs’ internet history information when, in the course of requesting webpage advertising content at the direction of the visited website, the plaintiffs’ browsers sent that information directly to the defendants’ servers. They cited the Wiretap Act, 18 U.S.C. 2510; the Stored Communications Act, 18 U.S.C 2701; the Computer Fraud and Abuse Act, 18 U.S.C. 1030; and, against Google, violation of the privacy right conferred by the California Constitution, intrusion upon seclusion, the state Unfair Competition Law, the California Comprehensive Computer Data Access and Fraud Act, the California Invasion of Privacy Act, and the California Consumers Legal Remedies Act. The district court dismissed. The Third Circuit affirmed as to the federal claims, stating that fraud or deceit does not amount to wiretapping; the alleged conduct implicated no protected “facility” under the Stored Communications Act; and the plaintiffs alleged no damages under the Fraud Act. The court vacated dismissal of the state law claims against Google. View "In Re: Google Inc Cookie Placement Consumer Privacy Litig." on Justia Law

by
Munroe was an English teacher, generally considered to be effective and competent. The District granted Munroe tenure in 2010. In 2009, Munroe began a blog, using the name “Natalie M.” She did not expressly identify where she worked or lived, the name of the school or the names of her students. According to Munroe, her blog was meant to be viewed by friends that she had asked to subscribe. There were fewer than 10 subscribed readers, but no password was required for access. Most of the blog posts were unrelated to her school or work. Some postings included complaints about students, her working conditions, and related matters. The District administration first learned of Munroe’s blog in February 2011 when a reporter from a local newspaper began to ask questions; students apparently were commenting on social media.” Munroe was placed on paid suspension and, later, fired. The District had no regulation specifically prohibiting a teacher from blogging on his or her own time. The Third Circuit affirmed dismissal of Munroe’s 42 U.S.C. 1983 suit; under the Pickering balancing test, Munroe’s speech, in both effect and tone, was sufficiently disruptive so as to diminish any legitimate interest in its expression, and did not rise to the level of constitutionally protected expression. View "Munroe v. Central Bucks Sch. Dist." on Justia Law

by
Wyndham has licensed its brand name to approximately 90 independently owned hotels, each having a system that processes consumer information, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham manages the systems and requires the hotels to configure them to its specifications to connect to Wyndham’s network. The FTC filed suit under 15 U.S.C. 45(a), alleging that Wyndham engaged in unfair cybersecurity practices that, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft. The company: allowed Wyndham-branded hotels to store payment card information in clear readable text and allowed use of easily guessed passwords; failed to use “readily available security measures,” such as firewalls; allowed hotel systems to connect to its network without taking appropriate cybersecurity precautions; and did not follow “proper incident response procedures,” so that hackers used similar methods in three attacks, but has published a privacy policy on its website that overstates its cybersecurity. Hackers stole information for hundreds of thousands of consumers leading to $10.6 million in fraudulent charges. The district court denied Wyndham’s motion to dismiss. On interlocutory appeal, the Third Circuit agreed that the FTC has authority to regulate cybersecurity under the unfairness prong of section 45(a); and, that Wyndham had fair notice its specific practices could fall short of that provision. View "Fed. Trade Comm'n v. Wyndham Worldwide Corp" on Justia Law

by
Aaron’s stores sell and lease residential and office furniture, consumer electronics, and appliances. Byrd leased a laptop computer from Aspen, an Aaron’s franchisee. Although Byrd asserts that she made full payments, an Aspen agent came to repossess the laptop, claiming that the payments had not been made. The agent allegedly presented a screenshot of a poker website Byrd had visited as well as a picture of Byrd taken by the laptop’s camera. Aspen obtained the picture and screenshot through spyware named “PC Rental Agent” that can collect screenshots, keystrokes, and webcam images from the computer and its users. Between November 16, 2010 and December 20, 2010, the Byrds alleged that this spyware secretly accessed their laptop 347 times on 11 different days. According their putative class action, alleging violation of the Electronic Communications Privacy Act, 18 U.S.C. 2511, 895 customers had surveillance conducted through PC Rental Agent. Concluding that the proposed classes were not ascertainable, the district court denied class certification. The Third Circuit reversed. The court erred by: misstating the rule governing ascertainability; engrafting an “underinclusive” requirement; finding that an “overly broad” class was not ascertainable; and improperly applying precedent to the issue of whether “household members” could be ascertainable. View "Byrd v. Aaron's Inc" on Justia Law

by
Erdely was investigating online distribution of child pornography when he discovered a computer on a peer-to-peer network sharing 77 files that he suspected contained child pornography. With information available to anyone, he found the Internet protocol address (IP address) through which it connected to the internet. Searching publicly available records, Erdely determined that the IP Address was registered to a Comcast subscriber and obtained a court order. Comcast gave Erdely the Neighbor’s name and Pittsburgh address. Erdely executed a warrant. None of the Neighbor’s computers contained child pornography or the file-sharing software; his wireless router was not password-protected. Erdely deduced that the computer sharing child pornography was connecting without the Neighbor’s knowledge. With the Neighbor’s permission, Erdely connected a computer to the router for remote access. Later, while working in Harrisburg, Erdely learned that the computer was again sharing child pornography on the Neighbor’s IP address. Erdely determined the mooching computer’s IP address and MAC address, which belonged to an Apple wireless card. Erdely had not discovered any Apple wireless devices in the Neighbor’s home, so he decided to use a “MoocherHunter” mobile tracking software tool, which can be used by anyone with a directional antenna. Not knowing which residence the signal was coming from, Erdely proceeded without a warrant. From the sidewalk the MoocherHunter’s readings were strongest when aimed at Stanley’s apartment. Erdely obtained a warrant for Stanley’s home. When officers arrived, Stanley fled, but returned and confessed that he had connected to the Neighbor’s router to download child pornography. Erdely seized Stanley’s Apple laptop and recovered 144 images and video files depicting child pornography. Stanley was charged with possession of child pornography, 18 U.S.C. 2252(a). The district court denied a motion to suppress. The Third Circuit affirmed. Use of the MoocherHunter was not a search under the Fourth Amendment. View "United States v. Stanley" on Justia Law

by
Apple introduced the iPad in 2010. To send and receive data over cellular networks (3G), customers had to purchase a data contract from AT&T and register on an AT&T website. AT&T prepopulated the user ID field on the login screen with customers’ email addresses by programming servers to search for the user’s Integrated Circuit Card Identifier to reduce the time to log into an account. Spitler discovered this “shortcut” and wrote a program, the “account slurper,” to repeatedly access the AT&T website, each time changing the ICC-ID by one digit. If an email address appeared in the login box, the program would save that address. Spitler shared this discovery with Auernheimer, who helped him to refine the account slurper, which collected 114,000 email addresses. Auernheimer emailed the media to publicize their exploits. AT&T fixed the breach. Auernheimer shared the list of email addresses with Tate, who published a story that mentioned some names of those whose email addresses were obtained, but published only redacted email addresses and ICC-IDs. Spitler was in California. Auernheimer was in Arkansas. The servers t were physically located in Texas and Georgia. Despite the absence of any connection to New Jersey, a Newark grand jury indicted Auernheimer for conspiracy to violate the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2)(C) and (c)(2)(B)(ii), and identity fraud under 18 U.S.C. 1028(a)(7). The Third Circuit vacated his conviction. Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.” View "United States v. Auernheimer" on Justia Law