I’ve been remiss in posting on the recent stories about potential employers requesting social networking login information in job interviews, but I see that noted cybercrime expert Orin Kerr, a law professor at George Washington University, was on C-SPAN’s Washington Journal this morning, and his comments in the first few minutes of this recording basically sum up what I had to say on this issue: it’s unclear, but such activity may be prohibited by federal law. I just have one additional point to add: although the specific policy result here may seem obvious, the larger question of when use of a dodgily-obtained password violates unauthorized access statutes is actually a much more difficult one.
The civil case Orin refers to in the recording is Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (FSH), 2009 WL 3128420, 2009 U.S. Dist. LEXIS 88702 (D.N.J. Sept. 25, 2009). In Pietrylo, the District of New Jersey upheld a jury verdict against the defendant employer under the Stored Communications Act, 18 U.S.C. § 2701, which prohibits any person from “intentionally access[ing] without authorization a facility through which an electronic communication service is provided . . . and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.” Pietrylo and other employees participated in a private chat group on MySpace in which they were critical of Hillstone management. One of the managers requested that one of the participants give him her password, which she did, on the reasonable supposition that she “felt that [she] probably would have gotten in trouble” if she refused. Continue reading “Can a Prospective Employer Request Facebook Login Information?”
Now available online, the recently published student comments in the Marquette Law Review cover a wide range of topics. They include Nathan Petrashek’s comment on the impact of online social networking on Fourth Amendment privacy. Since social networking sites like Facebook and MySpace attract both criminals (e.g., sexual predators, identity thieves) and the police who investigate them, the question whether users have a reasonable expectation of privacy in their voluntary disclosures under the well-established Katz test is poised to become a significant issue in the near future. Petrashek relies on Fourth Amendment doctrine, as well as the First Amendment right of association and good public policy, to argue that user content should be shielded from police scrutiny in the absence of a warrant.
Meanwhile, Marvin Bynum’s Golden Quill-winning comment addresses the feasibility of establishing offshore wind farms in Lakes Michigan and Superior. Continue reading “New Law Review Comments Cover Social Networking, Wind Farms, Deceptive Trade Practices Act, Open Records Law, and Purchase Money Security Interests”
Yesterday, the United States Supreme Court heard oral argument in the public employee informational privacy case of NASA v. Nelson (oral tanscript here). Rather than reinvent the wheel on this one, I want to direct reader’s to Prof. Lior Strahilevitz’s (Chicago Law) excellent analysis of the oral argument on PrawfsBlawg.
Here are some highlights:
Having read the transcript, it seems likely that the Court will reverse the Ninth Circuit and hold that the government may ask open-ended questions as part of a security clearance process for government employees. Beyond that, though, very little is clear . . . .
Continue reading “NASA v. Nelson and Public Employee Informational Privacy”
Let’s say you’re the plaintiff in a civil case against a neighbor, an employer, or a company you’ve done business with. One of the many pains of litigation is the discovery process–the process whereby each side collects information that it believes will help it win the case. Discovery can come in many forms, such as conducting depositions (sworn testimony from witnesses), requesting documents, or even requesting permission to visit a site and look around.
But let’s say that you have a Facebook account. The other side believes that some of your Facebook communications might be relevant to the case, so they specifically request access to your account. You refuse, and the issue goes to the court to sort out (if you’re in federal court, under Rule 37, for those of you playing at home). How should the court rule? Specifically, what should the court order you to do? Do you have to give the password for your account over to a party that, to put it mildly, you are probably not on the best of terms with?
Surprisingly, at least one court has said yes [Update: see comments below], and I believe similar requests are being made in courts all around the country. I believe this is a deeply disturbing development and is the result of either a failure to understand social networking technology, the rules of civil procedure, or both. Continue reading “Can You Be Forced to Turn Over Your Social Network Passwords in a Civil Case?”
In the past, I have written about my belief that public employees’ rights to sexual privacy should enjoy the same protection afforded First Amendment rights to speech and religion.
So far, courts have been unreceptive to my claims that post-Lawrence v. Texas, the right to sexual privacy represents a heightened constitutional right which should lead only to employer interference with that right if the employer has a legitimate and substantial justification for so doing. The most recent example of courts’ lack of receptivity to this argument comes from the Eleventh Circuit yesterday. Continue reading “Intimate Associations and Public Employment”
The United States Supreme Court granted cert today in the public employee privacy case of NASA v. Nelson, No. 09-530 (petition for cert here). The case will consider whether NASA, a federal agency, violated the informational privacy rights of employees, who worked in non-sensitive contract jobs, by asking certain invasive questions during background investigations.
General Kagan, for the government, filed the petition for cert and is asking the Court to overturn the 9th Circuit decision which directed a district court to issue a preliminary injunction on behalf of contract workers at NASA’s Jet Propulsion Laboratory (JPL) operated by the California Institute of Technology under a contract with the federal government. The General maintains that the privacy expectations of the employees are minimal because they have are in the government employment context, these are standard background forms that the government is using, and the Privacy Act of 1974 protects this information from disclosure to the public.
The case was originally brought in 2007 by twenty-eight scientists and engineers employed as contractors at JPL on behalf of a potential class of 9,000 employees that NASA classifies as low-risk employees. Questions included in the background check ask about “any treatment or counseling” for illegal drug use, and forms issued to references seek “adverse information” about the workers’ employment, residence, and activities regarding violations of the law, financial integrity, abuse of alcohol or drugs, mental or emotional stability, general behavior, and “other matters.”
This will be an interesting case for a number of reasons. Continue reading “Supreme Court Takes Public Employee Informational Privacy Case”
Danielle Citron over at Concurring Opinions invited me to write a guest post expanding on a comment I wrote yesterday on her post on the Google Buzz story. I’m reposting it here with more of the links enabled, which got lost in translation:
Google’s new social networking service, Google Buzz, has obviously been all over the news lately, in part for various complaints about Google’s privacy practices. Those complaints have focused on the way in which Buzz, enrollment in which was automatic for Gmail users, initially defaulted to effectively sharing users’ email contacts with the public. EPIC has filed a complaint with the FTC arguing that this combination of automatic enrollment and “opt-out” of information-sharing was an unfair or deceptive trade practice in violation of Section 5 of the FTC Act.
But that’s not what caught my attention in Danielle’s post. What really set off alarm bells in my head was Danielle’s recounting how her children and their friends, all under the age of 13, suddenly had their Gmail accounts turned into Google Buzz accounts, and then proceeded to upload all sorts of information about themselves using the service. That raises the prospect that Google Buzz, by collecting such information without getting the appropriate parental consent, violated the Children’s Online Privacy Protection Act, or COPPA. I haven’t seen any discussion of this issue anywhere else.
COPPA is one of the few privacy statutes with real bite: it has strict rules that require substantial effort to follow, and the FTC has shown itself to be a vigorous enforcer. Indeed, the FTC has gone after two social networking sites for COPPA violations recently, and in one case imposed a fine of $1 million. So is Google violating COPPA? The answer is unclear but there’s definitely risk for Google here. Continue reading “Does Google Buzz Violate COPPA?”
No, this post is not about the singer Rockwell or that annoying Geico commercial, but about whether you should just assume that your boss monitors your email.
A new Wall Street Journal article suggests that is what exactly may be happening, but now there is some push back from employees and their advocates:
Big Brother is watching. That is the message corporations routinely send their employees about using email.
But recent cases have shown that employees sometimes have more privacy rights than they might expect when it comes to the corporate email server. Legal experts say that courts in some instances are showing more consideration for employees who feel their employer has violated their privacy electronically . . .
In past years, courts showed sympathy for corporations that monitored personal email accounts accessed over corporate computer networks. Generally, judges treated corporate computers, and anything on them, as company property.
Now, courts are increasingly taking into account whether employers have explicitly described how email is monitored to their employees.
That was what happened in a case earlier this year in New Jersey, when an appeals court ruled that an employee of a home health-care company had a reasonable expectation that email sent on a personal account wouldn’t be read.
To be honest, I don’t think this a new trend at all (though it makes a nice theme in a WSJ story). Since I was practicing management side employment law back in the late 90s, we would advise clients routinely that they had to have clear language in their employee handbooks that employees had no expectation of privacy in their computers, internet browsing, or emails.
Nothing new, but still a good practice for employers to follow if they want to avoid this type of lawsuit.
Hat Tip: Joe Seiner
Sean Samis has posted a lengthy response to my post expressing “different” thoughts on the Iowa decision on same-sex marriage. I thank him for his response and, while I think he has got it wrong, he’d get a great grade for his efforts in my Law & Theology seminar or Wisconsin Supreme Court class and so he deserves a response. Given the length of the remarks that I am about to make, I once again thought it better to post separately.
I have come to believe that the underlying presumptions of proponents and opponents of same-sex marriage are almost ontological in their differences about the nature of the law and the way in which it shapes and is shaped by society. We are all hard-wired now days to think of constitutional law as, largely, the mediation between the “rights” of individuals and the “demands” of the state. The former are seen as radically subjective, while the latter are the sum of their legal incidents. The former are not to be judged, and the latter are often examined for their “fit” without regard for their interaction with extralegal norms and institutions.
We also are steeped in an almost eschatological view of the law in which we see the claims of some new “discrete and insular minority” as analogous to those advanced during the civil rights movement and somehow validated by an Hegelian move toward “equality” and progressivism. Continue reading “More Thoughts on Marriage”
According to this breathless story on CNET, sinister congressional forces are afoot attempting to impose a record-keeping requirement on home networks. But as I warn my Internet Law students every year, you just can’t rely on CNET posts on legislative developments, particularly the more sensational the headline. And that turns out to be true here as well. I doubt anyone in Congress actually intends to require home network users to maintain visitor logs. If that unexpected result does come about, it’s because Congress and the courts are miscommunicating. There’s a deeper problem with the relevant statutory language here, but it’s one that’s been around for a while.
Here’s the situation: wrongdoing on the Internet is often difficult to track down, because often the only reliable traces a malfeaser leaves behind is their computer’s IP address. It’s a bit like having someone’s phone number show up on caller ID. But unlike phone numbers, IP addresses often change. If the phone company didn’t keep any track of who had what phone numbers, the police or victims of harassment wouldn’t have any way of using the number to track the perpetrator down. It’s the same with IP addresses. Usually internet access providers keep track of who they assign IP addresses to, but there’s no requirement that they do so. There’s also no requirement that they keep such information for any particular length of time—it’s purely up to them, and storing data costs money, so ISPs purge their logs on a regular basis. So suppose a kidnapper logs into Gmail and sends an email with a ransom demand to the victim’s family. If Google chooses not to keep any access logs, there may be no way for the police to track the kidnapper down, even if the kidnapper took no steps to cover his or her tracks.
Enter the Internet SAFETY Act, yet another in the long line of recent Congressional bills with cutesy acronyms.
Continue reading “Is Congress About to Require Home Users to Keep Wi-Fi Logs?”
This recent post over at Consumerist caught my eye: A person loses his cell phone. Before he lost it, he set it up to blind-copy him on all emails sent from the cell phone. Let’s assume for the sake of argument that he did this (as the post recommends) as a “pretty brilliant low-tech security solution for tracking down a lost/stolen phone or laptop.” Pretty soon, someone finds the cellphone and begins using it, evidently with no attempt to locate the owner. The readers of Consumerist are collectively able to track the finder down within 55 minutes and get him to promise to return the phone, which he actually did.
Naturally, I had the same reaction to this story that anyone else would: Is that a violation of the Wiretap Act?
Continue reading “Can You Bug Your Own Cellphone?”
Over on Concurring Opinions, Dan Solove reports on a recent Wisconsin Court of Appeals case involving Wisconsin’s video voyeurism law, Wis. Stat. § 942.09(2)(am). The case is State v. Jahnke, 2007AP2130-CR (Dec. 30, 2008). Wisconsin is one of a number of states that have adopted such statutes, which generally bar videotaping someone without their consent who is in a situation in which they have a “reasonable expectation of privacy.” Wisconsin’s version makes a violation a Class I felony.
Dan comments on the heartening aspect of the opinion, which is that it avoids the “trap” of assuming that privacy is all or nothing. In Jahnke, the defendant recorded his then-girlfriend as they were having sex without her permission. She obviously consented to being viewed naked by the defendant, but did not consent to it being recorded. The issue before the court was whether the girlfriend had a “reasonable expectation of privacy” under the statute.
The majority said yes, and Dan cogently explains why that’s a good outcome as a policy matter. But of course, judges don’t usually get to make policy decisions, they make interpretation decisions, and their power to interpret is cabined by all sorts of rules. That’s where the dissent, authored by Judge Charles P. Dykman, veers off from the majority opinion.
Continue reading “Wisconsin Court of Appeals Decides Important Video Privacy Case”