Oral Argument Prep Flashcards
“The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address.” Your interpretation of “facility” reaches beyond the scope of what was unprotected by the Fourth Amendment and into items, i.e. a plaintiff’s personal computing device, that already have Fourth Amendment protection. (“Data and files on Personal Devices, however, are already protected by the Fourth Amendment and thus outside the SCA’s scope.”) How is this consistent with the purpose of the SCA?
The SCA was clearly intended to do more than just make sure the Fourth Amendment applies to the stored communications. If that was the case then there wouldn’t be a civil cause of action and there wouldn’t be any applicability at all to private actors. In addition, it would only apply to hacks which took place over the Internet. Instead, the SCA had a broader purpose – to protect the privacy of Americans’ stored electronic communications – whether the violation of their privacy was attempted by government actors or private actors – and whether they were attempting to communicate over the Internet or over internal communications networks that aren’t the broader Internet to which people usually refer when they think of electronic communications.
Defendants are also just plain wrong when they argue that “Data and files on Personal Devices are already protected by the Fourth Amendment and thus outside the SCA’s scope.” We believe Data and files on personal devices deserve Fourth Amendment protection, but it remains an open legal question – one which the Supreme Court is set to answer in its current term in two cases, United States v. Wurie and Riley v. California, and in which the Justice Department and State of California argue that smart phones are not covered by the Fourth Amendment.
However, if you assume that Defendants’ argument is true – that the SCA was designed to protect “data and files on Personal Devices not already protected by the Fourth Amendment” – and you look at the current state of the law regarding police searches and Personal Devices, this Court then must still conclude that the Act was intended to cover personal devices.
Plaintiffs’ Brief states that websites qualify as ‘users’ of electronic communications. Do the Defendants qualify as users?
They do to the extent they are part of an authorized communication. Defendants’ argument that they are users hinges on this Court’s acceptance of their argument that they were a party to the plaintiffs’ communications when the plaintiffs were using web-browsers designed specifically to block communications with the Defendants, but Defendants hacked their way past those blocking mechanisms – attempting to manufacture their own exception to the criminal and civil statutes at issue.
On the SCA “facilities” issue, you’re essentially saying that almost all of the other courts to look at this have gotten it wrong. Why should we upset what looks to be a growing consensus that Personal Devices aren’t facilities?
There’s not a growing consensus. This is an issue that hasn’t been litigated very many times. And several courts have held that “facilities” includes Personal Devices or anything which serves as a conduit for electronic communications services. The Ninth Circuit got it right in Quon when it explained that a “facility” is anything which served as a “conduit.” The Chance v. Avenue A Court got it right on this issue. Expert Janitorial and Becker v. Toca got it right on this issue. And so did the Court in In re: Intuit Privacy Litigation. Defendant cites cases which hold otherwise, but there’s no clear consensus. And it’s worth noting that none of these decisions – either the ones cited by the Defendants or the ones cited by Plaintiffs – are binding on this Court. This is a question of first impression in this circuit.
Plaintiffs ask for a common sense reading of the statute and additional consideration of both the broad purpose of the SCA (that it was designed to create a cause-of-action against computer hackers) and even the more narrow purpose urged by the Defendants (that it was designed to protect information not protected by the Fourth Amendment at the time of the SCA’s passage). From these, it’s obvious that the Act was intended to cover Personal Devices and any other thing that fits the definition of that “through which an electronic communication service is provided” – including browser-managed files on a personal computer.
The plaintiffs’ definition doesn’t require this Court to add words to the statute that just aren’t there. The Defendants, however, ask this Court to add words to the statute on its own. Read closely the Defendants’ leading case for its argument on facilities. In Garcia, the Fifth Circuit said a Personal Device can’t be a provider because the SCA is not designed to protect Personal Devices “that enable the use of an ECS, but instead are facilities that are operated by ECS providers and used to store and maintain electronic storage.” Then look at the actual statute. Where does the statute say a facility only counts if it’s operated by an ECS? The statute doesn’t include the words “operated by” anywhere with regard to the term “device.” Instead, a device is that “through which an ECS is provided.”
The words “operated by” don’t appear anywhere in the statute. And the reason is simple. The purpose of the statute is to protect the communications of end users. The statute accomplishes this goal by limiting the circumstances in which ECS providers may share a user’s information AND by protecting all facilities through which the ECS is provided.
It seems the plaintiffs have pled mutually exclusive facts. Under the Wiretap Act, you have to show an interception while a communication is in the course of delivery. Under the SCA, you have to show access to a communication while it is in storage. How is it possible to have both?
Because modern technology, specifically, packet-switching, allows a communication to be both ‘in transit’ and ‘in storage’ at the same time. The best explanation of this technology and its implications for the ECPA can be found in United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010). Either way, Plaintiffs have the right to file pleadings in the alternative and this is a factual issue to be resolved by expert testimony, not by a Motion to Dismiss for failure to state a claim.
**It’s highly unlikely this question will be asked given that none of the Defendants raised it as an issue. However, just in case the Court raises it on its own, I think a quick reference to Szymuszkiewicz would be sufficient and efficient.
The plaintiffs’ personal computers and browser-managed files don’t provide an ECS, so how can they qualify for protection under the SCA?
The SCA does not require that a facility be something that’s under the complete control of an ECS. Rather, it only says a facility is that “through which an ECS is provided.” If plaintiffs didn’t have computers, browser-managed files, or smartphones, HOW WOULD THEY ACCESS THE INTERNET TO TAKE ADVANTAGE OF AN ELECTRONIC COMMUNICATION SERVICE? They couldn’t. These facilities are vital to the provision of an ECS.
Explain why a URL isn’t just addressing information subject to Pen Register but not Wiretap?
This was the issue addressed directly by the FISA Court in the recently declassified NSA opinion plaintiffs provided to this Court. In that case, the NSA contended that “dialing, routing, addressing, or signaling information” and “contents” are “mutually exclusive” categories. The term “dialing, routing, addressing, or signaling information” is important because interception of this information is governed by the Pen Register Act, not the Wiretap Act.
The Defendants in this case make the same argument that the NSA did – and the FISA Court rejected it. A court which, plaintiffs note, was designed specifically to determine issues like this with regard to foreign intelligence practices of the United States government.
The FISA Court was right. A URL contains both “DRAS” information and content. The DRAS component comes from the fact that the URL is necessary for the browser and the server to pull up the relevant information. But it’s also “content” because it includes “any information concerning the substance, purport, or meaning of a communication.”
Consider the examples: www.oprah.com/health/Stop-Drinking-How-to-Get-on-the-Path-to-Sobriety or
http://progressivehealth.hubpages.com/How-Do-I-Reduce-Herpes-Breakouts. Clearly these URLs contain information about the substance of the communications between a person who requests such pages and the websites that send the information back.
It is beyond doubt that, with regard to emails, the to/from line of an email is “DRAS” information and the subject line is “content.” URLs essentially combine the to/from line with the subject line. In the examples mentioned today, the web addresses of oprah.com and hubpages.com, the parent websites present at the start of a URL, are the equivalent of the to/from line, and the file names of “Stop Drinking – How to Get on the Path to Sobriety” and “How Do I Reduce Herpes Breakouts” are akin to the subject lines of an email.
Plaintiff cites explosive or embarrassing URLs, but most of the time it’s probably boring stuff which no one really cares about. How does this rise to the level of a cause-of-action?
The Wiretap Act and case law are clear. It doesn’t matter whether the intercepted content is exciting or mundane. An intentional interception is enough. A plaintiff doesn’t even need to show that the information obtained is valuable. That’s because the statute is designed to protect privacy and the inherent dignity that comes along with it. We protect privacy because it’s a fundamental American value – and that protection is given teeth against intruding private parties by the Wiretap Act.
In Zynga, the Ninth Circuit held that URLs are not content. Why is this case different?
The Zynga opinion supports the plaintiffs’ position in this case. The URLs involved in the Zynga case were all Facebook URLs which followed the template of: www.facebook.com/username or www.facebook.com/groupname. These Facebook URLs are akin to a URL like a bare www.nytimes.com or www.washingtonpost.com. The URLs at issue in this case contain content because of the detailed file names. The Zynga Court was careful to point out that “under some circumstances, a user’s requests” could contain content – such as “a search term or similar communication made by the user.” The URLs in this case fall under the circumstances outlined by the Zynga Court.
You said the Defendants’ cases were inapposite because they were Fourth Amendment cases and not Wiretap cases. How does the analysis differ?
The Wiretap Act provides statutory protections beyond the minimums guaranteed by the Constitution. The Wiretap Act nowhere limits its protections to mere “expectations of privacy.” “Content” within the Wiretap Act’s protection is not co-extensive with expectations of privacy. Defendant Google is well aware of this distinction. In the Gmail scanning litigation in California, Google successfully argued that Gmail users have no “reasonable expectation of privacy” in emails. The court agreed, and dismissed a state eavesdropping claim. See In re: Google Inc. Gmail Litig., 2013 WL 5423918, at *22 (N.D. Cal. 2013). However, the court allowed a federal Wiretap Act claim to proceed. Id. at *24.
There are cases clearly holding that search terms are “content” and thus, protected. But this case is about more than search terms. Why should we extend the protection beyond search terms?
Full-string URLs that contain information like “How Do I Reduce Herpes Breakouts” are akin to a search term. In fact, if the plaintiff had typed that very information into their browser, there’d be no doubt that it would be content. Or if they had included it as the subject line of an email. Technology has sped up the process and allows plaintiffs to merely click on a link with those same particular words – but the intent of the web user is the same – they are making a communication to hubpages.com seeking information on how to avoid herpes outbreaks.
This is normal, everyday, commonplace activity endorsed by DoubleClick. How does this fall outside that holding?
Double-Click, Inc. (“DoubleClick”), founded in 1995 in New York, was one of the first internet ad-serving companies. It quickly became the dominant industry player, and, later, a subsidiary of Defendant Google Inc. (“Google”). DoubleClick’s third-party tracking cookies enabled the interception of users’ communications with external websites, typically without the users’ knowledge. A class action filed in New York on January 31, 2000 alleged that the tracking violated the SCA, the Wiretap Act and the CFAA, along with various state law rights. The Court dismissed the case on the theory of implied consent: “DoubleClick will not collect information from any user who takes simple steps to prevent DoubleClick’s tracking . . . [including] configuring their browsers to block any cookies from being deposited.” In re: DoubleClick Privacy Litigation, 154 F. Supp. 2d 497, 505 (S.D.N.Y. 2001); see also id. at 519 (finding that plaintiffs “consent to DoubleClick’s interceptions” under the Wiretap Act). DoubleClick turned largely on the notion that a user implicitly consents to tracking by not enabling the browser’s easily activated cookie blocking mechanism.
Plaintiffs’ case differs greatly from DoubleClick. Plaintiffs here, unlike the plaintiffs in DoubleClick, used browsers set to block tracking cookies. CAC ¶ 69 (A101). But starting in 2011 (or possibly as early as 2009), five unrelated online ad-serving companies, including the four Defendants-Appellees, developed a multi-step method to secretly hack past the already set, default cookie blocking settings on the Safari and Internet Explorer browsers of many users. Covert tracking followed.
Explain how the alleged interceptions worked in plain English.
Safari
The Apple Safari web-browser was designed to block third-party cookies. However, it had an exception for cookies placed by third-party websites after a user filled out a form to that third-party. The Defendants in this case tricked the plaintiffs’ web-browsers by filling out an invisible form that the Defendants purported to be the action of the plaintiffs. With this fake form filled out, Safari allowed the third-party defendants to place their tracking cookies.
IE
Internet Explorer was also designed to block third-party tracking cookies. However, it allowed an exception where a third-party website’s privacy policy was written in a language that IE did not understand. The defendants in this case knew their cookie privacy policies violated the terms of IE’s third-party tracking cookie rule. However, rather than honestly informing IE of their privacy policies through computer code that IE would recognize, the Defendants wrote their policies in plain English on a part of the Internet that real-world users would never read. Because IE did not understand plain English, it was tricked into permitting Defendants to place their cookies on the plaintiffs’ computers.
Defendants argue that iPhone and plaintiffs and this case are reading an “intent” requirement into the one-party consent rule. They say the plain text of the statute does not contain the requirement.
** Vibrant’s Response claims, “When one person communicates something to another, the recipient is, in plain English, a party to that communication – regardless of what caused the communication or whether the sending party intended for the communication to happen. Here, then, it is simply irrelevant for purposes of the Wiretap Act how or why the URLs in question were communicated by Plaintiffs to (Defendants) because, as parties to those communications, (Defendants) were exempted from Wiretap Act liability by the one-party-consent rule, no matter what circumstances led to their receiving the URLs.”
The Defendants’ logic is essentially, “We received what the Plaintiffs sent, therefore we are a recipient.” Accepting the Defendants’ logic, there is no such thing as a Wiretap anywhere. They’ve created a wonderful tautology from their point of view: if you receive it, then you are a party to it. This, however, turns the statute on its head.
Consider a real-world Wiretap where law enforcement gets judicial permission to place a tap on a suspect’s phone. Then, unbeknownst to the subject, when the subject dials a number, the contents of their conversations go to two separate locations – once to the intended recipient of their call, and also to the law enforcement officer tapping their phone call. Under the Defendants’ logic, that law enforcement officer, because he received the communication from the plaintiffs’ phone, isn’t actually conducting a wiretap at all. This is absurd logic, which, if accepted, would effectively repeal the Wiretap Act.
Or consider an example from the world of computers. What if the Defendants had tricked the plaintiffs’ email programs into sending a copy of every email the plaintiffs sent or received to the Defendants from the plaintiffs’ email program? Under the Defendants’ logic, because the Plaintiffs’ email program had sent the communication, the Defendants would be parties to the communications regardless of what caused that communication. And the Defendants would be immune from suit. Defendants’ clever argument was present in the case of United States v. Szymuszkiewicz, where the 7th Circuit found that a Defendant was liable under the Wiretap Act under these exact circumstances.
Why aren’t the Wiretap Act and Stored Communications Act mutually exclusive?
Because modern technology, specifically, packet-switching, allows a communication to be both ‘in transit’ and ‘in storage’ at the same time. The best explanation of this technology and its implications for the ECPA can be found in United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010).
Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965, 971 (C.D. Cal. 2010)
• Congress enacted the SCA “because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address.”
Theofel v. Farey-Jones, 359 F.3d 1066, 1072-73 (9th Cir. 2004)
• For elements of claim.
Cousineau v. Microsoft Corp., Case No. C11-1438-JCC (W.D. Wash. June 22, 2012)
- Congress chose a broad term – facility – because it intended the statute “to cover a particular function, such as Internet access, as opposed to a particular piece of equipment providing that access.”
- SINCE ABANDONED in No. C11-1438, 2014 WL 1232593 at 7 (W.D. Wash. Mar. 25, 2014) (Holding that the plaintiff’s phone – which did not provide “services to other users in a server-like fashion, but instead received the relevant services from Microsoft” – was not a facility).
Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 902 (9th Cir. 2008)
• Case law provides that under 18 U.S.C. 2701(a), any conduit for an electronic communications service is an SCA “facility.”
Chance v. Avenue A, 165 F.Supp.2d 1153, 1161 (W.D. Wash. 2001)
• “[V]iewing this factual dispute in the light most favorable to the non-movant … it is possible to conclude that modern computers, which serve as a conduit for the web server’s communication to Avenue A, are facilities covered under the act.”
Expert Janitorial, LLC v. Williams, 2010 WL 908740 at 5 (E.D. Tenn. 2010); Becker v. Toca, 2008 WL 4443050 at 4 (E.D. La. 2008).
- “Plaintiff’s computers on which the data was stored may constitute ‘facilities’ under the SCA.”
- “[T]he language of § 2701 of the SCA does not require that a plaintiff’s computers be ‘electronic communications service provider[s],’ rather, what the statute requires is that a plaintiff’s computers or workplace be a ‘facility’ through which an ECS is provided.” Expert Janitorial.
In re: iPhone Application Litigation, 844 F.Supp.2d 1040, 1058 (N.D. Cal. 2012)
• District Court conflated “facility” with an “ECS” just as the court did in the iPhone App case
In re: Intuit Privacy Litigation, 138 F.Supp.2d 1272, 1282, n. 3 (C.D. Cal. 2001)
• SCA “does not require that plaintiffs’ computers be ‘communication service providers’ only that they be a facility through which an electronic communications service is provided.”
Crowley v. Cybersource Corp., 166 F.Supp.2d 1263, 1270 (N.D. Cal. 2001)
• A fundamental point that the District Court overlooked is that most websites clearly qualify as “users” of electronic communication services because, in order to communicate with Internet users, web sites must use the services of some other entity. Crowley v. Cybersource Corp, 166 F.Supp.2d 1263, 1270 (N.D. Cal. 2001)(Amazon.com was a “user” of an ECS, not a provider.)
Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F.Supp.2d 817, 820 (E.D. Mich. 2000)
• Purpose of SCA “to create a cause of action against computer hackers.”
Freedman v. AOL, 325 F.Supp.2d 638, 643 (E.D. Va. 2004)
• The SCA prohibits disclosures of subscriber information and the contents of subscriber communications by electronic communication service providers “unless the disclosure comes within one of the six exceptions set forth in § 2702(c).”
Garcia v. City of Laredo, Tex., 702 F.3d 788, 792 (5th Cir. 2012); Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 901-03 (9th Cir. 2008); U.S. v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003)
- Courts to consider the question have consistently held that ECS providers are third-party entities that provide a service enabling their users or subscribers to send or receive electronic communications.
- REPLY: Agree with requirements. Apple Safari and Microsoft IE fit the requirements.
Garcia v. City of Laredo
- “The relevant ‘facilities’ that the SCA is designed to protect are not computers [or mobile devices] that enable the use of an ECS, but instead are the facilities that are operated by [ECS] providers and used to store and maintain electronic storage.”
- REPLY: This adds words to the statute that just aren’t there. The statute prohibits access to “a facility through which an ECS is provided.” The words “operated by” don’t appear anywhere in the statute. And the reason is simple. The purpose of the statute is to protect the communications of end users. The statute accomplishes this goal by limiting the circumstances in which ECS providers may share a user’s information AND by protecting all facilities through which the ECS is provided.
iPhone Application Litigation
- Personal Devices are not “operated by” ISPs or other ECS providers. The notion that Personal Devices (or files stored on them) are “operated by” web-browsers – the purported ECS providers here – is even more preposterous.
- REPLY: Again, Defendants attempt to add a requirement to the statute that just doesn’t exist in real-life. The statute says, “a facility through which an ECS is provided.” It does not say “a facility operated by an ECS provider and through which such ECS is provided.”
Cousineau – 2014
- Holding that cell phones could be facilities would “lead to the anomalous result that [the relevant ECS provider] could grant third parties access to Plaintiff’s cell phone.”
- REPLY: Wrong. ECS provider could grant access to facility only to extent to which it’s used for purpose of providing the ECS – and limited to circumstances listed in statute and business reality.
Crowley
- “It would certainly seem odd that the provider of a communication service could grant access to one’s home computer to third-parties, but that would be the result of [plaintiff’s] argument.”
- Defendant Amazon had not “accessed plaintiff’s computer” at all because the plaintiff had “sent his information to Amazon electronically.” As in Crowley, the allegations here show that Defendants merely “received a voluntary transmission of information Plaintiff’s web-browsers.”
- REPLY: Wrong. ECS provider could grant access to facility only to extent to which it’s used for purpose of providing the ECS – and limited to circumstances listed in statute and business reality.
United States v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003)
- The SCA “does not appear to apply to … hacking into [a personal] computer.”
- Child porn case. SCA portion only a tiny part.
Freedom Banc Mort. Servs., Inc. v. O’Harra, No. 11-1073, 2012 WL 3862209 at 9 (S.D. Ohio Sept. 5, 2012); Shefts v. Petrakis, No. 10-1104, 2013 WL 489610 at 4 (C.D. Ill. Feb. 8, 2013).
• “The relevant facilities that the SCA is designed to protect are not computers that enable the use of an ECS, but instead are facilities that are operated by ECS providers and used to store and maintain electronic storage.”
C.A.I.R. v. Gaubatz, 793 F.Supp.2d 311, 334-35 (D.D.C. 2011)
• No SCA claim if access was only to plaintiffs’ computers.
Fraser v. Nationwide Mut. Ins. Co., 135 F.Supp.2d 623, 636 (E.D. Pa. 2001)
• The SCA “covers a message that is stored in intermediate storage temporarily, after the message is sent by the sender, but before it is retrieved by the intended recipient.” Communications in “post-transmission storage” are “not in temporary, intermediate storage.”
Danvers Motor Co., Inc. v. Ford, 432 F.3d 286, 291 (3d Cir. 2005)
“Injury-in-fact is not Mt. Everest.”
Warth v. Seldin, 422 U.S. 490, 500 (1975)
- The strength or weakness of the merits has nothing to do with standing.
- Defendants’ privacy invasions, in violation of statutory prohibitions, suffice for statutory standing, with or without plaintiffs’ financial harm.
- For statutory standing, “the question” is simply whether the statutes under which plaintiffs alleged their claims “grant persons in the plaintiff’s position a right to judicial relief.” If plaintiffs are subject to those statutes’ protections, plaintiffs have standing to claim under them. Merits come later.
Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)
• Defendants’ privacy invasions, in violation of statutory prohibitions, suffice for statutory standing, with or without plaintiffs’ financial harm.