Accidental Access, 'Catfishing' and Unsecured Wi-Fi

There are a host of federal and state computer privacy laws that protect networks and devices from hacking and unauthorized access or otherwise prohibit unlawful destruction of data by unauthorized parties. For example, the Federal Stored Communications Act (SCA; http://bit.ly/GO8eBX) prohibits, under certain circumstances, unauthorized access to a person's e-mail communications. See, e.g., Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013) (former supervisor who without authorization read ex-employee's personal Gmail account messages following the employee's return of her company Blackberry device may be liable for those e-mails that plaintiff had yet to open before the defendant did so because these e-mails could be defined as “stored” under the SCA).

However, computer privacy laws become more difficult to apply in cases of “accidental” access.

For example, in Marcus v. Rogers, 2012 WL 2428046 (N.J. App. Div. June 28, 2012) (unpublished), a teacher in the computer room inadvertently bumped the mouse of an adjoining computer and the screen opened to a superior's personal e-mail Inbox, with subjects discussing the teacher's current dissatisfaction with his salary. The teacher printed out the e-mail threads and used them during the debate at the next teachers' association meeting. The e-mail account holder and others in the e-mail thread brought claims under several New Jersey state computer fraud statutes, including the Computer-Related Offense Act (CROA), N.J. Code '2A:38A-3 and the Wiretapping and Electronic Surveillance Control Act (WESCA), P.L. 1999, c.151 (A-3014). Regarding the CROA claim, relating to the unauthorized taking of computer data, the court found that the plaintiffs failed to prove they were “damaged in business or property,” as required by the statute. Concerning the WESCA claim, which requires, in part, “knowingly accessing without authorization a facility through which an electronic communication service is provided,” the issue was whether the defendant knowingly acted without authorization or exceeded authorization. The court refused to overturn the jury's finding of “tacit authorization” to access the e-mail account, based upon the fact that the inbox was displayed on the screen automatically and the various messages were accessible without the need for a username and password.

In Marcus, the court stressed that it was possible for the jury to determine that access wasn't necessarily unauthorized because the e-mail account was immediately accessible on the computer screen. The case brings up a related issue of whether the same logic would apply to someone snooping into another's smartphone that was left “unlocked,” or whether leaving out a tablet computer unprotected by any passcode gives a third party implicit permission to access the data that appears on the screen after being activated. In the above hypotheticals, it is also uncertain whether such apparent authorization might end when a third party takes an extra step to view data, such as tapping an icon to load an app, thereby discovering personal information.

'Catfishing'

“Catfishing” is a term used to describe “[t]he phenomenon of [I]nternet predators that fabricate online identities and entire social circles to trick people into emotional/romantic relationships (over a long period of time).” See , www.urbandictionary.com/define.php?term=Catfishing (last visited July 1, 2013). The term came into the public consciousness during a noteworthy incident involving a college football player named Manti Te'o, who had reportedly played in a game after learning that his grandmother and girlfriend died on the same day. Upon further investigation, two reporters learned that, despite some contrary statements, the player had only interacted with his long-term girlfriend online, and in fact, her entire existence was a hoax. The controversy surrounding the catfishing scheme embarrassed Te'o and purportedly affected his selection position in this year's NFL draft.

The question of whether a catfishing prank can result in liability or other adverse consequences depends upon the circumstances, as such hoaxes range from harmless prank and hyperbole to financial scams and harassment. In many cases, despite the equities of the situation, plaintiffs may have difficulty in finding a viable cause of action. For example, in Bonhomme v. St. James, 970 N.E.2d 1 (Ill. 2012), the Illinois Supreme Court considered only one issue: Does an individual commit fraudulent misrepresentation by assuming a fictitious online identity and fomenting a virtual romance with a gullible individual that ends with genuine heartbreak and quantifiable monetary loss? The plaintiff brought fraudulent misrepresentation, intentional infliction of emotional distress, and related claims stemming from a fraudulent two-year online relationship that defendant allegedly maintained by creating a fictitious love interest named “Jesse.” Jesse and plaintiff exchanged photos, handwritten letters, and the plaintiff sent $10,000 in gifts, and during telephone calls, the defendant used a voice-altering device to disguise her female voice. When plans on moving in together ended with Jesse's supposed demise, the parties met and the charade unraveled.

On appeal, the only surviving issue was whether plaintiff's fraudulent misrepresentation claim was viable, since the plaintiff was procedurally barred from raising an intentional infliction of emotional distress claim. The court granted the defendant's motion to dismiss, finding that the claim traditionally applied to business transactions and has never been recognized in a “purely personal” setting.

In another case, a catfishing prank resulted in the suspension of two students from a university. In Zimmerman v. Board of Trustees of Ball State Univ., 2013 WL 1619532 (S.D. Ind. April 15, 2013), two students perpetrated a catfishing prank on an ex-roommate that involved creating a Facebook page for a fictitious teenage girl named “Ashley,” hiring a local teenager to impersonate “Ashley” in pictures sent to the victim, and initiating online conversations with the victim. After setting up a movie date, the students videotaped the victim entering the theater, informed him of the hoax, and then posted the video to a social media site with the title “[the Victim] is a pedophile.” After receiving the students' signed admissions of fault, the university determined that the students violated the school Code of Conduct prohibiting harassment and invasion of privacy and suspended the students for one year. The students brought suit seeking to overturn the suspension or enjoin the school from enforcing its Code of Conduct on several grounds, including due process and claims that their conduct was not objectionable under the Code. The court dismissed the suit, concluding that the university had the authority to regulate the students' conduct, that their conduct violated the Code's provisions, and that their actions were plainly objectionable.

Open Wi-Fi Connections

High-speed wireless connections have been widely adopted by more and more users who want Internet connectivity across many devices in their home. However, a home Wi-Fi network presents certain security risks if the account holder fails to secure the wireless network, including leaving computers vulnerable to monitoring or malicious attacks by anyone within range of the wireless access point. An unsecured Wi-Fi access point also allows others to potentially use the open connection for infringing activity ' though an individual piggybacking on another's Wi-Fi signal has little expectation of privacy concerning the signals emanating from his or her device. See generally, United States v. Stanley, 2012 WL 5512987 (W.D. Pa. Nov. 14, 2012) (Wi-Fi piggybacker did not have a legitimate expectation of privacy in the wireless signal he caused to emanate from his computer to his neighbor's wireless router and the wireless signal he received back from the neighbor's wireless router in order to connect to the Internet).

Several recent cases have considered the issue of whether an individual who allows others to access his Wi-Fi network can be liable for the copyright infringement of others using the network. In Liberty Media Holdings v. Tabora, 2012 WL 2711381 (S.D.N.Y. July 9, 2012), an adult film producer brought negligence and copyright claims against a Wi-Fi account holder for knowingly allowing his roommate to regularly download copyrighted content and failing to put a stop to it. The court found that the negligence claim was preempted by the Copyright Act because the rights that the plaintiff sought to vindicate by its negligence claim ' the imposition of liability on one who knowingly contributes to a direct infringement by another ' were already protected by the Copyright Act under the doctrine of contributory infringement. See also, AF Holdings v. Rogers, 2013 WL 358292 (S.D. Cal. Jan. 29, 2013) (there was no underlying duty to ensure that the Internet connection was not used to infringe the plaintiff's copyright).

In another case involving a Wi-Fi account holder facing negligence claims over allowing a third party to download infringing material over his Wi-Fi network, the court dismissed the claim based upon immunity under '230 of the Communications Decency Act (CDA). See, AF Holdings v. Doe, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012). Among the many grounds for dismissal, the court found that the Wi-Fi account holder was entitled to CDA immunity because the negligence cause of action treated him as the publisher of damaging content based on his alleged role as the provider of a conduit or Internet connection for the objectionable material and that the infringing material was distributed or provided by an unknown third-party downloader who was using the defendant's Wi-Fi network.

Richard Raysman is a Partner at Holland & Knight. Peter Brown is a Partner at Baker & Hostetler and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).

The Federal Trade Commission (FTC) has been closely watching the privacy issues of the day ' online targeted advertising, mobile data tracking, geolocation information, facial recognition technology and other similar issues that impact consumers. The increasing use of Web browsing and other user data has stirred some users to reconsider the unspoken “bargain” that exists on social media and other interactive websites, namely, that privacy sacrifices in the form of targeted marketing and data collection subsidize free content and services and promote a robust online ecosystem. However, beyond the larger debate over digital privacy, new practices and technologies have emerged ' some of which cross ethical norms ' that do not neatly fit within the boundaries of existing privacy laws.

This article discusses several contemporary privacy issues, including: whether accidental access to another's e-mail account constitutes unauthorized computer access; whether the use of a fictitious online identity can lead to civil liability; and whether the account holder of an unsecured home Wi-Fi network can be found liable for infringing activities by third parties using the network.

Accidental Access

There are a host of federal and state computer privacy laws that protect networks and devices from hacking and unauthorized access or otherwise prohibit unlawful destruction of data by unauthorized parties. For example, the Federal Stored Communications Act (SCA; http://bit.ly/GO8eBX) prohibits, under certain circumstances, unauthorized access to a person's e-mail communications. See, e.g., Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013) (former supervisor who without authorization read ex-employee's personal Gmail account messages following the employee's return of her company Blackberry device may be liable for those e-mails that plaintiff had yet to open before the defendant did so because these e-mails could be defined as “stored” under the SCA).

However, computer privacy laws become more difficult to apply in cases of “accidental” access.

For example, in Marcus v. Rogers, 2012 WL 2428046 (N.J. App. Div. June 28, 2012) (unpublished), a teacher in the computer room inadvertently bumped the mouse of an adjoining computer and the screen opened to a superior's personal e-mail Inbox, with subjects discussing the teacher's current dissatisfaction with his salary. The teacher printed out the e-mail threads and used them during the debate at the next teachers' association meeting. The e-mail account holder and others in the e-mail thread brought claims under several New Jersey state computer fraud statutes, including the Computer-Related Offense Act (CROA), N.J. Code '2A:38A-3 and the Wiretapping and Electronic Surveillance Control Act (WESCA), P.L. 1999, c.151 (A-3014). Regarding the CROA claim, relating to the unauthorized taking of computer data, the court found that the plaintiffs failed to prove they were “damaged in business or property,” as required by the statute. Concerning the WESCA claim, which requires, in part, “knowingly accessing without authorization a facility through which an electronic communication service is provided,” the issue was whether the defendant knowingly acted without authorization or exceeded authorization. The court refused to overturn the jury's finding of “tacit authorization” to access the e-mail account, based upon the fact that the inbox was displayed on the screen automatically and the various messages were accessible without the need for a username and password.

In Marcus, the court stressed that it was possible for the jury to determine that access wasn't necessarily unauthorized because the e-mail account was immediately accessible on the computer screen. The case brings up a related issue of whether the same logic would apply to someone snooping into another's smartphone that was left “unlocked,” or whether leaving out a tablet computer unprotected by any passcode gives a third party implicit permission to access the data that appears on the screen after being activated. In the above hypotheticals, it is also uncertain whether such apparent authorization might end when a third party takes an extra step to view data, such as tapping an icon to load an app, thereby discovering personal information.

'Catfishing'

“Catfishing” is a term used to describe “[t]he phenomenon of [I]nternet predators that fabricate online identities and entire social circles to trick people into emotional/romantic relationships (over a long period of time).” See , www.urbandictionary.com/define.php?term=Catfishing (last visited July 1, 2013). The term came into the public consciousness during a noteworthy incident involving a college football player named Manti Te'o, who had reportedly played in a game after learning that his grandmother and girlfriend died on the same day. Upon further investigation, two reporters learned that, despite some contrary statements, the player had only interacted with his long-term girlfriend online, and in fact, her entire existence was a hoax. The controversy surrounding the catfishing scheme embarrassed Te'o and purportedly affected his selection position in this year's NFL draft.

The question of whether a catfishing prank can result in liability or other adverse consequences depends upon the circumstances, as such hoaxes range from harmless prank and hyperbole to financial scams and harassment. In many cases, despite the equities of the situation, plaintiffs may have difficulty in finding a viable cause of action. For example, in Bonhomme v. St. James, 970 N.E.2d 1 (Ill. 2012), the Illinois Supreme Court considered only one issue: Does an individual commit fraudulent misrepresentation by assuming a fictitious online identity and fomenting a virtual romance with a gullible individual that ends with genuine heartbreak and quantifiable monetary loss? The plaintiff brought fraudulent misrepresentation, intentional infliction of emotional distress, and related claims stemming from a fraudulent two-year online relationship that defendant allegedly maintained by creating a fictitious love interest named “Jesse.” Jesse and plaintiff exchanged photos, handwritten letters, and the plaintiff sent $10,000 in gifts, and during telephone calls, the defendant used a voice-altering device to disguise her female voice. When plans on moving in together ended with Jesse's supposed demise, the parties met and the charade unraveled.

On appeal, the only surviving issue was whether plaintiff's fraudulent misrepresentation claim was viable, since the plaintiff was procedurally barred from raising an intentional infliction of emotional distress claim. The court granted the defendant's motion to dismiss, finding that the claim traditionally applied to business transactions and has never been recognized in a “purely personal” setting.

In another case, a catfishing prank resulted in the suspension of two students from a university. In Zimmerman v. Board of Trustees of Ball State Univ., 2013 WL 1619532 (S.D. Ind. April 15, 2013), two students perpetrated a catfishing prank on an ex-roommate that involved creating a Facebook page for a fictitious teenage girl named “Ashley,” hiring a local teenager to impersonate “Ashley” in pictures sent to the victim, and initiating online conversations with the victim. After setting up a movie date, the students videotaped the victim entering the theater, informed him of the hoax, and then posted the video to a social media site with the title “[the Victim] is a pedophile.” After receiving the students' signed admissions of fault, the university determined that the students violated the school Code of Conduct prohibiting harassment and invasion of privacy and suspended the students for one year. The students brought suit seeking to overturn the suspension or enjoin the school from enforcing its Code of Conduct on several grounds, including due process and claims that their conduct was not objectionable under the Code. The court dismissed the suit, concluding that the university had the authority to regulate the students' conduct, that their conduct violated the Code's provisions, and that their actions were plainly objectionable.

Open Wi-Fi Connections

High-speed wireless connections have been widely adopted by more and more users who want Internet connectivity across many devices in their home. However, a home Wi-Fi network presents certain security risks if the account holder fails to secure the wireless network, including leaving computers vulnerable to monitoring or malicious attacks by anyone within range of the wireless access point. An unsecured Wi-Fi access point also allows others to potentially use the open connection for infringing activity ' though an individual piggybacking on another's Wi-Fi signal has little expectation of privacy concerning the signals emanating from his or her device. See generally, United States v. Stanley, 2012 WL 5512987 (W.D. Pa. Nov. 14, 2012) (Wi-Fi piggybacker did not have a legitimate expectation of privacy in the wireless signal he caused to emanate from his computer to his neighbor's wireless router and the wireless signal he received back from the neighbor's wireless router in order to connect to the Internet).

Several recent cases have considered the issue of whether an individual who allows others to access his Wi-Fi network can be liable for the copyright infringement of others using the network. In Liberty Media Holdings v. Tabora, 2012 WL 2711381 (S.D.N.Y. July 9, 2012), an adult film producer brought negligence and copyright claims against a Wi-Fi account holder for knowingly allowing his roommate to regularly download copyrighted content and failing to put a stop to it. The court found that the negligence claim was preempted by the Copyright Act because the rights that the plaintiff sought to vindicate by its negligence claim ' the imposition of liability on one who knowingly contributes to a direct infringement by another ' were already protected by the Copyright Act under the doctrine of contributory infringement. See also, AF Holdings v. Rogers, 2013 WL 358292 (S.D. Cal. Jan. 29, 2013) (there was no underlying duty to ensure that the Internet connection was not used to infringe the plaintiff's copyright).

In another case involving a Wi-Fi account holder facing negligence claims over allowing a third party to download infringing material over his Wi-Fi network, the court dismissed the claim based upon immunity under '230 of the Communications Decency Act (CDA). See, AF Holdings v. Doe, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012). Among the many grounds for dismissal, the court found that the Wi-Fi account holder was entitled to CDA immunity because the negligence cause of action treated him as the publisher of damaging content based on his alleged role as the provider of a conduit or Internet connection for the objectionable material and that the infringing material was distributed or provided by an unknown third-party downloader who was using the defendant's Wi-Fi network.

Richard Raysman is a Partner at Holland & Knight. Peter Brown is a Partner at Baker & Hostetler and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).