March 24, 2014

More Internet Privacy Cases Take Up Court Bandwidth

Shelia Watson  /  Charleston Digital News

Legal issues surrounding Internet privacy were hot topics in the courts recently, with high-profile companies defending their rights to access users' private information.

Last week, U.S. District Judge Lucy Koh tossed out efforts to win class-action status for a lawsuit that accused Google of violating the privacy of email users. The issue involves whether Google retrieved information from emails without permission. Similar lawsuits had been filed across the country and were consolidated into Koh's courtroom in San Jose.

In her ruling, Judge Koh noted that it is not possible to know which users consented to Google's privacy policies. Although she blocked any future filing of class-action lawsuits, she ruled that individual users may file their own lawsuits.

Another incident last week involved Microsoft's self-defense of an email search it conducted to identify the person who stole its trade secrets and sent them to an unidentified blogger based in France.

Upon receiving the secrets, the blogger sent it to a third party to verify its authenticity. The third party alerted Microsoft to a possible theft. Upon receiving that information, Microsoft searched the blogger's Hotmail account to identify the original sender. The ensuing criminal investigation led to one of Microsoft's employees being arrested for stealing and sending trade secrets to someone outside the company.

After Microsoft caught flak for reading a user's emails, the company defended its right to do so in a court complaint filed against the employee. John Frank, Microsoft's general counsel and vice president of legal & corporate affairs, took to Microsoft's legal blog on Thursday to explain the company's position.

"In this case, we took extraordinary actions based on the specific circumstances," Frank said.

However, being allowed to access email accounts may not be an extraordinary occurrence. Microsoft's terms of service agreement allow the company to access content "when Microsoft forms a good faith belief that doing so is necessary [to] protect the... property of Microsoft."

Microsoft is not alone in this policy. Other major email providers reserve almost exactly the same rights:

Yahoo requires its users to "acknowledge, consent and agree that Yahoo may access... your account information and Content... in a good faith belief that such access... is reasonably necessary to... protect the rights... of Yahoo."

Google's terms require that users "acknowledge and agree that Google may access... your account information and any Content associated with that account... in a good faith belief that such access... is reasonably necessary to... protect against imminent harm to the... property... of Google."

And Apple states that it "may, without liability to you, access... your Account information and Content... if we have a good faith belief that such access... is reasonably necessary to... protect the... property... of Apple."

Last week also saw the Federal Trade Commission file an amicus brief in a class action suit against Facebook regarding its use of teenagers' likenesses in "sponsored stories" posts.

The district court, in approving a settlement of the class action suit, ruled that objections raised by some potential class members on points of California state law were not valid. The original court ruling stated that provisions of the Children's Online Privacy Protection Act (COPPA) related to children under 13 and preempted state laws regarding the privacy of children older than 13.

In its brief, the FTC argued that "COPPA's preemption provisions do not apply to state privacy protections for teenagers, who are not covered by COPPA. COPPA's provisions apply to children under the age of 13. The FTC's filing does not address the merits of the underlying class action suit nor the merits of the settlement."

The Electronic Privacy Information Center also filed an amicus brief in the case on behalf of the users. EPIC, a 501c3 public interest research center in Washington, D.C., was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment and constitutional values. In 2009, EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the FTC that eventually required Facebook to improve its privacy practices.

The cases involving email and online privacy come just a few months after some of these same companies reached a compromise with the Department of Justice that will allow them to reveal more information about how often they are ordered to turn over customer information to the government in national security investigations.

In January, the DOJ reached agreements with Google, Microsoft, Yahoo, Facebook and LinkedIn that resolve the legal challenges the companies faced before the Foreign Intelligence Surveillance Court.

The companies had requested a ruling from judges that would allow them to disclose data on national security orders the companies have received under the Foreign Intelligence Surveillance Act. Some of these companies were among several U.S. Internet businesses identified as giving the NSA access to customer data under the program known as PRISM.

The companies said they wanted to make the disclosures in order to correct inaccuracies in news reports and to calm public speculation about the scope of their cooperation with the government. The companies insisted that only a fraction of their customers' accounts have been subject to legal orders.

The delivery of such customer information from the Internet companies to the government has been under scrutiny in the United States since leaks surfaced about National Security Agency surveillance by former NSA systems analyst Edward Snowden.