Computer Fraud and Abuse Act

An artist purchased old Razr cell phones and then published what he found on those phones in a new book after his original artistic idea fell through.

You can watch Andrew Horansky’s KHOU-TV story to learn more of what happened.

You can also read more on it here from Dwight Silverman’s TechBlog.

From the legal perspective, there are several issues that immediately come to mind:

Copyright.  Genrerally speaking, if you took the picture, you own the copyright.   If the picture you took made it in the book, you could claim a copyright violation.  You would have a difficult time claiming any damages, but you might be able to get an injunction if you really pushed.  There is a possibility that the artist’s use is a fair use for artistic/critical purposes or that using the image with the others is a transformative use.  It is also possible to claim the copyright was abandoned and so the images are in the public domain, but that usually requires an express declaration that you don’t care if people copy your images rather than simply being careless and leaving it on your phone.

You could also claim a copyright in the texts, but short phrases and titles are not subject to copyright and there is some requirement of originality.  “Can’t wait 2 C U 2night and by U I mean ur penis” may not cut it.

Invasion of Privacy.   Many states recognize a common law claim for invasion of privacy.  Generally, a plaintiff would have to show the artist intentionally intruded on the person’s private affairs in a highly offensive manner.  This claim would require the jury to look at the reasonableness of all parties and may blame the person who turned over his phone without wiping it clean.

The claim for misappropriation of likeness for a commercial likeness also falls under privacy claims.  Generally, you would have to show the artist purposefully appropriated your likeness or name in a way where your likeness can be identified for a commercial purpose without your permission.  This claim usually applies to the use of celebrities without their permission more than an Average Joe, but you could argue this is not art or newsworthy and the artist is merely trying to make money from using the picture of you.

Computer Fraud and Abuse Act.   The CFAA is usually anti-hacking statute, but you could argue the artist knew he did not have authority to access the images and text and therefore exceeded his authority on a protected computer.  Would these older Razr phones be considered a computer and could you ever prove the necessary $5,000 in damages to bring such a claim?  It could be worth exploring.

Based on the reports, the artist appears ready to work with anyone who may be upset with his book, so this may be an academic discussion.  In fact, it does sound like a law school essay question.  You would just have to add a few additional juicy facts like one of the images included a picture of a famous copyrighted picture while another was a video of a famous musician before they were famous singing someone else’s copyrighted song.   Thank goodness I’m not in law school anymore.

Lesson Learned.  The obvious lesson is to make sure you clean your cell phone or smart phone before you upgrade.  Imagine if these phones belonged to a lawyer, doctor or other regulated profession and it had personal information.   You should have a policy in place to prevent this type of mistake from happening.

Earlier this month, a federal judge ruled that when a company took over a departing employee’s LinkedIn account, the company did not violate the Computer Fraud and Abuse Act in the case of Eagle v. Edcomm.

I blogged about this case in my prior post Who Owns Your Twitter Followers and LinkedIn Connections?  While the ruling has gotten some publicity (The Technology and Marketing Law Blog’s, Kevin O’ Keefe and Ars Technica), it certainly does not answer the question of who owns the LinkedIn account and what rights do employers have.  The narrow ruling on the CFAA clarifies the application of the statute designed for hackers, but doesn’t come close to resolving what a simple agreement would solve.

Background of the Case

Linda Eagle had a “personal” LinkedIn account with thousands of connections related to her banking education business–Edcomm.  Eagle sold Edcomm, but stayed on as an employee.  When things soured, the new owners fired Eagle and immediately changed the password to the LinkedIn account locking out Eagle.  The company redirected Eagle’s account to go to the new CEO’s account with a new picture and contact information.

The company claimed it created and maintained the account and there was an unwritten policy that employees turned over their LinkedIn accounts when they left.   Eagle provided Edcomm with her LinkedIn password and allowed the company to help her manage the account.    

In an earlier ruling, the court said the LinkedIn connections were not a trade secret because anyone could see them as they were publicly displayed.  The court, however, allowed the misappropriation of an idea claim to go forward based on a dispute about whose idea it was to generate the content on the LinkedIn account.

The Ruling  

The court has now dismissed Eagle’s claim under the CFAA and the Lanham Act.  As mentioned, the CFAA was designed to address hacking and it requires more than $5,000 in a statutorily-defined “loss.”  So, the issue before the court was not really whether the CFAA was violated or who owned the account, but whether Eagle, who was acting pro se at the time, suffered a sufficient “loss.”

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11).   

Eagle claimed she lost: (1) a $100,000 business opportunity because she could not access messages on LinkedIn; (2) monies to regain access to the account (she went at least 22 weeks without access); (3) damage to her reputation; and (4) loss of value to the account. 

The court responded: 

None of these allegations suffice to create a genuine issue of material fact as to the existence of cognizable damages under the CFAA for two reasons.  Primarily, Plaintiff is not claiming that she lost money because her computer was inoperable or because she expended funds to remedy damage to her computer.  Rather, she claims that she was denied potential business opportunities as a result of Edcomm’s unauthorized access and control over her account.  Loss of business opportunities, particularly such speculative ones . . . is simply not compensable under the CFAA.”

Thefore, the court dismissed the CFAA claim.  

The court summarily dismissed the Lanham Act claim because when anyone accessed Eagle’s account, they would find the new CEO’s name, photograph and new position so there could be no consumer confusion.

The court allowed the conversion, invasion of privacy and missappropriation state law claims to proceed in a trial that should be starting any day.  Those issues may actually shed light on who owns the account.

 But what is it all worth?

It seems to me that Eagle is spending a lot of efforts for loss of access to her account for 22 weeks.  She has already gone through two lawyers and is now pro se.  What was the real damage? From Edcomm’s perspective, what was the real gain?  If there were trade secrets on the account, there are prohibitions and ways to address that without seizing the entire account (or at least seizing it for that long). 

Who Owns What? 

If you’re a company and you want the account,  put it in a contract or employment policy.  If you’re an individual and you want the account, follow these guidelines:

  1. Have it under your name and don’t mix it with the company or brand.
  2. Set up the account yourself.
  3. Populate the content yourself.
  4. Don’t give out the password.

I’m looking forward to a case that parses through personal versus company accounts and when one can become the other.  As explained by Professor Goldman and Venkat Balasubramani, it is not even clear whether California’s new social media privacy law would help in this case because of the failure to make these factual distinctions.

Until there is precedential guidance, I think it is simply a balancing test as to who should own it.  For 99% of us, this won’t be an issue.  Why would anyone want my LinkedIn account or Twitter followers?  

If I amassed a million connections on followers under a LinkedIn Account or Twitter handle specifically referencing Looper Reed’s brand with Looper Reed’s assistance (think of media personalities), then it becomes a little more gray.  As any lawyer will tell you, eliminate the gray with a contract.

Usually the company gets in trouble for exceeding their authority and snooping around employee’s personal Facebook and email. This time, a company tried to claim the employee violated the Computer Fraud and Abuse Actfor accessing Facebook and personal email while at work without permission.

The employee was terminated and sued the company for pregnancy discrimination. The company counterclaimed under the CFAA. The company tried to take advantage of a recent court of appeals ruling that held an employee who uses the office computer for personal use in violation of existing policies “exceeds authorized access” which made the employee subject to criminal liability. The CFAA criminalizes such actions so why not file a counterclaim against the employee for “excessive internet usage” for spending too much time on Facebook and personal email.

The court explained the CFAA is a criminal statute originally designed to target hackers. The statute, however, is not geared for excessive personal use at the office. To make a CFAA civil claim, you have to prove damages to the data or the company. Creatively, the company argued lost productivity, but that argument was soundly rejected.

Had this been allowed, half my office with me included could be in trouble. “Exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Hence, it is a problem when the employer accesses the employee’s personal websites, but not when an employee accesses their own personal sites. She only visited personal websites and did not download trade secrets or destroy company data which is where employers usually make CFAA claims.