Friday, March 22, 2013

Webwatcher, Wiretapping and Interception


This post examines an opinion issued in a civil suit:  Luis v. Zang, 2013 WL 811816 (U.S. District Court for the Southern District of Ohio 2013).  It was initiated by Javier Luis, who originally filed his complaint in a federal court in Florida, but the defendants had the case “removed” to the federal court in Ohio.  Luis v. Zang, supra.  

In his complaint, Luis alleged that Awareness Technologies, “a software `maker’ in Los Angeles, California”,

`intentionally targets their product at spouses in their marketing campaigns enticing them with the lure of finding out everything that goes on in the targeted computer's private accounts,’ in a manner that goes `far beyond . . . the legal monitoring of children and employees.’ . . . 

[Luis] alleges Awareness `knew or should have known that their powerful and potentially dangerous product needed to have more stringent measures built in against illegal interception of communications,’ and that Defendant is `therefore guilty of negligence and product liability in that its product was unsafely put in the hands of consumers who [Awareness] knew or should have known would use it for illegal purposes, and targeted . . . this behavior in their marketing campaigns.’ . . .

In the same paragraph . . ., [Luis] references an alleged settlement agreement between the Federal Trade Commission and a different company (non-party CyberSpy, LLC) concerning what [he] alleges to be similar marketing practices for a similar product called `RemoteSpy.’

With respect to [Awareness Technologies’] software product, [Luis] alleges that his own computer (in Florida) `may have been infected’ with spyware, through [his] internet communications with Cathy Zang. . . . [He] alleges that his own oral, email, and instant message communications with Ms. Zang were wrongfully intercepted by Defendant Joseph Zang, both through the use of WebWatcher software, and via other audio and video recording devices.

Luis v. Zang, supra.  (The opinion notes that “Joseph Zang is one of the individually named Defendants” in the lawsuit”, but Cathy Zang is not.”  Luis v. Zang, supra.)

As to Luis’ legal claims, the opinion explains that in his complaint, he alleged that

Awareness Technologies . . . is responsible for all `marketing and production’ of a computer software product called `WebWatcher.’ . . . [Luis] alleges that Awareness violated federal . . . wiretapping laws when other individual defendants -- unaffiliated with Awareness -- purchased and installed WebWatcher software on a home computer in Ohio, for the purpose of permitting Joseph Zang to conduct electronic surveillance of his then-wife, Cathy Zang.

Although [Luis] alleges he has never met Cathy Zang in person, he alleges that he virtually met her, via a `Metaphysics’ internet chat room, in January or February 2009. . . . Shortly thereafter, [Luis] alleges that he began to have `daily’ communications, in the course of a `caring relationship’ with Ms. Zang via the telephone and computer. . . .

Luis v. Zang, supra.    

As noted above, Luis claimed that Awareness Technologies violated “the federal Wiretap Act . . . by intercepting [his] oral and electronic communication” and that he was entitled to “monetary damages and filed a Rule 12(b)(6) motion to dismiss Luis’ wiretapping cause of action for failure to state a claim.  Luis v. Zang, supra.  As Wikipedia notes, a Rule 12(b)(6) motion “is how lawsuits with insufficient legal theories underlying their cause of action are dismissed from court.”  If a lawsuit sufficiently alleges a viable legal claim, and has issues of fact to be determined, it will go to a trial (absent settlement).  If it does not allege a viable legal claim, the case cannot go forward. 

In its motion to dismiss, Awareness Technologies argued that WebWatcher does not

`intercept’ any communications, such as that term consistently has been defined under the federal Wiretap Act and parallel state statutes. Additionally, [it] argues that as a mere manufacturer, it cannot be held liable under any of the theories asserted by [Luis] for the alleged wrongful use of its software product. 

Luis v. Zang, supra.    

The federal district court judge who has this case referred it to a U.S. Magistrate Judge to assess the merits of the motion to dismiss and write an opinion explaining whether it should be granted.  Luis v. Zang, supra.  She began her opinion by explaining that

[t]o survive a Rule 12(b)(6) motion to dismiss, a plaintiff must provide more than `labels and conclusions, and a formulaic recitation of the elements of a cause of action.’  Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007).  The complaint must contain `either direct or inferential allegations respecting all the material elements to sustain a recovery under some viable legal theory.’ Lewis v. ACB Business Servs., Inc., 135 F.3d 389 (U.S. Court of Appeals for the 6th Circuit 1998).

Luis v. Zang, supra. 

The Magistrate Judge then addressed the issues in this case, noting that the

Federal Wiretap Act18 U.S. Code § 2510 et seq., . . . prohibit[s] the interception of `any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.’ 18 U.S. Code § 2510(4). However, when the federal wiretap law known as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 was first enacted, it was designed to protect telephone communications, not email . . . or other forms of electronic, internet-based communication. . . .

In 1986, Congress enacted the Electronic Communications Privacy Act (`ECPA’) to extend the reach of the existing wiretap law to transmissions of electronic data by computer. The ECPA did this through . . . Title I, known as the Wiretap Act, and an entirely new section in Title II, called the Stored Communications Act, see 18 U.S. Code §2701, et seq.  In general, the Stored Communications Act protects communications that are `stored’ electronically on computers, but does not provide the same degree of protection as offered by Title I (the Wiretap Act). 

Luis v. Zang, supra. 

The Magistrate Judge explained that the U.S. Court of Appeals whose decisions are binding precedent on the U.S. District Court for the Southern District of Ohio, the U.S. Court of Appeals for the 6thCircuit, has not yet addressed the issue raised by

this case: whether the Wiretap Act prohibits the use of software commonly known as `spyware’ to obtain another person's emails and/or a record of other computer activities.  However, other federal courts consistently have held that a defendant's access and review of email and other electronic communications does not violate the Wiretap Act unless it is `contemporaneous’ with the intended recipient's access. . . .

The courts adopting this holding have reasoned that the term `intercept’ as defined in the Wiretap Act requires interception of the communication either before it reaches the intended recipient, or `contemporaneous with transmission’ -- but not after it reaches that destination when presumably, the data is placed in electronic storage. See, e.g., U.S. v. Steiger, 318 F.3d 1039 (U.S. Court of Appeals for the 11th Circuit 2003).

Luis v. Zang, supra (emphasis in the original).

She then noted that

[a]ccording to an affidavit filed by the CEO of Defendant Awareness, the software at issue in this case is designed to record `various activities . . . such as e-mails sent and  case, defining the time frame in which this event occurs, the CEO further avers that the software sends all of the recorded activity over the internet to `an online account,’ where it can be viewed at a later time. 

Luis v. Zang, supra. 

The Magistrate Judge also explained that Luis was relying on

several cases involving `keylogger’ software to argue that such software has been held not to `intercept’ electronic communications under the Wiretap Act, because it only accesses `stored’ data. For example, in Bailey as in the instant case, a husband surreptitiously installed keylogger software on his then-wife's computer.

The court granted summary judgment to the husband on the Wiretap Act and comparable Michigan state law claims, based upon evidence that `the key logger only allowed Defendant Bailey to learn [email and IM account] passwords, which were used to [later] access and copy Plaintiff's email and messages,’ without any `contemporaneous’ interception of those messages. 

Luis v. Zang, supra.  (For more on the facts and the court’s decision in the Bailey case, check out this prior post.)

In arguing that there had been an “interception,” Luis relied on the U.S. Court of Appeals for the 7th Circuit’s decision in U.S. v. Szymuszkiewicz, 622 F.3d 701 (2010):

In Szymuszkiewicz, the Seventh Circuit affirmed the criminal conviction of a defendant who had secretly programmed his supervisor's email program to duplicate and send to him `within the same second’ all emails that were sent to her. . . . In affirming the conviction, the court rejected the defendant's argument that his actions did not violate the Wiretap Act because he did not `intercept’ the emails contemporaneously.

The court held that although the emails may have been forwarded to the defendant while in temporary `storage,’ the process would have been completed so close in time it was `contemporaneous by any standard.’

Luis v. Zang, supra.  (For more on the Szymuszkiewicz case, check out this prior post.)

The Magistrate Judge then found that there is a

distinction between `keylogger’ software that does not simultaneously transmit the user's data over the internet, and the type of `spyware’ (whether or not termed `keylogger’ software) that is `web-based.’ . . .

Unlike the cases relied upon by [Awareness Technologies], the facts presented involve immediate (or close to immediate) interception of keystrokes on a computer and transmission to the `spy's’ electronic account. For that reason, [Luis] asserts that the use of [Awareness Technologies’] keylogging software satisfies the definition of an `intercept[ion]’ under the Wiretap Act.

Luis v. Zang, supra. 

She found that “spyware can violate the Wiretap Act if it transmits captured or recorded information over the internet” and that timing is “irrelevant”.  Luis v. Zang, supra.  In so doing, she relied on the decision in Klumb v. Goan, 884 F.Supp.2d 644 (U.S.District Court for the Eastern District of Kentucky 2012), which held that whether the email is

rerouted within a `blink-of-an-eye’ is not of primary importance to the router switching analysis. If it were, a smart programmer could simply program the software to wait a certain amount of time before rerouting the email through the internet to the unauthorized third party.

The point is that a program has been installed on the computer which will cause emails sent at some time in the future through the internet to be rerouted automatically through the internet to a third party address when the intended recipient opens the email for the first time.

Luis v. Zang, supra.  The Magistrate Judge therefore rejected Awareness Technologies’ argument that no “intercept” had occurred, which meant the case could not be dismissed for that reason.  Luis v. Zang, supra. 

But the judge then found that Luis did not have a viable cause of action under the Wiretap Act against Awareness Technologies because the section of the Wiretap Act

that provides for a private civil remedy, 18 U.S. Code § 2520(a), limits the category of viable defendants to those individuals or entities that have `intercepted, disclosed, or intentionally used [a device] in violation of this chapter.’

Although manufacturers are not explicitly excluded, the choice of verbs used in the plain language of the statute makes clear the statute `does not contemplate imposing civil liability on software manufacturers and distributers for the activities of third parties.’ Potter v. Havlicek, 2008 WL 2556723 at *7 (U.S. District Court for the Southern District of Ohio 2008).

Luis v. Zang, supra. 

She therefore recommended to the district court judge who has the case that “all claims” against Awareness Technologies should be dismissed.  Luis v. Zang, supra. 

No comments: