TechLaw

Earlier this year I blogged about a Vermont divorce court's recognition of the fact that the First Amendment places limits on a court's ability to enjoin divorcing couples' ability to write nasty things about each other on the Internet. The court recognized the issue, but did not decide it, given the court's limited subject-matter jurisdiction.

Yesterday a California appellate court weighed in with a fuller analysis in another case involving a trial court's decision to enjoin a spouse from posting on the Internet allegedly defamatory remarks about her husband.

A couple lessons can be drawn from the California court's opinion. The First Amendment does not allow for injunctions against future, unspecified defamatory statements. However, a narrowly tailored injunction to protect privacy interests -- such as a real threat of personal harm -- is possible if the interest is sufficiently compelling.

Alleged Defamatory Remarks: Injunction Was Prior Restraint

Following a hearing, the trial court issued an order enjoining the wife (and her mother) "from publishing false and defamatory statements and/or confidential personal information about [the husband] on the internet. ..."

Two distinct types of information are implicated here: allegedly defamatory statements about the husband, and statements that allegedly violated the husband's privacy rights. The court's analysis was different for each type.

The appellate court concluded that the decision to enjoin the wife's allegedly defamatory Internet speech was an unconstitutional prior restraint. California courts applying the First Amendment to defamation claims have concluded that an injunction is constitutional only to the extent it prohibits a person from repeating statements that have been determined during a trial to be defamatory. Here, whether or not the wife's prior online publications were defamatory had yet to be determined, and the injunction was broader than a mere ban on repeating what the husband alleged the wife to have previously posted online. This aspect of the trial court's order also suffered from constitutional vagueness and overbreadth flaws, the court said, because it "fails to adequately delineate which of [the wife's] future comments might violate the injunction and lead to contempt of court."

Alleged Invasion of Privacy: Balancing Test Required

Taking up the portion of the trial court's injunction forbidding the wife from posting online "confidential personal information," the court ruled that a balancing test was required, an inquiry that weighed the husband's privacy interests against the wife's free speech constitutional rights. Relevant factors here included whether the husband is a public figure, the nature of the information involved, whether the information is of legitimate public concern, the extent of harm caused by online publication of the information, and the strength of the private and governmental interest in preventing its publication.

The first problem with the trial court's order was that it failed to define "confidential personal information." Without a clear definition, it is impossible to assess the extent of the husband's privacy interests and difficult for the wife to determine what information she was prohibited from placing on the Internet, the court said.

The husband claimed that the wife would, if permitted, post his telephone number, address, and social security number on the Internet. The husband argued that, because he is a deputy sheriff, posting this information would jeopardize his safety. And the court agreed, ruling that a court would be "fully justified" in enjoining the publication of this kind of information on the Internet:

We agree that a court would be fully justified in issuing an order preventing a party from putting this type of identifying information about another person on the Internet, particularly where, as here, that person is a law enforcement officer. To the extent that [the husband] seeks such an order and supports this request for evidence, the court would be justified in immediately ordering that this type of information be kept private. Such a restriction does not involve information that has any public value and would serve the significant public interest of protecting the safety of a law enforcement officer.

However, the court noted, the trial court's injunction was not limited to this kind of information. Any injunction prohibiting the online publication of any "confidential personal information" is vague, overbroad, and not narrowly tailored, the court said. On remand, the trial court should determine exactly which information the husband wants to keep private, and then engage in a balancing test to determine whether there is a compelling reason that the information be kept private. Information contained in court files is not necessarily exempt from disclosure, the court cautioned; in fact, it said, there is a presumption that this information is a matter of public record. Personal safety could be a compelling reason, the court suggested, but any order protecting this interest must be narrowly tailored so it does not interfere with the wife's First Amendment rights.

Update: The Citizens Media Law Blog also has a comment and more background information about the case.

The case is Evans v. Evans, No. D051144 (Calif. Ct.App., May 12, 2008).

A recent case, Bailey v. Bailey, No. 07-11672 (E.D. Mich., Feb. 6, 2008), held that the unauthorized access of a person's already-read e-mail violates the Stored Communications Act, 18 U.S.C. 2701. The court followed Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003), in what was a ruling of first impression on this issue in the Sixth Circuit. The defendant used surreptitiously installed keylogger software to capture his wife's e-mail account password and then used this knowledge to read her e-mail.

The plaintiff didn't challenge her husband's use of the keylogger under the federal wiretap law, but she did bring claims under a pair of Michigan eavesdropping statutes. She lost, revealing a big hole in Michigan's scheme for protecting electronic information. The first statute, MCL 750.539c, protects "conversations," and the court held here that a keylogger eavesdrops on keystrokes not "conversations." The second statute, MCL 750.539d, makes it unlawful to install a device that eavesdrops on "the sounds or events in that place." Here again, the court made a very literal reading of the law, holding that because a keylogger "only records electronically what keystrokes are pressed on a keyboard" -- not "sounds or events" -- the statute did not reach the defendant's conduct.

The court held, however, that the plaintiff had a common law cause of action for the privacy tort of intrusion upon seclusion. She will have to prove at trial that her husband's installation and use of the keylogger is "objectionable to a reasonable man." Let's hope the court meant man and woman.

Legislation to outlaw the unauthorized installation of keystroke loggers has been under consideration by the Michigan state legislature for several years now. The latest proposal, Senate Bill 145, would create a civil cause of action with $10,000 in statutory damages for the unauthorized installation of keyloggers.

Not all state eavedropping laws are as rooted in the physical world as the Michigan statutes involved in Bailey. In Rich v. Rich, No. 2007-01538 (Mass. Super., Nov. 26, 2007), the court held that a husband's act of installing a keylogger on a family computer (which he used to gain access to his wife's e-mail account password, just as in Bailey), violated a Masschusetts law that protected the "contents" of wire and oral communications. "Contents" is defined by the Massachusetts statute as "any information" concerning the existence, contents, of meaning of a communication.

Looking over the TRUSTe 2007 Most Trusted Companies for Privacy announcement this morning, I was surprised to see Weight Watchers listed at #22 -- the very bottom -- of their consumer survey results.

Lower than Google (#11), a company literally in possession of a goldmine of personal information that  Privacy International calls "hostile" to privacy and the Electronic Privacy Information Center contends fails to "take adequate steps to safeguard the personal data that is collected" through search queries and through the routine operation of its many other online services.

Lower than Bank of America (#20), which Privacy Rights Clearinghouse reports had five separate data breach incidents between June 29, 2005, and April 12, 2007.

Lower than America Online (#4), a company that in 2006 accidentally posted to the Web 20 million search  queries entered by 658,000 individuals using AOL's client software. This incident drew a class action lawsuit, which I checked on just now. The case, Ramkissoon v. AOL LLC, No. 06-cv-5866 (N.D. Calif., complaint filed Sept. 22, 2006), was dismissed in early 2007 for improper venue.

Lower than a slew of other, giant data-processing companies.

Americans, Weight Watchers is not watching our weight.

Weight Watchers does not record what we eat or when we eat it. Until the day comes when our bathroom scales have IP addresses, Weight Watchers has no ability to monitor and record our weight. Their mission seems considerably more benign. According to David Kirchhoff, President, Weight Watchers International, "Our singular mission as an organization is to help people lose weight in a sustainable way by helping them adapt a healthier lifestyle and a healthier relationship with food and activity."

I trust David on this one. When it comes to privacy, I worry more about Google than Weight Watchers.

Another reason for Weight Watcher's relatively low performance in the TRUSTe game might be that the study does not actually measure which companies provide the most robust privacy protection. Instead, it measures a company's reputation for privacy protection. Two different notions entirely. Because in the United States there is no universally acknowledged set of information privacy rights or a shared concept of privacy harms, companies are free to shape the public's perception of what privacy looks like (for example, the presence of a privacy policy on the Web site, or a privacy seal, or the hiring of a privacy officer), and then work assiduously to cultivate a reputation for privacy that aligns with this definition. Moreover, companies with sterling reputations in other aspects of their business -- such as customer service or product quality -- are able to transfer those positive brand reputations to their privacy practices. The TRUSTe survey acknowledges this point:

Based on previous consumer studies we have conducted, we have found that consumer perceptions about privacy and trust can be influenced by a number of factors. In fact, the consumer ratings may not reflect at all the actual privacy practices of the company and its good effort to protect the personal information of its customers and employees.

Leaving aside the goofiness of scoring Weight Watchers lower than Google or any number of other companies in the report, TRUSTe's essential insight is valuable. Having a reputation for privacy is as good for business as providing strong privacy protections. Right now, in the United States at least, when it comes to privacy, form is more valuable than substance.

Here is TRUSTe's complete list, with the highest-ranking companies at the top:

Most Trusted Companies for Privacy
Consumer Survey Results March 2007

American Express
Charles Schwab
IBM
America Online
Amazon
Johnson & Johnson
U.S. Postal Service
E-Bay
Procter & Gamble
Nationwide
Google
E-Loan
WebMD
Dell
Countrywide
USAA
Disney
Hewlett-Packard
U.S. Bank
Bank of America
Intuit
Weight Watchers

If you're the sort of person who thinks "self-regulation" is an oxymoron, today's news about a massive data breach in the United Kingdom is reason to be thankful.  Reportedly, the British government misplaced digital media containing detailed personal information on 25 million individuals. Privacy advocates in the United States believe that a massive data breach of the sort disclosed today is necessary to stimulate action on pending federal data breach notification bills.

Maybe and maybe not. The United Kingdom already has strict data protection laws -- more rigorous than anything that could pass the current Congress -- and yet  these laws were unable to prevent the carelessness of a few government officials. On the other hand, one might argue that, since today's data breach episode demonstrates the near-impossibility of adequately protecting databases of personal information, perhaps the government should not be creating them in the first place.

A study presented today at Carnegie Mellon University's Workshop on the Economics of Information Security suggests that Web users are more willing to purchase from online businesses that offer strong privacy protections and that they are willing to pay a premium for privacy protection.

These findings challenge the conventional wisdom that Web users do not make buying decisions based on privacy concerns and, in fact, that Web users willingly surrender personal information in exchange for very little in return.

According to the authors of The Effect of Online Privacy Information in Purchasing Behavior: An Experimental Study, Web users seem not to value privacy because Web site privacy information is not being conveyed to them in a meaningful way. Privacy policies, the study's authors contend, are "invisible" to Web users: they are rarely read, they are difficult to comprehend when read, and most users mistakenly believe that the presence of a privacy policy means that their personal information is protected.

The study put privacy information front-and-center through the use of a technology called PrivacyFinder, a tool that processes a Web site's Platform for Privacy Preferences (P3P information) and presents the information in an easy-to-read "privacy meter" graphic. Survey participants, when presented with privacy information in this format, "tend[ed] to purchase from online retailers who better protect their privacy."