Justia Internet Law Opinion Summaries

Articles Posted in US Court of Appeals for the Third Circuit
by
Clemens, then an employee, provided ExecuPharm with sensitive information, including her address, social security number, bank, and financial account numbers, insurance, and tax information, passport, and information relating to her family. Clemens’s employment agreement provided that ExecuPharm would “take appropriate measures to protect the confidentiality and security” of this information. After Clemens left ExecuPharm, a hacking group (CLOP) accessed ExecuPharm’s servers, stealing sensitive information pertaining to current and former employees, including Clemens. CLOP posted the data on the Dark Web, making available for download 123,000 data files pertaining to ExecuPharm, including sensitive employee information. ExecuPharm notified current and former employees of the breach and encouraged precautionary measures. Clemens reviewed her financial records and credit reports for unauthorized activity; placed fraud alerts on her credit reports; transferred her bank account; enrolled in ExecuPharm’s complimentary one-year credit monitoring services; and purchased three-bureau additional credit monitoring services for herself and her family for $39.99 per month.Clemens's suit under the Class Action Fairness Act, 28 U.S.C. 1332(d), was dismissed for lack of Article III standing. The court concluded that Clemens’s risk of future harm was not imminent, but “speculative.” Any money Clemens spent to mitigate the speculative risk was insufficient to confer standing; even if ExecuPharm breached the employment agreement, it would not automatically give Clemens standing to assert her breach of contract claim. The Third Circuit vacated. Clemens’s injury was sufficiently imminent to constitute an injury-in-fact for purposes of standing. View "Clemens v. Execupharm Inc" on Justia Law

by
Popa browsed the website of Harriet Carter Gifts, added an item to her cart, but left the website without making a purchase. She later discovered that, unbeknownst to her, Harriet Carter’s third-party marketing service, NaviStone, tracked her activities across the site. Popa sued both entities under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA), 18 Pa. C.S. 5701, which prohibits the interception of wire, electronic, or oral communications. The district court granted the defendants summary judgment, reasoning that NaviStone could not have “intercepted” Popa’s communications because it was a “party” to the electronic conversation. Alternatively, it ruled that if any interception occurred, it happened outside Pennsylvania, so the Act did not apply.The Third Circuit vacated. Under Pennsylvania law, there is no direct-party exception to WESCA liability, except for law enforcement under specific conditions. The defendants cannot avoid liability merely by showing that Popa directly communicated with NaviStone’s servers. NaviStone intercepted Popa’s communications at the point where it routed those communications to its own servers; that was at Popa’s browser, not where the signals were received at NaviStone’s servers. The court noted that the district court never addressed whether Harriet Carter posted a privacy policy and, if so, whether that policy sufficiently alerted Popa that her communications were being sent to a third-party company to support a consent defense. View "Popa v. Harriet Carter Gifts Inc." on Justia Law

by
Hepp hosts FOX 29’s Good Day Philadelphia. In 2018, Hepp was told by coworkers that her photograph was making its way around the internet. The image depicts Hepp in a convenience store, smiling, and was taken without Hepp’s knowledge or consent. She never authorized the image to be used in online advertisements. Hepp alleged each use violated her right of publicity under Pennsylvania law. A dating app advertisement featuring the picture appeared on Facebook. A Reddit thread linked to an Imgur post of the photo. Hepp sued, citing 42 PA. CONS. STAT. 8316, and common law. The district court dismissed Hepp’s case, holding that the companies were entitled to immunity under the Communications Decency Act of 1996, which bars many claims against internet service providers, 47 U.S.C. 230(c). The Third Circuit reversed, citing an exclusion in 230(e)(2) limitation for “any law pertaining to intellectual property.” Hepp’s claims are encompassed within the intellectual property exclusion. View "Hepp v. Facebook" on Justia Law

by
In 2012, Rad and others were charged with acquiring penny stocks, “pumping” the prices of those stocks by bombarding investors with misleading spam emails, and then “dumping” their shares at a profit. Rad was convicted of conspiring to commit false header spamming and false domain name spamming under the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), 15 U.S.C. 7701(a)(2), which addresses unsolicited commercial email. The PSR recommended raising Rad’s offense level to reflect the losses inflicted on investors, estimating that Rad realized about $2.9 million in “illicit gains” while acknowledging that because “countless victims” purchased stocks, the losses stemming from Rad’s conduct could not “reasonabl[y] be determined.” Rad emphasized the absence of evidence that any person lost anything. Rad was sentenced to 71 months’ imprisonment. The record is silent as to how the court analyzed the victim loss issue. The Third Circuit affirmed. DHS initiated removal proceedings under 8 U.S.C. 1227(a)(2)(A)(iii), which renders an alien removable for any crime that “involves fraud or deceit” “in which the loss to the victim or victims exceeds $10,000.” The IJ and the BIA found Rad removable.The Third Circuit remanded. Rad’s convictions for CAN-SPAM conspiracy necessarily entail deceit under 8 U.S.C. 1101(a)(43)(M)(i). The second element, requiring victim losses over $10,000, however, was not adequately addressed. The court noted that intended losses, not just actual ones, may meet the requirement. View "Rad v. Attorney General United States" on Justia Law

by
The Pennsylvania Attorney General (OAG) charged Walker with forgery and computer crimes. The prosecutor and the lead investigator requested that Penn State produce Walker’s emails from her employee account. At Penn’s request, they obtained a subpoena. The subpoena was missing information regarding the date, time or place where the testimony or evidence would be produced, or which party was requesting the evidence. The subpoena was incomplete and unenforceable. The prosecutor offered the subpoena to Penn’s Assistant General Counsel, who instructed an employee to assist. After the OAG obtained Walker’s emails, the pending criminal charges were dismissed with prejudice. Walker filed suit under 42 U.S.C. 1983. The district court dismissed, citing qualified immunity because Walker did not have a clearly established right to privacy in her work emails. A Third Circuit panel affirmed, reasoning that Penn produced the emails voluntarily, rather than under coercion resulting from the invalid subpoena and was acting within its legal authority and through counsel.The Third Circuit affirmed the dismissal of Walker's amended complaint, alleging violations of the Stored Communications Act, 18 U.S.C. 2701 (SCA). The SCA is inapplicable because Penn does not provide electronic communication services to the public. Penn acted within its rights as Walker’s employer in voluntarily disclosing her work emails. Penn’s search of its server to produce Walker’s emails is not prohibited by the SCA, regardless of whether its counsel was induced by deceit or knowingly cooperative. It is the law of the case that Penn consented to disclose Walker’s emails. View "Walker v. Coffey" on Justia Law

by
Officers executed a search warrant at Rawls’ residence, yielding an iPhone 6 and a Mac Pro Computer with attached external hard drives, all protected with encryption software. With a warrant, forensic analysts discovered the password to decrypt the Mac Pro but could not determine the passwords for the external hard drives. The Mac Pro revealed an image of a pubescent girl in a sexually provocative position, logs showing that it had visited likely child exploitation websites and that Rawls had downloaded thousands of files known to be child pornography. Those files were stored on the external hard drives. Rawls’ sister stated that Rawls had shown her child pornography on the external hard drives. A Magistrate ordered Rawls to unencrypt the devices. Rawls cited the Fifth Amendment privilege against self-incrimination. The court denied Rawls’ motion, reasoning the act of decrypting the devices would not be testimonial. Rawls decrypted the iPhone, which contained 20 photographs that focused on the genitals of Rawls’ six-year-old niece. Rawls stated that he could not remember the passwords for the hard drives. The Third Circuit affirmed a civil contempt finding.Rawls, incarcerated since September 2015, moved for release, arguing that 28 U.S.C. 1826(a) limits the maximum confinement for civil contempt to 18 months. The Third Circuit ordered his release, rejecting the government’s argument that Rawls was not a “witness” participating in any “proceeding before or ancillary to any court or grand jury.” The proceedings to enforce the search warrant fall within the statute’s broad description of any “proceeding before or ancillary to any court or grand jury," the Decryption Order is “an order of the court to testify or provide other information,” and section 1826(a) applies to the detention of any material witness, even if that person is also a suspect in connection with other offenses. View "United States v. Apple Mac Pro Computer" on Justia Law

by
News broke in 2012 that Google’s Doubleclick.net cookies were bypassing Safari and Internet Explorer privacy settings and tracking internet-user information. Google settled FTC and state attorneys general lawsuits, agreeing to cease the practice and to pay $39.5 million in fines, without admitting wrongdoing. Plaintiffs' claims were consolidated into a putative class action, alleging violations of federal privacy and fraud statutes, California unfair competition and privacy statutes, the California constitution’s right to privacy, and California’s privacy tort law. The Third Circuit affirmed the dismissal of all but the California constitutional and tort claims. The parties agreed to a settlement. The district court approved certification of an FRCP 23(b)(2) class and the settlement under FRCP 23(e). Under the settlement a cy pres award would be paid to organizations the defendant approved, primarily data privacy organizations that agree to use the funds to research and promote browser privacy. It also included class counsel’s fees and costs, and incentive awards for named class representatives. One objector argued that the cy pres money belongs to the class as compensation and challenged the choice of cy pres recipients because of their pre-existing relationships with Google and class counsel. The Third Circuit vacated, stating that the “cursory certification and fairness analysis were insufficient for us to review its order certifying the class and approving the settlement. The settlement agreement’s broad release of claims for money damages and its designation of cy pres recipients are particularly concerning.” View "In Re: Google Inc. Cookie Placement Consumer Privacy Litigation" on Justia Law

by
Oberdorf walked her dog with a retractable leash. Unexpectedly, the dog lunged. The D-ring on the collar broke and the leash recoiled and hit Oberdorf’s face and eyeglasses, leaving Oberdorf permanently blind in her left eye. Oberdorf bought the collar on Amazon.com. She sued Amazon.com, including claims for strict products liability and negligence. The district court found that, under Pennsylvania law, Amazon was not liable for Oberdorf’s injuries. A third-party vendor, not Amazon itself, had listed the collar on Amazon’s online marketplace and shipped the collar directly to Oberdorf. The court found that Amazon was not a “seller” under Pennsylvania law and that Oberdorf’s claims were barred by the Communications Decency Act (CDA) because she sought to hold Amazon liable for its role as the online publisher of third-party content. The Third Circuit vacated and remanded. Amazon is a “seller” under section 402A of the Second Restatement of Torts and thus subject to the Pennsylvania strict products liability law. Amazon’s involvement in transactions extends beyond a mere editorial function; it plays a large role in the actual sales process. Oberdorf’s claims against Amazon are not barred by section 230 of the CDA except as they rely upon a “failure to warn” theory of liability. The court affirmed the dismissal under the CDA of the failure to warn claims. View "Oberdorf v. Amazon.com Inc" on Justia Law

by
Defendants created a publicly searchable “Inmate Lookup Tool” into which they uploaded information about thousands of people who had been held or incarcerated at the Bucks County Correctional Facility since 1938. Taha filed suit, alleging that the County and Correctional Facility had publicly disseminated information on the internet in violation of the Pennsylvania Criminal History Record Information Act, 18 Pa. Cons. Stat. 9102, about his expunged 1998 arrest and incarceration. The district court granted Taha partial summary judgment on liability before certifying a punitive damages class of individuals about whom incarceration information had been disseminated online. The court then found that the only remaining question of fact was whether defendants had acted willfully in disseminating the information. After the court certified the class, the defendants filed an interlocutory appeal. The Third Circuit affirmed the class certification order, rejecting an argument that the district court erred in granting Taha partial summary judgment on liability before ruling on class certification. The court upheld conclusions that punitive damages can be imposed in a case in which the plaintiff does not recover compensatory damages, that punitive damages can be imposed on government agencies, and that the predominance requirement under FRCP 23(b)(3) was met so that a class could be certified. View "Taha v. County of Bucks" on Justia Law