July 25, 2005
Bellia on Spyware, and Searcy v. Microsoft
Patricia Bellia of Notre Dame Law School recently posted a paper on spyware and surveillance laws, Spyware and the Limits of Surveillance Law. She challenges those who believe that the Electronic Communications Privacy or the Computer Fraud and Abuse Act adequately address spyware, concluding that “there is good reason to question whether federal electronic surveillance statutes can successfully combat anything but the most extreme forms of spyware.”
If nothing else, this article points out that there is an existing body of law pertaining to “spyware,” and much of it constitutes plaintiffs’ losses in court (although, I should note, there have been a number of settlements where defendants have paid money). As Bellia points out, some of these losses are attributable to judicial formalism.
As an example of these phenomena, consider Searcy v. Microsoft Corp., 2005 WL 1163114 (M.D. Fla. May 4, 2005). This case is putatively a spyware case, although (like many spyware cases) it doesn’t really discuss the allegations in those terms. The case is further muddled by the fact that (a) Searcy was a pro se plaintiff, and (b) worse, he was an incarcerated man with a history of repeat frivolous lawsuits. Usually these attributes produce poor judicial reasoning, as evidenced here.
In this lawsuit, Searcy alleges that Microsoft and AOL created and distributed software devices that surreptitiously captured personal information. He alleged that the capture violated the ECPA. However, he never alleges that the defendants ever did anything with that information. As a result, the court immediately rejects the lawsuit.
So far, so good. Then, the court continues:
"Defendants could not be held liable for the manufacture and distribution of software which may be exploited by third parties and used to illegally obtain a person's electronic information."
[An aside: the court footnotes this sentence to Zeran and AOL v. Green, both cases where the defendants relied on 47 USC 230. However, by its terms, 47 USC 230 doesn't apply to ECPA claims, so the court's reliance on these cases is sloppy at best.]
The court then concludes:
"[The ECPA] simply does not contemplate imposing civil liability on software manufactures [sic] and distributors for the activities of third parties."
This latter sentence is a strong statement, and it seems germane to the continuing confusion over how we sort through the allocation of responsibility between advertisers, manufacturers and distributors/affiliate marketers. The court was clearly saying that merely developing a tool to capture data does not violate the ECPA, even if some unrelated third party exploits that data. However, this language might also suggest a broader principle that there are strong limits to derivative liability under the ECPA irrespective of 47 USC 230.
Unfortunately, this case will never be good precedent because of the plaintiff's unique situation. However, the case both reinforces Bellia’s points and represents yet another example where a court rejects the legal claims of anti-spyware plaintiffs.
if you sell software that someone uses to fileshare copyrighted material, you can be liable; if you sell software somone uses to rip personal information and misuse it, you can't?
Posted by: scott at July 25, 2005 03:43 PM