Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang
[Post by Venkat Balasubramani]
Luis v. Zang, 12 cv 629 (S.D. Oh. Mar. 5, 2013)
Divorces have spawned some of the most interesting privacy disputes, such as the cases involving whether GPS surveillance of a vehicle violated one spouse’s privacy rights and whether accessing webmail using a shared computer constitutes a violation of privacy laws. This particular case involved the use of “WebWatcher” software that ostensibly allows people to monitor the computer-related activities of individuals. We blogged on a separate matter involving this divorce (see “Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute”), but this particular lawsuit is one of a three lawsuits spawned out of the divorce; two of which were filed by Javier Luis (against a variety of defendants) relating to the monitoring of his communications with Cathy Zang:
[a]lthough Plaintiff alleges that he has never met Cathy Zang in person, he alleges that he virtually met her, via a “Metaphysics” internet chat room, in January or February 2009 (Doc. 39, P 15). Shortly thereafter, Plaintiff alleges that he began to have “daily” communications, in the course of a “caring relationship” with Ms. Zang via the telephone and computer.
[Zang filed a separate lawsuit as well.] The key question before the court is whether Access Technologies, maker of WebWatcher, can be held liable for the monitoring activities conducted by its customer.
Whether WebWatcher ‘Intercepts” Communications: The court struggles with several semantic questions surrounding whether there has been an ‘interception’ as defined by the wiretap statute: (1) is information captured instantaneously; (2) is the information captured transmitted locally; and (3) is the information re-routed. The court rejects Access’ argument that there has been no interception, noting that the facts at this stage indicate a near-instantaneous capture and re-routing of information to a remote location.
Can Access be held liable for its customers’ conduct: Even assuming an interception occurred, the court says Luis’s claims fall short because remedies are only available against the individuals that “intercepted, disclosed, or intentionally used” communications in violation of the statute. The court says that the statute does not contemplate imposing civil liability “on software manufacturers and distributors for the activities of third parties.” While there is a provision of the statute that prohibits the “[m]anufacture, distribution, possession, and advertising [of devices” that can be used for interception],” (and imposes criminal liability for this activity) the court says that the civil remedies provision does not extend to this part of the statute.
The court also dismisses the litany of state law claims brought against Access (invasion of privacy, infliction of emotional distress, “bullying and harassment”) on the basis that Access did not have any knowledge of Mr. Zang’s use of the product and was not a party to any agreement that involved unlawful interception of communications. (The court does not mention Section 230, but that sounds like a fairly plausible basis for rejecting the state law claims as well.)
Although the two cases analyzed slightly different statutory provisions, this dispute is reminiscent of the SpectorSoft case, where a federal district court in Tennessee held that an ex-spouse could not assert federal or state law claims against the company that made monitoring software. In SpectorSoft, the court focused on whether the disclosure of communications was knowing or intentional. In this case, the court says there was an interception, but says that liability for the interception does not extend to third parties. Either way, the result is the same: in the garden-variety case, it’s difficult to hold the software developer liable for interceptions effected by customers and clients. This decision reaffirms what is a fairly helpful result for developers of these types of software providers.
As far as derivative liability goes, both with respect to the Wiretap Act and the Computer Fraud and Abuse Act, plaintiffs have fared poorly in holding third parties liable for the actions of the people who actually did the monitoring, intercepting, or accessing. Courts have been reluctant to extend the reach of these statutes to third parties who did not directly participate in the allegedly wrongful activities themselves.
It’s worth flagging that in addition to lawsuits from private parties, these software providers also have to worry about FTC actions. As noted in this 2008 Wired article, the FTC shut down the websites of a company that sold ‘DIY spyware’.
[image credit — kar/shutterstock: eyeball spy catcher]