Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse — Hayes v. SpectorSoft
[Posted by Venkat]
In what probably belongs in the “software doesn’t surreptitiously record conversations, people do” file, a federal court in Tennessee rejected Electronic Communications Privacy Act and product liability claims brought by someone whose ex-spouse used software to log internet activity and communications. (Access a copy of the order here [scribd].)
The case presented a now-familiar fact pattern of the use of monitoring (in this case keylogger) software by a spouse to keep track of the online activities of the soon-to-be ex-spouse. The plaintiff (Thomas Hayes) sued SpectorSoft, which produced two pieces of software used by his ex-spouse and someone else to monitor his instant message, email, and browsing activities. Hayes alleged violations of the Electronic Communications Privacy Act and also asserted negligence and product liability claims. The court granted SpectorSoft’s motion for summary judgment and dismissed the case.
With respect to the ECPA claims the court concluded that Hayes needed to prove that SpectorSoft intended for the communications to be wrongly intercepted, and that Hayes’s evidence that SpectorSoft marketed the software to spouses who were conducting surveillance was insufficient to show this intent. According to the court, the type of intent required by the ECPA was that the defendant must have the “conscious objective” to cause the result (i.e., the unlawful surveillance and disclosure). The court cites to In re Pharmatrak where the First Circuit found that a web-monitoring company’s gathering and inadvertent disclosure of information about web users did not violate the ECPA due to lack of intent. The court also relied on the fact that the person who installed the SpectorSoft software clicked through a terms of use agreement which contained a representation that the software would only be installed on computers which the user owned, or computers on which the user was authorized to install the software. (SpectorSoft is a classic passive conduit and presented ample evidence that it did not know of the underlying violations.)
Plaintiff also made a creative argument that the SpectorSoft software was “unreasonably dangerous.” The court expressed doubt as to whether software qualified as a product at all, and in any event concluded that plaintiff failed to demonstrate that the software was unreasonably dangerous by putting forth evidence that SpectorSoft could have taken alternative measures that would have prevented the inadvertent disclosure.
The court’s decision is not surprising, given that (1) SpectorSoft did not conduct the eavesdropping but only provided the tools to facilitate it and (2) the software could be used to conduct multiple lawful activities (monitoring children, employees, archiving messages). The decision was also not surprising given that the installation and use of the software could have been avoided if the user had taken adequate security precautions. (Sidenote: I wonder if it’s farfetched to argue that one spouse has the right to access the email and other accounts of another spouse based on some community property-like theory?)
I guess at the extreme end of the spectrum a court may be willing to hold a software company liable for developing software where the only possible use is to conduct unlawful surveillance, but this fact pattern wasn’t even close. Holding the software company in that instance would also raise potential First Amendment/crime-facilitating speech issues (?).
Related: In late 2008, a federal court halted sales of keylogger/do it yourself spyware software. (See coverage at Wired and JOLT Digest.) Also, this type of a claim has a higher likelihood of success when brought against the ex-spouse, rather than the software company, as noted by Tom O’Toole here.