Over on The Faculty Lounge and Prawfsblawg there is an emerging kerfuffle over whether it breaks any laws, or leads to any liability, for a blog operator to disclose the email addresses or IP address of people that post comments there. The whole debate is somewhat ridiculously wrapped up in a brouhaha that it’s not worth going into, and involves Paul Campos, Brian Leiter, Leiter’s co-blogger Dan Filler, The Faculty Lounge (where Filler also posts), the whole Law-School-Is-a-Scam movement, anonymous trolls, and who knows what else. Suffice it to say it is reaching kerfuffled heights of kerfuffledness. I’m just interested in the legal question as an Internet Law issue. If you really must know more, you can follow the links in wrap-up posts on Volokh Conspiracy and Above the Law.
(Aside: The whole thing reminds me of a lawsuit between neighbors. Some dispute arises between the two — maybe one doesn’t keep his or her grass cut short enough. Pretty soon the neighbors come to hate each other, and seek to express that hate in legal claims over every perceived infraction dating years back, no matter how tenuous the relation of those claims is to any facts. Before you know it, they’ve got dueling civil RICO lawsuits against each other, and they are telling their lawyers, “it’s the principle of the matter!” I tell my students they should see dollar signs when they hear that phrase, at least if they are billing by the hour, but other attorneys have told me what they hear is, “Run away!“)
Let’s start with a hypothetical, in order to avoid the need for any hyper-ventilated speculation. A runs a blog on which B comments, providing an email address that is not displayed with the comment, which A then provides to third party C. Is A liable for anything?
One point worth noting right away is that, unless you add more facts to the hypo, there’s nothing in it that would hinge liability on whether the disclosure is to one person or 1,000 people. So what people are suggesting is some legal provision that would prohibit a blog operator from posting on the site, “Dear ObstreperousMan, using email address email@example.com and posting from IP address 220.127.116.11, I’m sick of your rude and abusive comments, and you are not welcome here any more.” Is there something in the law that would prohibit such behavior or subject the blog operator to liability?
The short answer is no, I can’t think of any basis on which the blog operator would be liable for such conduct. It seems clear that the actual law is only a small and perhaps relatively insignificant part of the furor, but I still found it to be an interesting intellectual exercise, so let me walk through what people have suggested.
First, several commenters at various blogs have speculated that some sort of privacy regulation might prohibit the conduct in question, such as the FTC Act, California Online Privacy Protection Act, or (most oddly) the EU Data Protection Directive. But none of those would apply here, at least not under the assumption that the blog host and blog contributors are all located in the United States. There is no general requirement under U.S. law that would prohibit the operator of a website from voluntarily disclosing an email address or basic log information such as an IP address to third parties. There are some laws and regulations that would apply to various commercial website operators, that would require either a disclosure of privacy practices or in some instances that the operator take affirmative steps to protect personally identifiable information. But none of them would govern here, and even if they did, none flatly prohibit the conduct in question (some would require it to be disclosed in general terms).
For example, the California Online Privacy Protection Act applies only to “[a]n operator of a commercial Web site or online service.” Many blogs (such as The Faculty Lounge) do not even have advertisements, which in any event would not be enough to make a blog “commercial,” in my view. In addition, the California OPPA only governs the collection of information from an individual “who seeks or acquires, by purchase or lease, any goods, services, money, or credit” from the website. It clearly does not apply here.
Section 5 of the FTC Act likewise only prohibits “unfair or deceptive acts or practices in or affecting commerce.” Although “commerce” gets a very broad definition in Commerce Clause jurisprudence, that does not mean it gets a similar reading everywhere it appears in the U.S. Code, and it has been less broadly applied by the FTC. The FTC has construed its authority under Section 5 not to extend to political or charitable organizations, for example. With respect to websites the FTC has used its Section 5 authority to bring enforcement actions against various commercial website operators that have violated their privacy policies or that have engaged in other practices that put consumer privacy at risk, such as failing to secure credit card information or retail transaction data. Simply disclosing contact information (e.g., to marketers) is not an unfair or deceptive trade practice unless the site operator promised not to. And I am not aware of any enforcement actions against private parties operating a noncommercial site for anything, let alone disclosing information that was provided to them by another individual in a noncommercial transaction. (For example, I am not aware of any FTC enforcement actions against individual eBay sellers, who are clearly engaged in commerce.) The FTC Act provides no private cause of action, so the only concern would be an FTC enforcement action, which is in any event relatively rare.
Some commenters have mentioned state unfair or deceptive trade practice acts, which might give a different definition to “trade practice.” I’d be surprised if any state had interpreted “trade practice” to apply to, essentially, any practice, including one that did not involve trade. The behavior in question in the hypo is essentially no different from someone listening to someone else gossip about a third person, and then disclosing the identity of the gossiper to other people. It would be quite a stretch to argue that that is somehow a “trade practice.” Furthermore, such an interpretation would have serious First Amendment problems, as it would prohibit the disclosure of truthful information outside of any commercial or fiduciary relationship. I think the problems become manifest if, instead of a blog comment, you imagine the blog operator receiving an email from a commenter who is having trouble posting. Would it be an “unfair or deceptive trade practice” for the blog operator to reveal that email address to others? What about forwarding the email? Instead of a blog operator, how about a person with a Facebook page whose profile is public? Someone sends that person an email. Is it an unfair or deceptive trade practice to reveal the sender’s email address to others or forward the email? That would be a novel application of such statutes, to say the least, and such behavior occurs literally every day with no suggestion of liability by anyone.
The EU Data Protection Directive would not apply at all to our hypothetical assuming that, like The Faculty Lounge, neither the servers nor any of the operators of A’s blog are located in any EU country. Preliminarily, it is important to remember that the EU Data Protection Directive itself is not law; rather, it is a directive to the member states to adopt compliant laws, so to determine if the relevant law had been violated we would need to first determine which member state’s laws applied and then consult that law. But none apply here for the reason I mentioned. The Yahoo case, often cited in such matters, is distinguishable, because not only did Yahoo have a French subsidiary, but Yahoo was also trying to serve the French market through its main yahoo.com site as well. Even if some European country decided to adopt a universal jurisdiction approach to privacy regulations, any judgement resulting from such a proceeding would likely be unenforceable in the US, as it would be a restriction on A’s truthful speech (namely, B provided the following email address when commenting).
Some commenters striving to figure out a way the EU Data Protection Directive would apply have pointed to the Department of Commerce’s EU Safe Harbor Program. It is true that US companies wishing to obtain data from European companies may, in effect, voluntarily subject themselves to the requirements of the Data Protection Directive by signing up for the Safe Harbor. But relatively few US companies have done this; essentially only companies engaging in cross-border information transactions with partners located in Europe. There would be absolutely no reason for a noncommercial blog like the Faculty Lounge to sign up for the Safe Harbor, and a quick perusal of the list of companies that have signed up does not reveal any blogs, or even blog hosts like Typepad.
There are some who suggest that even without any viable claim whatsoever, the blog operator who discloses information could be subjected to lawsuits (class actions, even!) that would pose enormous litigation costs. But filing a lawsuit with no viable claims for the purpose of imposing needless litigation costs on an opponent is sanctionable behavior under Fed. R. Civ. P. 11. Of course it could still happen; I could sue anyone I wanted tomorrow for tortiously making the moon explode, and it would take a motion to dismiss to get rid of me. But such frivolous behavior is not worth losing any sleep over.
Finally, there are those who want to add additional facts to the hypo I proposed above. Say, instead of just disclosing commenter information, the blog operator A conspired with C to commit a tort, and provided the information in question to assist C in committing that tort. If A knew that C was going to commit a tort and assisted C in that endeavor, then that would make A contributorily liable for the tort in question under standard tort law (Rest. 2d Torts § 876). People are speculating about a lot of things with respect to the whole foofaraw, so the marginal speculation I suppose does not pose much additional cost. I’ll just note that the key is knowledge; A has to know or have reason to know that C is going to commit a tort — not just be a mean person, but give rise to some cause of action. In any event the bottom line for my purposes is that the mere disclosure of commenter information by itself does not lead to any liability.
I would think that if you were going to try to make an argument that a private website owner is under some legal obligation not to disclose information you would try to make that argument using the Stored Communications Act. Many plaintiffs have tried to use the unauthorized access provision of the SCA, 18 U.S.C. s 2701, to argue that when promises about how data will be handled are violated, that constitutes unauthorized access to the company’s own servers, but courts have uniformly rejected that argument. Slightly more promising would be 2702, which provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” There’s just a couple of problems with suggesting that it would prevent disclosure of identifying information concerning a blog commenter. First, there’s considerable doubt that a website operator qualifies as a provider of an “electronic communication service.” An ECS is defined for purposes of the SCA as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” A few courts have suggested or held that that includes websites, see Konop v. Hawaiian Airlines, Inc., 302 F. 3d 868 (9th Cir. 2002) (parties did not dispute issue); but the vast majority of courts have held that “ECS provider” refers to access providers and intermediate communications providers, not the provider of a destination for a communication, which would make all recipients into ECS providers. For an example of such a holding see Keithly v. Intelius Inc., 764 F. Supp. 2d 1257, 1271-72 (W.D. Wash. 2011).
Second, the provision I quoted above applies only to the contents of communications, not to customer records. The contents of the communication here are the contents of the comment itself, which was posted with the consent of the commenter on the website for everyone to see. Posting contents with consent is expressly permitted under the SCA. Customer records, on the other hand, are subject to a much less stringent set of protections. Specifically, ECS providers are free to provide customer records to whomever they wish other than the government: “A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any person other than a governmental entity.” So the SCA clearly would not prohibit the behavior in the hypo, at least where C is not a government agent. (In my altered hypo above, where A posts B’s information publicly on the website, you could argue that the public includes the government, thereby making it a disclosure to a “governmental entity.” But I still don’t think a website is an ECS so it doesn’t matter.)
In short, unless there is some other applicable law that someone can point me to, there does not appear to be any legal obligation on the part of a noncommercial website operator not to disclose comment registration or log information to private third parties. When you post comments on blogs, or gossip to acquaintances, as far as I can determine you have nothing but norms to fall back on if you are later publicly associated with those statements.
Update: The permanent bloggers at The Faculty Lounge have put up a statement that “[a]t no time have we, the permanent bloggers at the Faculty Lounge, disclosed any kind of identifying information about any Faculty Lounge commenter to any third party.” I’m strongly inclined to accept that, which would mean that my discussion above really is hypothetical.