Can a Website Operator Disclose Identifying Information About Blog Commenters?

groundhog-smOver on The Faculty Lounge and Prawfsblawg there is an emerging kerfuffle over whether it breaks any laws, or leads to any liability, for a blog operator to disclose the email addresses or IP address of people that post comments there. The whole debate is somewhat ridiculously wrapped up in a brouhaha that it’s not worth going into, and involves Paul Campos, Brian Leiter, Leiter’s co-blogger Dan Filler, The Faculty Lounge (where Filler also posts), the whole Law-School-Is-a-Scam movement, anonymous trolls, and who knows what else. Suffice it to say it is reaching kerfuffled heights of kerfuffledness. I’m just interested in the legal question as an Internet Law issue. If you really must know more, you can follow the links in wrap-up posts on Volokh Conspiracy and Above the Law.

(Aside: The whole thing reminds me of a lawsuit between neighbors. Some dispute arises between the two — maybe one doesn’t keep his or her grass cut short enough. Pretty soon the neighbors come to hate each other, and seek to express that hate in legal claims over every perceived infraction dating years back, no matter how tenuous the relation of those claims is to any facts. Before you know it, they’ve got dueling civil RICO lawsuits against each other, and they are telling their lawyers, “it’s the principle of the matter!” I tell my students they should see dollar signs when they hear that phrase, at least if they are billing by the hour, but other attorneys have told me what they hear is, “Run away!“)

Let’s start with a hypothetical, in order to avoid the need for any hyper-ventilated speculation. A runs a blog on which B comments, providing an email address that is not displayed with the comment, which A then provides to third party C. Is A liable for anything?

One point worth noting right away is that, unless you add more facts to the hypo, there’s nothing in it that would hinge liability on whether the disclosure is to one person or 1,000 people. So what people are suggesting is some legal provision that would prohibit a blog operator from posting on the site, “Dear ObstreperousMan, using email address joe@yahoo.com and posting from IP address 168.192.100.100, I’m sick of your rude and abusive comments, and you are not welcome here any more.” Is there something in the law that would prohibit such behavior or subject the blog operator to liability?

The short answer is no, I can’t think of any basis on which the blog operator would be liable for such conduct. It seems clear that the actual law is only a small and perhaps relatively insignificant part of the furor, but I still found it to be an interesting intellectual exercise, so let me walk through what people have suggested.

First, several commenters at various blogs have speculated that some sort of privacy regulation might prohibit the conduct in question, such as the FTC Act, California Online Privacy Protection Act, or (most oddly) the EU Data Protection Directive. But none of those would apply here, at least not under the assumption that the blog host and blog contributors are all located in the United States. There is no general requirement under U.S. law that would prohibit the operator of a website from voluntarily disclosing an email address or basic log information such as an IP address to third parties. There are some laws and regulations that would apply to various commercial website operators, that would require either a disclosure of privacy practices or in some instances that the operator take affirmative steps to protect personally identifiable information. But none of them would govern here, and even if they did, none flatly prohibit the conduct in question (some would require it to be disclosed in general terms).

For example, the California Online Privacy Protection Act applies only to “[a]n operator of a commercial Web site or online service.” Many blogs (such as The Faculty Lounge) do not even have advertisements, which in any event would not be enough to make a blog “commercial,” in my view. In addition, the California OPPA only governs the collection of information from an individual “who seeks or acquires, by purchase or lease, any goods, services, money, or credit” from the website. It clearly does not apply here.

Section 5 of the FTC Act likewise only prohibits “unfair or deceptive acts or practices in or affecting commerce.” Although “commerce” gets a very broad definition in Commerce Clause jurisprudence, that does not mean it gets a similar reading everywhere it appears in the U.S. Code, and it has been less broadly applied by the FTC. The FTC has construed its authority under Section 5 not to extend to political or charitable organizations, for example. With respect to websites the FTC has used its Section 5 authority to bring enforcement actions against various commercial website operators that have violated their privacy policies or that have engaged in other practices that put consumer privacy at risk, such as failing to secure credit card information or retail transaction data. Simply disclosing contact information (e.g., to marketers) is not an unfair or deceptive trade practice unless the site operator promised not to. And I am not aware of any enforcement actions against private parties operating a noncommercial site for anything, let alone disclosing information that was provided to them by another individual in a noncommercial transaction. (For example, I am not aware of any FTC enforcement actions against individual eBay sellers, who are clearly engaged in commerce.) The FTC Act provides no private cause of action, so the only concern would be an FTC enforcement action, which is in any event relatively rare.

Some commenters have mentioned state unfair or deceptive trade practice acts, which might give a different definition to “trade practice.” I’d be surprised if any state had interpreted “trade practice” to apply to, essentially, any practice, including one that did not involve trade. The behavior in question in the hypo is essentially no different from someone listening to someone else gossip about a third person, and then disclosing the identity of the gossiper to other people. It would be quite a stretch to argue that that is somehow a “trade practice.” Furthermore, such an interpretation would have serious First Amendment problems, as it would prohibit the disclosure of truthful information outside of any commercial or fiduciary relationship. I think the problems become manifest if, instead of a blog comment, you imagine the blog operator receiving an email from a commenter who is having trouble posting. Would it be an “unfair or deceptive trade practice” for the blog operator to reveal that email address to others? What about forwarding the email? Instead of a blog operator, how about a person with a Facebook page whose profile is public? Someone sends that person an email. Is it an unfair or deceptive trade practice to reveal the sender’s email address to others or forward the email? That would be a novel application of such statutes, to say the least, and such behavior occurs literally every day with no suggestion of liability by anyone.

The EU Data Protection Directive would not apply at all to our hypothetical assuming that, like The Faculty Lounge, neither the servers nor any of the operators of A’s blog are located in any EU country. Preliminarily, it is important to remember that the EU Data Protection Directive itself is not law; rather, it is a directive to the member states to adopt compliant laws, so to determine if the relevant law had been violated we would need to first determine which member state’s laws applied and then consult that law. But none apply here for the reason I mentioned. The Yahoo case, often cited in such matters, is distinguishable, because not only did Yahoo have a French subsidiary, but Yahoo was also trying to serve the French market through its main yahoo.com site as well. Even if some European country decided to adopt a universal jurisdiction approach to privacy regulations, any judgement resulting from such a proceeding would likely be unenforceable in the US, as it would be a restriction on A’s truthful speech (namely, B provided the following email address when commenting).

Some commenters striving to figure out a way the EU Data Protection Directive would apply have pointed to the Department of Commerce’s EU Safe Harbor Program. It is true that US companies wishing to obtain data from European companies may, in effect, voluntarily subject themselves to the requirements of the Data Protection Directive by signing up for the Safe Harbor. But relatively few US companies have done this; essentially only companies engaging in cross-border information transactions with partners located in Europe. There would be absolutely no reason for a noncommercial blog like the Faculty Lounge to sign up for the Safe Harbor, and a quick perusal of the list of companies that have signed up does not reveal any blogs, or even blog hosts like Typepad.

Others have suggested a possible breach of contract action. But there doesn’t seem to be any enforceable contract. For example, at blogs such as The Faculty Lounge, there is no express promise of confidentiality for email address or log information anywhere on the site; even if there were a privacy policy many courts have held that privacy policies are not enforceable promises. All the comment form states at The Faculty Lounge and many other sites is “Email address will not be displayed with the comment,” which even under the facts of the hypo described above is true. And there is no implied contract either, for a couple of reasons. First, in order to be enforceable, a promise typically has to be given in exchange for something, such as another promise or performance. It seems dubious that the blog commenter is engaged in any sort of transaction with a blog operator, however; it’s just a conversation or a series of (publicly posted) emails. If the theory is correct that every blog comment carries with it an exchange of something valuable (the comment itself) in return for some sort of implied promise of confidentiality, every email would subject to a similar restriction. But if anything, the opposite is true; people generally expect that their emails may be forwarded. That leads to the second problem with the implied contract theory, which is that there is precious little evidence that there is an implication that by making available a comment box on the blog, the blog owner is proposing an exchange of confidentiality in return for comments, such that when you “perform,” you’re entitled to your half of the bargain. You may expect confidentiality, in the same way you expect to get served when you walk into a restaurant, but your walking into a restaurant is not the sort of “performance” that triggers a contractual obligation to provide you with anything in return. Your remedy for poor service is leaving.

There are some who suggest that even without any viable claim whatsoever, the blog operator who discloses information could be subjected to lawsuits (class actions, even!) that would pose enormous litigation costs. But filing a lawsuit with no viable claims for the purpose of imposing needless litigation costs on an opponent is sanctionable behavior under Fed. R. Civ. P. 11. Of course it could still happen; I could sue anyone I wanted tomorrow for tortiously making the moon explode, and it would take a motion to dismiss to get rid of me. But such frivolous behavior is not worth losing any sleep over.

Finally, there are those who want to add additional facts to the hypo I proposed above. Say, instead of just disclosing commenter information, the blog operator A conspired with C to commit a tort, and provided the information in question to assist C in committing that tort. If A knew that C was going to commit a tort and assisted C in that endeavor, then that would make A contributorily liable for the tort in question under standard tort law (Rest. 2d Torts § 876). People are speculating about a lot of things with respect to the whole foofaraw, so the marginal speculation I suppose does not pose much additional cost. I’ll just note that the key is knowledge; A has to know or have reason to know that C is going to commit a tort — not just be a mean person, but give rise to some cause of action. In any event the bottom line for my purposes is that the mere disclosure of commenter information by itself does not lead to any liability.

I would think that if you were going to try to make an argument that a private website owner is under some legal obligation not to disclose information you would try to make that argument using the Stored Communications Act. Many plaintiffs have tried to use the unauthorized access provision of the SCA, 18 U.S.C. s 2701, to argue that when promises about how data will be handled are violated, that constitutes unauthorized access to the company’s own servers, but courts have uniformly rejected that argument. Slightly more promising would be 2702, which provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” There’s just a couple of problems with suggesting that it would prevent disclosure of identifying information concerning a blog commenter. First, there’s considerable doubt that a website operator qualifies as a provider of an “electronic communication service.” An ECS is defined for purposes of the SCA as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” A few courts have suggested or held that that includes websites, see Konop v. Hawaiian Airlines, Inc., 302 F. 3d 868 (9th Cir. 2002) (parties did not dispute issue); but the vast majority of courts have held that “ECS provider” refers to access providers and intermediate communications providers, not the provider of a destination for a communication, which would make all recipients into ECS providers. For an example of such a holding see Keithly v. Intelius Inc., 764 F. Supp. 2d 1257, 1271-72 (W.D. Wash. 2011).

Second, the provision I quoted above applies only to the contents of communications, not to customer records. The contents of the communication here are the contents of the comment itself, which was posted with the consent of the commenter on the website for everyone to see. Posting contents with consent is expressly permitted under the SCA. Customer records, on the other hand, are subject to a much less stringent set of protections. Specifically, ECS providers are free to provide customer records to whomever they wish other than the government: “A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any person other than a governmental entity.” So the SCA clearly would not prohibit the behavior in the hypo, at least where C is not a government agent. (In my altered hypo above, where A posts B’s information publicly on the website, you could argue that the public includes the government, thereby making it a disclosure to a “governmental entity.” But I still don’t think a website is an ECS so it doesn’t matter.)

In short, unless there is some other applicable law that someone can point me to, there does not appear to be any legal obligation on the part of a noncommercial website operator not to disclose comment registration or log information to private third parties. When you post comments on blogs, or gossip to acquaintances, as far as I can determine you have nothing but norms to fall back on if you are later publicly associated with those statements.

Update: The permanent bloggers at The Faculty Lounge have put up a statement that “[a]t no time have we, the permanent bloggers at the Faculty Lounge, disclosed any kind of identifying information about any Faculty Lounge commenter to any third party.” I’m strongly inclined to accept that, which would mean that my discussion above really is hypothetical.

8 thoughts on “Can a Website Operator Disclose Identifying Information About Blog Commenters?

  1. Thanks for taking the time to do this, Bruce. It’s a real service. All I’ll add is that if I had been making these arguments, I would want to do so anonymously, too!

  2. First thing is that We always have option to approved/ disapprove any comment on our blog posts. We should be careful in approving any comment in terms of legality. Secondly it is good if there is such option which can easily get IP or other user information for any kind problem.

  3. I actually cannot tell if my answer to your post would not go up because I have been banned from the Faculty Lounge – or because of a problem with TypePad.

    The Safe Harbor certainly is one way in which a company can become subject to EU rules – and it does not necessarily apply to just commercial companies. Saymedia (aka “Typepad”) is a global operation and a commercial business with operations it would seem in the EU and was formed by a merger of Six Apart Ltd (which is on the Safe Harbor list though not “current” whatever that means) and VideoEgg (not on the list.) See http://safeharbor.export.gov/list.aspx I would disagree with your characterisation that only a few companies are on the safe harbor list – it is quite extensive.

    I certainly posted on TFL and Prawfsblawg – that is hardly a secret – and I posted both from the US and Europe. When in Europe it was apparent from TLDs, e.g., .de, .co.uk that the Typepad server I was posting on was likely in Europe or holding itself out to be. I think that would be enough to establish jurisdiction. Given how privacy is addressed in the international tech sector I would be very surprised if TypePad has not sought in the EU compliance advice.

    It is interesting to me that US companies are seeking out European partners in certain areas of data because EU companies are, as a result of the directive, considered to be more skilled at vital issues like anonymising data. In any event (and without overstating the law profs are not practitioners trope) just about every tech lawyer I know could have answered the question posted at prawfsblawg “off the cuff” so to speak – including US tech lawyers dealing with internet issues. TypePad may have a problem under COPPA because it is a commercial service and it should have taken steps to require blog operators like TFL and indeed Prawsblawg to at least state a privacy policy – indeed it could automate this process by requiring blog operators to select a policy from a menu to be displayed and it is odd that it has not chosen to do so.

    However, Leiter does host advertising on his site and he has used it to “out” some of the people whose names he appears to have obtained from Filler (and I am very confident that Filler did leak names.) As such he’d better hope none of his targets are in California, because they could make an issue of it.

    A quick explanation of my point about TypePad’s predecessor Six Apart being described as not current. The idea that any entity that in some form still exists can go non-current under data protection law would be hopelessly unacceptable in the EU and I cannot see how it works in the context of the Safe Harbor for TypePad. The only way to escape the obligations would be to delete all personal data ever subscribed while the entity was registered. But the evident purpose of the merger that created Say Media was to acquire the business and accounts of both entities – is Six Apart’s data and blog-role had been deleted the businesses value would have been destroyed. So I think there is perhaps a sound legal argument that once in the Safe Harbor, always in the Safe Harbor – and that the rules thus still apply to TypePad.

  4. MacK, there seems to be some sort of length limit in place at all Typepad blogs that eats long comments, and also short ones that you post immediately after. As far as I can tell it’s something new because I’ve never encountered it before.

    I don’t think any of your suggestions pose any source of concern for most blog owners. Thanks for finding the SixApart registration on the Safe Harbor, I had very limited time to go looking through the list. But to the extent SixApart, if it still exists, is still covered (which I doubt anyway), that would mean that SixApart itself must follow the Safe Harbor in collecting information from individuals — e.g., from the blog *operators*. Perhaps SixApart would then be obligated to get all of its bloggers to follow the Safe Harbor as well — that’s an interesting question that I haven’t considered. But the obligation would be on the *site host* to follow the Safe Harbor, not people that haven’t signed up for it. For example, arguably SixApart had an obligation to force its bloggers to post a privacy policy on each blog. Again, I haven’t really considered this. But in any event, that could be why SixApart dropped off — and no matter what the EU says, the Safe Harbor is a program set up by the Dept. of Commerce under which companies voluntarily submit themselves to the EU requirements. The EU does not have much say in how it operates. Their only remedy if they do not think the Safe Harbor program is sufficient is to declare the US not a safe destination for EU data under article 25 of the DPD, which is a pretty drastic step. Also, I stand by my statement that “relatively few companies” have signed up for the Safe Harbor. Sure, a lot have, most in the last 8-9 years or so, but most U.S. companies have not. That would include, I would expect, most blogs, even ones that generate a fair amount of revenue and traffic. I don’t have time to look up the relevant corporate names, but neither the Huffington Post nor Gawker Media are registered for the Safe Harbor.

    I don’t think it matters where the *comment* is coming from. A blog hosted in the US operated by people located in the US and not otherwise targeting any European country is not a “data controller” subject to any EU country’s law. I really do not think every American blog in existence needs to worry about the EU DPD on the off chance that someone from the EU might post a comment there. It’s more than just a privacy policy — under EU privacy laws, you also typically have to register with the relevant country’s privacy authority (which would, I suppose, be all of them), provide access to information, take various security measures, etc. I’ve never seen any suggestion that anyone, European or otherwise, thinks that this is the case.

    COPPA does not apply to The Faculty Lounge or any other law prof blog. It applies only to website operators who know that they are collecting information from children under 13 or run a site that targets such children. I really do not think there are that many children out there interested in reading all the ins and outs of the Kansas-Nebraska Act.

    I remain skeptical that merely hosting ads on a site would make it “commercial” under the California OPPA. But it’s a moot point, because a site that did nothing more than host ads would not be obtaining information from a “consumer,” defined as an individual who “seeks or acquires, by purchase or lease, any goods, services, money, or credit” from the website. Only information collection from “consumers” is covered. Blogs with ads clearly do not need to comply with the California OPPA.

  5. I am inclined to agree that the legality issues are a bit of stretch – although one might argue implied contract. When I said COPPA I meant the California OPPA law.

    That said, I do think there is an issue with the idea that data that was submitted under the safe harbour rules can at some later point be taken out from under those rules because a company withdraws -which is what it seems SixApart did. It certainly is not consistent with the legal interpretation of the Directive which the Safe Harbor is intended to effectively implement. I would find it most surprising if Typepad had not retained the blogs and data that started under SixApart. There is also the tricky issue that Typepad is operating worldwide.

    However, to give an example of how this can blow up – recently there was an issue because owners of US purchased Android phones mysteriously received bills containing roaming charges for Europe, although they were certain that they had turned off data roaming. It turned out that buried in the Android code was a function that reported to Google various data relating to the phone and its location. Not surprisingly there was rather a kerfuffle since this data was being collected in Europe, albeit from a US phone purchaser. Google as you are doubtless aware has being having a torrid time with the Data directive and had had to deploy “dog ate my homework” stories so often as to lead to questions about whether it’s omnivorousness indicates a labrador puppy.

    I think TFL is pretty close to the line in making these disclosures (obviously I have an interest since I’m pretty certain I was one of those whose identities was leaked. What the situation does call for is for all blogs to have explicit statements on confidentiality. I also think TFL needs to come clean, did they or didn’t they – although at this stage it is pretty howlingly obvious that they did.

    I am not worried by Leiter. Not really – he is what one of my favorite professors would call a pissant and frankly I am sufficiently successful and secure that my identity must have really irritated him. I do prefer to engage in this debate on my own terms though and not find myself deluged in e-mails and/or resumés. Also for family reasons I prefer not to use my own name in debate as historically my views could and indeed were, when I was in college, be attributed to a family member for whom it would be very problematic to have political views at all. However, I am aware that Leiter has sought to use the threat of outing as a club to silence people he disagrees with and I find that most offensive. That is why it is rather ironic that getting caught using the very pseudonyms he deplores to out people has proved so devastating to him – poetic justice, and the Pablo Neruda’s name would be part of that is very rich indeed.

  6. MacK, our confusion over COPPA/California OPPA is why I refer in class to “CalOPPA,” despite how clunky that sounds. Throw in COPA and the C/O/P/A acronym space is pretty crowded.

    I think you’re right right the EU would take a dim view of opting out of the Safe Harbor once you’ve opted in — particularly if you get to retain the data you collected. I haven’t looked into that issue. I don’t know what, if any, restrictions DOC puts on withdrawal, but it’s an interesting question. My impression of the Safe Harbor generally is that it was a way for both sides to save face politically and was not really ever intended to be strictly enforced (although there has in fact been an enforcement action on the US side).

    • In an airport on an iPhone

      Safe harbor has to afford the same standard of protection as the directive or the whole thing becomes invalid under the directive

  7. The origin of the safe harbor was a certain desperation in the part of US business especially banks because the transition period was coming to an end under the directive at which point export of data to a country without equivalent protection would be banned. There was no possibility of the us passing legislation matching the directive anytime soon no matter how hard certain interests pushed it because others opposed – the safe harbor was a solution – US receivers of exported data could enter a legally binding FTC enforceable commitment to abide by the directive – solved, byt

Comments are closed.