Over on The Faculty Lounge and Prawfsblawg there is an emerging kerfuffle over whether it breaks any laws, or leads to any liability, for a blog operator to disclose the email addresses or IP address of people that post comments there. The whole debate is somewhat ridiculously wrapped up in a brouhaha that it’s not worth going into, and involves Paul Campos, Brian Leiter, Leiter’s co-blogger Dan Filler, The Faculty Lounge (where Filler also posts), the whole Law-School-Is-a-Scam movement, anonymous trolls, and who knows what else. Suffice it to say it is reaching kerfuffled heights of kerfuffledness. I’m just interested in the legal question as an Internet Law issue. If you really must know more, you can follow the links in wrap-up posts on Volokh Conspiracy and Above the Law.
(Aside: The whole thing reminds me of a lawsuit between neighbors. Some dispute arises between the two — maybe one doesn’t keep his or her grass cut short enough. Pretty soon the neighbors come to hate each other, and seek to express that hate in legal claims over every perceived infraction dating years back, no matter how tenuous the relation of those claims is to any facts. Before you know it, they’ve got dueling civil RICO lawsuits against each other, and they are telling their lawyers, “it’s the principle of the matter!” I tell my students they should see dollar signs when they hear that phrase, at least if they are billing by the hour, but other attorneys have told me what they hear is, “Run away!”)
Let’s start with a hypothetical, in order to avoid the need for any hyper-ventilated speculation. A runs a blog on which B comments, providing an email address that is not displayed with the comment, which A then provides to third party C. Is A liable for anything?
One point worth noting right away is that, unless you add more facts to the hypo, there’s nothing in it that would hinge liability on whether the disclosure is to one person or 1,000 people. So what people are suggesting is some legal provision that would prohibit a blog operator from posting on the site, “Dear ObstreperousMan, using email address email@example.com and posting from IP address 22.214.171.124, I’m sick of your rude and abusive comments, and you are not welcome here any more.” Is there something in the law that would prohibit such behavior or subject the blog operator to liability?
The short answer is no, I can’t think of any basis on which the blog operator would be liable for such conduct. It seems clear that the actual law is only a small and perhaps relatively insignificant part of the furor, but I still found it to be an interesting intellectual exercise, so let me walk through what people have suggested.
First, several commenters at various blogs have speculated that some sort of privacy regulation might prohibit the conduct in question, such as the FTC Act, California Online Privacy Protection Act, or (most oddly) the EU Data Protection Directive. But none of those would apply here, at least not under the assumption that the blog host and blog contributors are all located in the United States. There is no general requirement under U.S. law that would prohibit the operator of a website from voluntarily disclosing an email address or basic log information such as an IP address to third parties. There are some laws and regulations that would apply to various commercial website operators, that would require either a disclosure of privacy practices or in some instances that the operator take affirmative steps to protect personally identifiable information. But none of them would govern here, and even if they did, none flatly prohibit the conduct in question (some would require it to be disclosed in general terms).
For example, the California Online Privacy Protection Act applies only to “[a]n operator of a commercial Web site or online service.” Many blogs (such as The Faculty Lounge) do not even have advertisements, which in any event would not be enough to make a blog “commercial,” in my view. In addition, the California OPPA only governs the collection of information from an individual “who seeks or acquires, by purchase or lease, any goods, services, money, or credit” from the website. It clearly does not apply here.
Section 5 of the FTC Act likewise only prohibits “unfair or deceptive acts or practices in or affecting commerce.” Although “commerce” gets a very broad definition in Commerce Clause jurisprudence, that does not mean it gets a similar reading everywhere it appears in the U.S. Code, and it has been less broadly applied by the FTC. The FTC has construed its authority under Section 5 not to extend to political or charitable organizations, for example. With respect to websites the FTC has used its Section 5 authority to bring enforcement actions against various commercial website operators that have violated their privacy policies or that have engaged in other practices that put consumer privacy at risk, such as failing to secure credit card information or retail transaction data. Simply disclosing contact information (e.g., to marketers) is not an unfair or deceptive trade practice unless the site operator promised not to. And I am not aware of any enforcement actions against private parties operating a noncommercial site for anything, let alone disclosing information that was provided to them by another individual in a noncommercial transaction. (For example, I am not aware of any FTC enforcement actions against individual eBay sellers, who are clearly engaged in commerce.) The FTC Act provides no private cause of action, so the only concern would be an FTC enforcement action, which is in any event relatively rare.
Some commenters have mentioned state unfair or deceptive trade practice acts, which might give a different definition to “trade practice.” I’d be surprised if any state had interpreted “trade practice” to apply to, essentially, any practice, including one that did not involve trade. The behavior in question in the hypo is essentially no different from someone listening to someone else gossip about a third person, and then disclosing the identity of the gossiper to other people. It would be quite a stretch to argue that that is somehow a “trade practice.” Furthermore, such an interpretation would have serious First Amendment problems, as it would prohibit the disclosure of truthful information outside of any commercial or fiduciary relationship. I think the problems become manifest if, instead of a blog comment, you imagine the blog operator receiving an email from a commenter who is having trouble posting. Would it be an “unfair or deceptive trade practice” for the blog operator to reveal that email address to others? What about forwarding the email? Instead of a blog operator, how about a person with a Facebook page whose profile is public? Someone sends that person an email. Is it an unfair or deceptive trade practice to reveal the sender’s email address to others or forward the email? That would be a novel application of such statutes, to say the least, and such behavior occurs literally every day with no suggestion of liability by anyone.
The EU Data Protection Directive would not apply at all to our hypothetical assuming that, like The Faculty Lounge, neither the servers nor any of the operators of A’s blog are located in any EU country. Preliminarily, it is important to remember that the EU Data Protection Directive itself is not law; rather, it is a directive to the member states to adopt compliant laws, so to determine if the relevant law had been violated we would need to first determine which member state’s laws applied and then consult that law. But none apply here for the reason I mentioned. The Yahoo case, often cited in such matters, is distinguishable, because not only did Yahoo have a French subsidiary, but Yahoo was also trying to serve the French market through its main yahoo.com site as well. Even if some European country decided to adopt a universal jurisdiction approach to privacy regulations, any judgement resulting from such a proceeding would likely be unenforceable in the US, as it would be a restriction on A’s truthful speech (namely, B provided the following email address when commenting).
Some commenters striving to figure out a way the EU Data Protection Directive would apply have pointed to the Department of Commerce’s EU Safe Harbor Program. It is true that US companies wishing to obtain data from European companies may, in effect, voluntarily subject themselves to the requirements of the Data Protection Directive by signing up for the Safe Harbor. But relatively few US companies have done this; essentially only companies engaging in cross-border information transactions with partners located in Europe. There would be absolutely no reason for a noncommercial blog like the Faculty Lounge to sign up for the Safe Harbor, and a quick perusal of the list of companies that have signed up does not reveal any blogs, or even blog hosts like Typepad.
There are some who suggest that even without any viable claim whatsoever, the blog operator who discloses information could be subjected to lawsuits (class actions, even!) that would pose enormous litigation costs. But filing a lawsuit with no viable claims for the purpose of imposing needless litigation costs on an opponent is sanctionable behavior under Fed. R. Civ. P. 11. Of course it could still happen; I could sue anyone I wanted tomorrow for tortiously making the moon explode, and it would take a motion to dismiss to get rid of me. But such frivolous behavior is not worth losing any sleep over.
Finally, there are those who want to add additional facts to the hypo I proposed above. Say, instead of just disclosing commenter information, the blog operator A conspired with C to commit a tort, and provided the information in question to assist C in committing that tort. If A knew that C was going to commit a tort and assisted C in that endeavor, then that would make A contributorily liable for the tort in question under standard tort law (Rest. 2d Torts § 876). People are speculating about a lot of things with respect to the whole foofaraw, so the marginal speculation I suppose does not pose much additional cost. I’ll just note that the key is knowledge; A has to know or have reason to know that C is going to commit a tort — not just be a mean person, but give rise to some cause of action. In any event the bottom line for my purposes is that the mere disclosure of commenter information by itself does not lead to any liability.
I would think that if you were going to try to make an argument that a private website owner is under some legal obligation not to disclose information you would try to make that argument using the Stored Communications Act. Many plaintiffs have tried to use the unauthorized access provision of the SCA, 18 U.S.C. § 2701, to argue that when promises about how data will be handled are violated, that constitutes unauthorized access to the company’s own servers, but courts have uniformly rejected that argument. Slightly more promising would be § 2702, which provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” There are just a couple of problems with suggesting that it would prevent disclosure of identifying information concerning a blog commenter. First, there’s considerable doubt that a website operator qualifies as a provider of an “electronic communication service.” An ECS is defined for purposes of the SCA as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” A few courts have suggested or held that that includes websites, see Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002) (parties did not dispute issue); but the vast majority of courts have held that “ECS provider” refers to access providers and intermediate communications providers, not the provider of a destination for a communication, which would make all recipients into ECS providers. For an example of such a holding see Keithly v. Intelius Inc., 764 F. Supp. 2d 1257, 1271-72 (W.D. Wash. 2011).
Second, the provision I quoted above applies only to the contents of communications, not to customer records. The contents of the communication here are the contents of the comment itself, which was posted with the consent of the commenter on the website for everyone to see. Posting contents with consent is expressly permitted under the SCA. Customer records, on the other hand, are subject to a much less stringent set of protections. Specifically, ECS providers are free to provide customer records to whomever they wish other than the government: “A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any person other than a governmental entity.” So the SCA clearly would not prohibit the behavior in the hypo, at least where C is not a government agent. (In my altered hypo above, where A posts B’s information publicly on the website, you could argue that the public includes the government, thereby making it a disclosure to a “governmental entity.” But I still don’t think a website is an ECS so it doesn’t matter.)
In short, unless there is some other applicable law that someone can point me to, there does not appear to be any legal obligation on the part of a noncommercial website operator not to disclose comment registration or log information to private third parties. When you post comments on blogs, or gossip to acquaintances, as far as I can determine you have nothing but norms to fall back on if you are later publicly associated with those statements.
Update: The permanent bloggers at The Faculty Lounge have put up a statement that “[a]t no time have we, the permanent bloggers at the Faculty Lounge, disclosed any kind of identifying information about any Faculty Lounge commenter to any third party.” I’m strongly inclined to accept that, which would mean that my discussion above really is hypothetical.
Thanks for taking the time to do this, Bruce. It’s a real service. All I’ll add is that if I had been making these arguments, I would want to do so anonymously, too!
First thing is that we always have the option to approve/disapprove any comment on our blog posts. We should be careful in approving any comment in terms of legality. Secondly, it is good if there is such an option which can easily get IP or other user information for any kind of problem.
I actually cannot tell if my answer to your post would not go up because I have been banned from the Faculty Lounge – or because of a problem with TypePad.
The Safe Harbor certainly is one way in which a company can become subject to EU rules – and it does not necessarily apply to just commercial companies. Saymedia (aka “Typepad”) is a global operation and a commercial business with operations it would seem in the EU and was formed by a merger of Six Apart Ltd (which is on the Safe Harbor list though not “current” whatever that means) and VideoEgg (not on the list.) See http://safeharbor.export.gov/list.aspx I would disagree with your characterisation that only a few companies are on the safe harbor list – it is quite extensive.
I certainly posted on TFL and Prawfsblawg – that is hardly a secret – and I posted both from the US and Europe. When in Europe it was apparent from TLDs, e.g., .de, .co.uk that the Typepad server I was posting on was likely in Europe or holding itself out to be. I think that would be enough to establish jurisdiction. Given how privacy is addressed in the international tech sector I would be very surprised if TypePad has not sought in the EU compliance advice.
However, Leiter does host advertising on his site and he has used it to “out” some of the people whose names he appears to have obtained from Filler (and I am very confident that Filler did leak names.) As such he’d better hope none of his targets are in California, because they could make an issue of it.
A quick explanation of my point about TypePad’s predecessor Six Apart being described as not current. The idea that any entity that in some form still exists can go non-current under data protection law would be hopelessly unacceptable in the EU and I cannot see how it works in the context of the Safe Harbor for TypePad. The only way to escape the obligations would be to delete all personal data ever subscribed while the entity was registered. But the evident purpose of the merger that created Say Media was to acquire the business and accounts of both entities – if Six Apart’s data and blog-roll had been deleted the business’s value would have been destroyed. So I think there is perhaps a sound legal argument that once in the Safe Harbor, always in the Safe Harbor – and that the rules thus still apply to TypePad.
MacK, there seems to be some sort of length limit in place at all Typepad blogs that eats long comments, and also short ones that you post immediately after. As far as I can tell it’s something new because I’ve never encountered it before.
COPPA does not apply to The Faculty Lounge or any other law prof blog. It applies only to website operators who know that they are collecting information from children under 13 or run a site that targets such children. I really do not think there are that many children out there interested in reading all the ins and outs of the Kansas-Nebraska Act.
I remain skeptical that merely hosting ads on a site would make it “commercial” under the California OPPA. But it’s a moot point, because a site that did nothing more than host ads would not be obtaining information from a “consumer,” defined as an individual who “seeks or acquires, by purchase or lease, any goods, services, money, or credit” from the website. Only information collection from “consumers” is covered. Blogs with ads clearly do not need to comply with the California OPPA.
I am inclined to agree that the legality issues are a bit of stretch – although one might argue implied contract. When I said COPPA I meant the California OPPA law.
That said, I do think there is an issue with the idea that data that was submitted under the safe harbour rules can at some later point be taken out from under those rules because a company withdraws -which is what it seems SixApart did. It certainly is not consistent with the legal interpretation of the Directive which the Safe Harbor is intended to effectively implement. I would find it most surprising if Typepad had not retained the blogs and data that started under SixApart. There is also the tricky issue that Typepad is operating worldwide.
However, to give an example of how this can blow up – recently there was an issue because owners of US purchased Android phones mysteriously received bills containing roaming charges for Europe, although they were certain that they had turned off data roaming. It turned out that buried in the Android code was a function that reported to Google various data relating to the phone and its location. Not surprisingly there was rather a kerfuffle since this data was being collected in Europe, albeit from a US phone purchaser. Google as you are doubtless aware has been having a torrid time with the Data directive and had had to deploy “dog ate my homework” stories so often as to lead to questions about whether its omnivorousness indicates a labrador puppy.
I think TFL is pretty close to the line in making these disclosures (obviously I have an interest since I’m pretty certain I was one of those whose identities were leaked). What the situation does call for is for all blogs to have explicit statements on confidentiality. I also think TFL needs to come clean, did they or didn’t they – although at this stage it is pretty howlingly obvious that they did.
I am not worried by Leiter. Not really – he is what one of my favorite professors would call a pissant and frankly I am sufficiently successful and secure that my identity must have really irritated him. I do prefer to engage in this debate on my own terms though and not find myself deluged in e-mails and/or résumés. Also for family reasons I prefer not to use my own name in debate as historically my views could and indeed were, when I was in college, be attributed to a family member for whom it would be very problematic to have political views at all. However, I am aware that Leiter has sought to use the threat of outing as a club to silence people he disagrees with and I find that most offensive. That is why it is rather ironic that getting caught using the very pseudonyms he deplores to out people has proved so devastating to him – poetic justice, and that Pablo Neruda’s name would be part of that is very rich indeed.
MacK, our confusion over COPPA/California OPPA is why I refer in class to “CalOPPA,” despite how clunky that sounds. Throw in COPA and the C/O/P/A acronym space is pretty crowded.
I think you’re right that the EU would take a dim view of opting out of the Safe Harbor once you’ve opted in — particularly if you get to retain the data you collected. I haven’t looked into that issue. I don’t know what, if any, restrictions DOC puts on withdrawal, but it’s an interesting question. My impression of the Safe Harbor generally is that it was a way for both sides to save face politically and was not really ever intended to be strictly enforced (although there has in fact been an enforcement action on the US side).
In an airport on an iPhone
Safe harbor has to afford the same standard of protection as the directive or the whole thing becomes invalid under the directive
The origin of the safe harbor was a certain desperation on the part of US business especially banks because the transition period was coming to an end under the directive at which point export of data to a country without equivalent protection would be banned. There was no possibility of the US passing legislation matching the directive anytime soon no matter how hard certain interests pushed it because others opposed – the safe harbor was a solution – US receivers of exported data could enter a legally binding FTC enforceable commitment to abide by the directive – solved, byt