By Alex Berengaut

[This article also was published in Law360.]

In May 2017, the “WannaCry” malware was used to launch a worldwide ransomware cyberattack. WannaCry encrypted files on victim computers and demanded a ransom payable in bitcoin to provide the encryption key. The attack was stopped when a British security researcher, Marcus Hutchins, accidentally discovered and activated a “kill switch” in the malware.

In a dramatic turn of events, Hutchins was arrested earlier this month by the FBI in Las Vegas as he was returning home from a cybersecurity conference. He wasn’t charged for anything to do with WannaCry; rather, the government alleged that he had created and conspired to sell a different piece of malware, the “Kronos Banking trojan,” a piece of software that recorded and stole user credentials and other personal identifying information. On Aug. 14, 2017, he pleaded not guilty to the charges against him.

Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act.[1] It is likely that these issues will be litigated as the case unfolds.

But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country. Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.[2] As the Second Circuit has put it, “[i]n order to apply extraterritorially a federal criminal statute to a defendant consistently with due process, there must be a sufficient nexus between the defendant and the United States so that such application would not be arbitrary and fundamentally unfair.”[3]
Continue Reading Is The Hutchins Indictment Over Malware Unconstitutional?

By Katherine Gasztonyi

Last week, Judge Robinson of the District of Delaware dismissed a multi-district lawsuit claiming that Google, Vibrant Media, Media Innovation Group, and WPP violated federal privacy and computer security laws by allegedly circumventing browser privacy settings in order to track users online.

This lawsuit stems from a February 17, 2012, Wall Street Journal article describing these companies’ use of a loophole in Safari’s privacy settings to set third-party tracking cookies even where the browser had been configured to block such cookies.  Lawsuits alleging violations of the federal Wiretap Act, Stored Communications Act, and Computer Fraud and Abuse Act (as well as various state laws) were filed in courts across the country, and ultimately were consolidated before Judge Robinson in Delaware.

Judge Robinson granted the defendants’ motions to dismiss all of the plaintiffs’ claims on the grounds that the plaintiffs had not adequately alleged standing to sue in federal court and, in any event, had failed to state a claim for relief under any of the statutes invoked in their complaint.


Continue Reading Court Tosses Claims Against Google and Others Based on Safari Hack

In a decision issued last week that is being described by some as a “landmark,” Judge Koh of the Northern District of California denied a motion to dismiss a complaint filed against Google alleging that its Gmail service unlawfully intercepts the contents of emails sent by and to Gmail users.  The case involves Google’s longstanding practice of targeting ads in Gmail based on keywords in emails.  The plaintiffs claim that this practice violates the federal Wiretap Act and analogous state wiretapping and eavesdropping statutes. 

 The court denied Google’s motion to dismiss as to all but one of these claims.  Most notably, the court held that the plaintiffs’ claim under the Wiretap Act can proceed, rejecting Google’s arguments that its practice of scanning the contents of emails is authorized under exceptions in the Wiretap Act for interceptions that occur (1) in the “ordinary course of business” or (2) with the consent of at least one party to a communication. 


Continue Reading Court Denies Google’s Motion to Dismiss Gmail Wiretap Claims

The last two weeks have brought two important decisions in the ongoing litigation over behavioral advertising firm NebuAd’s alleged use of a device to intercept data from ISP networks. Several ISPs allegedly permitted NebuAd to install an “appliance” on their networks in order to collect and analyze subscriber data for ad targeting purposes.  In lawsuits that began to be filed in 2008, plaintiffs have alleged that NebuAd–and the ISPs with which it allegedly partnered– violated Title I of the Electronic Communications Privacy Act (i.e., the Wiretap Act) as well as other federal and state laws.  Plaintiffs have sued the ISPs in separate suits around the country.  Two of these suits–against ISPs Embarq and WideOpen West (“WOW”)–yielded decisions in favor of the ISPs last week. 


Continue Reading Two New Decisions on the Wiretap Act and Secondary Liability

Late last month — in a decision that seems to have been largely overlooked in the privacy trade press — a federal judge in Illinois held [PDF] that the Wiretap Act did not prohibit the interception of communications sent over unsecured Wi-Fi networks provided by hotels, restaurants, coffee shops and other commercial entities.  The decision came in a case, In re Innovatio Ventures, LLC Patent Litigation, that does not involve an alleged violation of the Wiretap Act.  Rather (as its name suggests), In re Innovatio is an infringement suit in which Innovatio has accused various commercial entities that provide Wi-Fi to their customers of violating its patents in Wi-Fi technology.  To gather evidence about the defendants’ alleged infringing uses, Innovatio has used “commercially available Wi-Fi network analyzers” to “intercept data packets that are travelling . . . between the Wi-Fi router[s] provided by [the Defendants] and any devices that may be communicating with [the routers].”  Innovatio apparently grew concerned that its activities violated the Wiretap Act and sought a preliminary ruling on the admissibility of the evidence it obtains through its “proposed sniffing protocol.”


Continue Reading Court Holds Interception of Unsecured Wi-Fi Communications Does Not Violate the Wiretap Act

By: Shel Abramson

The United States District Court for the Northern District of California recently dismissed with prejudice most claims asserted by consumer plaintiffs in In re iPhone Application Litigation, including causes of action under the Stored Communications Act (“SCA”), the Wiretap Act, and other federal and state laws.  Plaintiffs asserted that Apple and a group of “Mobile Industry Defendants,” including Google, violated federal and state laws by allowing third party applications for “iDevices”—the iPhone, iPad, and iPod Touch—to collect and use plaintiffs’ personal information without consent.  This personal information included geolocation information, the iPhone’s unique device identifier (UDID), and other consumer information, such as age or gender.  Two separate putative classes of plaintiffs brought claims against Apple—an iDevices Class and a Geolocation Class.  With respect to defendant Apple, Judge Lucy H. Koh dismissed all of plaintiffs’ claims with prejudice, except for two California state law claims.  All claims against the Mobile Industry defendants were dismissed with prejudice.

In rejecting the SCA and Wiretap claims, Judge Koh provided a thorough analysis of why plaintiffs’ theories did not comport with these complex and specific statutes.  If followed by other courts, this precedent could have a far-reaching effect in limiting plaintiffs’ ability to use these federal statutes to pursue alleged harms arising out of online data collection and use.  We examine Judge Koh’s discussion in some detail after the jump.


Continue Reading Key Holdings in the In re iPhone Application Dismissal Order

The Northern District of California issued two key rulings last week in denying in part a motion to dismiss in In re Google Inc. Street View Electronic Communications Litigation, a consolidated action arising out of Google’s acknowledged interception of “payload data,” including emails, usernames, password, and other private data, from unencrypted home wireless networks using technology installed on Google’s Street View vehicles.    

First, in a matter of first impression Judge Ware rejected Google’s argument that its interception of Wi-Fi communications content was not restricted by the Wiretap Act (Title 1 of the Electronic Communications Privacy Act or ECPA), due to a “readily accessible to the general public” exception contained in the statute.  Instead, the court held that this exception applies only to communications using traditional radio broadcast technology.  Significantly, Judge Ware distinguished Wi-Fi technology from traditional radio services, which presumptively are intended to be public, instead likening Wi-Fi to cellular technology, in that both are designed to send communications privately.  The court also held that plaintiffs’ Wiretap Act claim was plausibly pleaded, meaning that the litigation will continue beyond Google’s motion to dismiss. 


Continue Reading Key Holdings in Google Street View Litigation: WiFi Not “Readily Accessible to the General Public” and ECPA Preempts State Wiretap Laws