Ajemian v. Yahoo! Case Update

On March 26, 2018, the United States Supreme Court denied Yahoo!’s Petition for a Writ of Certiorari in the Ajemian v. Yahoo! case. You can read Yahoo!’s Petition and the briefs that were filed on the United States Supreme Court docket Web page. Note that Verizon acquired Yahoo! in 2017, and Yahoo! is now part of Oath Holdings, Inc., which is a Verizon subsidiary that also includes AOL.

So, the October 17, 2017, opinion of the Supreme Judicial Court of Massachusetts in the Ajemian v. Yahoo! case is now final with respect to its holding that “[W]e conclude that the personal representatives may provide lawful consent on the decedent’s behalf to the release of the contents of the Yahoo e-mail account.” As I’ve stated before, this is a very significant development for fiduciaries and family members struggling to obtain access to a deceased individual’s online user accounts! You can read more about the court’s opinion and the applicable provisions of the Stored Communications Act in my previous posting.

Unfortunately, it’s not the end of the case for the Ajemian family. One aspect of the case, the enforceability of Yahoo!’s Terms of Service Agreement, has been remanded to the Massachusetts Probate and Family Court for further proceedings. Chief Justice Gants wrote a separate opinion, concurring in part and dissenting in part, specifically addressing the remand regarding the Terms of Service Agreement. He wrote:

If the motion judge on remand were to rule that this provision contractually allows Yahoo to destroy e-mail messages in its possession that are owned by a user (or a personal representative of the estate of the user) after the user has filed a court action to obtain access to these messages, we would surely reverse that ruling. So why remand the case to permit that possibility?

Not only is the remand unnecessary, but it also is unfair to the plaintiffs. The additional cost of further litigation is a financial pinprick to a Web services provider such as Yahoo, but it is a heavy financial burden on the assets of an estate, even a substantial estate. The plaintiffs should not have to spend a penny more to obtain estate property in the possession of Yahoo that they need to administer the estate.

What does this all mean to fiduciaries and family members dealing with the contents of a decedent’s online accounts? If the contents of a decedent’s online account are protected by § 2703 of the Stored Communications Act, the Ajemian case tells us that the court-appointed personal representative of the decedent’s estate may provide lawful consent (within the meaning of § 2703(b)(3) of the Stored Communications Act) on the decedent’s behalf. If one of the exceptions under § 2703(b) of the Stored Communications Act applies (such as the “lawful consent” exception), then the service provider may voluntarily disclose the online account contents that are protected under the Act. The lawful consent of the deceased user, whether provided by the personal representative after death or by the user before death, does not require the service provider to divulge the contents of the decedent’s communications. That’s where state laws, such as the Revised Uniform Fiduciary Access to Digital Assets Act, come into play. RUFADAA provides a clear state law procedure for fiduciaries to follow to request access to or disclosure of online account contents and other digital assets. Under Section 16(a) of RUFADAA, if a custodian fails to comply with a request from a personal representative of a deceased user’s estate to disclose the contents of electronic communications, the personal representative may apply to the state court for an order directing the custodian to comply with the request.

As of April 2, 2018, RUFADAA has been enacted in thirty-eight states, two other states (California and Delaware) have enacted earlier or modified versions of this uniform law, and seven state legislatures plus the District of Columbia have current, active RUFADAA bills. Three states (Kentucky, Louisiana, and Massachusetts) do not have current, active RUFADAA bills. Check the Uniform Law Commission Web site for the status of RUFADAA bills and enactments.

Posted in E-mail | Tagged , , , , , , , | Comments Off on Ajemian v. Yahoo! Case Update

Court Holds Personal Representatives May Provide Lawful Consent Under the Stored Communications Act

On October 16, 2017, the Supreme Judicial Court of Massachusetts issued its opinion in the Ajemian v. Yahoo! case. With respect to the privacy protections of the federal Stored Communications Act, the court’s opinion states that “[W]e conclude that the personal representatives may provide lawful consent on the decedent’s behalf to the release of the contents of the Yahoo email account.”

This court opinion is a very significant development for fiduciaries and family members struggling to obtain access to a deceased individual’s online user accounts!

The Stored Communications Act is Title II of the Electronic Communications Privacy Act of 1986, codified as 18 U.S.C. §§ 2701 through 2712. The Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain online service providers. The Act’s privacy protections have been a significant obstacle for fiduciaries and family members seeking access to the contents of a deceased individual’s online user accounts. If the Act applies, the online user account service provider is prohibited from disclosing the contents/files to the fiduciaries and family members unless an exception under § 2702(b) of the Act is met.

If one of the exceptions in the Act applies, then the service provider may voluntarily disclose the contents of the electronic communications and files protected under the Act. The “lawful consent” exception in § 2702(b)(3) states that a provider may divulge the contents of an electronic communication, “with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”

The text of § 2702(b)(3) does not specifically answer the question of whether the personal representative of a deceased individual may grant “lawful consent” on behalf of the deceased individual for the service provider to divulge the account contents. And, previous court cases have not specifically answered this question. Now, the Supreme Judicial Court of Massachusetts has answered that question by saying that a personal representative of a deceased user may provide lawful consent on the deceased user’s behalf to the release of the contents of the deceased user’s email account. The Probate and Family Court in this case had previously ruled that the contents of the deceased user’s emails are property of the deceased user’s estate, and Yahoo did not challenge that ruling on appeal.

As this court opinion points out, even though the “lawful consent” exception under the Stored Communications Act can be met by a personal representative of a deceased user, that alone does not require the service provider to divulge the contents of the deceased user’s electronic communications. The Act states that the service provider may divulge the contents if an exception is met. That’s where state laws such as the Revised Uniform Fiduciary Access to Digital Act comes into play. RUFADAA provides a clear state law procedure for fiduciaries to follow to request access to or disclosure of online account contents and other digital assets. Under Section 16(a) of RUFADAA, if a custodian fails to comply with a request from a personal representative of a deceased user’s estate to disclose the contents of electronic communications, the personal representative may apply to the state court for an order directing the custodian to comply with the request.

At last count, RUFADAA has been enacted in thirty-six states, two other states have enacted earlier or modified versions of this uniform law, and several other states are working on RUFADAA bills for enactment.

For more background information about this case and these issues, you can read the briefs filed in this case on the court Web site using this link: http://www.ma-appellatecourts.org/display_docket.php?src=party&dno=SJC-12237.

Posted in E-mail, General | Tagged , , , , , , , , , | Comments Off on Court Holds Personal Representatives May Provide Lawful Consent Under the Stored Communications Act

Protect Against Identity Theft During Tax Season

Tax-related identity theft and tax-related scams are a big concern for taxpayers and for the IRS. For example, an identity thief might use your Social Security Number to file an income tax return before you do, collecting a tax refund. Another problem is when scammers call or email claiming to be from the IRS and demanding an immediate payment for a tax obligation that doesn’t really exist.

The IRS has a Web page with resources for Identity Protection: Prevention, Detection, and Victim Assistance. IRS Publication 5027 provides identity theft information for taxpayers. IRS Publication 4524 offers basic security awareness tips for taxpayers, including how to keep your computer secure and how to avoid phishing and malware. IRS Publication 5199 is a guide to identity theft for tax preparers.

If you e-file your tax return with the IRS this year, but your filing is rejected because someone else already falsely filed a tax return using your Social Security Number, prepare and file IRS Form 14039 to report the tax-related identity theft to the IRS. You also should follow the detailed checklist at IdentityTheft.gov to report the identity theft and make a recovery plan.

More tips and resources for staying safe online when using your devices are available at StaySafeOnline.org. They have a list of Simple Cybersecurity Tips for Staying Safe Online During Tax Time. For additional computer security tips, I recommend reading the monthly OUCH! security awareness newsletters published by SANS Securing the Human, especially the newsletters on Four Steps to Staying Secure, Passphrases, Password Managers, Two-Step Verification, Shopping Online Securely, and Phishing.

Posted in General | Tagged , | Comments Off on Protect Against Identity Theft During Tax Season

PayPal Faces Proposed Class Action Lawsuit Related to Charitable Donations

On February 28, 2017, a complaint was filed against PayPal in a proposed class action lawsuit related to charitable donations. PayPal provides online-payment processing services, including enabling customers to donate money to charitable organizations. PayPal Giving Fund is a charitable organization that processes and distributes the charitable donations made through PayPal.

The complaint alleges, among other things, that PayPal lists charities on its Web site that aren’t registered with PayPal to receive donations, and a donation to an unregistered charity instead can be redirected to another charitable organization selected by PayPal Giving Fund without notice to the donor or to the intended charitable organization recipient.

PayPal, in a statement to CNBC, responded that the PayPal Giving Fund does notify the intended charitable organization of the donation if the organization has not yet registered with PayPal. There is a six-month period for the charitable organization to register with PayPal and claim the donations.

Page 4 of the complaint alleges that an individual donated $3,250 to thirteen different national and local-level charitable organizations through PayPal in, but only $100 of that amount (3% of the donation) was delivered to the charities the donor selected.

According PayPal Giving Fund’s 2015 IRS Form 990, they received $36,958,614 of contributions, gifts, and grants in 2015; they paid out $29,120,849 of grants and other assistance to domestic organizations and governments in 2015; and they paid out $7,694,521 of grants and other assistance to foreign organizations, governments, and individuals in 2015.

You can read a copy of the February 28, 2017, complaint here: Friends for Health v. PayPal complaint.

Posted in Financial Accounts, General | Tagged , , , , | Comments Off on PayPal Faces Proposed Class Action Lawsuit Related to Charitable Donations

People Watch One Billion Hours of YouTube Videos Every Day

On February 27, 2017, YouTube announced that people watch one billion hours of YouTube videos every single day! Their announcement noted that it would take one person over 100,000 years to watch one billion hours of YouTube videos.

Back in 2015, it was reported that about 300 hours of YouTube videos are uploaded every minute—and that was a 50% increase over the previous year.

Posted in General | Tagged , , | Comments Off on People Watch One Billion Hours of YouTube Videos Every Day

Short Videos Explain Five Top Internet Security Risks

If you are interested in learning more about Internet security basics, there is a free video training course briefly explaining five top Internet security risks. Each training video is only 10-15 minutes long, and the courses include:

  1. How to Choose a Good Password;
  2. How to Know When to Trust a Website;
  3. Why We Need All Those Software Updates;
  4. How to Protect Your Phone From Hackers; and
  5. How to Protect Your Home From the Internet of Things.

The video training courses are provided by Varonis Systems, a software company that helps companies protect against cyber attacks.

Posted in General | Tagged , , , | Comments Off on Short Videos Explain Five Top Internet Security Risks

Is Visiting a Web Site a Crime?

Is it a crime to visit a Web site? That’s one of the issues the Ninth Circuit Court of Appeals has been addressing in United States v. Nosal (decided April 10, 2012) and in Facebook v. Vachani (decided July 12, 2016).

I briefly described these cases and the July 6, 2016, Nosal II opinion in a prior posting. Essentially, Nosal I said violating a Web site’s Terms of Service Agreement is not a crime under the Computer Fraud and Abuse Act, but Vachani said that accessing a Web site after receiving a cease-and-desist letter can be a crime under the CFAA. The bottom line is that it’s difficult to distinguish the two decisions.

The reason I’m posting about this topic again is that the attorneys for the defendants in the Vachani case filed a petition on August 9, 2016, for rehearing of the case with respect to liability under the Computer Fraud and Abuse Act. The rehearing is requested so the court can correct or clarify its interpretation of the CFAA, because the court’s opinion conflicts with the opinion in Nosal I.

Hopefully, the court will clarify their decision so that users will know more clearly when it is a crime to visit a Web site in violation of the company’s Terms of Service Agreement.

Posted in General | Tagged , , , , , , , , | Comments Off on Is Visiting a Web Site a Crime?

Two New Cases on Using Computers “Without Authorization” under the Computer Fraud and Abuse Act

Two new cases on using computers “without authorization” under the Computer Fraud and Abuse Act were decided in July 2016, and both were decided by the United States Court of Appeals for the Ninth Circuit.

The first case, decided on July 6, 2016, is United States v. Nosal (a/k/a Nosal II because the Ninth Circuit also issued an opinion on April 10, 2012, involving the same situation). The short summary of Nosal II is that sharing a password can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 6, 2016, article by Orin Kerr that appeared in The Washington Post.

The second case, decided on July 12, 2016, is Facebook v. Vachani. The short summary of Vachani is that accessing a Web site after being notified that you are not authorized to access it can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 12, 2016, article by Orin Kerr that appeared in The Washington Post.

With respect to the Vachani case, the court makes a difficult-to-follow distinction as it interprets the Computer Fraud and Abuse Act, and this issue is described in more detail in Orin Kerr’s article. In Nosal I, the Ninth Circuit court decided that the “exceeds authorized access” prong of 18 U.S.C. § 1030(a)(4) “does not extend to violations of [a company’s] use restrictions” (e.g., violating a Terms of Service Agreement is not a crime under the Computer Fraud and Abuse Act). But, in Vachani, the Ninth Circuit court decided that accessing a Web site after receiving a cease-and-desist letter can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. The court’s distinction appears to depend on the person’s intent—whether the person at issue “might be unaware that they were committing a crime” (e.g., that is not a crime) versus a person who “deliberately circumvented the rescission of authorization” (e.g., that is a crime).

For fiduciaries and family members dealing with online accounts and digital property of an incapacitated or deceased family member, the concern remains that accessing the incapacitated or deceased person’s online accounts and digital property could be a crime under federal or state law. The U.S. Department of Justice is on the record asserting that the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security (note that this testimony was given before Nosal I was decided). However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

The bottom line is that this still is a developing area of law. Fiduciaries and family members should review and consider carefully the applicable Terms of Service Agreement before using a shared password or otherwise accessing a Web site in violation of the Web site’s access rules.

Posted in General | Tagged , , , , , , , , | Comments Off on Two New Cases on Using Computers “Without Authorization” under the Computer Fraud and Abuse Act

Study Shows Users Don’t Read Terms of Service Agreements

Not surprisingly, a recent study shows that users don’t read Terms of Service Agreements and Privacy Policies. In a July 7, 2016, working paper, Jonathan Obar and Anne Oeldorf-Hirsch reported that, in their experiment, 98% of users missed the “gotcha clauses” they planted in the Terms of Service Agreement and Privacy Policy for a fictitious social networking site they created. One of the “gotcha clauses” was that, by agreeing to the Terms of Service Agreement, the user would immediately assign their first-born child to the company!

In their experiment, the fictitious company had a 4,316-word Terms of Service Agreement for the user to read when signing up for the company’s social networking site. By comparison, Google’s Terms of Service Agreement (revised April 14, 2014) runs 1,881 words, Facebook’s Terms of Service Agreement (revised January 30, 2015) runs 3,159 words, and Yahoo!’s Terms of Service Agreement (revised March 16, 2012) runs 5,585 words. The working paper notes that an average adult should be able to read the 4,316-word Terms of Service Agreement used in the experiment in 15-17 minutes. However, in the experiment, 86% of users spent less than one minute reading the Terms of Service Agreement, and 97% of users spent less than five minutes reading the Terms of Service Agreement. Only 9 of the 527 participants in the experiment (1.7%) reported noticing the “gotcha clause” requiring the user to assign their first-born child to the company.

From an estate planning perspective, some Terms of Service Agreement provisions are important to consider, especially when planning for a user’s incapacity or death. Here are several provisions to consider in reviewing Terms of Service Agreements:

  1. May the user share the user’s password or let others access the user’s account? For estate planning, this is important to determine whether a fiduciary or family member can access the user’s account during the user’s incapacity or after the user’s death. If someone other than the user accesses the user’s account and “exceeds authorized access”—which could include violating the access rules of a company’s Terms of Service Agreement—that person could be charged with a crime under applicable state law, under the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(2)), or under the federal Stored Communications Act (18 U.S.C. § 2701(a)) For example, Section 4.8 of Facebook’s Terms of Service Agreement (revised January 30, 2015) says “You will not share your password…let anyone else access your account, or do anything else that might jeopardize the security of your account.”
  2. May the user transfer the user’s account? For estate planning, this is important to determine whether the user’s account may be transferred to another individual, to the trustee of a revocable living trust, to the trustee of an irrevocable trust, to a Limited Liability Company (LLC), to a partnership, or to a corporation either during the user’s lifetime or after the user’s death. If the user breaches the account transfer restrictions in the company’s Terms of Service Agreement, it could be grounds for the company to terminate the user’s account.
  3. Does the user’s account terminate on the user’s death? For estate planning, this is important to know what planning needs to be done during the user’s lifetime to preserve and protect the user’s account contents and what planning options are available after the user’s death. For example, Section 28 of Yahoo!’s Terms of Service Agreement (revised March 16, 2012) says “You agree that your Yahoo account is non-transferable and any rights to your Yahoo ID or contents within your account terminate upon your death.”
  4. What rights to the user’s data are being assigned to the company? For estate planning, this is important to know what intellectual property rights are involved. For example, is the user granting the company a license to use original works of authorship of the user that may be protected by copyright law? If so, does that license continue after the user’s death or after the user’s account is deleted?
Posted in General, Intellectual Property Rights | Tagged , , , , , , , , | Comments Off on Study Shows Users Don’t Read Terms of Service Agreements

Minnesota Joins Other States Enacting the Revised Uniform Fiduciary Access to Digital Assets Act

On May 22, 2016, Minnesota’s Governor signed a bill enacting the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA). The new law takes effect August 1, 2016, and will be found in Minnesota Statutes Chapter 521A. The new law creates a clear procedure to enable access to or disclosure of online accounts and digital assets to a person’s fiduciaries. A person’s fiduciaries may include an agent under a power of attorney, a court-appointed conservator of a living person, a trustee of a trust, or a court-appointed personal representative of a deceased person’s estate.

At latest count (updated July 14, 2016), including Minnesota, 18 states have enacted RUFADAA into law, and 13 other states have introduced RUFADAA in their legislatures. My understanding is that many other introductions of RUFADAA are planned within the next year. An up-to-date list of RUFADAA introductions and enactments in state legislatures can be found on the Uniform Law Commission Web site. A good summary of RUFADAA is also available on the ULC Web site.

Even with the new enactment of RUFADAA in Minnesota and other states, it is important for individuals to plan ahead for access to or disclosure of their online accounts and digital assets during incapacity or after death. The federal Stored Communications Act (18 U.S.C. § 2702) creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services or remote computing services. If the privacy protections of the Stored Communications Act apply, an online account service provider is prohibited from disclosing the contents of certain electronic communications and files unless an exception under § 2702(b) of the Act is met. Under § 2702(b)(3) of the Act, with the “lawful consent” of the user, an online account service provider may disclose the contents of the user’s electronic communications and files that are protected by the Act. RUFADAA provides a clear state law procedure for fiduciaries to follow to request access to or disclosure of online account contents and other digital assets.

So, a user’s “lawful consent” for disclosure of digital assets should be included in an individual’s estate plan, such as an individual’s financial power of attorney document for use while the individual is living, the individual’s will for use after the individual is deceased, and, if applicable, the individual’s revocable living trust (or irrevocable trust) for use if any digital assets are held in the trust. Under Section 4(b) of RUFADAA, it is also possible to sign a stand-alone document (what RUFADAA calls a “record”) to allow or prohibit disclosure to a fiduciary of some or all of an individual’s digital assets, including the content of electronic communications sent or received by the individual.

A document evidencing a user’s “lawful consent” for disclosure of digital assets is important to coordinate with the full fiduciary access and disclosure procedures under RUFADAA. In addition, there are other important digital asset issues that should be addressed as part of a comprehensive estate plan that an estate planning attorney can help plan and implement. For example, how should digital assets be distributed at death? Should family photos and videos be copied for each of the individual’s children? Should some beneficiaries be prohibited from receiving some of the digital assets? Should some of the digital assets be deleted on the individual’s death?

Because so many aspects of our personal and business lives have moved into the digital world, it’s important for an individual considering disclosure of and distribution of digital assets to seek legal advice from an attorney licensed to practice in the individual’s state as part of a comprehensive estate plan.

Posted in General | Tagged , , , , , , , , | Comments Off on Minnesota Joins Other States Enacting the Revised Uniform Fiduciary Access to Digital Assets Act