Convertible Virtual Currency (Like Bitcoin) is Subject to U.S. Money-Laundering Rules

On March 18, 2013, the the U.S. Financial Crimes Enforcement Network released new interpretive guidance regarding “convertible virtual currency” for purposes of the Bank Secrecy Act (BSA). The BSA requires financial institutions in the United States to report cash transactions and suspicious financial activities that might signify money laundering, tax evasion, or other criminal activities. The Financial Crimes Enforcement Network is a bureau of the U.S. Department of the Treasury that combats money laundering, among other things.

Under the new interpretive guidance, “virtual currency” is defined as a medium of exchange that operates like a currency in some environments but does not have all the attributes of real currency (“real currency” is the coin and paper money of the United States that is designated as legal tender). “Convertible virtual currency,” then, is defined as virtual currency that has an equivalent value in real currency or that acts as a substitute for real currency.

Without getting into too much detail, the new interpretive guidance states that “exchangers” and “administrators” are “money transmitters” within the scope of the Bank Secrecy Act and its regulations, unless a limitation or exemption applies, if they either: (1) accept and transmit a convertible virtual currency or (2) buy or sell convertible virtual currency. In other words, these parties may be subject to the registration requirements, record-keeping requirements for certain transactions, and mandatory reporting requirements for certain suspicious activities that might signify money laundering, tax evasion, or other criminal activities. Under the new interpretive guidance, an “exchanger” is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency, and an “administrator” is a person engaged as a business in issuing (putting into circulation) a virtual currency and who has the authority to redeem (to withdraw from circulation) the virtual currency.

However, a mere “user” of convertible virtual currency is not subject to the Bank Secrecy Act and its regulations. Under the new interpretive guidance, a “user” is a person that obtains virtual currency to purchase goods and services. In other words, merely using convertible virtual currency to purchase real or virtual goods or services does not make the person a “money transmission service” (so the person does not have the registration, reporting, or record-keeping obligations under the Bank Secrecy Act regulations).

One example of a popular convertible virtual currency is Bitcoin. Based on the definition of “convertible virtual currency,” the new interpretive guidance might also apply to the virtual currencies used in online video games and virtual worlds (e.g., if the video game or virtual world virtual currency has an equivalent value in real currency), bringing certain video game transactions within the scope of the Bank Secrecy Act and its regulations unless a limitation or exemption applies. According to a March 21, 2013, article in the Wall Street Journal by Jeffrey Sparshott, the “anti-money-laundering rules would apply depending on the ‘factors and circumstances’ of each business.”

This new interpretive guidance is another example of how much value is being converted into virtual currencies and how much these virtual currencies have become part of our daily lives. On May 18, 2009, John D. Sutter on CNN reported that at least $1 billion per year is transferred into virtual currencies each year, primarily for online video games. That’s amazing, and I can only imagine how much more value is converted into virtual currencies today. These virtual currencies, including Bitcoin and amounts in video games and virtual worlds, can have financial value and should be included as part of a person’s estate planning.

Posted in Financial Accounts, Video Games & Virtual Worlds | Tagged , , , , , , , , , , | Comments Off

Jim Lamm Presents at 2013 Miami Law Review Symposium on “Will You Have a Digital Afterlife?”

On Friday, February 15, 2013, I presented a ninety–minute seminar titled “Will You Have a Digital Afterlife?” with Professor Christina L. Kunz, Michael J. McGuire, and Damien A. Riehl at the 2013 Miami Law Review Symposium on Social Media & the Law in Coral Gables, Florida. Our panel discussed how computers, electronically stored information, online accounts, and other digital property have changed the way we interact with people and how we transact business, and this flood of digital property is also changing how fiduciaries and family members administer an estate after a person’s incapacity or death.

Our panel discussed the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel reported on current state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic. We also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. And our panel discussed estate planning tips to plan ahead for digital property during incapacity and after death as well as tips to help identify an incapacitated or deceased person’s online accounts and software tools to help gain access to electronically stored information that may be protected by a password on the person’s smartphone, iPad, or computer.

Posted in General | Tagged , , , , , , , , , , , , , | Comments Off

February 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

Note: please refer to this August 2013 post for an updated list of state laws.

When a person becomes incapacitated or after a person dies, there are significant challenges that fiduciaries and family members face when dealing with that person’s smartphones, computers, electronically stored information, online accounts, Internet domain names, and other digital property. As I’ve mentioned in previous posts, there are four main obstacles for fiduciaries and family members trying to access this digital property (especially online accounts like e–mail accounts, social networking accounts like Facebook, etc.): (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

in May 2011, my colleague Gene Hennig and I submitted to the Uniform Law Commission a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding a person’s online accounts and digital property during incapacity and after death. In January 2012, the Uniform Law Commission appointed a Study Committee, which presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. The first meeting of the Drafting Committee was held November 30 and December 1, 2012, and the second meeting of the Drafting Committee is February 15–17, 2013.

As of the date of this posting, I am aware of five states that currently have enacted specific laws to help fiduciaries deal with e–mail fiduciary access to online accounts, although I believe that several of these laws are too limited in scope:

  1. Connecticut Statutes § 45a–334a (see also Proposed Bill 5227 introduced January 11, 2013, status)
  2. Idaho Statutes §–15–3–715(28)
  3. Oklahoma Statutes § 58–269
  4. Rhode Island General Laws Chapter 33–27
  5. Indiana Code § 29–1–13–1.1

As I mentioned above, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. As of the date of this posting (including the updates mentioned below), I am aware that the following other states that have already introduced or are considering introducing new legislation to address fiduciary access to digital property, although I believe that several of these proposals are too limited in scope:

  1. California
  2. Colorado
  3. Maine: Legislative Document 850 introduced March 5, 2013, (to study the issue), status (thank you to Justin LeBlanc for notifying me about this bill)
  4. Maryland: Senate Bill 29 introduced January 9, 2013, status
  5. Massachusetts
  6. Michigan: House Bill 5929 introduced September 20, 2012, status (thank you to Brian Cohan for notifying me about this bill)
  7. Missouri
  8. Nebraska: Legislative Bill 783 introduced January 5, 2012, status
  9. Nevada: Senate Bill 131 introduced February 18, 2013, status (thank you to Ashley Watkins for notifying me about this bill)
  10. New Hampshire: House Bill 116 introduced January 3, 2013, status
  11. New Jersey: Assembly Bill 2943 introduced May 14, 2012, status
  12. New York: Bill A823–2013 introduced January 9, 2013, status
  13. North Carolina Senate Bill 279 introduced March 12, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  14. North Dakota: House Bill 1455 introduced January 21, 2013, status
  15. Ohio
  16. Oregon Senate Bill 54 introduced January 14, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  17. Pennsylvania: House Bill 2580 introduced August 23, 2012, status
  18. Virginia: Senate Bill 914 introduced January 7, 2013, status

If you are aware of any other state that is considering this type of legislation, please contact me so that I can add it to the list.

[Updated February 25, 2013, to add links to Michigan bill; on March 18, 2013, to add links to Nevada, North Carolina, and Oregon bills; and on April 1, 2013, to add links to the Maine bill]

Posted in General | Tagged , , , , , , , | Comments Off

Jim Lamm Presents on Digital Death at 2013 Heckerling Institute

On Thursday, January 17, 2013, I presented a ninety–minute seminar titled “Digital Death: What to Do When Your Client Is Six Feet Under But His Data Is in the Cloud” with Professor Christina L. Kunz and Damien A. Riehl at the 47th Annual Heckerling Institute on Estate Planning in Orlando, Florida. Our panel discussed how fiduciaries and family members need to inventory, value, and administer smartphones, computers, electronically stored information, online accounts, domain names, and other digital property as part of their duties for estate and trust administrations, guardianships, and conservatorships. We also talked about estate planning tips to plan ahead for digital property during incapacity and after death.

Specifically, we talked about the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. Finally our panel reported on state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic.

You can download the Table of Contents from the seminar materials here: Table of Contents (PDF link).

Posted in E-mail, Intellectual Property Rights, Social Networking Accounts | Tagged , , , , , , , , , , , , , , , | Comments Off

Jim Lamm Quoted in The Wall Street Journal

On January 5, 2013, I was quoted in The Wall Street Journal in the article “Life and Death Online: Who Controls a Digital Legacy?” by Geoffrey A. Fowler.

The article describes a Toronto family’s struggle with a deceased teenager’s digital afterlife, and the obstacles created by criminal laws, privacy laws, and Terms of Service contracts with online account service providers. For more information about the court case mentioned in the article involving Facebook opposing (and successfully blocking) a family’s demand to obtain a decedent’s Facebook account data, read my October 2012 posting about the Facebook case and about the the Stored Communications Act.

Posted in Social Networking Accounts | Tagged , , , , , , , , | Comments Off

Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets

The Uniform Law Commission has appointed a Drafting Committee to address the issue of Fiduciary Access to Digital Assets, and its first meeting will be November 30 and December 1, 2012, in Minneapolis, Minnesota. The ULC studies and reviews state laws to determine which laws should be uniform among the states, and, when appropriate, they draft and propose statutory language to promote uniformity.

In May 2011, my colleague Gene Hennig and I submitted to the ULC a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death. Although I am not a commissioner, I have been actively involved in this ULC process as an observer.

In January 2012, the ULC appointed a Study Committee to consider the issue of Fiduciary Access to Digital Assets. That Study Committee presented its final report at the July 2012 ULC annual meeting.

On July 17, 2012, the ULC appointed a Drafting Committee to prepare a uniform law on Fiduciary Access to Digital Assets. As I mentioned above, the first meeting of the Drafting Committee will be held on November 30 and December 1, 2012, in Minneapolis, Minnesota. The second meeting of the Drafting Committee is scheduled for February 15–16, 2013, in Washington, D.C.

Posted in General | Tagged , , , , , , , | Comments Off

Facebook Blocks Demand for Contents of Deceased User’s Account

On September 20, 2012, Facebook obtained a court order blocking a demand to turn over the contents of a deceased user’s Facebook account. The executor of Sahar Daftary’s estate requested a subpoena to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. According to the court records, the executor disputes that Ms. Daftary committed suicide and “believes that her Facebook account contains critical evidence showing her actual state of mind in the days leading up to her death.” However, the court held that the Stored Communications Act’s privacy rights protect the account contents, and Facebook cannot be compelled to turn over the contents in a civil action.

At first glance, this may appear to be a surprising result. However, I believe this case was decided correctly under the Stored Communications Act. Also, while one key question was not answered by the court in this order, I believe this case is ultimately beneficial to other families and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts. To explain why, let’s first examine the privacy rights under the Stored Communications Act, and then I’ll explain my thoughts about this new Facebook ruling.

Stored Communications Act

The Stored Communications Act (also known as the “Stored Wire and Electronic Communications Act”) is part of the Electronic Communications Privacy Act of 1986. The Stored Communications Act is codified in 18 U.S.C. §§ 2701 through 2712. Among other things, the Stored Communications Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain service providers.

Without going too far into the technical details, in general, the protections under the Stored Communications Act depend on:

  1. Whether the request or demand for information is made by a governmental entity (e.g., in a law enforcement investigation) or by some other person or entity (e.g., in a civil lawsuit);
  2. Whether the company provides services to the public (e.g., Facebook, Google, Yahoo!, Microsoft, and Apple provide services to the public) or whether the services are not publicly available (e.g., an employer that provides e–mail accounts only to its employees);
  3. Whether the request or demand is for the contents of the electronic communications and files (e.g., the body and subject line of an e–mail) or whether the request or demand is for noncontent information (e.g., the user’s name, address, connection records, length of service, type of service, network/IP address, and the means and source of payment for the service);
  4. Whether access to the contents of the electronic communications and files are “restricted in some fashion” or are “completely public”; and
  5. Whether the company provides an “electronic communications service” (ECS) or a “remote computing service” (RCS).

For more a more detailed description of the Stored Communications Act, I recommend reading A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It by Orin S. Kerr.

Estate Administration Example

Let’s walk through an example involving the administration a deceased user’s estate to better understand how the Stored Communications Act applies. Let’s assume the decedent had: (1) a free e–mail account (it doesn’t matter if it’s a Google Gmail account, a Microsoft Hotmail account, or a Yahoo! Mail account); (2) a Facebook account; and (3) an employer–provided e–mail account. Also, let’s assume we have a duly–appointed executor with authority to act on behalf the decedent’s estate (an executor also is referred to as a personal representative of the estate or as an estate administrator).

First, if there is a law enforcement investigation involved regarding the decedent (e.g., a murder investigation involving the decedent’s death or a crime for which the decedent is being investigated), then a governmental entity might want to review the e–mail or Facebook account contents. Under § 2703 of the Stored Communications Act, a governmental entity can compel the disclosure of contents of electronic communications and files protected under the Stored Communications Act by following the proper procedures for the type of information requested from each provider (e.g., a search warrant, subpoena, etc.). That’s beyond the scope of our example, so I’m not going to walk through those procedures.

In our example, the executor of the decedent’s estate is not a governmental entity. So, there are three main options for the executor to obtain the contents of the two e–mail accounts and the Facebook account:

  1. Ask each provider for a copy of the deceased user’s account contents;
  2. File a civil lawsuit against the provider to try to compel the provider to turn over the deceased user’s account contents; and
  3. Use the decedent’s username and password (if you have them) to access the decedent’s e–mail and Facebook accounts to directly obtain a copy of the account contents.

The first option is what I generally recommend. The duly–appointed executor of the decedent’s estate (or, for an incapacitated user’s accounts, the duly–appointed guardian, conservator, or attorney–in–fact under a durable power of attorney) asks the provider for a copy of the account contents and furnishes documentation to the provider showing the fiduciary’s authority (e.g., a copy of the durable power of attorney or a certified copy of the court documents appointing the guardian, conservator, or executor to act on behalf of the living user or of the deceased user’s estate). If the user is deceased, I recommend also furnishing a certified copy of the death certificate to the provider. The executor of a decedent’s estate stands in the shoes of the decedent, so, for purposes of our example, the executor should be able to provide “lawful consent” on behalf of the decedent to divulge the contents of the decedent’s accounts. I will say more about “lawful consent” below (and why the September 20, 2012, Facebook order mentioned above is relevant to this). The second option for the executor—file a civil lawsuit against the provider—does not work if the Stored Communications Act applies. A civil action cannot require (see § 2703) a provider to disclose the contents of electronic communications and files protected under the Stored Communications Act, but the provider may voluntarily disclose the contents if one of the exceptions under § 2702(b) is met. Again, I will say more about the “lawful consent” exception below. The third option for the executor—use the decedent’s username and password to access the account directly—might be construed as “unauthorized access” under a state or federal criminal law. I’ve written previously (here and here) about whether it’s a crime for fiduciaries to access a decedent’s online accounts, and the chilling effect those criminal laws have on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. Since option two doesn’t work if the Stored Communications Act applies and option three might be construed as a criminal act, that leaves the duly–appointed executor (or other fiduciary) with option one as the clear choice: ask each provider for a copy of the deceased user’s account contents and provide appropriate documentation to back up the request.

Second, to continue applying the Stored Communications Act to our example, let’s look at whether the company holding the contents is providing services to the public. For the free e–mail account and the Facebook account in our example, we know that Google, Microsoft, Yahoo!, and Facebook provide these services to the public. But, the employer–provided e–mail account in our example is different, because the typical employer only provides the e–mail account to employees (and a school that provides accounts only to its students and staff also does not provide services to the public). That difference is important because § 2702(a) of the Stored Communications Act prohibits a company that provides ECS or RCS to the public from divulging the contents of the electronic communications or files unless an exception is met. That statutory prohibition on divulging contents doesn’t apply to a company that does not provide ECS or RCS to the public (e.g., the employer–provided e–mail in our example), because there is a different expectation of privacy for the user. So, the company could voluntarily divulge the employer–provided e–mail account contents or might be compelled in a civil proceeding to turn over those contents—the company can’t use § 2702(a) of the Stored Communications Act as a shield to prevent disclosure. But, there may be other reasons that the company can’t or won’t turn over the employer–provided e–mail account contents, such as: (1) a trade secret protected by state law; (2) a non–compete agreement, a non–disclosure agreement, or the company’s electronic resources policy; (3) “protected health information” under the Health Insurance Portability and Accountability Act of 1996—HIPAA (but, an incapacitated employee’s designated health care agent or a deceased employee’s personal representative has authority to request this information); (4) medical information protected from disclosure by a state law or the Americans with Disabilities Act of 1990; (5) “nonpublc personal information” under the Gramm–Leach–Bliley Act; or (6) some other privacy law or privilege.

Third, in our example, the executor of the deceased user’s estate is looking for the contents of the electronic communications and files. Different protections apply for voluntary and compelled disclosure of “contents” versus the “noncontent information” about the account, especially if a governmental entity is making the demand. For our example, similar exceptions apply under the voluntary disclosure rules for contents and noncontent information. I will say more about the “lawful consent” exception below.

Fourth, we need to consider whether access to the contents of the electronic communications and files in our example are “restricted in some fashion” or are “completely public.” If the contents are completely public, the privacy protections of the Stored Communications Act do not apply. On the other hand, if access to the contents is restricted in some fashion, then the privacy protections of the Stored Communications Act do apply. It’s interesting to think of a user’s “privacy rights” with respect to social networking services, such as a user’s Facebook Wall (or MySpace Comments or Google+ Stream), which can be seen by hundreds or even thousands of “friends.” Do those contents receive privacy protections under the Stored Communications Act? The court in Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010), faced this issue and determined that Facebook’s Wall feature and MySpace’s Comments feature are analogous to a restricted–access electronic bulletin board on which friends and family can post messages and news updates. The court in Crispin determined that a user’s Facebook Wall or MySpace Comments postings can have restricted access (receiving privacy protections under the Stored Communications Act) if they are only visible to another person who has been granted access to see the user’s full profile.

Fifth, we look at whether the company provides an “electronic communications service” or a “remote computing service.” Different rules apply for voluntary and compelled disclosure with respect to ECS providers versus RCS providers if a governmental entity is making the demand, but the distinction is less relevant for our example with the executor of a deceased user’s account potentially bringing a civil suit. A single company might be classified as providing just ECS, just RCS, both ECS and RCS, or neither ECS nor RCS. In the Crispin case mentioned above, the court determined that both Facebook and MySpace are ECS providers and RCS providers. With respect to private messaging features of Facebook and MySpace, the court in Crispin determined that these features are analogous to e–mail communications and held that Facebook and MySpace operate as ECS providers with respect to unopened messages and operate as RCS providers with respect to messages that have been opened and retained. The court in Crispin also held that “Facebook and MySpace are ECS providers as respects wall postings and comments and that such communications are in electronic storage. In the alternative, the court holds that the Facebook and MySpace are RCS providers as respects the wall postings and comments.”

Based on the discussion above, for our example, the free e–mail account and the Facebook account have statutory privacy protections under the Stored Communications Act. So, both the company providing the free e–mail account (e.g., Google, Microsoft, Yahoo!, etc.) and Facebook are prohibited by § 2702(a) of the Stored Communications Act from divulging the contents of the electronic communications or files unless an exception is met. If the Stored Communications Act applies and an exception is met under § 2702(b), then the provider may voluntarily divulge the contents but cannot be compelled to divulge the contents in a civil suit. As discussed above, the prohibition against voluntary disclosure under § 2702(a) of the Stored Communications Act does not apply to the employer–provided e–mail contents. With respect to the free e–mail account and the Facebook account, to which the Stored Communications Act does apply, the exception for voluntary disclosure under § 2702(b)(3) is relevant: a provider “may divulge the contents of a communication…with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”

With that “lawful consent” exception under § 2702(b)(3) in mind, the key question is whether the duly–appointed executor of a deceased user’s estate (or other fiduciary for a living user) can provide “lawful consent” so that the provider may voluntarily divulge the contents for purposes of § 2702 of the Stored Communications Act.

Conclusions From the September 20, 2012, Facebook Ruling

Finally, this key question brings us back to the September 20, 2012, court order blocking a demand to turn over the contents of a deceased user’s Facebook account. As I mentioned above, the executor of Sahar Daftary’s estate asked the court to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. From the discussion above, the Stored Communications Act applies, § 2702(a) prevents Facebook from divulging the contents unless an exception is met, and Facebook cannot be compelled to divulge the contents in a civil suit. In its Motion to Quash Subpoena in a Civil Case filed on August 6, 2012, and in its Reply In Support of Motion to Quash Subpoena in a Civil Case filed on August 27, 2012, Facebook asserts that it is not clear that the executor’s consent satisfies the Stored Communications Act’s exception for “lawful consent” under § 2702(b)(3). Facebook argues that different jurisdictions may vest different powers in executors, so this would “impose excessive burdens and risks on Facebook and other service providers.” Facebook also argues that “it would be far too burdensome to require service providers to analyze the law of the relevant jurisdiction each time an administrator asserted the right to consent on behalf of a deceased user. It would also be patently unfair. Service providers are subject to serious penalties for wrongful disclosure.” But, I believe a reasonable counterpoint to this argument by Facebook is that banks and brokerage companies need to deal with fiduciaries on a routine basis, and they’ve figured out a way to make that process work effectively.

To its credit, Facebook offered a reasonable middle ground stating “Facebook would not object if the Court (1) holds that Anisa Daftary may provide lawful consent under Section 2702 of the SCA to the disclosure of communications in Sahar’s account, and (2) orders Facebook to disclose the reasonably accessible communications sought by Applicants.” In this case, Anisa Daftary is both the mother of Sahar Daftary (the deceased Facebook user) and the executor of her estate. However, because the Stored Communications Act applies and the provider cannot be compelled to divulge the contents in a civil suit, the September 20, 2012, order states that the court lacks jurisdiction to address whether the executor of the deceased user’s estate may offer consent so that Facebook may disclose the records voluntarily (the court notes that it would be an impermissible advisory opinion).

So, with all that being said, why do I believe that this case is ultimately beneficial to family members and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts? Because I think the court’s order should give comfort to Facebook and other online account providers to voluntarily disclose an incapacitated or deceased user’s account contents. Facebook mentioned in its pleadings the chilling effect of the Stored Communications Act’s prohibitions (and penalties) on voluntary disclosure of contents unless an exception is met. While the court did not answer the question of whether, as a matter of law, the executor of a deceased user’s estate (or a duly–appointed fiduciary acting on behalf of an incapacitated user) may provide “lawful consent” under § 2702, the final sentence of the court’s opinion suggests what the answer should be. The court said “Of course, nothing prevents Facebook from concluding on its own that Applicants have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” I want to be clear: this sentence is not a determination of the court that others can rely on—it is only obiter dictum. Still, I believe this sentence is ultimately beneficial because it strongly suggests (to me) that this court would not oppose the executor of a deceased user’s estate providing “lawful consent” under § 2702 of the Stored Communications Act. And, this court—the U.S. District Court, Northern District of California—is especially important because the Terms of Service Agreement for Facebook (section 16.1) provides that any disputes must be resolved in a court located in Santa Clara County, California (which is within the boundaries of the U.S. District Court, Northern District of California). In addition, the U.S. District Court, Northern District of California, is the chosen federal court jurisdiction under the Terms of Service Agreement for Apple, Google, LinkedIn (section 8.1), Twitter (section 12.B), WordPress, Yahoo! (section 27), and YouTube (section 14). So, the final sentence from this court’s order, even though it isn’t binding authority, should give comfort to some of the major online account service providers because this court is the key jurisdiction for these providers in the event of a dispute. A notable exception to that list of providers is Microsoft, which selects Washington state for its dispute resolution provision.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , , , , , , | Comments Off

What Happens to Your Apple iTunes Music, Videos, and eBooks When You Die?

Recently, there have been several news stories about what happens to your digital music, videos, and eBooks purchased from Apple’s iTunes when you die. The same question would apply to other digital music, video, and eBook sellers (for example, eBooks purchased on an Amazon Kindle or a Barnes & Noble NOOK). Some of these news stories (for example, this CNN story from September 3, 2012 and this Daily Mail story from September 2, 2012), have speculated that actor Bruce Willis may be considering legal action against Apple regarding his digital music collection, but that has been denied by his wife according to CNN.

I previously wrote about this topic in May 2011, but it’s a good time to dig deeper into these issues. Since then, a new federal case has been filed (but not yet decided) that should answer key questions about what rights a person has in downloaded Apple iTunes digital music files, at least with respect to copyright law. Before I describe this new case, I want to walk through a few of the layers involved and draw some comparisons between digital media files (e.g., songs, videos, and eBooks) and traditional media (e.g., paper books, vinyl records, cassette tapes, CDs, DVDs, Blu–Ray discs, etc.).

“The Account Itself” versus “The Contents”

First, I want to draw a distinction between “the account itself” (e.g., a user’s Apple iTunes account, Amazon Kindle account, Barnes & Noble NOOK account, or a similar digital media account) and “the contents” of the account—the digital files that are downloaded to the user’s device(s) containing the song, video, eBook, etc. The Terms of Service contracts for many service providers do not allow the account itself to be transferred to anyone else. Apple’s Terms of Service contract, for example, says that “As long as you comply with these Terms of Use, Apple grants you a personal, non–exclusive, non–transferable, limited privilege to enter and use the Site.” Some Terms of Service contracts also prohibit a user from allowing anyone else to access the user’s account (Apple’s Terms of Service contract does allow authorized persons to use your account: “You may not use anyone else’s Apple ID, password or account at any time without the express permission and consent of the holder of that Apple ID, password or account.”). Apple has a separate Terms of Service contract for its iTunes store that does not clarify whether a person’s iTunes “account itself” is transferable, but, presumably the general Apple Terms of Service contract’s statement that your use of Apple sites is non–transferable also prohibits the transfer of a person’s iTunes account. If that is the case, the beneficiaries named under a deceased user’s Last Will and Testament (or the decedent’s intestate heirs) would not “receive” a deceased user’s iTunes or Kindle “account itself.” If the beneficiaries do not receive “the account itself” from the decedent, the beneficiaries generally would not be able to use that account to re–download the deceased user’s music, videos, eBooks, etc. from Apple’s iTunes service onto the beneficiary’s device(s).

So, the bottom line is that, after a person becomes incapacitated or dies, the family members and fiduciaries must read the applicable Terms of Service contracts to see whether the digital media accounts—“the accounts themselves”—are transferable or not. If “the account itself” is not transferable, then the family members and fiduciaries must read the applicable Terms of Service contracts to see whether they are authorized to access the incapacitated or deceased user’s digital media account to download the digital media files that the user already paid for. Typically, the user has already downloaded all of the digital media files to the user’s computer, iPod, iPad, Kindle, NOOK, or other electronic devices, but double–check to make sure. Also, the user’s electronic devices may be locked with a lost or forgotten password that prevents the beneficiary from access the digital media files. Once the fiduciaries and family members have the digital media files, the next question is: what happens to those digital media files?

What Can You Do With Your Digital Media Files?

So, what happens to the digital song, video, or eBook files that a deceased user previously legally downloaded to the user’s device(s) from an online service provider (e.g., Apple iTunes, Amazon Kindle, Barnes & Noble NOOK, etc.). Before distributing those digital media files to the appropriate beneficiaries after the user dies, the fiduciaries and family members should consider issues involving: (1) copyright law, (2) the Terms of Service contract where the user purchased the digital file, and (3) whether the digital file has any “digital rights management” (DRM) copy–protection on it.

Except for one interesting potential twist that I’ll discuss below, the copyright law issues and DRM issues should generally be the same for a person’s digital media files as they are for a person’s paper books, vinyl records, cassette tapes, CDs, DVDs, Blu–Ray discs, etc. You generally can’t make multiple copies of these items and hand out those copies to each of your friends and family members (during lifetime or after death), because that would violate the “reproduction right” of the copyright act. 17 U.S.C. § 106. And, if you circumvent the DRM protecting the digital media file, CD, DVD, Blu–Ray disc, etc. from being copied, you may be violating the Digital Millennium Copyright Act of 1988 (DMCA).

In general, you can leave an individual paper book, vinyl record, cassette tape, CD, DVD, Blu–Ray disc, etc. to one beneficiary at death without violating copyright law. Your fiduciaries or beneficiaries could keep it, or they also could sell it or otherwise dispose of it without violating copyright law. Why? The “first sale doctrine” of copyright law permits the owner of a lawfully–made copy to sell or otherwise dispose of that copy. 17 U.S.C. § 109(a). The “first sale doctrine” of copyright law does not require a sale—it also applies to a transfer by gift. UMG Recordings, Inc. v. Augusto, 558 F.Supp.2d 1055 (C.D. Cal. 2008). Just to be clear, the “first sale doctrine” allows you to sell or otherwise dispose of a lawfully–made copy, but it does not allow you to reproduce the copyrighted work.

Before I discuss the interesting potential twist for digital media files and copyright law that I hinted at above, there are two other things to consider when deciding what you can do with your digital media files. First, check whether the Terms of Service contract with Apple iTunes or with another service provider restricts how you can use the digital media files that you download. The iTunes Terms of Service contract has a section of “Usage Rules” that states you can use iTunes media files on up to five iTunes–authorized devices at any time (Apple calls this feature “Home Sharing“) and you can “burn an audio playlist up to seven times” (“burning” describes the process of recording a digital song file onto a CD). But, if you read carefully, those two restrictions don’t apply to “iTunes Plus Products.” These “iTunes Plus Products” are Apple’s digital music and video files sold without DRM, and the iTunes Terms of Service contract says “You may copy, store, and burn iTunes Plus Products as reasonably necessary for personal, noncommercial use.” Second, if a digital media file is protected with DRM (copy–protection), then you have another layer of analysis—whether the digital file can be transferred without violating the Digital Millennium Copyright Act of 1988.

Does the “First Sale Doctrine” of Copyright Law Apply to Digital Media Files?

Finally, if the fiduciaries and family members have obtained the deceased person’s digital media files (songs, videos, eBooks, etc.), have determined that a transfer or sale of the digital media files does not violate the Terms of Service contract with Apple iTunes or with another service provider, and have determined that the digital file can be transferred without circumventing any DRM (and potentially violating the DMCA), then the remaining question is whether the “first sale doctrine” of copyright law applies to the digital media files themselves. That question leads us directly to the the interesting potential twist for digital media files and copyright law that I hinted at above, as well as the pending case that I hinted at above.

The interesting potential twist is that some parties are arguing that selling digital media files (songs, videos, eBooks, etc.) themselves should not fall under the “first sale doctrine” of copyright law because a digital music file itself, as the argument goes, is different from a “material object in which a work is fixed” like a vinyl record, cassette tape, or CD.

For example, when you buy a music CD, you acquire a polycarbonate plastic disc, which is a material object in which the copyrighted music works are fixed. Your rights to give that physical CD away or to sell that physical CD are protected under the “first sale doctrine.” But, can you give away or sell your digital music files? And, does it make a difference if you are transferring just the digital music files themselves versus transferring the iPod (or similar device) containing one or more digital music files that you legally purchased?

The questions above are a central part of the case of Capitol Records, LLC, v. ReDigi Inc., filed in January 2012 in the United States District Court, Southern District of New York, case number 12–CV–0095. ReDigi is an online service “to store, stream, and/or sell your legally purchased digital music.” Capitol Records sued ReDigi on various copyright infringement grounds.

When you buy digital music on your iPod, for example, the iPod is the material object in which the copyrighted music work is fixed. It was stated by Capitol Records’s attorney in a February 6, 2012, hearing in this case that giving away or selling your iPod with the digital music on it is protected under the “first sale doctrine.” But, the potential twist that they argued, essentially, is that you can’t make a reproduction of a particular digital music file itself after it has been “fixed” to your iPod. In other words, giving away or selling a digital music file separate from the iPod involves reproducing the copyrighted song from the iPod to a new storage device, and the “first sale doctrine” only permits you to sell or otherwise dispose of the “material object”—the iPod. This argument is based on the term “copies” in the Copyright Act. Section 106 of the Copyright Act gives a copyright owner exclusive rights “to reproduce the copyrighted work in copies or phonorecords” and “to distribute copies or phonorecords of the copyrighted work.” The key term is “copies,” which is defined in § 101 of the Copyright Act as “material objects, other than phonorecords, in which a work is fixed,” and it “includes the material object, other than a phonorecord, in which the work is first fixed.”

The analogy used by Capitol Records’s attorney in the February 6, 2012, hearing is a paper book. Copyright law allows you to give away the book or to sell the book. But copyright law doesn’t allow you to photocopy the book and give that photocopy to someone else (even if you throw the book in the garbage).

The counter–argument that has been made is that the terminology in 17 U.S.C. § 106 that gives a copyright owner exclusive rights “to reproduce the copyrighted work in copies or phonorecords” and “to distribute copies or phonorecords of the copyrighted work” is identical to the terminology in 17 U.S.C § 109(a) that says “the owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of that copy or phonorecord” (the “first sale doctrine”). In other words, either digital media files are included in “copy or phonorecord” for both the copyright owner’s exclusive rights and the “first sale doctrine” exception to those rights, or, in the alternative, if a digital media file does not fall within the scope of the “first sale doctrine” wording, a digital media file similarly would be excluded from the copyright owner’s exclusive rights under the Copyright Act.

A counter–arugment to that counter–argument is that the “first sale doctrine” only applies to the “actual copy” that is initially made when you downloaded it and “fixed” to your iPod (for example), but you can’t make a reproduction of that “actual copy” that is initially made. In other words, any sale or other disposition of the digital music file itself would be a reproduction. On the other hand, according to statements made by ReDigi’s attorney in the February 6, 2012, hearing in this case, each iTunes digital music file has a unique identifier in it so that you can check to ensure there is only one of that unique digital music file. So, it should be possible to track the “actual copy” that is legally downloaded with its unique identifier (e.g., ReDigi’s software could search a person’s computer and other devices to make sure there aren’t additional copies of that unique digital music file, as well as watching the ReDigi servers to see if that unique digital file goes through their marketplace improperly).

There are other interesting arguments and counter–arguments that will be explored in this case, including the scope of the “fair use doctrine” and the concepts of “time–shifting” and “space–shifting” as they are applied to the digital music files themselves. The final decision in this case may have a significant impact on what happens to your digital music, video, and eBook files themselves when you die (and while you’re alive too), at least with respect to the copyright law issues. This will be very interesting to watch as it develops.

Posted in Intellectual Property Rights | Tagged , , , , , , , , , , , , , | Comments Off

Defending Your Ownership and Privacy in Twitter (and Other Online Accounts)

If law enforcement demands the contents of your electronic communications or non–content records from your Twitter account, do you have standing to challenge the subpoena? A New York criminal court has said “no”—because you don’t have a proprietary interest in your Twitter account, and you don’t have privacy interests in your Tweets.

In an April 20, 2012, order in the case New York v. Harris, the court concluded that a user lacks standing to challenge a New York County District Attorney’s subpoena sent to Twitter demanding user information and postings for a Twitter account allegedly used by Mr. Harris. The court concluded that these records belonged to Twitter, and the user did not have a proprietary interest in his Tweets. The court also noted that, by agreeing to Twitter’s terms of service agreement, the user “was granting a license for Twitter to use, display and distribute the defendant’s Tweets to anyone and for any purpose it may have.” At the time of the order, Twitter’s terms of service agreement said, in part:

By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non–exclusive, royalty–free license to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).

On May 17, 2012, Twitter revised its terms of service agreement to add “You retain your rights to any Content you submit, post or display on or through the Services.” But, the same court in a June 30, 2012, order dismissed Twitter’s argument that users have standing to challenge a subpoena like this one. In an article on AllThingsD, Mike Isaac reported that Twitter plans to appeal the court’s decision.

The court also concluded that the user had no privacy interest in his Tweets because they are able to be viewed by others around the world instantly. In the June 30, 2012, order in this case, the court said that posting a message on Twitter is like yelling your message out your window and being heard by a witness walking across the street: “Well today, the street is an online, information superhighway, and the witnesses can be the third party providers like Twitter, Facebook, Instragram, Pinterest, or the next hot social media application.” The court went on to say that, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy.”

The court ordered Twitter to turn over all non–content information (logs of account usage, basic subscriber information, etc.) related to this user account and to turn over the content information for this user account that is more than 180 days old. The court noted that the government must obtain a search warrant (not just a subpoena) to force Twitter to disclose the content information for the user account that is in temporary electronic storage for 180 days or less, as required by § 2703(a) of the Stored Communications Act.

The reason I mention this case is that ownership interests in online accounts (Twitter, Facebook, e–mail, YouTube, Flickr, etc.) and privacy interests in online accounts are important issues when planning ahead for a person’s incapacity and death, as well as when the fiduciaries and family members are administering the person’s estate after the person becomes incapacitated or dies. I have mentioned before the importance of reading the terms of service agreements for online accounts to see: (1) whether the user’s account terminates at death, (2) whether the user’s account is transferrable, (3) whether the agreement prohibits the user from allowing others (such as a spouse or a duly–appointed fiduciary) from accessing the user’s account (and whether this “unauthorized access” also could be considered a crime), (4) whether the user’s account can be terminated if you breach the terms of the agreement, and (5) which state law governs the agreement.

As the court mentioned in this case, “The world of social media is evolving, as is the law around it.” The court went on to say, “As the laws, rules and societal norms evolve and change with each new advance in technology, so too will the decisions of our courts.” We can see that the terms of service agreements from these online service providers are also evolving with each new court decision, which happened in this case with Twitter changing its agreement between the dates of the April and June 2012 court orders, presumably in response to the April order.

It will be interesting to see what the future holds for new and different types of online accounts and services (including virtual items in video games and other virtual worlds), especially whether a user has some type of ownership interest (a property right, license interest, intellectual property right, etc.) and whether a user has a privacy interest. These are important issues in estate planning, and some of these rights may have financial value.

Posted in E-mail, General, Intellectual Property Rights, Social Networking Accounts, Video Games & Virtual Worlds | Tagged , , , , , , , , , , , , , | Comments Off

How Secure Are Your Online Account Passwords?

With announcements this month from popular Web sites LinkedIn, eHarmony, and Last.fm that a significant number of user passwords may have been compromised, it’s a good time to ask yourself, “How secure are your passwords?” It’s also a good time to change your passwords on these Web sites, if you haven’t done so already.

Microsoft generally recommends using strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols. They also recommend not using the same password for everything. If you use the same password for multiple online accounts, then when one account’s password is compromised, your other accounts also may be compromised. The old adage that “a chain is only as strong as its weakest link” applies to your online accounts. Whitson Gordon posted an interesting article yesterday on Lifehacker explaining the different methods that online service providers use to protect user passwords, and there are significant differences in the level of security that these companies may use.

If you’d like to see an interesting example of how long it may take a hacker to guess your password, Gibson Research Corporation has a useful Web site that estimates the time to search through the possible password character combinations. There is a brief video explanation on their Web site too. For example, an eight character password consisting of only lowercase letters may take up to 2.17 seconds to guess using an offline system that can guess 100 billion passwords per second. Changing that to an eight character password containing an equal number of lowercase letters, uppercase letters, numbers, and symbols results in up to 18.62 hours to guess the password. Changing that to a twelve character password containing an equal number of uppercase letters, lowercase letters, numbers, and symbols results in up to 174,000 years to guess the password. Please note that these estimates are based on the time it would take to try every possible combination of characters, and the password may be guessed before running through every possible combination. These estimates also are based on the number of uppercase letters, lowercase letters, numbers, and symbols that you enter (e.g., three of each type of character in my last example). But, a hacker generally won’t know the precise mix characters that you used, so they may start by trying just lowercase letters and then add more complexity if that isn’t successful. And, if your password is one of the 470,000 or so words in the dictionary or one of the more commonly–used passwords, it may take a hacker only a few seconds to guess your password.

If you’re wondering how to remember all of the strong passwords you’ll need for each of your online accounts, consider using a popular software tool like LastPass, 1Password, KeePass, RoboForm, Keeper, etc. Look for a tool that is secure, easy to update, convenient to use, and portable so that it’s always with you (e.g., on a smartphone). If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

Posted in E-mail, Financial Accounts, General, Social Networking Accounts | Tagged , , , , , , , , , , , , | Comments Off