Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets

Posted on November 19, 2012 by Jim Lamm

The Uniform Law Commission has appointed a Drafting Committee to address the issue of Fiduciary Access to Digital Assets, and its first meeting will be November 30 and December 1, 2012, in Minneapolis, Minnesota. The ULC studies and reviews state laws to determine which laws should be uniform among the states, and, when appropriate, they draft and propose statutory language to promote uniformity.

In May 2011, my colleague Gene Hennig and I submitted to the ULC a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death. Although I am not a commissioner, I have been actively involved in this ULC process as an observer.

In January 2012, the ULC appointed a Study Committee to consider the issue of Fiduciary Access to Digital Assets. That Study Committee presented its final report at the July 2012 ULC annual meeting.

On July 17, 2012, the ULC appointed a Drafting Committee to prepare a uniform law on Fiduciary Access to Digital Assets. As I mentioned above, the first meeting of the Drafting Committee will be held on November 30 and December 1, 2012, in Minneapolis, Minnesota. The second meeting of the Drafting Committee is scheduled for February 15–16, 2013, in Washington, D.C.

Posted in General | Tagged , , , , , , , | Comments Off on Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets

Facebook Blocks Demand for Contents of Deceased User’s Account

Posted on October 11, 2012 by Jim Lamm

On September 20, 2012, Facebook obtained a court order blocking a demand to turn over the contents of a deceased user’s Facebook account. The executor of Sahar Daftary’s estate requested a subpoena to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. According to the court records, the executor disputes that Ms. Daftary committed suicide and “believes that her Facebook account contains critical evidence showing her actual state of mind in the days leading up to her death.” However, the court held that the Stored Communications Act’s privacy rights protect the account contents, and Facebook cannot be compelled to turn over the contents in a civil action.

At first glance, this may appear to be a surprising result. However, I believe this case was decided correctly under the Stored Communications Act. Also, while one key question was not answered by the court in this order, I believe this case is ultimately beneficial to other families and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts. To explain why, let’s first examine the privacy rights under the Stored Communications Act, and then I’ll explain my thoughts about this new Facebook ruling.

Stored Communications Act

The Stored Communications Act (also known as the “Stored Wire and Electronic Communications Act”) is part of the Electronic Communications Privacy Act of 1986. The Stored Communications Act is codified in 18 U.S.C. §§ 2701 through 2712. Among other things, the Stored Communications Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain service providers.

Without going too far into the technical details, in general, the protections under the Stored Communications Act depend on:

  1. Whether the request or demand for information is made by a governmental entity (e.g., in a law enforcement investigation) or by some other person or entity (e.g., in a civil lawsuit);
  2. Whether the company provides services to the public (e.g., Facebook, Google, Yahoo!, Microsoft, and Apple provide services to the public) or whether the services are not publicly available (e.g., an employer that provides e–mail accounts only to its employees);
  3. Whether the request or demand is for the contents of the electronic communications and files (e.g., the body and subject line of an e–mail) or whether the request or demand is for noncontent information (e.g., the user’s name, address, connection records, length of service, type of service, network/IP address, and the means and source of payment for the service);
  4. Whether access to the contents of the electronic communications and files are “restricted in some fashion” or are “completely public”; and
  5. Whether the company provides an “electronic communications service” (ECS) or a “remote computing service” (RCS).

For more a more detailed description of the Stored Communications Act, I recommend reading A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It by Orin S. Kerr.

Estate Administration Example

Let’s walk through an example involving the administration a deceased user’s estate to better understand how the Stored Communications Act applies. Let’s assume the decedent had: (1) a free e–mail account (it doesn’t matter if it’s a Google Gmail account, a Microsoft Hotmail account, or a Yahoo! Mail account); (2) a Facebook account; and (3) an employer–provided e–mail account. Also, let’s assume we have a duly–appointed executor with authority to act on behalf the decedent’s estate (an executor also is referred to as a personal representative of the estate or as an estate administrator).

First, if there is a law enforcement investigation involved regarding the decedent (e.g., a murder investigation involving the decedent’s death or a crime for which the decedent is being investigated), then a governmental entity might want to review the e–mail or Facebook account contents. Under § 2703 of the Stored Communications Act, a governmental entity can compel the disclosure of contents of electronic communications and files protected under the Stored Communications Act by following the proper procedures for the type of information requested from each provider (e.g., a search warrant, subpoena, etc.). That’s beyond the scope of our example, so I’m not going to walk through those procedures.

In our example, the executor of the decedent’s estate is not a governmental entity. So, there are three main options for the executor to obtain the contents of the two e–mail accounts and the Facebook account:

  1. Ask each provider for a copy of the deceased user’s account contents;
  2. File a civil lawsuit against the provider to try to compel the provider to turn over the deceased user’s account contents; and
  3. Use the decedent’s username and password (if you have them) to access the decedent’s e–mail and Facebook accounts to directly obtain a copy of the account contents.

The first option is what I generally recommend. The duly–appointed executor of the decedent’s estate (or, for an incapacitated user’s accounts, the duly–appointed guardian, conservator, or attorney–in–fact under a durable power of attorney) asks the provider for a copy of the account contents and furnishes documentation to the provider showing the fiduciary’s authority (e.g., a copy of the durable power of attorney or a certified copy of the court documents appointing the guardian, conservator, or executor to act on behalf of the living user or of the deceased user’s estate). If the user is deceased, I recommend also furnishing a certified copy of the death certificate to the provider. The executor of a decedent’s estate stands in the shoes of the decedent, so, for purposes of our example, the executor should be able to provide “lawful consent” on behalf of the decedent to divulge the contents of the decedent’s accounts. I will say more about “lawful consent” below (and why the September 20, 2012, Facebook order mentioned above is relevant to this). The second option for the executor—file a civil lawsuit against the provider—does not work if the Stored Communications Act applies. A civil action cannot require (see § 2703) a provider to disclose the contents of electronic communications and files protected under the Stored Communications Act, but the provider may voluntarily disclose the contents if one of the exceptions under § 2702(b) is met. Again, I will say more about the “lawful consent” exception below. The third option for the executor—use the decedent’s username and password to access the account directly—might be construed as “unauthorized access” under a state or federal criminal law. I’ve written previously (here and here) about whether it’s a crime for fiduciaries to access a decedent’s online accounts, and the chilling effect those criminal laws have on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. Since option two doesn’t work if the Stored Communications Act applies and option three might be construed as a criminal act, that leaves the duly–appointed executor (or other fiduciary) with option one as the clear choice: ask each provider for a copy of the deceased user’s account contents and provide appropriate documentation to back up the request.

Second, to continue applying the Stored Communications Act to our example, let’s look at whether the company holding the contents is providing services to the public. For the free e–mail account and the Facebook account in our example, we know that Google, Microsoft, Yahoo!, and Facebook provide these services to the public. But, the employer–provided e–mail account in our example is different, because the typical employer only provides the e–mail account to employees (and a school that provides accounts only to its students and staff also does not provide services to the public). That difference is important because § 2702(a) of the Stored Communications Act prohibits a company that provides ECS or RCS to the public from divulging the contents of the electronic communications or files unless an exception is met. That statutory prohibition on divulging contents doesn’t apply to a company that does not provide ECS or RCS to the public (e.g., the employer–provided e–mail in our example), because there is a different expectation of privacy for the user. So, the company could voluntarily divulge the employer–provided e–mail account contents or might be compelled in a civil proceeding to turn over those contents—the company can’t use § 2702(a) of the Stored Communications Act as a shield to prevent disclosure. But, there may be other reasons that the company can’t or won’t turn over the employer–provided e–mail account contents, such as: (1) a trade secret protected by state law; (2) a non–compete agreement, a non–disclosure agreement, or the company’s electronic resources policy; (3) “protected health information” under the Health Insurance Portability and Accountability Act of 1996—HIPAA (but, an incapacitated employee’s designated health care agent or a deceased employee’s personal representative has authority to request this information); (4) medical information protected from disclosure by a state law or the Americans with Disabilities Act of 1990; (5) “nonpublc personal information” under the Gramm–Leach–Bliley Act; or (6) some other privacy law or privilege.

Third, in our example, the executor of the deceased user’s estate is looking for the contents of the electronic communications and files. Different protections apply for voluntary and compelled disclosure of “contents” versus the “noncontent information” about the account, especially if a governmental entity is making the demand. For our example, similar exceptions apply under the voluntary disclosure rules for contents and noncontent information. I will say more about the “lawful consent” exception below.

Fourth, we need to consider whether access to the contents of the electronic communications and files in our example are “restricted in some fashion” or are “completely public.” If the contents are completely public, the privacy protections of the Stored Communications Act do not apply. On the other hand, if access to the contents is restricted in some fashion, then the privacy protections of the Stored Communications Act do apply. It’s interesting to think of a user’s “privacy rights” with respect to social networking services, such as a user’s Facebook Wall (or MySpace Comments or Google+ Stream), which can be seen by hundreds or even thousands of “friends.” Do those contents receive privacy protections under the Stored Communications Act? The court in Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010), faced this issue and determined that Facebook’s Wall feature and MySpace’s Comments feature are analogous to a restricted–access electronic bulletin board on which friends and family can post messages and news updates. The court in Crispin determined that a user’s Facebook Wall or MySpace Comments postings can have restricted access (receiving privacy protections under the Stored Communications Act) if they are only visible to another person who has been granted access to see the user’s full profile.

Fifth, we look at whether the company provides an “electronic communications service” or a “remote computing service.” Different rules apply for voluntary and compelled disclosure with respect to ECS providers versus RCS providers if a governmental entity is making the demand, but the distinction is less relevant for our example with the executor of a deceased user’s account potentially bringing a civil suit. A single company might be classified as providing just ECS, just RCS, both ECS and RCS, or neither ECS nor RCS. In the Crispin case mentioned above, the court determined that both Facebook and MySpace are ECS providers and RCS providers. With respect to private messaging features of Facebook and MySpace, the court in Crispin determined that these features are analogous to e–mail communications and held that Facebook and MySpace operate as ECS providers with respect to unopened messages and operate as RCS providers with respect to messages that have been opened and retained. The court in Crispin also held that “Facebook and MySpace are ECS providers as respects wall postings and comments and that such communications are in electronic storage. In the alternative, the court holds that the Facebook and MySpace are RCS providers as respects the wall postings and comments.”

Based on the discussion above, for our example, the free e–mail account and the Facebook account have statutory privacy protections under the Stored Communications Act. So, both the company providing the free e–mail account (e.g., Google, Microsoft, Yahoo!, etc.) and Facebook are prohibited by § 2702(a) of the Stored Communications Act from divulging the contents of the electronic communications or files unless an exception is met. If the Stored Communications Act applies and an exception is met under § 2702(b), then the provider may voluntarily divulge the contents but cannot be compelled to divulge the contents in a civil suit. As discussed above, the prohibition against voluntary disclosure under § 2702(a) of the Stored Communications Act does not apply to the employer–provided e–mail contents. With respect to the free e–mail account and the Facebook account, to which the Stored Communications Act does apply, the exception for voluntary disclosure under § 2702(b)(3) is relevant: a provider “may divulge the contents of a communication…with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”

With that “lawful consent” exception under § 2702(b)(3) in mind, the key question is whether the duly–appointed executor of a deceased user’s estate (or other fiduciary for a living user) can provide “lawful consent” so that the provider may voluntarily divulge the contents for purposes of § 2702 of the Stored Communications Act.

Conclusions From the September 20, 2012, Facebook Ruling

Finally, this key question brings us back to the September 20, 2012, court order blocking a demand to turn over the contents of a deceased user’s Facebook account. As I mentioned above, the executor of Sahar Daftary’s estate asked the court to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. From the discussion above, the Stored Communications Act applies, § 2702(a) prevents Facebook from divulging the contents unless an exception is met, and Facebook cannot be compelled to divulge the contents in a civil suit. In its Motion to Quash Subpoena in a Civil Case filed on August 6, 2012, and in its Reply In Support of Motion to Quash Subpoena in a Civil Case filed on August 27, 2012, Facebook asserts that it is not clear that the executor’s consent satisfies the Stored Communications Act’s exception for “lawful consent” under § 2702(b)(3). Facebook argues that different jurisdictions may vest different powers in executors, so this would “impose excessive burdens and risks on Facebook and other service providers.” Facebook also argues that “it would be far too burdensome to require service providers to analyze the law of the relevant jurisdiction each time an administrator asserted the right to consent on behalf of a deceased user. It would also be patently unfair. Service providers are subject to serious penalties for wrongful disclosure.” But, I believe a reasonable counterpoint to this argument by Facebook is that banks and brokerage companies need to deal with fiduciaries on a routine basis, and they’ve figured out a way to make that process work effectively.

To its credit, Facebook offered a reasonable middle ground stating “Facebook would not object if the Court (1) holds that Anisa Daftary may provide lawful consent under Section 2702 of the SCA to the disclosure of communications in Sahar’s account, and (2) orders Facebook to disclose the reasonably accessible communications sought by Applicants.” In this case, Anisa Daftary is both the mother of Sahar Daftary (the deceased Facebook user) and the executor of her estate. However, because the Stored Communications Act applies and the provider cannot be compelled to divulge the contents in a civil suit, the September 20, 2012, order states that the court lacks jurisdiction to address whether the executor of the deceased user’s estate may offer consent so that Facebook may disclose the records voluntarily (the court notes that it would be an impermissible advisory opinion).

So, with all that being said, why do I believe that this case is ultimately beneficial to family members and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts? Because I think the court’s order should give comfort to Facebook and other online account providers to voluntarily disclose an incapacitated or deceased user’s account contents. Facebook mentioned in its pleadings the chilling effect of the Stored Communications Act’s prohibitions (and penalties) on voluntary disclosure of contents unless an exception is met. While the court did not answer the question of whether, as a matter of law, the executor of a deceased user’s estate (or a duly–appointed fiduciary acting on behalf of an incapacitated user) may provide “lawful consent” under § 2702, the final sentence of the court’s opinion suggests what the answer should be. The court said “Of course, nothing prevents Facebook from concluding on its own that Applicants have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” I want to be clear: this sentence is not a determination of the court that others can rely on—it is only obiter dictum. Still, I believe this sentence is ultimately beneficial because it strongly suggests (to me) that this court would not oppose the executor of a deceased user’s estate providing “lawful consent” under § 2702 of the Stored Communications Act. And, this court—the U.S. District Court, Northern District of California—is especially important because the Terms of Service Agreement for Facebook (section 16.1) provides that any disputes must be resolved in a court located in Santa Clara County, California (which is within the boundaries of the U.S. District Court, Northern District of California). In addition, the U.S. District Court, Northern District of California, is the chosen federal court jurisdiction under the Terms of Service Agreement for Apple, Google, LinkedIn (section 8.1), Twitter (section 12.B), WordPress, Yahoo! (section 27), and YouTube (section 14). So, the final sentence from this court’s order, even though it isn’t binding authority, should give comfort to some of the major online account service providers because this court is the key jurisdiction for these providers in the event of a dispute. A notable exception to that list of providers is Microsoft, which selects Washington state for its dispute resolution provision.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , , , , , , | Comments Off on Facebook Blocks Demand for Contents of Deceased User’s Account

What Happens to Your Apple iTunes Music, Videos, and eBooks When You Die?

Posted on September 4, 2012 by Jim Lamm

Recently, there have been several news stories about what happens to your digital music, videos, and eBooks purchased from Apple’s iTunes when you die. The same question would apply to other digital music, video, and eBook sellers (for example, eBooks purchased on an Amazon Kindle or a Barnes & Noble NOOK). Some of these news stories (for example, this CNN story from September 3, 2012 and this Daily Mail story from September 2, 2012), have speculated that actor Bruce Willis may be considering legal action against Apple regarding his digital music collection, but that has been denied by his wife according to CNN.

I previously wrote about this topic in May 2011, but it’s a good time to dig deeper into these issues. Since then, a new federal case has been filed (but not yet decided) that should answer key questions about what rights a person has in downloaded Apple iTunes digital music files, at least with respect to copyright law. Before I describe this new case, I want to walk through a few of the layers involved and draw some comparisons between digital media files (e.g., songs, videos, and eBooks) and traditional media (e.g., paper books, vinyl records, cassette tapes, CDs, DVDs, Blu–Ray discs, etc.).

“The Account Itself” versus “The Contents”

First, I want to draw a distinction between “the account itself” (e.g., a user’s Apple iTunes account, Amazon Kindle account, Barnes & Noble NOOK account, or a similar digital media account) and “the contents” of the account—the digital files that are downloaded to the user’s device(s) containing the song, video, eBook, etc. The Terms of Service contracts for many service providers do not allow the account itself to be transferred to anyone else. Apple’s Terms of Service contract, for example, says that “As long as you comply with these Terms of Use, Apple grants you a personal, non–exclusive, non–transferable, limited privilege to enter and use the Site.” Some Terms of Service contracts also prohibit a user from allowing anyone else to access the user’s account (Apple’s Terms of Service contract does allow authorized persons to use your account: “You may not use anyone else’s Apple ID, password or account at any time without the express permission and consent of the holder of that Apple ID, password or account.”). Apple has a separate Terms of Service contract for its iTunes store that does not clarify whether a person’s iTunes “account itself” is transferable, but, presumably the general Apple Terms of Service contract’s statement that your use of Apple sites is non–transferable also prohibits the transfer of a person’s iTunes account. If that is the case, the beneficiaries named under a deceased user’s Last Will and Testament (or the decedent’s intestate heirs) would not “receive” a deceased user’s iTunes or Kindle “account itself.” If the beneficiaries do not receive “the account itself” from the decedent, the beneficiaries generally would not be able to use that account to re–download the deceased user’s music, videos, eBooks, etc. from Apple’s iTunes service onto the beneficiary’s device(s).

So, the bottom line is that, after a person becomes incapacitated or dies, the family members and fiduciaries must read the applicable Terms of Service contracts to see whether the digital media accounts—“the accounts themselves”—are transferable or not. If “the account itself” is not transferable, then the family members and fiduciaries must read the applicable Terms of Service contracts to see whether they are authorized to access the incapacitated or deceased user’s digital media account to download the digital media files that the user already paid for. Typically, the user has already downloaded all of the digital media files to the user’s computer, iPod, iPad, Kindle, NOOK, or other electronic devices, but double–check to make sure. Also, the user’s electronic devices may be locked with a lost or forgotten password that prevents the beneficiary from access the digital media files. Once the fiduciaries and family members have the digital media files, the next question is: what happens to those digital media files?

What Can You Do With Your Digital Media Files?

So, what happens to the digital song, video, or eBook files that a deceased user previously legally downloaded to the user’s device(s) from an online service provider (e.g., Apple iTunes, Amazon Kindle, Barnes & Noble NOOK, etc.). Before distributing those digital media files to the appropriate beneficiaries after the user dies, the fiduciaries and family members should consider issues involving: (1) copyright law, (2) the Terms of Service contract where the user purchased the digital file, and (3) whether the digital file has any “digital rights management” (DRM) copy–protection on it.

Except for one interesting potential twist that I’ll discuss below, the copyright law issues and DRM issues should generally be the same for a person’s digital media files as they are for a person’s paper books, vinyl records, cassette tapes, CDs, DVDs, Blu–Ray discs, etc. You generally can’t make multiple copies of these items and hand out those copies to each of your friends and family members (during lifetime or after death), because that would violate the “reproduction right” of the copyright act. 17 U.S.C. § 106. And, if you circumvent the DRM protecting the digital media file, CD, DVD, Blu–Ray disc, etc. from being copied, you may be violating the Digital Millennium Copyright Act of 1988 (DMCA).

In general, you can leave an individual paper book, vinyl record, cassette tape, CD, DVD, Blu–Ray disc, etc. to one beneficiary at death without violating copyright law. Your fiduciaries or beneficiaries could keep it, or they also could sell it or otherwise dispose of it without violating copyright law. Why? The “first sale doctrine” of copyright law permits the owner of a lawfully–made copy to sell or otherwise dispose of that copy. 17 U.S.C. § 109(a). The “first sale doctrine” of copyright law does not require a sale—it also applies to a transfer by gift. UMG Recordings, Inc. v. Augusto, 558 F.Supp.2d 1055 (C.D. Cal. 2008). Just to be clear, the “first sale doctrine” allows you to sell or otherwise dispose of a lawfully–made copy, but it does not allow you to reproduce the copyrighted work.

Before I discuss the interesting potential twist for digital media files and copyright law that I hinted at above, there are two other things to consider when deciding what you can do with your digital media files. First, check whether the Terms of Service contract with Apple iTunes or with another service provider restricts how you can use the digital media files that you download. The iTunes Terms of Service contract has a section of “Usage Rules” that states you can use iTunes media files on up to five iTunes–authorized devices at any time (Apple calls this feature “Home Sharing“) and you can “burn an audio playlist up to seven times” (“burning” describes the process of recording a digital song file onto a CD). But, if you read carefully, those two restrictions don’t apply to “iTunes Plus Products.” These “iTunes Plus Products” are Apple’s digital music and video files sold without DRM, and the iTunes Terms of Service contract says “You may copy, store, and burn iTunes Plus Products as reasonably necessary for personal, noncommercial use.” Second, if a digital media file is protected with DRM (copy–protection), then you have another layer of analysis—whether the digital file can be transferred without violating the Digital Millennium Copyright Act of 1988.

Does the “First Sale Doctrine” of Copyright Law Apply to Digital Media Files?

Finally, if the fiduciaries and family members have obtained the deceased person’s digital media files (songs, videos, eBooks, etc.), have determined that a transfer or sale of the digital media files does not violate the Terms of Service contract with Apple iTunes or with another service provider, and have determined that the digital file can be transferred without circumventing any DRM (and potentially violating the DMCA), then the remaining question is whether the “first sale doctrine” of copyright law applies to the digital media files themselves. That question leads us directly to the the interesting potential twist for digital media files and copyright law that I hinted at above, as well as the pending case that I hinted at above.

The interesting potential twist is that some parties are arguing that selling digital media files (songs, videos, eBooks, etc.) themselves should not fall under the “first sale doctrine” of copyright law because a digital music file itself, as the argument goes, is different from a “material object in which a work is fixed” like a vinyl record, cassette tape, or CD.

For example, when you buy a music CD, you acquire a polycarbonate plastic disc, which is a material object in which the copyrighted music works are fixed. Your rights to give that physical CD away or to sell that physical CD are protected under the “first sale doctrine.” But, can you give away or sell your digital music files? And, does it make a difference if you are transferring just the digital music files themselves versus transferring the iPod (or similar device) containing one or more digital music files that you legally purchased?

The questions above are a central part of the case of Capitol Records, LLC, v. ReDigi Inc., filed in January 2012 in the United States District Court, Southern District of New York, case number 12–CV–0095. ReDigi is an online service “to store, stream, and/or sell your legally purchased digital music.” Capitol Records sued ReDigi on various copyright infringement grounds.

When you buy digital music on your iPod, for example, the iPod is the material object in which the copyrighted music work is fixed. It was stated by Capitol Records’s attorney in a February 6, 2012, hearing in this case that giving away or selling your iPod with the digital music on it is protected under the “first sale doctrine.” But, the potential twist that they argued, essentially, is that you can’t make a reproduction of a particular digital music file itself after it has been “fixed” to your iPod. In other words, giving away or selling a digital music file separate from the iPod involves reproducing the copyrighted song from the iPod to a new storage device, and the “first sale doctrine” only permits you to sell or otherwise dispose of the “material object”—the iPod. This argument is based on the term “copies” in the Copyright Act. Section 106 of the Copyright Act gives a copyright owner exclusive rights “to reproduce the copyrighted work in copies or phonorecords” and “to distribute copies or phonorecords of the copyrighted work.” The key term is “copies,” which is defined in § 101 of the Copyright Act as “material objects, other than phonorecords, in which a work is fixed,” and it “includes the material object, other than a phonorecord, in which the work is first fixed.”

The analogy used by Capitol Records’s attorney in the February 6, 2012, hearing is a paper book. Copyright law allows you to give away the book or to sell the book. But copyright law doesn’t allow you to photocopy the book and give that photocopy to someone else (even if you throw the book in the garbage).

The counter–argument that has been made is that the terminology in 17 U.S.C. § 106 that gives a copyright owner exclusive rights “to reproduce the copyrighted work in copies or phonorecords” and “to distribute copies or phonorecords of the copyrighted work” is identical to the terminology in 17 U.S.C § 109(a) that says “the owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of that copy or phonorecord” (the “first sale doctrine”). In other words, either digital media files are included in “copy or phonorecord” for both the copyright owner’s exclusive rights and the “first sale doctrine” exception to those rights, or, in the alternative, if a digital media file does not fall within the scope of the “first sale doctrine” wording, a digital media file similarly would be excluded from the copyright owner’s exclusive rights under the Copyright Act.

A counter–arugment to that counter–argument is that the “first sale doctrine” only applies to the “actual copy” that is initially made when you downloaded it and “fixed” to your iPod (for example), but you can’t make a reproduction of that “actual copy” that is initially made. In other words, any sale or other disposition of the digital music file itself would be a reproduction. On the other hand, according to statements made by ReDigi’s attorney in the February 6, 2012, hearing in this case, each iTunes digital music file has a unique identifier in it so that you can check to ensure there is only one of that unique digital music file. So, it should be possible to track the “actual copy” that is legally downloaded with its unique identifier (e.g., ReDigi’s software could search a person’s computer and other devices to make sure there aren’t additional copies of that unique digital music file, as well as watching the ReDigi servers to see if that unique digital file goes through their marketplace improperly).

There are other interesting arguments and counter–arguments that will be explored in this case, including the scope of the “fair use doctrine” and the concepts of “time–shifting” and “space–shifting” as they are applied to the digital music files themselves. The final decision in this case may have a significant impact on what happens to your digital music, video, and eBook files themselves when you die (and while you’re alive too), at least with respect to the copyright law issues. This will be very interesting to watch as it develops.

Posted in Intellectual Property Rights | Tagged , , , , , , , , , , , , , | Comments Off on What Happens to Your Apple iTunes Music, Videos, and eBooks When You Die?

Defending Your Ownership and Privacy in Twitter (and Other Online Accounts)

Posted on July 25, 2012 by Jim Lamm

If law enforcement demands the contents of your electronic communications or non–content records from your Twitter account, do you have standing to challenge the subpoena? A New York criminal court has said “no”—because you don’t have a proprietary interest in your Twitter account, and you don’t have privacy interests in your Tweets.

In an April 20, 2012, order in the case New York v. Harris, the court concluded that a user lacks standing to challenge a New York County District Attorney’s subpoena sent to Twitter demanding user information and postings for a Twitter account allegedly used by Mr. Harris. The court concluded that these records belonged to Twitter, and the user did not have a proprietary interest in his Tweets. The court also noted that, by agreeing to Twitter’s terms of service agreement, the user “was granting a license for Twitter to use, display and distribute the defendant’s Tweets to anyone and for any purpose it may have.” At the time of the order, Twitter’s terms of service agreement said, in part:

By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non–exclusive, royalty–free license to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).

On May 17, 2012, Twitter revised its terms of service agreement to add “You retain your rights to any Content you submit, post or display on or through the Services.” But, the same court in a June 30, 2012, order dismissed Twitter’s argument that users have standing to challenge a subpoena like this one. In an article on AllThingsD, Mike Isaac reported that Twitter plans to appeal the court’s decision.

The court also concluded that the user had no privacy interest in his Tweets because they are able to be viewed by others around the world instantly. In the June 30, 2012, order in this case, the court said that posting a message on Twitter is like yelling your message out your window and being heard by a witness walking across the street: “Well today, the street is an online, information superhighway, and the witnesses can be the third party providers like Twitter, Facebook, Instragram, Pinterest, or the next hot social media application.” The court went on to say that, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy.”

The court ordered Twitter to turn over all non–content information (logs of account usage, basic subscriber information, etc.) related to this user account and to turn over the content information for this user account that is more than 180 days old. The court noted that the government must obtain a search warrant (not just a subpoena) to force Twitter to disclose the content information for the user account that is in temporary electronic storage for 180 days or less, as required by § 2703(a) of the Stored Communications Act.

The reason I mention this case is that ownership interests in online accounts (Twitter, Facebook, e–mail, YouTube, Flickr, etc.) and privacy interests in online accounts are important issues when planning ahead for a person’s incapacity and death, as well as when the fiduciaries and family members are administering the person’s estate after the person becomes incapacitated or dies. I have mentioned before the importance of reading the terms of service agreements for online accounts to see: (1) whether the user’s account terminates at death, (2) whether the user’s account is transferrable, (3) whether the agreement prohibits the user from allowing others (such as a spouse or a duly–appointed fiduciary) from accessing the user’s account (and whether this “unauthorized access” also could be considered a crime), (4) whether the user’s account can be terminated if you breach the terms of the agreement, and (5) which state law governs the agreement.

As the court mentioned in this case, “The world of social media is evolving, as is the law around it.” The court went on to say, “As the laws, rules and societal norms evolve and change with each new advance in technology, so too will the decisions of our courts.” We can see that the terms of service agreements from these online service providers are also evolving with each new court decision, which happened in this case with Twitter changing its agreement between the dates of the April and June 2012 court orders, presumably in response to the April order.

It will be interesting to see what the future holds for new and different types of online accounts and services (including virtual items in video games and other virtual worlds), especially whether a user has some type of ownership interest (a property right, license interest, intellectual property right, etc.) and whether a user has a privacy interest. These are important issues in estate planning, and some of these rights may have financial value.

Posted in E-mail, General, Intellectual Property Rights, Social Networking Accounts, Video Games & Virtual Worlds | Tagged , , , , , , , , , , , , , | Comments Off on Defending Your Ownership and Privacy in Twitter (and Other Online Accounts)

How Secure Are Your Online Account Passwords?

Posted on June 21, 2012 by Jim Lamm

With announcements this month from popular Web sites LinkedIn, eHarmony, and Last.fm that a significant number of user passwords may have been compromised, it’s a good time to ask yourself, “How secure are your passwords?” It’s also a good time to change your passwords on these Web sites, if you haven’t done so already.

Microsoft generally recommends using strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols. They also recommend not using the same password for everything. If you use the same password for multiple online accounts, then when one account’s password is compromised, your other accounts also may be compromised. The old adage that “a chain is only as strong as its weakest link” applies to your online accounts. Whitson Gordon posted an interesting article yesterday on Lifehacker explaining the different methods that online service providers use to protect user passwords, and there are significant differences in the level of security that these companies may use.

If you’d like to see an interesting example of how long it may take a hacker to guess your password, Gibson Research Corporation has a useful Web site that estimates the time to search through the possible password character combinations. There is a brief video explanation on their Web site too. For example, an eight character password consisting of only lowercase letters may take up to 2.17 seconds to guess using an offline system that can guess 100 billion passwords per second. Changing that to an eight character password containing an equal number of lowercase letters, uppercase letters, numbers, and symbols results in up to 18.62 hours to guess the password. Changing that to a twelve character password containing an equal number of uppercase letters, lowercase letters, numbers, and symbols results in up to 174,000 years to guess the password. Please note that these estimates are based on the time it would take to try every possible combination of characters, and the password may be guessed before running through every possible combination. These estimates also are based on the number of uppercase letters, lowercase letters, numbers, and symbols that you enter (e.g., three of each type of character in my last example). But, a hacker generally won’t know the precise mix characters that you used, so they may start by trying just lowercase letters and then add more complexity if that isn’t successful. And, if your password is one of the 470,000 or so words in the dictionary or one of the more commonly–used passwords, it may take a hacker only a few seconds to guess your password.

If you’re wondering how to remember all of the strong passwords you’ll need for each of your online accounts, consider using a popular software tool like LastPass, 1Password, KeePass, RoboForm, Keeper, etc. Look for a tool that is secure, easy to update, convenient to use, and portable so that it’s always with you (e.g., on a smartphone). If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

Posted in E-mail, Financial Accounts, General, Social Networking Accounts | Tagged , , , , , , , , , , , , | Comments Off on How Secure Are Your Online Account Passwords?

Wisconsin Family Struggles to Obtain Access to Deceased Son’s Facebook and Gmail Accounts

Posted on June 1, 2012 by Jim Lamm

A June 1, 2012, article by Jessica Hopper posted on MSNBC’s Rock Center, describes a Wisconsin family’s attempts to gain access to their deceased son’s online accounts. As I mention in previous postings, it can be a very time–consuming, expensive, and frustrating process.

The first problem is that most major Web services won’t reveal or reset the password of an incapacitated or deceased person. The second problem is that the Terms of Service contracts at some major Web services prohibit you from allowing anyone else to access your account, which may prevent even a court–appointed and duly–authorized fiduciary from fully accessing an incapacitated or deceased person’s account. And, if you aren’t authorized to access the incapacitated or deceased person’s account, you may be violating a state or federal criminal law regarding unauthorized access to computers or computer systems. Third, the Terms of Service contracts for some major Web services, like the one for Yahoo!, says that your account terminates at death. Finally, the Terms of Service contracts for most major Web services say that the online account is not transferrable or only transferrable with permission.

In this Wisconsin family’s situation, it appears that they have been struggling with access to their deceased son’s Facebook account and Google Gmail account. I have not seen copies of any of the pleadings filed in this case or the orders signed by Judge Joseph D. Boles of the Pierce County Circuit Court, so I’m not sure if the family requested a copy of “the contents” of these online accounts or whether they requested full access to “the account itself.” I’ve previously explained the difference between trying to obtain “the contents” versus full access to “the account itself.” The article notes that Facebook has received a copy of the Wisconsin Circuit Court’s order but has not responded yet.

In this situation, I don’t know whether Facebook or Google were made parties to the court proceedings (served with notice of the pending action and given an opportunity to be heard by the court) before the orders were issued. This may be an important element in this case. My understanding is that, in the past, Yahoo! has asserted that a general court order, without naming Yahoo! as a party to the court proceedings, is not sufficient for them to turn over the e–mail account contents. For example, in the Michigan case In re Ellsworth, No. 2005–296, 651–DE (Mich. Prob. Ct. 2005), a family made Yahoo! a party to the court proceeding, gave Yahoo! notice of the proceeding, and a Yahoo! representative appeared at the hearing. Following the order in the Ellsworth case, Yahoo! turned over the contents of the deceased user’s e–mail account to the family.

It will be interesting to see how Facebook and Google respond to this Wisconsin family’s requests and the court’s orders.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , | Comments Off on Wisconsin Family Struggles to Obtain Access to Deceased Son’s Facebook and Gmail Accounts

WSJ Article on Access to Online Accounts After a Business Owner Dies

Posted on May 21, 2012 by Jim Lamm

There is an article by Molly Williams in today’s Wall Street Journal titled “If a Business Owner Dies, Who Can Access the Web?” The article points out that some small businesses have only one person who knows the passwords to the important online accounts for the business, and that could disastrous for the business if that person becomes incapacitated or dies without writing down the passwords so that others can access the accounts. Ensuring access to the business’s important online accounts is an important part of business continuity planning—a business may need to handle online customer orders, online purchases from suppliers, online payroll software, online bill paying, online marketing, e–mails, and more.

In general, I suggest that a business use its own e–mail server or have the business contract with a commercial e–mail service provider—do not rely on a free e–mail service for your business e–mails. Why? Because the Terms of Service contracts at the major free e–mail service providers (Google, Microsoft, and Yahoo!), say that these accounts are not transferable (or transferable only with permission). So, if the business e–mail account is registered in the individual owner’s name at one of the free e–mail services, the account probably cannot be transferred.

Also, the Yahoo! Terms of Service contract says that your account terminates when you die. The Terms of Service contracts at many other service providers are silent about what happens to your account when you die. If a business contracts directly with a commercial e–mail service provider (rather than one of the free e–mail providers), the account could continue after the owner dies.

The Microsoft and Facebook Terms of Service contracts say that only you may use your account, and you must not authorize a third party to access or use your account. This probably does not work well for business purposes, where more than one person may need to access the online account. As I have mentioned before, it could be considered a crime to access another person’s online accounts—even if you are the duly–authorized fiduciary for that person—if you “exceed authorized access” under the online account’s Terms of Service contract. The Wall Street Journal article quotes me as recommending not to access another person’s account using the person’s password—instead, the duly–authorized fiduciary for that person should contact the service provider to request the contents of the account to avoid potential charges of “exceeding authorized access.” I’ve previously mentioned the proper procedures for contacting Google, contacting Microsoft, and contacting Facebook. For a Yahoo! e–mail account, you can contact Yahoo! Customer Care to start the process, but note that, in the past, they have required a court order directing them to turn over the e–mail account contents citing privacy concerns.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , | Comments Off on WSJ Article on Access to Online Accounts After a Business Owner Dies

Update on Whether It’s a Crime for Fiduciaries to Access a Decedent’s Online Accounts

Posted on April 11, 2012 by Jim Lamm

I’ve written previously that using an incapacitated or deceased person’s passwords to access that person’s online accounts may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On April 10, 2012, the Ninth Circuit Court of Appeals issued an opinion in United States v. Nosal regarding the scope of the phase “exceed authorized access” under § 1030 of the Computer Fraud and Abuse Act.

In this case, David Nosal, a former employee of Korn/Ferry, convinced current Korn/Ferry employees to obtain information from a confidential Korn/Ferry database—information that Mr. Nosal could use to help start a competing business. The current Korn/Ferry employees were authorized to access the database, but disclosing that confidential information violated Korn/Ferry’s company policies. The criminal charge was “exceeding authorized access” under the Computer Fraud and Abuse Act because the company’s policy was violated.

The Ninth Circuit held in this case that “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Note that the key phrase in that quote is “use restrictions.” The Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” In this case, the current company employees had permission to access the confidential company database, but the company’s policies restricted the use of the information. So, the criminal charge of “exceeding authorized access” under the Computer Fraud and Abuse Act was dismissed.

As I have discussed before, the U.S. Department of Justice has asserted that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the Computer Fraud and Abuse Act when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position may have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

This case is interesting for fiduciaries and family members because the Ninth Circuit narrowly construes the phrase “exceeds authorized access,” despite the government arguing for a very broad construction of “exceeds authorized access.” Although it is not part of the Ninth Circuit’s holding, the most interesting portion of the order to me is the Discussion section of the Ninth Circuit’s opinion, where the court gives several examples of the consequences of the government’s broad construction, including an example about Facebook’s Terms of Service contract provision regarding letting someone else access your account:

For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007–March 1, 2012, § 2.3, http://www.google.com/intl/en/ policies/terms/archive/20070416 (“You may not use the Services and may not accept the Terms if…you are not of legal age to form a binding contract with Google….”) (last visited Mar. 4, 2012). Adopting the government’s interpretation would turn vast numbers of teens and pre–teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password,…let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

…Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms (“YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 130 S. Ct. 1577, 1591 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17–year–old boy and cyber–bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

So, although the Ninth Circuit’s actual holding in this case does not specifically resolve the question of whether using an incapacitated or deceased person’s passwords to access that person’s online accounts is a crime (if that “exceeds authorized access” when the Web service’s Terms of Service contract prohibits letting others access the online account), the opinion’s discussion about Facebook’s Terms of Service provision gives me some hope for the future. Keep in mind that the Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use,” so the chilling effect on fiduciaries and family members accessing online accounts remains a problem.

For more discussion of United States v. Nosal, read the April 10, 2012, article by Orin Kerr at The Volokhh Conspiracy, including a mention of disagreement among the circuit courts about whether to interpret the Computer Fraud and Abuse Act broadly or narrowly, which could lead to a Supreme Court opinion on this issue in the future.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs | Tagged , , , , , , , , , , , , , | Comments Off on Update on Whether It’s a Crime for Fiduciaries to Access a Decedent’s Online Accounts

Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Posted on March 25, 2012 by Jim Lamm

Previously, I’ve written about courts ordering spouses to reveal their Facebook passwords in the course of a divorce proceeding. In the past few weeks, there have been several stories about employers asking a job applicant to reveal the applicant’s Facebook username and password and schools asking a student to reveal the student’s Facebook username and password. See articles here, here, here, here, and here for a sampling of articles. The ACLU quickly condemned this practice as an invasion of privacy and has encouraged legislation to protect users’ privacy.

Facebook’s Chief Privacy Officer, Erin Egan, posted on March 23, 2012, that demanding access to a Facebook user’s profile and private information “undermines the privacy expectations and the security of both the user and the user’s friends.” She states, “That’s why we made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” She also states, “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action.”

In a previous post about Planning Ahead for Access to Contents of a Decedent’s Online Accounts, I cautioned against having a family member or fiduciary use the password of an incapacitated or deceased user to gain full access to that user’s online accounts (“the account itself”) because it may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. According to the statement quoted above by Facebook’s Chief Privacy Officer, in addition to state or federal criminal laws, Facebook may initiate legal action (presumably a civil law suit against the person exceeding access to the Facebook account) where appropriate to protect the privacy and security of users.

It’s essential to plan ahead with a list of passwords so that, during a period of incapacity or after your death, your fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. But, your fiduciaries and family members must think carefully about the potential for criminal penalties or civil lawsuits if they try to use your list of passwords to get full access to any of your online accounts (“the account itself”). As I’ve discussed before, the safer course of action for now it so have the duly–appointed fiduciary for an incapacitated or deceased person request a copy of “the contents” of the online account from the online service provider, and that should not be construed as “unauthorized access.”

Posted in Social Networking Accounts | Tagged , , , , , , , | Comments Off on Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Jim Lamm Quoted in The Wall Street Journal’s Law Blog

Posted on February 14, 2012 by Jim Lamm

On February13, 2012, I was quoted in The Wall Street Journal’s Law Blog in the article “What Happens to Your ‘Digital Assets’ When You Die?” by Steve Eder. The article also quotes my colleague, Gene Hennig, who co–authored a Project Proposal with me in May 2011 to the Uniform Law Commission for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death.

Posted in General | Tagged , , , , , | Comments Off on Jim Lamm Quoted in The Wall Street Journal’s Law Blog