Our blog has moved! Now redirecting to new blog...

Welcome to the website of the Internet and Intellectual Property Justice Clinic, a University of San Francisco School of Law clinical program that provides legal assistance to parties in intellectual property matters. For more information, see the "About Us" page.

Our website includes commentary from our students on cutting-edge internet law and intellectual property topics. Those posts are listed below, and more are archived under "Pages" on the right. Enjoy!

Special Section: Privacy in a Digital Age

Suppose you were a professional whose name when Googled linked to a porn site.  Or, you emailed a picture of your child to friends and found it reproduced on sites that you had never heard of.  Or, you received a notice from your ISP that they were going to turn your identification to a plaintiff in a copyright suit who was accusing you of illegally downloading a movie or recording you had never seen or heard.

In a digital age, new challenges arise concerning privacy and privacy rights. The problems described below are some of the legal issues that have come up in our Law School Clinic, which has been dedicated to Internet and Intellectual Property cases for the past 10 years (and will be addressed on this site).

-Robert Talbot


1. What are the privacy protections of Facebook and other social networks?

After receiving much criticism from policy groups and the media, Facebook has attempted to provide its users with more information before changing its privacy policy. But you have to be careful and monitor your own account. Facebook will post its privacy policy on your account and give you a set number of days to opt out.

If you own a Facebook account you should spend five minutes to go through the account and privacy settings. There you can select who can see your information, whom can use your information, and lessen the chance of photos of you ending up on Google searches.

From a legal standpoint, this is an area that is currently undecided. In 2010, a class action lawsuit was filed against Facebook regarding the use of private information for advertising purposes. The plaintiffs allege that Facebook is in violation of California Business Code § 17200, California Penal Code § 502, California Civil Code § 1750, breach of contract, breach of implied contracts, breach of implied covenant of good faith and fair dealing, California Civil Code § 1572 and 1573, unjust enrichment, negligence, and negligence per se.

2. If I am accused anonymously of illegally downloading a movie, can plaintiff who has my IP address discover my personal identity and address?

Yes. Generally, a plaintiff will file a John Doe lawsuit and subpoena the Internet Service Provider for your identity and address. Currently there is not a universal standard for determining whether the plaintiff can obtain this information. If someone is trying to retrieve your personal information, you should contact an attorney in your state that is familiar with the applicable standard.

Courts have applied the following standards:

Summary judgment standard: A plaintiff must make a sufficient showing on all essential elements of the case for which it has the burden of proof.

Balancing test: In addition to the summary judgment standard, the courts also balance the strength of the plaintiff’s case against the individual’s interest in remaining anonymous.

Motion to dismiss: This is a lower standard. Here, plaintiff must only show that the claim, even if true, does not have a legal remedy.

Good faith standard: This is the lowest standard. Here, the plaintiff is only required to bring the suit in good faith and show there was no intent to harass the defendant.

3. Can I prevent the ISP from revealing my personal information?

Yes. The ISP can challenge the subpoena on your behalf, but they are not required to do so. Sometimes service providers will notify you prior to responding to the subpoena. If you find out about the lawsuit you can file a motion to quash the subpoena. But you must act quickly; generally you must do this within 7 days. You also do not want to reveal your identity on the motion. One court found that revealing your identity on a motion to quash constituted a voluntary waiver of anonymity. This is very complicated and procedural. You should contact an attorney in your state before proceeding.

4. What is a motion to quash?

A motion to quash is when an individual asks the court to set aside or invalidate an action. When a plaintiff subpoenas an Internet Service Provider for IP addresses, names, or other personal information, the ISP, defendant, or someone on behalf of the defendant may move to quash the subpoena.

5. If my name appears in a search engine and is linked to a pornographic site, does this violate any privacy rights?

Your privacy rights are not violated simply because your name appears in a search engine and is linked to a pornographic site. Many people could have your name; the link does not necessarily refer to you. If, in fact, the site is referring to you, this could be a violation of your privacy rights, publicity rights, and/or defamatory. To remove your name you can contact the search engine itself to see if they will remove the material and/or bring legal action against the website that has used your name.

6. Can the government obtain my email messages?

They can always obtain the email messages with a warrant. The question is whether a warrant is required. Inevitably this issue will need to be decided by the United States Supreme Court. Recently in the United States v. Warshak, the Sixth Circuit found that email was protected by the Fourth Amendment and law enforcement needed to obtain a warrant before accessing email.

7. Can private parties obtain my email messages in a lawsuit?

Yes. In the discovery process, the opposition may request certain documents that pertain to the lawsuit. If an email is responsive to their request, and not protected by the attorney-client privilege, you will have to turn over your email. If you do not want the email to be made public, you should seek a protective order, which prevents public disclosure of confidential information.

8. Can my employer view my email?

The Stored Communications Act protects individuals from having their email accessed without authorization. Unfortunately, the Stored Communications Act does not apply to corporate or other nonpublic networks. Furthermore, most companies now have you sign an agreement waiving any privacy interests. Recently the United States Supreme Court went even further and held that it was not a violation of the Fourth Amendment for a public employer to examine an employee’s personal text messages. The lesson is this: be careful with your electronic communications at work.

9. What happens when I delete a file?

It’s very difficult to actually delete a file. Even when you’ve placed the file in the recycle bin and deleted it, certain information will still remain on the hard disk. Computer forensic experts can retrieve chunks of data even if it has been overwritten several times. 


Right to Privacy on the Internet

By Patrick L.

This note will explore an individual’s legal right to privacy on Facebook.

The right to privacy is rooted in the 4th Amendment to the United States’ Constitution, which protects a person’s legitimate expectations of privacy. U.S. Const. amend. IV. This means that if an individual has both a subjective (actual) and objective (reasonable) expectation of privacy it is an expectation that society will recognize. This right to privacy is accorded to both citizens and non-citizens while on U.S. soil.

In 1986 Congress passed a federal law regulating the privacy of communication. Information posted on a website is subject to regulation under the federal Stored Communications Act (SCA). 18 U.S.C.A. §§ 2701-2712. The SCA permits disclosure of electronic communications that are publicly posted.

In regards to the right of privacy with respect to communications made via an Internet website, such as Facebook, the 9th Circuit has found that the unauthorized viewing of a secured website was an unlawful invasion of privacy. Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035 (9th Cir. 2001). In Konop the website at issue was designed as a secure website requiring a user name and password to which an individual could only get a user name and password from Konop. Konop created the website and granted access to fellow employees of Hawaiian Airlines so they could discuss their experiences working for Hawaiian Airlines. Id. The court found the limited access to the website which could only be granted by the creator of the website to be a distinction from other websites requiring a user name and password. Id. This distinction gave the user’s of the website Konop created a higher expectation of privacy than a website which would allow anyone to create there own user name and password. Id.

Websites that are readily available to the public—websites that anyone can access without a user name or password—do not carry an expectation of privacy regarding electronic communications made through the website. Id. A secured website is one that requires a user to insert a user name and password to access the site. Facebook is a website that requires a user name and password to access the site. However, anyone can create their own user name and password and be granted access to the Facebook website. In Konop the user names and passwords were created by the administrator of the website, who only granted access to the website to certain co-workers.

Facebook’s Privacy Policy

Many websites, including Facebook, have privacy policies designed to protect an individual’s privacy and assure them that information a user posts on the website will not be readily available to anyone on the Internet. Facebook has an extensive privacy policy which can be found by clicking on the word “Privacy” located at the bottom right hand corner of the Facebook page and displayed as a blue hyperlink. Anyone who signs up can become a Facebook user, as long as they are at least 13 years old. Being a Facebook user allows people to stay in touch with friends through posting comments and pictures on a person’s Facebook page, and through live instant-message chatting.

A Facebook user can post as much or as little information about themselves as they want on the profile page. A Facebook user’s profile page is the central part of having a Facebook account where a user can update their status, receive messages from friends, and post pictures. Facebook’s default privacy settings allow other Facebook users to view this information when looking at the profile page. These privacy settings can be changed by each individual user to increase or decrease the access that other Facebook users have to one’s profile page. However, Facebook makes certain information publicly available to everyone: name, profile photo, list of friends, gender and geographic region. This means that even if a user sets their Facebook page to private settings that only allow their Facebook friends to view their page, anyone searching Facebook, or the Internet, can access the publicly available information.

When signing up for Facebook, certain personal information is required, including a user’s name, email, gender, and birth date. Even though it is required, personal information such as an email address, or birth date, can be hidden from other users through optional privacy settings.

The lowest level of privacy setting on a user’s Facebook page is “everyone”. With this setting, Facebook considers all information provided by the user as publicly available. This info is available to anyone through Facebook, through search engines, or even through other websites not affiliated with Facebook.

Facebook is constantly collecting and logging user information. For example, the Facebook website keeps track of all actions a user takes such as adding a friend, joining a group, or creating a photo album. Facebook also collects information from the computer or mobile phone with which a user accesses the site. Facebook collects information on the browser used, IP address, and the other web pages a user visits.

One way user information is utilized by Facebook is to improve services and features and to provide customer support. Facebook also uses a user’s information to contact them with service related announcements when there have been changes to the website, new features have been added, or the privacy policy has been amended. An important—and revenue generating—use of personal information by Facebook is to present advertisements to the user that are personalized based on the information obtained by Facebook.

Facebook states that a user’s information is only shared with third parties when the sharing is permitted by the user based on privacy settings, is reasonably necessary to offer services, or when Facebook is legally required to do so.

Facebook stresses that there are inherent risks in sharing information. Facebook is about sharing information and content with friends, and any of this information is subject to exposure by unauthorized third parties in violation of privacy settings or security measures taken by Facebook. The nature of the internet gives any “hacker” the opportunity to access a Facebook user’s information in violation of the Facebook privacy policy and the privacy settings chosen by an individual user.

Facebook Users Expectation of Privacy

Under the 9th Circuit’s standard for an expectation of privacy in websites such as Facebook, the crucial fact is whether or not the site requires a user name and password given to a user by the creator of the website. Facebook users would most likely not be considered to have an expectation of privacy under this test because anyone can sign up for Facebook by creating their own user name and password. Once a person signs on as a user they need to understand that Facebook is a publicly available resource, which anyone can join, as long as they are at least 13 years old. And, once a person becomes a Facebook user, they can access all of the information of their Facebook friends, as well as the information of any Facebook user whose Facebook page has a privacy setting of “everyone”.

In short, there is no complete privacy for any Facebook user since certain information such as name, date of birth, and email address are publicly available information according to the Facebook privacy policy regardless of the user’s privacy settings. When signing up for a new Facebook account, a user is provided the default privacy settings by Facebook. These default settings allow other Facebook users to access a person’s information, even if they are not Facebook friends.

Even if a user voluntarily chooses to keep their information private through the privacy settings on their page, Facebook’s privacy policy allows the company to share a user’s information with the government or authorities whenever required by law, such as in the course of a police investigation.
Facebook also disclaims any guarantee of privacy. As with any information posted on the internet, Facebook cannot guarantee that a user’s information won’t be accessed by an unauthorized third party hacking into the site and violating the Facebook privacy policy or the law.

At its core Facebook is about a user sharing information and connecting with friends. Based on Facebook’s design for a user to share information, Facebook’s privacy policy, and existing caselaw, a Facebook users best approach is to assume there is no expectation of privacy in anything they post on Facebook.

Location-Aware Services & Privacy

By Andrea S.

The Christian Science Monitor recently ran a story about a new website called PleaseRobMe.com. Soon, nearly every popular blog on the web was featuring the story and a link to the site.

PleaseRobMe.com mocks users of FourSquare who connect their location “check-ins” to their Twitter status updates. FourSquare is a location aware service that allows users to tell friends the address of which Starbucks, movie theater, or restaurant they are at. PleaseRobMe.com demonstrates the potential dangers of this technology by allowing users to enter a city or a specific username and get updates on exact locations of other users.

While PleaseRobMe.com focuses on FourSquare and Twitter, there are plenty of other services that have the same function. For instance, Yelp iPhone application users can use the “Check-It” feature to post their current locations to their Facebook status updates. The program even automatically announces if you’re a “regular,” or frequent patron of a specific business.

Ultimately, the developers of PleaseRobMe.com disabled the search feature and replaced it with two articles: one from the Center for Democracy and Technology (CDT) and the other from the Electronic Frontier Foundation (EFF). The articles highlight how location-aware internet services like FourSquare can present a number of problems. One is social; having friends, family or your significant other know your location at all times in undesirable, even if you are doing nothing wrong.

Another problem is emerging, at least in the U.K., is that people who use such services are seen as an insurance risk. Insurers who protect people’s homes and other personal property are concerned about the public’s increasing willingness to reveal extremely personal information. While one small piece of information seems inconsequential, the totality of an individual’s posts could reveal a good deal about their routines and property.

Then there are the legal concerns that come from broadcasting one’s location and activities. In private disputes, such as insurance fraud or problems between employee/employer, location-aware services pose a number of potential problems. For instance, if an individual is on disability, and presumably homebound, too many public announcements of outside location may be cause for a challenge to the benefits – even if not a violation of the benefit program rules.

As for criminal offenses, posting ones location may waive potential 4th Amendment rights. While there are usually some procedural barriers for determining someone’s whereabouts at a specific time, the same is not true for information that is public and observable. Broadcasting real time location for anyone on the internet to read, gives up any reasonable expectation of privacy.

Of course, quick access to this information does not always have a negative result. There are instances where such information could help law enforcement or allow an accused to establish innocence. The question is whether or not citizens want to open themselves up to a system with less protections than those currently enjoyed.

Despite the potential dangers of such services, a recent MSNBC.com article says that location-aware social networking may be a new trend. While it may be a powerful, new, and up-and-coming technology, it has a lot of troubling features. Moreover, it seems unnecessary. Restaurant and shopping reviews can be posted without it being in real time or announcing the reviewer’s current location. Additionally, there are private communication tools that allow friends to find each other. The bottom line is: for the time being social media users will continue to use location based services, like FourSquare, until the negative consequences of surrendering locational privacy hits home.

Cyberbullying, Schools, and the Constitution

By Dale R.

     The suicides of two teenagers became the center of national attention in 2010.  Fifteen year old Phobe Prince, an Irish immigrant in Massachusetts killed herself after several months of being the victim of bullying at school and on-line.. More recently, an eighteen year old college freshman named Tyler Clementi jumped off the George Washington bridge after his roommate used a computer camera to record Clementi engaged in sexual activity with another man, and posted the video on the Internet. Both suicides resulted in criminal charges being filed against the alleged bullies.

    The suicides turned media and national attention to the growing problem of cyberbullying. Researchers Sameer Hinjua and Justin W. Patchin at the Cyberbullying Research Center found that about 20.8 percent of students under eighteen were the victims of cyberbullies according to a study conducted in February 2010.

    This commentary will discuss possible school responses to cyberbullying and potential legal restrictions that might apply to those responses.

    The Supreme Court famously upheld the free speech rights of students in the 1968 case Tinker v. Des Moines Independent School District. In Tinker, school administrators punished several students for wearing black armbands to protest the Vietnam War. The Supreme Court via Justice Fortas dismissed the suspensions as violations of the First Amendment. The Court held that schools can only discipline speech if it is creates a "substantial disruption" to the daily operation of the school. Later Supreme Court cases placed limitations on Tinker's sweep. For example, in Fraser v. Bethel School District (1986), The Supreme Court upheld the suspension of a student who, at an assembly, gave a speech filled with sexual innuendo. Chief Justice Burger wrote that the suspension was justified because schools play a vital role in teaching proper civil discourse and could punish students for speech that is lewd and vulgar.

    Courts often have found that many instances of cyberbullying and other cyberconduct by student's violate the Tinker standard. For example, the Pennsylvania Supreme Court upheld a student expulsion for a website the student created even though the site was created off campus.  In this case, J.S. v. Bethlehem School District, J.S., created an anonymous website attacking school administrators and teachers. He compared one teacher to the Nazis and asked for donations so he could hire a hitman to kill her. The Principal contacted the police and F.B.I. to discover the creator of the website and decided to expel J.S. after the F.B.I. stated they would not file criminal charges against him.

    The majority upheld the expulsion even though J.S. did not tell anyone at the school about the website and took it down voluntarily. The Court reasoned that Tinker's substantial disruption standard was met because the teacher-victim suffered emotional distress and needed to take a leave of absence because of the remarks.

    Many jurisdictions agree with the decision reached by the Pennsylvania court in J.S. and hold that schools need broad power to punish students for unacceptable conduct even if the actions occur off-campus and not during school hours.

    But in other jurisdictions, there are some courts that reach the opposite result. A federal court in California held that a suspension for cyberbullying violated the First Amendment and Due Process in J.C. v. Beverly Hills Unified School District. J.C. created a video mocking a fellow student named C.C. as a slut and posted the video on YouTube. The court noted that J.C., unlike J.S. in the case above, wanted other kids at school including the victim to see the video. J.C. received a two-day suspension. The court held that her suspension violated J.C.'s First Amendment rights because there was no substantial disruption to school activities and the kind of name-calling J.C. did on her video was the every day kind of bullying that school administrators can expect from students.

    J.C. also received support for her argument from California Education Code Section 48900(s). The court noted that the statute severely limits the scope of school jurisdiction and no reasonable person can interpret it to allow a school to punish a student for off-campus activities that were not connected to any school function or event.

    Many states are considering or have passed legislation to deal with cyberbullying. Oregon's law may represent a well-balanced approach. The Oregon law requires every school district set up a policy for cyberbullying but encourages schools to consult with students, parents, and teachers to create the policy. School districts are required to explicitly tell student's about the policy and the consequences of violations. The victims of cyberbullying maintain their rights to bring private lawsuits against their attackers but the statute itself expressly does not create a private right of action.

    My prediction is that the Prince and Clementi suicides will pressure states and school administrators to punish students for off-campus conduct even if it greatly expands school power in constitutionally questionable ways. This is troubling to me because it is probable that cyberbullies often attack their victims during school-hours as well non school hours and school administrators should focus their attention on in-school bullying to solve both problems. This desire to take action against cyber conduct may lead to harsh punishments for what might be considered  protected speech in other contexts.