John Stivarius Quoted in Law360
Comcast’s Win Encourages ISPs To Fight User-Data Requests
By Allison Grande
Law360, New York (June 18, 2014, 4:11 PM ET) — An Illinois appeals court recently freed Comcast Cable Communications LLC from having to reveal users’ identities to an Internet pornography provider trying to pin them for computer fraud, a ruling likely to embolden service providers to dispute user-data requests that they believe to be mere fishing expeditions for evidence of wrongdoing.
In a May 20 ruling, the appeals court reversed the trial court’s determination that the identities associated with about 300 IP addresses should be revealed after they were identified by porn company Guava LLC as being linked to individuals who allegedly used stolen usernames and passwords to access Guava’s protected computer system.
Instead, the appeals panel concluded that Comcast did not have to comply with Guava’s petition because the porn company had a history of serving these types of investigative demands to identify targets for potential settlements without fleshing out its allegations. Moreover, revealing the person associated with an IP address would not necessarily give Guava information about who caused its damages since one address could be used by multiple parties, the opinion said.
“Cases like this show generally that ISPs can fight back and successfully protect their users’ information, and they show specifically that courts may be more likely to quash subpoenas when the facts presented by the plaintiffs are less than sympathetic,” Davis Wright Tremaine LLP partner James Rosenfeld told Law360.
The ruling is likely to instill confidence in service providers, which are currently faced with a combination of murky legal obligations and mounting pressure from users to shield their data from outside parties, according to attorneys.
“It’s a Catch-22 almost because they’ve got the obligation of complying with a subpoena, but compliance is not a simple task because there’s uncertainty in the law about what to do,” said John Stivarius, the head of the complex litigation practice group at Elarbee Thompson Sapp & Wilson LLP. “But the Comcast ruling is likely to make service providers feel better about fighting back.”
Since the advent of the Internet, electronic service providers have had to grapple with the balance between protecting users’ private information and providing subscriber data to third parties to help weed out bad actors.
Under the Electronic Communications Privacy Act and a patchwork of state laws, nongovernmental entities can move to obtain basic subscriber information, such as names and IP addresses, on individuals they believe may be violating the law, such as by obtaining unauthorized access to a site or infringing a copyright. However, the obligations and protections under the laws vary, leaving service providers uncertain about how to respond to demands from various jurisdictions.
“It’s really been a problem in the privacy area that, under certain state laws, there seems to be more protections for users than under ECPA, and Congress is no closer to amending the federal law to close the gaps,” said Weisbrod Matteis & Copley PLLC partner Peter Toren.
Courts have come up with legal standards that strive to balance the need for information disclosures with the protection of users’ online anonymity and data, but even these tests are far from uniform, according to attorneys.
“There’s ambiguity because different tests have been created in different jurisdictions, and the tests that exist can be somewhat fuzzy when you are a service provider or a user confronting one of the subpoenas,” Rosenfeld said. “Usually, service providers have to make a gut call whether it’s worth fighting because there are certainly a lot of instances where it is not clear.”
Further complicating the analysis is the gradual move toward classifying IP addresses as personally identifiable information. In recent years, the Federal Trade Commission has amended its Children’s Online Privacy Protection Act rule to clarify that IP addresses are considered information that can be linked to a child under 13, regulators in the European Union have moved to classify dynamic IP addresses as personally identifiable information, and the U.S. Health Insurance Portability and Accountability Act has been broadened to treat IP addresses as a form of protected health information.
But courts are still producing conflicting decisions on the issue, which include a 2009 decision by the Western District of Washington that freed Microsoft Corp. from class action claims over the unlawful collection of user data during the Windows XP installation process by finding that IP addresses couldn’t be considered PII because they identify a computer and not a person.
“The issue of whether an IP address constitutes PII is a subject of considerable debate in courts today, [and] regulators and courts are reaching different conclusions in different jurisdictions,” said Ross Buntrock, head of the communication, technology and mobile practice group at Arent Fox LLP.
Stivarius said that service providers would be best served to “go the conservative route and not voluntarily turn over the information unless ordered by the court.”
“That approach will likely help them reduce risks such as the business issues that could arise from customers finding out that you’ve turned all their information over and then later discovering that they’re not the ones that did anything even though they were linked to the address,” he said.
The Comcast ruling will likely help service providers take a more aggressive stance, not only by showing that it is possible to prevail in nongovernmental fights but also by helping them to sketch a tentative line between user-data requests that courts are likely to uphold and those it might toss, attorneys noted.
“If someone is doing a fishing expedition solely to get information to use later, which is what was alleged in the Guava case, then companies might be in a better position to truly fight it,” Stivarius said.
Counsel information for the parties in the Comcast dispute was not immediately available.
The case is Guava LLC v. Comcast Cable Communications LLC, case number 5-13-0091, in the Appellate Court of Illinois, Fifth District.
–Additional reporting by Kira Lerner. Editing by Elizabeth Bowen and Christine Chun.