Saturday, November 03, 2007

Times Union, Privacy Policy, and the Electronic Communications Privacy Act

UPDATE (11/4/2007): The Times Union exacerbated its violations of the ECPA and its own privacy policy with a further article by Casey Seiler about Sock Puppets.

In a recent article the Times Union "outed" some blog commenters. I've been wondering if they can be sued for this, as it appears to violate both their own privacy policy and the Electronic Communications Privacy Act (18 US Code 2702) (ECPA). So I did some research.

First a little background. The TU's blogs allow for registered users to post comments on blog posts. The registered users can register with a pseudonym, effectively making their comments anonymous. Most commenters seem to do so anonymously (I use the somewhat obvious username wredlich). So if a reporter writes a blog post about Guilderland, someone who wants to say something about that can post a comment on it using a pseudonym such as NormalGuilderlandVoter or truthsquad.

This happened and the TU outed the commenters in an article. You can read more about this on their Local Politics blog, and the Times Union article itself.

Times Union reporter Scott Waldman, in a rare moment of actual investigative journalism, checked on the IP address of commenters and/or their e-mail addresses and then wrote an article reporting their actual identities.

The outing created a stir not only on the TU blog, but also on Democracy in Albany (aka DIA), a popular local website for political activists (mostly but not all Democrats). At least some DIA users are regular pseudonymous commenters.

The ECPA at 18 US Code 2702(a)(3) provides:
(a) Prohibitions. Except as provided in subsection (b) or (c)--
(3) a provider of ... electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service ....

There are exceptions of course, but I don't think any apply.

You can also read the TU privacy policy.

Some excerpts:
How does the Times Union use the information it collects?

The Times Union uses this information to provide you with the service you have requested. ...

Does the Times Union share the information with anyone else?
The Times Union may disclose information if it is required by law through a subpoena, a search warrant or another legal process or if we need to protect our legal rights (for example, if we are trying to collect money you owe us for a subscription). In this instance, the disclosure may take place without your consent. In addition, we may disclose information to third party service providers we use to provide products, services or functions on our behalf ... Finally, we may share your information with entities under control of, or under common control with Hearst ...
Beyond that, the information is not shared with any third parties.

What about information I share in your forums?

You should be aware that when you voluntarily disclose personal information (e.g., your name, e-mail address) in the forums, blogs, chat areas, or the user-created Web sites in, that information can be collected and used by others and may result in unsolicited messages from other posters or third parties.

Nowhere in the privacy policy does it state that a user's personal information will be published in the newspaper as news. As I read the privacy policy, the publication of these identities is both implicitly and explicitly prohibited. The "Beyond that" clause is explicit. The "voluntarily disclose" answer to the forum question also at least implicitly prohibits what was done, and I consider that to be an explicit prohibition.

Note that § 2702 of the ECPA is a criminal statute, so perhaps someone will contact the federal prosecutor. Also, under § 2707, a violator can be held liable in a civil action. A plaintiff can recover any actual damages, as well as any profits made by the violator, and there is a minimum recovery of $1000. Punitive damages are also available if the violation is willful or intentional. In this case there have been prior complaints and so the conduct does appear to be intentional. A successful action also leads to attorney fees. Violation of the privacy policy can create a breach of contract claim.

There are quirks. For example, is the Times Union an electronic communication service provider under the Electronic Communications Privacy Act? I think so. Just having a website would not qualify, but by hosting forums and blog comments, I think they've opened that door.

Now imagine this: Mark Grimm and his attorney Warren Redlich join forces with ... Donald Csaposs. These Three Musketeers ride off into a courtroom battle with the mighty Times Union. Oh the humanity!

No IP addresses were harmed in the making of this post


Richard D. Benham said...

Hello. Living as I do on another continent, I am not very familiar with the Times Union or with the work of Scott Waldman. However, I am aware of an article from 22 August 2007 (p. D-1), Candidate lists false credentials. The fraudulent activities of the candidate concerned were first publicized on a forum of which I was moderator at the time, but it was quite clear from the article that Mr Waldman had conducted his own research and uncovered further evidence of false claims by the candidate that my colleagues and I were unaware of. I am therefore impressed with Mr Waldman as an investigative journalist and feel that your sneering aside “in a rare moment of actual investigative journalism” is uncalled-for.

As to the ethics of the specific case you mention, I think the situation is ambivalent. The law may be one thing, and the privacy may be another, but if this guy was in breach of the site’s sock-puppet policy, it is arguable, from the point of view of common-sense morality, that he can expect what he gets.

Richard D. Benham said...

Sorry, that should have been “privacy policy may be another”.