LinkedIn did not violate the Stored Communications Act in disclosing search histories to third parties. Low v. LinkedIn Corp., 2012 U.S. Dist. LEXIS 97012 (N.D. Cal. July 12, 2012) [Note: Numerous websites, including those of the law firms involved, are following this case, but none has this order as of the time of this posting, so I apologize for the long quote. If I could link it instead, I would have]:
1. Stored Communications Act
Plaintiffs’ first cause of action alleges that LinkedIn violated the federal Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”). See AC ¶¶ 65-78. Enacted in 1986 as Section II of the Electronic Communications Protection Act (“ECPA”), the SCA creates criminal and civil liability for certain unauthorized access to stored communications and records. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002). “The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address.” Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892, 900 (9th Cir. 2008), rev’d on other grounds by City of Ontario v. Quon, 130 S.Ct. 2619 (2010). Despite this purpose, the SCA has a narrow scope: “[t]he SCA is not a catch-all statute designed to protect the privacy of stored Internet communications;” instead “there are many problems of Internet privacy that the SCA does not address.” Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1214 (2004). Generally, the SCA prohibits providers from (1) “knowingly divulg[ing] to any person or entity the contents of a communication.” 18 U.S.C § 2702(a)(1)-(2); see id. § 2707 (creating a private right of action); see also Quon, 529 F.3d at 900 (“[T]he SCA prevents ‘providers’ of communication services from divulging private communications to certain entities and/or individuals.”).
The SCA covers two types of entities: (1) “remote computing services” (“RCS”), and (2) “electronic communication services” (“ECS”). 18 U.S.C § 2702(a)(1)-(2). The non-disclosure obligations depend on the type of provider at issue. See, e.g. Quon, 529 F.3d at 900-902. Plaintiffs contend in their opposition that LinkedIn is an RCS for the purposes of its SCA liability. See Opp’n at 14-15. The SCA prohibits an entity “providing remote computing service to the public” from “knowingly divulge[ing] to any person or entity the contents of any communication which is carried or maintained on that service.” 18 U.S.C § 2702(a)(2).
The SCA only creates liability for a provider that is an RCS or an ECS. A provider of email services is an ECS. Quon, 529 F.3d at 901. On the other hand, under the SCA the term “remote computing service” means “the provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C § 2711(2) (emphasis added). A “remote computing service” refers to “the processing or storage of data by an offsite third party.” Quon, 529 F.3d at 901. In defining RCS, “Congress appeared to view ‘storage’ as a virtual filing cabinet.” Id. at 902. Indeed, the Ninth Circuit has explained that “[i]n light of the Report’s elaboration upon what Congress intended by the term ‘Remote Computer Services,’ it is clear that, before the advent of advanced computer processing programs such as Microsoft Excel, businesses had to farm out sophisticated processing to a service that would process the information.” Id. at 902 citing Kerr, 72 GEO. WASH. L. REV. at 1213-14.
Whether an entity is acting as an RCS or an ECS (or neither) is context dependent, and depends, in part, on the information disclosed. See In re U.S., 665 F. Supp. 2d 1210, 1214 (D. Or. 2009) (“Today, most ISPs provide both ECS and RCS; thus, the distinction serves to define the service that is being provided at a particular time (or as to a particular piece of electronic communication at a particular time), rather than to define the service provider itself. The distinction is still essential, however, because different services have different protections.”); Kerr, 72 GEO. WASH. L. REV. at 15-16 (“The classifications of ECS and RCS are context sensitive: the key is the provider’s role with respect to a particular copy of a particular communication, rather than the provider’s status in the abstract. A provider can act as an RCS with respect to some communications, an ECS with respect to other communications, and neither an RCS nor an ECS with respect to other communications.”).
Although many allegations within the Amended Complaint relate to information that third parties would be able to infer, the Amended Complaint limits the information LinkedIn allegedly disclosed to third parties. The Amended Complaint alleges that LinkedIn transmits to third parties the LinkedIn user ID and the URL of the LinkedIn profile page viewed by the internet user. See AC ¶¶ 28, 66-68. Even taking Plaintiffs’ allegations as true, it does not appear that LinkedIn was functioning as an RCS when it disclosed the LinkedIn user ID and the URL of the profile pages the user had viewed to third parties. LinkedIn was not acting as a “remote computing service” with respect to the disclosed information because it was not “processing or stor[ing] [] data by an offsite third party [in this case LinkedIn].” Quon, 529 F.3d at 901. LinkedIn IDs are numbers generated by LinkedIn and were not sent by the user for offsite storage or processing. See 18 U.S.C. § 2702(a)(2)(A). LinkedIn was not acting “as a virtual filing cabinet,” or as an offsite processor of data with respect to the user IDs it created. Similarly, the URL addresses of viewed pages were not sent to LinkedIn by Plaintiffs for storage or processing. See 18 U.S.C. § 2702(a)(2)(A)-(B). LinkedIn was not functioning as either a “filing cabinet” or “an advanced computer processing program such as Microsoft Excel,” that allows businesses to “farm out sophisticated processing to a service that would process the information,” with respect to the LinkedIn user IDs or the URLs of users’ profile pages. Quon, 529 F.3d at 902.
At least one commentator has seriously doubted the conclusion that a website, such as LinkedIn, provides “processing services” for its customers, qualifying it as an RCS. Kerr, 72 GEO. WASH. L. REV. at 1229-31. This view is supported by the legislative history of the SCA. Congress established liability for “remote computing services to include services that store and process information. S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557 (“[C]omputers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information. For example, physicians and hospitals maintain medical files in offsite data banks, businesses of all sizes transmit their records to remote computers to obtain sophisticated data processing services.”). Therefore, the Court finds that Plaintiffs have not stated a claim for relief pursuant to the SCA because Plaintiffs have not established that LinkedIn was acting as an RCS when it disclosed LinkedIn IDs and URLs of viewed pages to third parties. Therefore, Defendants’ motion to dismiss the SCA claim is GRANTED.
Plaintiff Low also alleged a violation of the SCA in the original complaint. Compl. ¶¶ 41-53. Plaintiff’s original complaint did not articulate a coherent theory regarding its SCA claim. Specifically, the original complaint’s SCA claim failed to identify what information was transmitted to third parties. Plaintiffs’ Amended Complaint now identifies what information was transmitted to third parties and how, theoretically, a LinkedIn user’s information can be de-anonymized. However, the additional factual allegations in the Amended Complaint establish that Plaintiffs’ SCA claim fails to establish a cause of action. This defect is based on a failure of theory and not on a failure of pleading. Additional factual allegations are unlikely to establish that Defendant was an RCS in light of the legislative history of the SCA. Because further amendment would be futile, Defendant’s motion to dismiss the SCA claim is granted with prejudice.
Update Sunday: Still nothing posted elsewhere.
