To Protect Privacy Rights on the Internet, Common Law Needs a Reboot
Samuel Israel 
• Bookmarks: 80
Since 1986, the Computer Fraud and Abuse Act, which prohibits unauthorized access to a computer, has been the primary legal proscription against hacking and computer fraud. However, several recent cases surrounding social media and publicly accessible information underscore new concerns around private companies and their violations of the data privacy rights the CFAA does not cover. Two recent examples include Clearview AI’s facial recognition scandal — where a facial recognition company used by numerous law enforcement agencies had its data cache infiltrated by hackers, exposing the information of millions of people — and the 2019 case, hiQ v. LinkedIn, in which the 9th U.S. Circuit Court of Appeals ruled that automatic scraping of data does not violate the CFAA and therefore LinkedIn could not bar hiQ from scraping data from its website. These two cases challenge our understanding of what constitutes our right to privacy in the Internet Age.
Ben Sobel, in his forthcoming law review article, analyzes the legality of extracting and cataloging data generated by human users on programs like social media platforms — also known as data scraping. In “A New Common Law of Web Scraping,” he points out that not only do the laws leave questions on the legality of public data scraping, they also leave little recourse if data has been breached. He argues this is because the CFAA, as interpreted by the courts, only allows legal action to be taken by platforms that have been breached, not by the users whose data was extracted.
With the limitations of the CFAA, Sobel looks into the construction of privacy rights made by Justice Louis Brandeis and Samuel Warren in their seminal 1890 Harvard Law Review article “The Right to Privacy.” Deeply engrained in U.S. jurisprudence, Brandeis and Warren mixed judicial precedent from property interests with implied contracts to rationalize damages from a breach in privacy. For example, Brandeis and Warren highlight a case from 1849, Prince Albert v. Strange, in which a court stretched the intellectual property rationale by classifying a summary description of the property, in this case the etchings of paintings of Prince Albert, as the prince’s private property.
This argument made by Brandeis and Warren that data related to property has private ownership was used against Clearview AI, with the rationale that data scraped by the company is in fact private property of the user. However, Sobel notes that these arguments did not hold up when LinkedIn sought to prevent hiQ from scraping their platform. To make his point, Sobel points to the case Roberson v. Rochester, in which 17-year-old Abigail Roberson sued Franklin Mills and Rochester Folding Box Co. for using her face in an advertisement without her permission. However, the New York Court of Appeals denied Roberson’s request for injunctive relief, saying the appropriation of her face in an advertisement did not result in a loss of any monetary value. In Sobel’s mind, and in agreement with many legal scholars, the Roberson ruling was an incredibly narrow-minded view of privacy rights. In a very similar case that approached the Georgia Supreme Court, the following was stated regarding the precedent made by the Roberson majority:
“We think the conclusion reached by them was the result of an unconscious yielding to the feeling of conservatism which naturally arises in the mind of a judge who faces a proposition which is novel. … But this conservatism should not go to the extent of refusing to recognize a right which the instincts of nature prove to exist, and which nothing in judicial decision, legal history, or writings upon the law can be called to demonstrate its nonexistence as a legal right.”
Sobel notes that if the Roberson case illustrates how little we can rely on courts to protect our privacy rights, then we must look to our elected officials. At this time, however, the level of protection afforded to digital data varies by state. Only four state legislatures have passed laws that potentially regulate data-scraping technology and Illinois is the only state granting a clear private right of action for nonconsensual collection and use of facial recognition to date.
“Aside from Illinois’s Biometric Privacy Law, there is no slam-dunk statute for users,” Sobel told the Chicago Policy Review.
Because the courts have failed to provide clarity in their rulings on property and privacy rights, Sobel proposes a new tort (i.e., a civil wrong) that provides plaintiffs the ability to sue those that willfully breach certain material agreements stated in a platform’s terms of services. Sobel proposes the following:
“An actor who willfully breaches a covenant with a second party is liable to a third party for an invasion of privacy caused by the actor’s willful breach if: (a) the actor knows or recklessly disregards the possibility that the breached covenant is material to a contractual relationship between the second party and the third party that existed at the time of the actor’s breach, and (b) the actor knows or recklessly disregards the possibility that its breach of that covenant is likely to be highly offensive to that third party.” (Sobel 2020, 64-65)
By including language about a breach in terms of service — the willingness of the breach, offensiveness to the third party, and a breach in bad faith — the tort offers relief to plaintiffs on a narrow set of facts. Sobel words the language of the tort as such to prevent it from being too narrow or too boundless while also balancing the constitutional safeguards of the First Amendment, as journalists and researchers scrape websites to collect data for study and reportage. By doing this, Sobel believes his tort will offer protections directly to users in privacy breaches — such as Clearview AI — without relying on a court’s interpretation of age-old precedents or hope of a legislative body’s action on privacy.
“If this tort were introduced in the court of law, it wouldn’t be a dramatic departure from court norms,” said Sobel. “However, this would give individuals who had their data accessed against [their] will an avenue to seek legal action in civil court.”
Sobel, Benjamin. 2020. “A New Common Law of Web Scraping”. Lewis & Clark L. Rev 25. https://dx.doi.org/10.2139/ssrn.3581844.
