The Faculty Lounge

Is this blog an instrumentality of Brian Leiter?

Are you, Dan Filler, in favor of his bullying tactics?

You seem to be too busy to answer your emails Dan. Hope you find some time soon.

"credible" allegations?

I think it's unfair to expect Dan to admit giving Leiter the information in light of possible criminal liability for doing so if it violates any laws of the states in which he, Leiter, or the posters were living. That's up to whatever authorities take an interest in the matter (unless someone presses charges, not much will probably happen along those grounds).

However, like many people here I am in academia and would rather focus on developing my career rather than worrying about personal information getting into vindictive hands that might interfere with that development.

So, what would be nice if TFL could provide a privacy policy and a listing of who exactly has access to IP addresses and email addresses, a promise that going forward that privacy policy will be vigorously enforced, and a promise that if that policy ever changes then it will be non-retroactive (whatever new person gains access will not gain access to old poster information).

While Paul Campos continues to cyber-stalk and bully the Faculty Lounge blogger, normal people might be interested in Leiter's brief comment about this spectacle in a March 8 update:

http://leiterlawschool.typepad.com/leiter/2013/03/we-get-mail-thomas-r-grover-esq-edition.html

Maybe someone at an academic conference abroad doesn't spend enough time parsing your lengthy postings, but it seems clear that you're a pathological liar and you've libelled Leiter. Good luck!

Brucie:

If you don't know of the various provisions that might apply you ought to. Say The California Online Privacy Protection Act of 2003 or the FTC Code of Fair Information Practices. The California act requires a site to show its privacy policy and precludes this sort of disclosure. The FTC code has similar requirements. Also if you were not a law professor - and hence in practice you would by now have heard of the EU's data protection directive and the consequential FTC Safe Harbor regs that most US lawyers doing anything with data know about since they impact US businesses including TypePad, Google, etc.

I am no jurisdictional expert, but why does EU or California law apply to the Faculty Lounge?

Decency and Bob: I suspected that Paul might have been thinking along the lines that you two apparently are, that the FTC Act, California Online Privacy Protection Act, or EU Data Protection Directive might apply here. But none of them do. There is no general requirement under U.S. law that would prohibit the operator of a website from voluntarily disclosing an email address or basic log information such as an IP address to third parties. There are some laws and regulations that would apply to various *commercial* website operators, such as some of those that you cite, that would require either a disclosure of privacy practices or in some instances take affirmative steps to protect personally identifiable information. But none of them would govern here.

For example, the California Online Privacy Protection Act applies only to "[a]n operator of a commercial Web site or online service." The Faculty Lounge does not even have advertisements, which in any event would not be enough to make it "commercial," in my view. In addition, the California OPPA only governs the collection of information from an individual "who seeks or acquires, by purchase or lease, any goods, services, money, or credit" from the website. It clearly does not apply here.

Section 5 of the FTC Act likewise only prohibits "unfair or deceptive acts or practices in or affecting commerce." Although "commerce" gets a very broad definition in Commerce Clause jurisprudence, it has been less broadly applied by the FTC. The FTC has construed its authority under Section 5 not to extend to political or charitable organizations, for example. With respect to websites the FTC has used its Section 5 authority to bring enforcement actions against various commercial website operators that have violated their privacy policies or that have engaged in other practices that put consumer privacy at risk, such as failing to secure credit card information or retail transaction data. I am not aware of any enforcement actions against private parties for disclosing information that was provided to them by another individual in a noncommercial transaction.

The EU Data Protection Directive does not apply here for the simple reason that neither the Faculty Lounge servers nor any of its operators are located in any EU country. Of course, as you two are no doubt aware, the EU Data Protection Directive itself is not law; rather, it is a directive to the member states to adopt compliant laws, so to determine if the relevant law had been violated we would need to first determine which member state's laws applied and then consult that law. But none apply here for the reason I mentioned. US companies wishing to obtain data from European companies may, in effect, voluntarily subject themselves to the requirements of the Data Protection Directive by signing up for the Dept. of Commerce's EU Safe Harbor, but relatively few U.S. companies have done this; essentially only companies engaging in cross-border information transactions with partners located in Europe. There would be absolutely no reason for a noncommercial blog like the Faculty Lounge to sign up for the Safe Harbor, and a quick perusal of the list (http://safeharbor.export.gov/list.aspx) reveals that neither it nor Typepad is listed.

I would think that if you were going to try to make an argument that a private website owner were under some legal obligation not to disclose information you would try to make that argument using the Stored Communications Act. Many plaintiffs have tried to use the unauthorized access provision of the SCA, 18 U.S.C. s 2701, to argue that when promises about how data will be handled are violated, that constitutes unauthorized access to the company's own servers, but courts have uniformly rejected that argument. Slightly more promising would be 2702, which provides that "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." There's just a couple of problems with suggesting that it would prevent disclosure of identifying information concerning a blog commenter. First, there's considerable question about whether a website operator qualifies as a provider of an "electronic communication service." An ECS is defined for purposes of the SCA as "any service which provides to users thereof the ability to send or receive wire or electronic communications." Some courts, for example the Ninth Circuit, have held that that includes websites which allow the posting of public or semi-public messages; but the better reading seems to be that it refers to access providers and intermediate communications providers, and not the provider of a destination for a communication, which would make all recipients into ECS providers.

Second, the provision I quoted above applies only to the contents of communications, not to customer records. The contents of the communication here are the contents of the comment itself, which was posted with the consent of the commenter on the website for everyone to see. Posting contents with consent is expressly permitted under the SCA. Customer records, on the other hand, are subject to a much less stringent set of protections. Specifically, ECS providers are free to provide customer records to whomever they wish other than the government: "A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any person other than a governmental entity." So the SCA clearly would not prohibit the behavior alleged here.

Of course, what do I know, I'm only a law professor.

Except Leiter said he pursued the identity of one poster, "dybbuk," who did not "dare to disagree with him" but harassed and defamed a former student of his. That's a bit different.