Holland et al v. Yahoo! Inc.MOTION to Dismiss; Memorandum of Points and Authorities in Support ThereofN.D. Cal.March 5, 20141 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS CASE NO. 5:13-CV 10-4980 LHK sf-3388413 REBEKAH KAUFMAN (CA SBN 213222) RKaufman@mofo.com ROBERT PETRAGLIA (CA SBN 264849) RPetraglia@mofo.com MORRISON & FOERSTER LLP 425 Market Street San Francisco, California 94105-2482 Telephone: 415.268.7000 Facsimile: 415.268.7522 MARC ZWILLINGER (Admitted pro hac vice) marc@zwillgen.com JACOB SOMMER (Admitted pro hac vice) jake@zwillgen.com ZWILLGEN PLLC 1900 M. Street, Suite 250 Washington, D.C. 20036 Telephone: 202-296-3585 Facsimile: 202-706-5298 Attorneys for Defendant YAHOO! INC. UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION IN RE YAHOO MAIL LITIGATION Case No. 5:13-CV-10-4980 LHK DEFENDANT YAHOO! INC.’S NOTICE OF MOTION AND MOTION TO DISMISS; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF CLASS ACTION HEARING: Date: August 7, 2014 Time: 1:30 p.m. Place: Courtroom 8 Judge: The Honorable Lucy H. Koh 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 NOTICE OF MOTION AND MOTION TO DISMISS i CASE NO. 5:13-CV 10-4980 LHK sf-3388413 NOTICE OF MOTION AND MOTION TO DISMISS TO PLAINTIFFS AND THEIR ATTORNEYS OF RECORD: PLEASE TAKE NOTICE THAT on August 7, 2014, at 1:30 p.m., or as soon thereafter as the matter may be heard, in the Courtroom of the Honorable Lucy H. Koh, located at the Robert F. Peckman Federal Building, 280 South First Street, Fifth Floor, San Jose, California, Defendant Yahoo! Inc. (“Yahoo”) will, and hereby does, move the Court for an order dismissing Plaintiffs’ Consolidated Class Action Complaint pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. This motion is based on the Notice of Motion and Motion, the accompanying Memorandum of Points and Authorities, the accompanying Request for Judicial Notice, the papers and records on file in this action, and such other written and oral argument as may be presented to the Court. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF CONTENTS TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS ii CASE NO. 5:13-CV 10-4980 LHK sf-3388413 TABLE OF CONTENTS Page NOTICE OF MOTION AND MOTION TO DISMISS ................................................................. i TABLE OF AUTHORITIES ........................................................................................................ iii MEMORANDUM OF POINTS AND AUTHORITIES ............................................................... 1 I. INTRODUCTION ............................................................................................................. 1 II. ISSUES TO BE DECIDED ............................................................................................... 2 III. FACTUAL BACKGROUND ............................................................................................ 2 IV. LEGAL STANDARD ........................................................................................................ 3 V. ARGUMENT ..................................................................................................................... 3 A. Plaintiffs’ Wiretap Act Claim Must Be Dismissed. ............................................... 3 1. The Wiretap Act Does Not Apply To Emails Once They Reach Yahoo’s Servers. ............................................................................. 3 2. Even if the Wiretap Act Applied, Plaintiffs Fail to State A Claim. ......................................................................................................... 7 a. The Wiretap Act allows ECS providers to “intercept” emails when a party to the communication has given consent. .................................................. 7 b. The Wiretap Act allows ECS providers to access electronic communications in the ordinary course of business. ........................................................................................... 9 B. Plaintiffs’ SCA Claim Must Be Dismissed Because Yahoo Has Statutory Immunity Under the SCA. .................................................................... 11 C. The Good Faith Defense Exception Under the Wiretap Act and SCA Bar Plaintiffs’ Claims. ................................................................................. 13 D. Plaintiffs Fail to State a Claim Under CIPA. ....................................................... 14 1. CIPA does not apply because the communications at issue were not in transit. .................................................................................... 14 2. Interpreting section 631 to apply to email scanning would transform ordinary conduct into a criminal offense and lead to absurd results. ...................................................................................... 16 3. Plaintiffs’ CIPA claim is preempted. ....................................................... 18 E. Plaintiffs Fail to State a Claim for Violation of the California Constitution. ......................................................................................................... 21 VI. CONCLUSION ................................................................................................................ 23 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF AUTHORITIES TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS iii CASE NO. 5:13-CV 10-4980 LHK sf-3388413 TABLE OF AUTHORITIES Page(s) CASES Adams v. City of Battle Creek, 250 F.3d 980 (6th Cir. 2001) ................................................................................................... 11 Ashcroft v. Iqbal, 556 U.S. 662 (2009) ............................................................................................................ 3, 21 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) ............................................................................................................ 3, 13 Belluomini v. CitiGroup, Inc., No. CV 13-01743 CRB, 2013 U.S. Dist. LEXIS 103882 (N.D. Cal. July 23, 2013) ............. 22 Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) ........................................................................................ 4, 6 Bunnell v. Motion Picture Ass’n of Am., 567 F. Supp. 2d 1148 (C.D. Cal. 2007) .............................................................................. 3, 19 Buza v. Yahoo, Inc., No. C 11-4422 RS, 2011 U.S. Dist. LEXIS 122806 (N.D. Cal. Oct, 24, 2011) ..................... 12 Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263 (N.D. Cal. 2001) .................................................................................. 12 Florida Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132 (1963) ................................................................................................................ 18 Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3d Cir. 2003) .................................................................................................... 12 Hall v. EarthLink Network, Inc., 396 F.3d 500 (2d Cir. 2005) .................................................................................................... 10 Hernandez v. Hillsides, Inc., 47 Cal. 4th 272 (2009) ............................................................................................................ 21 Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 1 (1994) ............................................................................................................ 21, 22 In re Cybernetic Servs., Inc., 252 F.3d 1039 (9th Cir. 2001) ................................................................................................. 18 In re DoubleClick, Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001) ....................................................................................... 5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF AUTHORITIES TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS iv CASE NO. 5:13-CV 10-4980 LHK sf-3388413 In re Google Android Consumer Privacy Litig., No. 11-MD-02264 JSW, 2013 U.S. Dist. LEXIS 42724 (N.D. Cal. Mar. 26, 2013) ............. 22 In re Google, Inc. Privacy Policy Litig., Case No. C-12-01382-PSG, 2013 U.S. Dist. LEXIS 171124 (N.D. Cal. Dec. 3, 2013)......... 10 In re Google Inc. Street View Elec. Commc’ns Litig., 794 F. Supp. 2d 1067 (N.D. Cal. 2011) aff’d sub nom Joffe v. Google, Inc., 729 F.3d 1262 (9th Cir. 2013) ................................................................................................. 19 In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012) (Koh, J.) ......................................................... 5, 12, 22 In Re: Google Inc. Gmail Litigation, 13-md-02430-LHK (N.D. Cal Sept. 26, 2013) ................................................................ passim Kirch v. Embarq Management Co., 702 F.3d 1245 (10th Cir. 2012) ............................................................................................... 10 Konop v. Hawaiian Airlines, Inc., 302 F.3d 878 (9th Cir. 2002) ............................................................................................ passim Leocal v. Ashcroft, 543 U.S. 1 (2004) .................................................................................................................... 11 Martel v. United States, No. CIV S-11-3040 GEB CKD PS, 2012 U.S. Dist. LEXIS 59436 (E.D. Cal. Apr. 27, 2012) ....................................................... 21 McCowan v. United States, 376 F.2d 122 (9th Cir. 1967) ................................................................................................... 16 People v. Cho, 2010 WL 4380113 (Cal. Ct. App. Nov. 5, 2010) .................................................................... 22 People v. Griffitt, 2010 WL 5006815 (Cal. Ct. App. Dec. 9, 2010) .................................................................... 22 People v. Nakai, 183 Cal. App. 4th 499 (2010) ................................................................................................. 22 People v. Nuckles, 56 Cal. 4th 601 (2013) ............................................................................................................ 16 People v. Roberts, 184 Cal. App. 4th 1149 (2010) ............................................................................................... 15 People v. Wilson, 17 Cal. App. 3d 598 (1971) ..................................................................................................... 15 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF AUTHORITIES TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS v CASE NO. 5:13-CV 10-4980 LHK sf-3388413 Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (C.D. Cal. 2006), aff’d in part and rev’d in part on other grounds by 529 F.3d 892 (9th Cir. 2008) ................................................................................ 19 Reichert v. Elizabethtown College, No. 10-2248, 2011 U.S. Dist. LEXIS 86837 (E.D. Pa. Aug. 5, 2011) ................................... 12 Rice v. Rice, 951 F.2d 942 (8th Cir. 1991) ................................................................................................... 13 Rogers v. Ulrich, 52 Cal. App. 3d 894, 125 Cal. Rptr. 306 (1975) ..................................................................... 15 Sams v. Yahoo! Inc., 713 F.3d 1175 (9th Cir. 2013) ........................................................................................... 13, 14 Sherwood Partners, Inc. v. Lycos, Inc., 394 F.3d 1198 (9th Cir. 2005) ................................................................................................. 20 Shively v. Carrier IQ, Inc., No. C-12-0290 EMC, 2012 U.S. Dist. LEXIS 103237 (N.D. Cal. July 24, 2012) ................. 19 State v. Lott, 879 A.2d 1167 (N.H. 2005) .............................................................................................. 17, 18 Stern v. Weinstein, 512 Fed. Appx. 701 (9th Cir. 2013) ........................................................................................ 21 Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994) ....................................................................................................... 4 Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003) .......................................................................................... passim United States v. Councilman, 418 F.3d 67 (1st Cir. 2005) (en banc) ................................................................................. 6, 14 United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) ............................................................................................. 14, 16 Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022 (N.D. Cal 2011) ................................................................................... 19 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF AUTHORITIES TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS vi CASE NO. 5:13-CV 10-4980 LHK sf-3388413 STATUTES 18 U.S.C. § 1702 ...................................................................................................................................... 16 § 2510(4) ................................................................................................................................... 9 § 2510(5)(a) ............................................................................................................................... 9 § 2510(12) ................................................................................................................................. 4 § 2510(17)(A) ........................................................................................................................... 4 § 2511 .................................................................................................................................. 6, 12 § 2511(1) ................................................................................................................................... 1 § 2511(1)(a) ............................................................................................................................... 9 § 2511(2)(a)(i) ......................................................................................................... 2, 10, 13, 20 § 2511(2)(a) – (i) ..................................................................................................................... 20 § 2511(2)(d) .............................................................................................................................. 7 § 2511(c) ................................................................................................................................. 13 § 2520(d) ....................................................................................................................... 2, 13, 20 § 2520(d)(3) ............................................................................................................................ 13 § 2701, et seq. ................................................................................................................. 1, 5, 12 § 2701(a) ................................................................................................................................. 11 § 2701(a)(2) ............................................................................................................................. 12 § 2701(a) ................................................................................................................................. 13 § 2701(c) ................................................................................................................................. 13 § 2701(c)(1) ............................................................................................................. 1, 11, 12, 18 § 2701(c)(2) ............................................................................................................................. 12 § 2702-04 ................................................................................................................................ 18 § 2702(a) ........................................................................................................................... 12, 13 § 2703(a) ................................................................................................................................... 6 § 2707(e) ........................................................................................................................... 13, 20 § 2708 ...................................................................................................................................... 19 § 2709 ...................................................................................................................................... 18 Act of 2001 ...................................................................................................................................... 6 Cal. Penal Code § 629.51 ................................................................................................................................... 14 § 629.51(c) .............................................................................................................................. 15 § 631 ................................................................................................................................. passim § 631(b) ................................................................................................................................... 20 § 1524.2 ................................................................................................................................... 15 OTHER AUTHORITIES California Constitution ........................................................................................................... passim Fed. R. Civ. P. 12(b)(6) ................................................................................................................... 3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF AUTHORITIES TO MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS vii CASE NO. 5:13-CV 10-4980 LHK sf-3388413 Nathan Judish et. al., Computer Crime and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (“Search and Seizure Manual”) Department of Justice Office of Legal Education, 3d ed. 2009) at 165-67, available at http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf ..................................... 6 Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001, Pub. L. No. 107-56, § 209, 115 Stat. 272, 283 (enacted October 26, 2001) .............................................................. 6 S. Rep. No. 99-541 (1986) ...................................................................................................... 11, 20 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 1 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 MEMORANDUM OF POINTS AND AUTHORITIES Defendant Yahoo! Inc. (“Yahoo”) respectfully submits this brief in support of its motion to dismiss plaintiffs’ Consolidated Class Action Complaint. I. INTRODUCTION The crux of this case is plaintiffs’ allegation that Yahoo “intercepts” and “scans” incoming and outgoing emails for advertising purposes in violation of federal and California law. Though the Complaint is modeled on the Google Inc. Gmail Litigation pending before this Court, this case is distinct in significant ways. Unlike the Google case, Yahoo’s own Mail users have not sued Yahoo. This case is brought solely on behalf of a putative class of non-Yahoo Mail users. Yahoo’s own Mail users were each advised as a condition of signing up for Yahoo Mail that Yahoo would scan their email for advertising and other purposes—in direct contrast to the disclosures in the Gmail Litigation that the Court found lacking. Plaintiffs’ Complaint is legally deficient. First, plaintiffs are wrong as a matter of law that the Wiretap Act, 18 U.S.C § 2511(1), applies to the conduct alleged. The Ninth Circuit held that the privacy protections of the Stored Communications Act (SCA), 18 U.S.C. § 2701, not the Wiretap Act, apply once an email hits an electronic communication service (ECS) provider’s servers for delivery. Emails that have reached an ECS provider’s servers are necessarily in temporary storage en route to the recipient. Access to those emails by an ECS provider is thus governed by the SCA and cannot constitute an “interception” in violation of the Wiretap Act. Moreover, the SCA provides complete immunity to an ECS provider, such as Yahoo, for accessing emails on its own servers. See 18 U.S.C. § 2701(c)(1). For similar reasons, plaintiffs’ attempt to assert liability under California’s wiretapping law, Cal. Penal Code § 631 (CIPA), fails because the communications are no longer in transit once on a provider’s servers. And if CIPA applied to conduct immunized by the SCA, it would be preempted by federal law. Second, even if the Wiretap Act applied, that claim must be dismissed for several reasons. There can be no violation of the Wiretap Act where a party to a communication consents to its interception. Here, Yahoo obtained clear and express consent from its users to access emails sent to and from their Yahoo Mail Accounts. This consent was hyperlinked directly from the sign-up 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 2 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 page; a fact that plaintiffs concede but then obfuscate through artful pleading. Even absent such consent, 18 U.S.C. § 2511(2)(a)(i) allows providers like Yahoo to access email communications in the ordinary course of business and thus no “device,” as defined in the Wiretap Act, was used to “intercept” communications. Yahoo is also immune from suit under 18 U.S.C. § 2520(d) for the claims alleged, as it acted in good faith reliance on the legislative authorizations in the Wiretap Act and the SCA, and plaintiffs have not pled facts that would support a conclusion that Yahoo did not have such a good faith belief. See 18 U.S.C. § 2520(d). Finally, plaintiffs fail to plead any facts to support a claim for a violation of the California Constitution. The California Supreme Court has set a “high bar” for such claims, requiring plaintiffs to plead that they have a legally protected privacy interest in the content of their emails and a reasonable expectation of privacy from Yahoo in their emails. Plaintiffs have pled no such facts, nor is it clear that they could do so (and certainly not on a classwide basis) in light of the Court’s prior recognition that email communications are by their very nature not “confidential.” Plaintiffs’ Complaint should accordingly be dismissed in its entirety. II. ISSUES TO BE DECIDED 1. Whether plaintiffs have failed to state a claim under the Wiretap Act. 2. Whether plaintiffs have failed to state a claim under the Stored Communications Act. 3. Whether plaintiffs have failed to state a claim under Section 631 of the California Invasion of Privacy Act. 4. Whether plaintiffs have failed to state a claim for violation of Article 1 Section 1 of the California Constitution. III. FACTUAL BACKGROUND Plaintiffs’ Complaint is based on their contention that “Yahoo intercepts emails sent to and from its Yahoo Mail users while the emails are in transit and scans their content, storing the data it collects indefinitely, for ‘future use.’” (Compl. ¶ 1.) Plaintiffs allege they did not consent to this conduct because they are not Yahoo users, and therefore were not parties to Yahoo’s terms of service, which state, among other things, that “Yahoo’s automated systems scan and analyze 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 3 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 all incoming and outgoing communications content sent and received from your account.” (Id. ¶¶ 3, 41, Ex. D.) They further allege that Yahoo did not obtain adequate consent from its own users. (Id. ¶ 6.) Based on these allegations, plaintiffs assert violations of the California Invasion of Privacy Act, the California Constitution, the Wiretap Act, and the Stored Communications Act on behalf of a putative class of “all persons in the United States who are not Yahoo Mail users and who sent emails to or received emails from a Yahoo mail user from October 2, 2011 to the present.” (Id. ¶ 97.) IV. LEGAL STANDARD Under Federal Rule of Civil Procedure 12(b)(6), a complaint must be dismissed for failure to state a claim if the plaintiff either fails to state a cognizable legal theory or has not alleged sufficient facts to support a cognizable legal theory. See Fed. R. Civ. P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 562-63 (2007). A pleading that offers “labels and conclusions” or “a formulaic recitation of the elements of a cause of action will not do.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations and citation omitted). The complaint must allege facts which, when taken as true, raise more than a speculative right to relief. Twombly, 550 U.S. at 555. V. ARGUMENT A. Plaintiffs’ Wiretap Act Claim Must Be Dismissed. 1. The Wiretap Act Does Not Apply To Emails Once They Reach Yahoo’s Servers. Although plaintiffs plead both a violation of the Wiretap Act and, in the alternative, the SCA, only the SCA applies to the Complaint’s allegations as a matter of law. The Electronic Communications Privacy Act (“ECPA”) has two major parts. The first is the Wiretap Act, which governs communications while in transit and makes it an offense to “intentionally intercept [] . . . any wire, oral, or electronic communication.” Bunnell v. Motion Picture Ass’n of Am., 567 F. Supp. 2d 1148, 1152 (C.D. Cal. 2007) (citing 18 U.S.C. § 2511(1)(a)). The second is the SCA, which governs access to communications in electronic storage, including “temporary, intermediate storage of a wire or electronic communication incidental to the electronic 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 4 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 transmission thereof,” and makes it an offense to improperly access stored electronic communications, except for access by service providers or as authorized by their users. 18 U.S.C. § 2510(17)(A) (emphasis added); Konop v. Hawaiian Airlines, Inc., 302 F.3d 878, 878-79 (9th Cir. 2002). The Ninth Circuit has determined that these two parts of ECPA do not cover the same conduct. Rather, the protection for stored or asynchronous communications, like email, is distinct from the protections for other types of contemporaneous communications, and anything that falls within the statutory definition of “electronic storage” is governed only by the SCA and not the Wiretap Act. Konop, 302 F.3d at 878-79. Under controlling precedent, the Wiretap Act applies only where an electronic communication is “acquired during transmission, not while it is in electronic storage.” Konop, 302 F.3d at 878; see also Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir. 2003) (same). The Ninth Circuit, in Konop, made this determination based both on the ordinary meaning of “intercept,” and “the structure of ECPA, which created the SCA for the express purpose of addressing ‘access to stored . . . electronic communications and transactional records.” Konop, 302 F.3d at 878-79; see also Bohach v. City of Reno, 932 F. Supp. 1232, 1235 (D. Nev. 1996) (“An ‘electronic communication’ consists of the ‘transfer’ of the signals, data, and other items at § 2510(12), but does not include their ‘electronic storage.’”) (citing Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461-62 (5th Cir. 1994)). In both Konop and Theofel, the Ninth Circuit also determined that email in the possession of a service provider falls squarely within the definition of “electronic storage” for purposes of the SCA. “Electronic storage,” is defined in the SCA as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17)(a). This definition encompasses emails that have reached the service provider and are in temporary intermediate storage on the provider’s servers en route to the recipient, and those that remain stored on the provider’s servers for future access by the recipient. Theofel, 359 F.3d at 1077 (finding email is 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 5 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 in electronic storage regardless of whether it is in pre-delivery storage or post-delivery storage).1 This Court itself has previously analyzed the SCA’s definition and found that it properly applies to communications that are temporarily stored for the purpose of further transmission.2 Because email communications in the possession of Yahoo fall squarely within the SCA, the Wiretap Act does not apply to the alleged conduct. See Theofel, 359 F.3d at 1077-78 (rejecting a Wiretap Act claim related to email where the allegedly intercepted communications were in electronic storage). A contrary decision would contradict Konop because the Ninth Circuit has already considered and rejected the idea that email residing on a service provider’s systems could be intercepted under the Wiretap Act: It is therefore argued that if the term “intercept” does not apply to the en route storage of electronic communications, the Wiretap Act’s prohibition against “intercepting” electronic communications would have virtually no effect. While this argument is not without appeal, the language and structure of the ECPA demonstrate that Congress considered and rejected this argument. Congress defined “electronic storage,” as “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof,” indicating that Congress understood that electronic storage was an inherent part of electronic communication. Nevertheless, as discussed above, Congress chose to afford stored communications less protection than other forms of communication.” Konop, 302 F.3d at 880 n.6.3 (citation omitted). Here, because plaintiffs’ allegations concern Yahoo’s alleged conduct once emails reach Yahoo and not while those emails are in transmission 1Even before Theofel, courts around the country had interpreted the SCA to apply to communications stored for a limited time in the middle of transmission to their destination; Theofel only expanded the SCA’s coverage to emails stored as backup even after delivery. See, e.g., In re DoubleClick, Inc. Privacy Litig., 154 F. Supp. 2d 497, 511-12 (S.D.N.Y. 2001). 2In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1059 (N.D. Cal. 2012) (Koh, J.) (“In In re DoubleClick, the district court, after considering the plain language of the statute, concluded that ‘[the SCA] only protects electronic communications stored ‘for a limited time’ in the ‘middle’ of a transmission, i.e. when an electronic communication service temporarily stores a communication while waiting to deliver it.’” 154 F. Supp. 2d at 512) (quoting dictionary definitions of “temporary” and “intermediate”). 3This does not leave email unprotected. The SCA still protects email communications from unauthorized access by third parties, sets rules for government access, and restricts provider disclosure of such communications. See 18 U.S.C. § 2701, et seq. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 6 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 to Yahoo, plaintiffs’ attempt to assert a claim under the Wiretap Act fails.4 See generally Bohach, 932 F. Supp. At 1236 (“The computer’s storage of an electronic communication, whether that storage was ‘temporary’ and ‘intermediate’ and ‘incidental to’ its impending ‘electronic transmission,’ or more permanent storage for backup purposes, was ‘electronic storage,’ because only ‘communications’ can be ‘intercepted,’ and . . . the ‘electronic storage’ of an ‘electronic communication’ is by definition not part of the communication.’”). This reading of ECPA is also consistent with and supported by the separate provisions of ECPA governing law enforcement access to email communications. Under the SCA, the government may require an email provider to turn over email from its servers with a search warrant—regardless of whether recipients have opened or read the emails. 18 U.S.C. § 2703(a). If accessing emails after Yahoo receives them but before the user has retrieved them is an “intercept,” the SCA would not permit the government to get undelivered (or unopened) email using a search warrant. Instead, law enforcement would always be required to get a wiretap order under 18 U.S.C. § 2511. This is not, and has never been, the law.5 Instead, ECPA specifies that a search warrant is the appropriate form of process for emails in electronic storage. See 18 U.S.C. § 2703(a). According to the Ninth Circuit, the effect on law enforcement must be considered in determining the scope of the Wiretap Act. See Konop, 302 F.3d at 879 (“if Konop’s position were correct and acquisition of a stored electronic 4Most other Circuits agree with the Ninth Circuit’s position on this issue. The First Circuit has split with other Circuits and held that communications can be simultaneously in electronic storage and capable of being intercepted under the Wiretap Act. United States v. Councilman, 418 F.3d 67, 79-80 (1st Cir. 2005) (en banc). This is not the law in the Ninth Circuit, as commentators and the government have repeatedly recognized. See Nathan Judish et. al., Computer Crime and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (“Search and Seizure Manual”) (Department of Justice Office of Legal Education, 3d ed. 2009) at 165-67, available at http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf (distinguishing the views of the 3rd, 5th, 9th and 11th Circuits from the contrary position of the 1st Circuit). 5By contrast, it was the law with regard to stored voicemails because the definition of “Wire Communications,” under ECPA previously included the storage of such communications. Congress specifically amended ECPA in 2001 to change this outcome to make voicemails more like emails. See Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001, Pub. L. No. 107-56, § 209, 115 Stat. 272, 283 (enacted October 26, 2001). Accordingly, Congress expected the SCA and not the Wiretap Act to govern the retrieval of emails that can be accessed by a provider. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 7 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 communication were an interception under the Wiretap Act, the government would have to comply with the more burdensome, more restrictive procedures of the Wiretap Act to do exactly what Congress apparently authorized it to do under the less burdensome procedures of the SCA. Congress could not have intended this result.”). Accordingly, plaintiffs’ attempt to extend the Wiretap Act to emails in Yahoo’s possession must be denied. 2. Even if the Wiretap Act Applied, Plaintiffs Fail to State A Claim. a. The Wiretap Act allows ECS providers to “intercept” emails when a party to the communication has given consent. Even if the Wiretap Act applied, Yahoo cannot be liable for illegal interception because it is not unlawful to intercept an electronic communication where one of the parties to the communication has given prior consent. 18 U.S.C. § 2511(2)(d). Here, as evidenced by the allegations in the Complaint, every Yahoo user has expressly consented to the alleged conduct. As the Complaint acknowledges, to create an email account with Yahoo, a “new user must . . . click on the ‘Create Account’ button.” (Compl. ¶ 31.) The sentence above the “Create Account” button reads: “‘I agree to the Yahoo Terms and Privacy.” (Id.) As acknowledged in the Complaint, the phrase “Yahoo Terms” is hyperlinked to Yahoo’s Communications Terms of Service. (Id.) The Communications Terms of Service, under the heading “Acceptance of Terms” in section 1(c) of the Terms, states: Please note that your Yahoo! Messenger account is tied to your Yahoo! Mail account. Therefore, your use of Yahoo! Messenger and all Yahoo! Messenger services will be subject to the TOS and laws applicable to the Applicable Yahoo! Company in Section 10. Yahoo’s automated systems scan and analyze all incoming and outgoing communications content sent and received from your account (such as Mail and Messenger content including instant messages and SMS messages) including those stored in your account to, without limitation, provide personally relevant product features and content, to match and serve targeted advertising and for spam and malware detection and abuse protection. By scanning and analyzing such communications content, Yahoo collects and stores the data. Unless expressly stated otherwise, you will not be allowed to opt out of this feature. If you consent to this ATOS and communicate with non-Yahoo users using the Services, you are responsible for notifying those users about this feature. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 8 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 (Id. ¶ 41; Ex D). Thus, users were informed and agreed that their email will be scanned and analyzed to match and serve targeted advertising if they create a Yahoo account.6 Plaintiffs attempt to muddy the waters by describing additional documents that set forth additional terms of service for various Yahoo products and services that are not Yahoo Mail (Compl. ¶¶ 38, 39, 43, 44; Exs. C, E); citing to Yahoo’s policies regarding the use of users’ personal information (Compl. ¶¶ 33-37); and identifying indirect methods by which a user could arrive at the Communications Terms of Service and Privacy Policy in addition to the direct link from the sign-up page (Compl. ¶¶ 31, 38, 39, 50). This is an obvious attempt to distort Yahoo’s transparent terms of service to try to take advantage of the Court’s ruling regarding Google’s terms of service, which this Court found inadequate to provide notice of email scanning. (Google Order at 24.) But Yahoo’s terms of service are distinct from Google’s and do exactly what the Court held Google failed to do—inform every user that Yahoo scans, stores and analyzes users emails to match and serve targeted advertising. In the Google matter, this Court ruled that users of Google’s Gmail product did not consent to the interception and use of their emails because Google’s Terms of Service and Privacy Policies “did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeting advertising.” (Google Order at 23.) The Court noted: “I’ve looked through the two terms of service and the four privacy policies and I just don’t see in there any explicit language that the content of e-mails is going to be reviewed to create targeted advertising or to create user profiles. . . . Why wouldn’t [Google] just say ‘the content of your e-mails?’” (Tr. at 15:19-23, 20:2-3; Request for Judicial Notice Ex. A) Yahoo’s terms of service do just that. The clear terms of Yahoo’s agreement with its users demonstrate that all users consent to the scanning and analyzing of their email. If such language is deemed 6 This language is not equivocal, nor does it merely suggest that Yahoo has the capability to scan or analyze communications, which may or may not apply to mail. It says that all mail will be scanned and analyzed. (Compare Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss, In Re: Google Inc. Gmail Litigation, 13-md-02430-LHK at 25 (N.D. Cal Sept. 26, 2013) (“Google Order”) (“[this language] demonstrates only that Google has the capacity to intercept communications, not that it will.”)). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 9 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 inadequate to obtain consent, it is hard to imagine what text would suffice. Plaintiffs’ Wiretap Act claim must accordingly be dismissed. b. The Wiretap Act allows ECS providers to access electronic communications in the ordinary course of business. The Wiretap Act allows an action against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). “Intercept” is defined as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4). However, the definition of “electronic, mechanical, or other device” excludes “any telephone or telegraph instrument, equipment or facility, or any component thereof . . . being used by a provider of wire or electronic communication service in the ordinary course of its business . . . .” Id. § 2510(5)(a). Here, Yahoo’s alleged conduct falls within the “ordinary course of business” exception to the definition of “device” and, thus, there is no “interception.” Yahoo provides email services to its users and a core aspect of its business, per the express terms of its agreement with its users, is providing free email services in exchange for targeted advertising. Although the Court previously held that the “ordinary course of its business” exception “means that the electronic communication service provider engaged in the alleged interception must demonstrate the interception facilitated the communication service or was incidental to the functioning of the provided communication service” (Google Order at 15), Yahoo respectfully disagrees that the “ordinary course of business” exception must be so narrowly read. First, a plain reading of the statutory text of § 2510(5)(a) demonstrates that the exception applies more broadly than to mere interceptions that facilitate transmission of the electronic communication. In particular, Congress used the broad phrase “ordinary course of its business” (which on its face encompasses conduct broader than transmitting emails), demonstrating that Congress intended to protect an ECS provider’s own customary and routine business practices. Another court in this district has rejected a narrow interpretation of the phrase “ordinary course of business” for this reason, finding that such an interpretation “does not square with the plain meaning of the 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 10 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 statutory text at issue” because “Congress specifically chose the broader term ‘business’ that covers more far-ranging activity. For good measure, Congress also teamed the term ‘business’ with the terms ‘ordinary course,’ suggesting an interest in protecting a provider’s customary and routine business practices.” In re Google, Inc. Privacy Policy Litig., Case No. C-12-01382-PSG, 2013 U.S. Dist. LEXIS 171124 at *33 (N.D. Cal. Dec. 3, 2013). Here, Yahoo’s ordinary business should be defined as Yahoo defines it with its users. And Yahoo informs its users that its business is providing free email (at substantial scale and cost) in exchange for the ability to display advertisements. This approach would follow the approach of other courts that have considered the ordinary course of business exception,7 and it would also avoid uncertainty amongst ECS providers and courts about which conduct will be covered by the ordinary course of business exception. See id. at *36 (noting that this Court’s narrow interpretation “begs the question of what exactly it means for a given action to be ‘necessary’ to the delivery of [e]mail” and that activities such as spam-filtering or indexing may not be “really ‘necessary’” to transmitting email). Second, ECPA’s statutory scheme further demonstrates that the “ordinary course of its business” is not intended to be narrowly interpreted. The sole limitation that Congress placed on an ECS provider’s acquisition of content is that such acquisition occur through a device used in the ordinary course of its business. In contrast, Congress imposed a further limitation only on wire communication service providers, requiring that any service observing or random monitoring be limited to “mechanical or service quality control checks” 18 U.S.C. § 2511(2)(a)(i). Though Congress imposed a limitation on both ECS and wire communication 7See In re Google, Inc. Privacy Policy Litig., 2013 U.S. Dist. LEXIS 171124 (N.D. Cal. Dec. 3, 2013); Hall v. EarthLink Network, Inc., 396 F.3d 500, 504 (2d Cir. 2005) (holding that business conduct unrelated to the provision of an email service (storing email in case a former custodian asked for it) was conduct within the ordinary course of business); Kirch v. Embarq Management Co., 702 F.3d 1245, 1250 (10th Cir. 2012) (Embarq, in allowing NebuAd to run a technology test related to advertising, was protected by the exception because Embarq had “no more of its users’ electronic communications than it had in the ordinary course of its business as an ISP”) upholding Kirch, 2011 WL 3651359, at *9 n.42 (D. Kan. Aug. 19, 2011) (the “ordinary course of its business” defense “appears to have merit, as plaintiffs have admitted that Embarq conducted the NebuAd tests to further legitimate business purposes and that behavioral advertising is a widespread business and is commonplace on the internet.”). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 11 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 service providers that any “interceptions” be part of the ordinary course of business, Congress did not expressly or impliedly narrow the scope of “ordinary business,” except to limit employees of wire communications providers from listening in on conversations. This reading is consistent with ECPA’s legislative history in which Congress made clear that in imposing limitations on providers it was not concerned with the type of algorithmic processing and scanning of emails alleged in the Complaint but instead was concerned about “humans listening in on voice conversations”—thereby necessitating a limitation on wire service providers beyond conduct in the “ordinary course of its business.” (S. Rep. No. 99-541 at 20 (1986); Request for Judicial Notice Ex. B). Finally, the rule of lenity prohibits a narrow interpretation of the “ordinary course of business” exception to liability. The rule of lenity requires that ambiguities in a criminal statute, such as the Wiretap Act, be resolved in favor of the defendant. Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004) (under the rule of lenity, criminal statutes imposing penalties must be strictly construed in favor of the defendant even when applied in a civil case). The Wiretap Act is a criminal statute, and narrowing its exceptions expands its scope. As this Court has recognized, courts have found the exceptions to the Wiretap Act to be “not altogether clear.” (Google Order at 14 (citing Adams v. City of Battle Creek, 250 F.3d 980, 982 (6th Cir. 2001))). Other courts have interpreted the “ordinary course of its business” exception differently from this Court’s prior interpretation. See supra n. 7. Any ambiguities in the interpretation of the exception should accordingly be resolved to cover Yahoo’s conduct in the ordinary course of its business, consistent with the express terms of its agreements with its users. Therefore, this Court should not limit this exception and greatly expand liability under the Wiretap Act. B. Plaintiffs’ SCA Claim Must Be Dismissed Because Yahoo Has Statutory Immunity Under the SCA. In enacting the SCA, Congress determined that email service providers have statutory immunity from purported violations of 18 U.S.C. § 2701(a)—the provision alleged to be violated here. See 18 U.S.C. § 2701(c)(1). A violation of § 2701(a) occurs when someone, without authorization, or in excess of authorized access, intentionally accesses a facility through which an 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 12 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 electronic communication service is provided and “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.” 18 U.S.C. § 2701(a)(2). Although emails are covered by these provisions, Yahoo is not. Recognizing that email service providers need to be able to access emails on their servers, the SCA entirely exempts conduct authorized by “the person or entity providing a wire or electronic communications service.”8 18 U.S.C. § 2701(c)(1). As this Court has previously recognized, § 2701(c)(1) allows a service provider complete access to communications stored on these “facilities.” In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057 (N.D. Cal. 2012) (Koh, J.); Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270-71 (N.D. Cal. 2001). Because of this clear statutory exception, courts regularly dismiss claims against ECS providers based on alleged access to or searching of communications stored on their own networks. See, e.g., Buza v. Yahoo, Inc., No. C 11-4422 RS, 2011 U.S. Dist. LEXIS 122806, at *1 (N.D. Cal. Oct, 24, 2011) (dismissing claims based on alleged unlawful access to stored emails by an ECS provider); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 115 (3d Cir. 2003) (ECS providers may not be held liable for searching stored communications on their own systems); Reichert v. Elizabethtown College, No. 10-2248, 2011 U.S. Dist. LEXIS 86837 (E.D. Pa. Aug. 5, 2011) (same). The SCA thus recognizes that providers of email services must have complete access to the emails residing on their systems at all times to deliver their services, and that such access should not be prohibited by any law.9 The immunity granted ECS providers does not mean that they can divulge the contents of emails carried on their servers to anyone for any purpose. Instead, 18 U.S.C. § 2702(a) prohibits email providers from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service,” subject to certain exceptions, 8This statutory immunity further demonstrates that an ECS provider cannot be held liable under the Wiretap Act. It would contravene the statutory text and defy not only Konop but also common sense if providers are fully immune from accessing email on their servers under § 2701, but could be criminally and civilly liable for the same conduct under 18 U.S.C. § 2511. 9For the reasons cited above in Section V.B.1, Yahoo’s conduct was also authorized by its users, thus also providing immunity under 18 U.S.C. §2701(c)(2). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 13 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 including with consent from an originator or addressee of such communications. Here, plaintiffs have not stated a violation of 18 U.S.C. § 2702(a), as their conclusory, unsupported allegations that Yahoo unlawfully shares “content with third parties” lacks the factual specificity required by Twombly.10 C. The Good Faith Defense Exception Under the Wiretap Act and SCA Bar Plaintiffs’ Claims. Plaintiffs’ claims must be dismissed for the additional reason that the good faith defense exception provides a complete defense to liability. Both the Wiretap Act and the SCA state that “a good faith reliance on—(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization . . . is a complete defense against any civil or criminal action brought under this chapter or any other law.” 18 U.S.C. § 2520(d); 18 U.S.C. § 2707(e) (emphasis added); see also Rice v. Rice, 951 F.2d 942, 944-45 (8th Cir. 1991) (noting § 2520(d)(3)’s good faith defense applies to providers); Sams v. Yahoo! Inc., 713 F.3d 1175, 1180-81 (9th Cir. 2013). Yahoo relied in good faith on the provision of the SCA authorizing an ECS provider to access emails on its own servers, 18 U.S.C. § 2701(a), (c), the decisions of the Ninth Circuit in Konop and Theofel, and on the Wiretap Act’s authorization of “interception” of electronic communications with the consent of one party to the communication, 18 U.S.C. § 2511(c). Further, Yahoo acted with a good faith belief it was authorized to access electronic communications in the ordinary course of its business. 18 U.S.C. 2511(2)(a)(i). Yahoo thus has a complete defense to plaintiffs’ claims. The Ninth Circuit recently held that where statutory immunity under ECPA is based on a good faith belief that the law permits the provider’s actions, a plaintiff must plead facts supporting a lack of good faith to overcome a motion to dismiss. Sams, 713 F.3d at 1181. Plaintiffs plead no facts suggesting that Yahoo did not act in good faith reliance upon the plain 10In particular, plaintiffs have failed to allege specific information about what information they contend was shared, with whom, and for what purpose. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 14 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 language of the Wiretap Act and the SCA when accessing or analyzing email. Plaintiffs’ claims should accordingly be dismissed.11 D. Plaintiffs Fail to State a Claim Under CIPA. 1. CIPA does not apply because the communications at issue were not in transit. Plaintiffs assert that Yahoo has violated section 631 of CIPA, which prohibits using a “machine, instrument or contrivance” to read or learn a communication’s contents “while the same is in transit or passing over any wire, line, or cable” without the consent of all parties to the communication. Cal. Penal Code § 631 (emphasis added). Plaintiffs have not stated a claim under section 631 because that section only applies to communications intercepted “in transit,” and emails that a provider receives and stores en route to a user are in electronic storage and not “in transit” under wiretapping laws. See generally Konop, 302 F.3d at 874. Interpreting the all- party consent provisions of section 631 to apply to email received by a provider would transform ordinary conduct into a criminal offense, in direct conflict with the statutory interpretation principles used by the Ninth Circuit in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (concluding that while a broad reading of the Computer Fraud and Abuse Act was supported by the text of the statute, a narrower reading was required given the everyday realities of computer use). Section 631 does not define “in transit,” and no California case has interpreted the phrase’s application to electronic communications like email. But like the federal law, California’s analogous wiretap act carves out stored communications from its scope. Cal. Penal 11 Even in Councilman, discussed supra n.4, the court recognized that potential uncertainty caused by any overlap of the Wiretap Act and the Stored Communications Act was solved by the broad good faith immunity provision described above. The Councilman court said that “Congress specifically anticipated that communication service providers might misapprehend their lawful ability to intercept or disclose communications in certain circumstances. Congress addressed that the problem with a broad, affirmative good faith defense.” Councilman, 418 F.3d at 83-84. Reliance on the previous holdings of the Ninth Circuit in Konop and Theofel with regard to the inapplicability of the Wiretap Act to the conduct alleged in the Complaint would certainly qualify on its face as good faith. See Sams, 713 F.3d at 1181 (holding at the motion to dismiss phase that Yahoo was statutorily immune from suit when the plaintiff pled no facts supporting an allegation that Yahoo did not act in good faith.) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 15 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 Code § 629.51 (“This chapter applies to the interceptions of wire and electronic communications. It does not apply to stored communications or stored content.”). When there are no state law decisions on point, California courts have turned to federal court interpretations of the federal Wiretap Act. See People v. Roberts, 184 Cal. App. 4th 1149, 1166 (2010). The Ninth Circuit has found that when stored communications laws apply, the scope of wiretap laws end. Importantly, with regard to wire communications, California courts also have held that where communications have arrived at a service provider and are in storage en route to their destination, but have not been delivered to a recipient, those communications are no longer “in transit” under section 631. People v. Wilson, 17 Cal. App. 3d 598, 603 (1971); see also Cal. Penal Code § 629.51(c) (statute authorizing wiretaps does not apply to stored communications); Cal. Penal Code § 1524.2 (providing for access to stored email content with a warrant, not a wiretap order). In Wilson, an answering service received and then transcribed messages for the defendant. 17 Cal. App. 3d at 603. A narcotics agent asked the answering service to let him know if any calls came in for the defendant. The answering service then handed over the messages it had transcribed, but had not delivered, to the narcotics agents. The Court held that section 631 did not prohibit the answering service from handing over the messages. Instead, it found that the information the answering service received was not obtained while the communications were in transit or passing over any wire, but after transmission, even if prior to delivery. Id. The answering service, like Yahoo here, accessed the messages on its own system, and—even though the messages had not yet been delivered to the service’s clients—did not violate CIPA.12 If this Court’s function is to predict how the California Supreme Court would rule when applying CIPA to emails received by the recipient’s provider, this Court should rely on Wilson and the Ninth Circuit’s interpretation of comparable federal law in Konop and Theofel—both of which would support the conclusion that CIPA does not apply to the conduct alleged here. See Wilson, 17 Cal. App. 3d at 603; Theofel, 359 F.3d at 1077 (concurring with Konop and finding 12Accord Rogers v. Ulrich, 52 Cal. App. 3d 894, 125 Cal. Rptr. 306 (1975) (holding a participant to a conversation cannot violate § 631, in part because the communication is no longer in transit when it reaches a recipient). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 16 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 the Wiretap Act does not apply to email in electronic storage). Plaintiffs’ CIPA claims must be dismissed as a matter of law. 2. Interpreting section 631 to apply to email scanning would transform ordinary conduct into a criminal offense and lead to absurd results. Plaintiffs’ interpretation of section 631 of CIPA—requiring all-party consent for recorded communications, like stored emails and voicemails—would potentially turn ordinary and widespread computer use into criminal activity. For example, administrative assistants would suddenly need both the authorization of their bosses and the consent of the senders before listening to voicemails or reading emails when instructed to do so. This is not the correct interpretation of CIPA. Like the Computer Fraud and Abuse Act (CFAA), CIPA is a criminal statute. And as in Nosal, the rule of lenity applies. People v. Nuckles, 56 Cal. 4th 601, 611 (2013) (rule of lenity applies to interpreting California Penal Statutes). In Nosal, the Ninth Circuit addressed whether violating corporate restrictions on data usage violated the CFAA. In finding such violations were an inadequate basis for criminal liability, the Ninth Circuit refused to adopt a “broad interpretation of a statute” that would “criminalize a broad range of day-to-day activity.” 676 F.3d at 862 (quoting United States v. Kozminski, 487 U.S. 931, 949 (1988)). Applying § 631 of CIPA to emails in the hands of the recipient’s email provider would do just that by making it potentially illegal to rely just on the authority of the recipient to take any action until the email has been read. Consider three types of recorded communication: U.S. mail, voicemail, and email. Intercepting U.S. mail is a crime. 18 U.S.C. § 1702. Yet, in many businesses, an administrative assistant, or mailroom worker, opens mail before it reaches the recipient. This activity is not a crime because the recipient’s consent has always been deemed legally sufficient to authorize others to open mail, before or after delivery. See, e.g., McCowan v. United States, 376 F.2d 122 (9th Cir. 1967) (18 U.S.C. § 1702, governing the theft of mail in transit, applies until delivery to the addressee or an authorized agent). The same is true with voicemail. Previously, callers left voice messages directly on an individual’s answering machine. Now, they are often left on the computer servers of telephone 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 17 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 providers who rely on the recipients’ consent to process, and even to automatically transcribe the message. And administrative assistants and spouses often listen to these voicemails for others. Under plaintiffs’ theory, both activities could be illegal under CIPA unless the sender expressly consents. But once a caller leaves a message, the recipient should have complete control over the recording—not only whether it can be shared with other people after it is heard, but also who may listen to it before it is heard by the recipient. Similarly, an email sender can choose whomever she likes to receive an email message. The recipient’s consent has never before been required before adding a “cc” or a “bcc” to the message. And an email recipient can forward an email to whomever she pleases, even if she sets up an automatic rule to forward some or all of her emails before she reads them. For example, a recipient can set a rule sending all emails containing certain words, like “urgent” or “important,” or coming from certain people to be forwarded to a third party the second they reach the provider’s servers. If CIPA applies, such forwarding could also be illegal without the sender’s consent. But if an email recipient can lawfully authorize an administrative assistant to open her email for her, she should be able to authorize her service provider to access it before she gets it. That access may be to sort the mail, group it by topic or sender, filter it for spam or, as alleged here, to allow the service provider to provide more customized services and advertisements based on its contents in exchange for free service. The key principle is that once a recorded communication is sent—whether by postal mail, voicemail, or email—the recipient should have absolute control to consent to when a third-party can hear or view that message before or after it is read or heard. This result makes sense because unlike telephone calls, a sender of email or voicemail messages knows the communication is preserved and that the recipient can authorize anyone to see or hear it. See State v. Lott, 879 A.2d 1167, 1170-73 (N.H. 2005) (“Unlike persons using a telephone, however, persons using an instant messaging program are aware that their conversations are being recorded.”). CIPA was not meant to protect such forms of stored communications against the recipient’s decision to authorize others to access the communication. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 18 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 A holding that the all-party consent provisions of CIPA apply to stored email, thus preventing any access to stored communications based solely on the authorization of the recipient, would over-criminalize routine internet behavior. Instead, this Court should rule that providers can act on stored messages as instructed by the senders or recipients, as provided in the laws governing stored communications. 3. Plaintiffs’ CIPA claim is preempted. If CIPA applied to emails in transit on an ECS providers’ servers, it would be preempted by the SCA. “Congress may preempt state law in several different ways.” Matsco, Inc. (In re Cybernetic Servs., Inc.), 252 F.3d 1039, 1045-46 (9th Cir. 2001). Congress may do so expressly (express preemption) or by enacting a statutory scheme that is “sufficiently comprehensive” to support an inference that Congress “‘left no room’ for supplementary state regulation’” (field preemption). Id. “State law also is preempted ‘when compliance with both state and federal law is impossible,’ or if the operation of state law ‘stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress’” (conflict preemption). Id. Each form of preemption is implicated by plaintiffs’ CIPA claim. First, applying CIPA to emails after they reach a provider’s servers conflicts with the SCA. The SCA allows ECS providers to access emails in intermediate storage while they are in transit on the providers’ servers and does not require the consent of either party to do so. 18 U.S.C. § 2701(c)(1). The SCA also contains numerous provisions describing the circumstances whereby providers can and must disclose communications in electronic storage. See 18 U.S.C. §§ 2702-04, 2709. Application of CIPA in this case would conflict with these provisions by requiring the consent of both the sender and recipient to access emails. See Florida Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132, 142 (1963) (“A holding of federal exclusion of state law is inescapable and requires no inquiry into congressional design where compliance with both federal and state regulation is a physical impossibility for one engaged in interstate commerce.”). Second, the SCA expressly preempts state law claims such as CIPA. Congress stated in the SCA that, other than the pursuit of federal constitutional violations, the remedies outlined in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 19 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 the SCA are the exclusive ones available for conduct covered by the statute, demonstrating its intent that the SCA would displace state laws that attempt to govern the same conduct. 18 U.S.C. § 2708. When considering whether the SCA preempted California invasion of privacy claims against a provider of text messaging services for disclosing those messages, another court determined that the SCA expressly preempts CIPA. Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116, 1137-38 (C.D. Cal. 2006), aff’d in part and rev’d in part on other grounds by 529 F.3d 892 (9th Cir. 2008) (“The SCA thus displaces state law claims for conduct that is touched upon by the statute[.]”). Though federal courts in California have previously split over whether ECPA preempts the CIPA, none have considered the unique issue here—whether ECPA preempts parallel state legislation regulating the conduct of email providers when accessing emails on their servers. Compare In re Google Inc. Street View Elec. Commc’ns Litig., 794 F. Supp. 2d 1067, 1084-85 (N.D. Cal. 2011) aff’d sub nom Joffe v. Google, Inc., 729 F.3d 1262 (9th Cir. 2013) (holding that ECPA preempts the CIPA); Bunnell, 567 F. Supp. 2d at 1154 (same), with Shively v. Carrier IQ, Inc., No. C-12-0290 EMC, 2012 U.S. Dist. LEXIS 103237 (N.D. Cal. July 24, 2012) (holding that ECPA does not preempt the CIPA); Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022 (N.D. Cal 2011) (same). These cases, unlike Quon v. Arch Wireless Operating, generally did not analyze the SCA’s provisions regarding electronic communications services and thus have no bearing on the question of SCA preemption.13 Even if this court were to find that the Wiretap Act and not the SCA governs emails in transit on a provider’s servers, plaintiffs’ CIPA claim would still be preempted. When Congress passed ECPA in 1986, it created a “very comprehensive” scheme that “regulates private parties’ conduct, law enforcement conduct, outlines a scheme covering both types of conduct and also includes a private right of action for violation of the statute. As such, it is apparent. . .‘that Congress ‘left no room’ for supplementary state regulation.’” Bunnell, 567 F. Supp. 2d at 1154; see also In re Google, 794 F. Supp. 2d at 1085; Quon, 445 F. Supp. 2d at 1137-38, rev’d on other 13None of these cases involved the issue of a defendant intentionally accessing communications on its servers with the consent of one of the participants. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 20 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 grounds by 529 F.3d 892 and 130 S. Ct. 2619 (2010). The Wiretap Act comprehensively governs when a provider may intercept contemporaneous communications, stating that a provider may do so when: incident to the rendition of its service or to the protection of the rights or property of the provider of that service; on law enforcement’s behalf with the consent of one party; for any purposes with the consent of one party; on law enforcement’s behalf in response to legal process; and, to intercept “public” communications.14 Congress also extended express immunity for providers who rely in good faith on these authorizations.15 CIPA does not mirror this scheme in any way, nor does it have similar exceptions. Thus, finding that CIPA applies to what ECS providers do with communications prior to delivery would likely foreclose providers’ ability to rely on these important provisions of the Wiretap Act to deliver its services. Such exceptions allow providers to protect themselves (by scanning for malware and spyware, preventing fraud, stopping hackers) and to provide useful services (by sorting incoming messages by topic or thread, delivering “bcc” copies, converting content to hyperlinks, or providing other useful features that require interaction with email content). By contrast, CIPA’s exceptions are limited only to public utilities. Compare 18 U.S.C. §2511(2)(a)(i) with Cal. Penal Code § 631(b). Thus, the carefully-crafted federal exemptions that are designed to allow service providers to function become useless in the face of CIPA. In creating ECPA, Congress knew that legal uncertainty could “discourage potential customers from using innovative communications systems” and “discourage [ECS providers] from developing new innovative forms of telecommunications and computer technology” and believed that ECPA’s comprehensive scheme would help avoid that result. (S. Rep. No. 99-541 at 5 (1986); Request for Judicial Notice Ex. B.) Application of CIPA in this case would intrude upon Congress’s comprehensive regulatory scheme for ECS providers. See Sherwood Partners, Inc. v. Lycos, Inc., 394 F.3d 1198, 1200 (9th Cir. 2005) (“Congress’ intent to supersede state law altogether may be found from a ‘scheme of federal regulation . . . so pervasive as to make reasonable the inference 14See 18 U.S.C. §§ 2511(2)(a) – (i). 15See Section V.D., supra, discussing 18 U.S.C. § 2520(d) and 18 U.S.C. § 2707(e). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 21 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 that Congress left no room for the States to supplement it.”) (citation omitted). Accordingly, CIPA cannot be applied in this manner. E. Plaintiffs Fail to State a Claim for Violation of the California Constitution. Plaintiffs fail to allege any facts supporting a claim for violation of the California Constitution. Plaintiffs’ Complaint hinges on the allegation that Yahoo intercepted emails and scanned them for “content.” (Compl. ¶¶ 1, 4, 15-18.) These allegations are inadequate to state a plausible claim for relief for a constitutional violation. “[A] plaintiff alleging an invasion of privacy in violation of the state constitutional right to privacy must establish each of the following: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 1, 39 (1994). “To be actionable under the California Constitution, ‘invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Stern v. Weinstein, 512 Fed. Appx. 701, 702 (9th Cir. 2013) (quoting Hill, 7 Cal. 4th at 26). Also, the plaintiff’s expectations of privacy must be reasonable, a determination of which “rests on an examination of ‘customs, practices, and physical settings surrounding particular activities,’ as well as the opportunity to be notified in advance and consent to the intrusion.” Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 287-288 (2009). Plaintiffs have failed to set forth facts to support the three elements of a privacy invasion claim under the California Constitution. Rather, they recite the elements of the cause of action, which is insufficient to state a claim. (Compl. ¶¶ 66-71); Iqbal, 556 U.S. 678 (conclusory allegations of the elements of a claim do not state a claim); Martel v. United States, No. CIV S- 11-3040 GEB CKD PS, 2012 U.S. Dist. LEXIS 59436, *5-6 (E.D. Cal. Apr. 27, 2012) (“[P]laintiff here makes a conclusory allegation that his right to privacy was violated and his opposition simply reasserts this allegation. In the absence of any factual allegations to support this claim, the claim under the California Constitution should be dismissed.”) Plaintiffs allege no facts regarding the content of their emails, their intent in sending those emails, the circumstances 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 22 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 under which those emails were sent, or who the recipients of those emails were—i.e., allegations that are necessary to show a factual basis for a privacy claim. See generally Hill, 7 Cal. 4th 1 at 36 (noting that a determination of whether a person has a reasonable expectation of privacy depends on unique facts and circumstances). Plaintiffs have failed to plead facts showing that they had a privacy interest in any of their emails, much less that any expectation of privacy was reasonable. Belluomini v. CitiGroup, Inc., No. CV 13-01743 CRB, 2013 U.S. Dist. LEXIS 103882, *20 (N.D. Cal. July 23, 2013) ([I]f [plaintiffs’] allegations ‘show no reasonable expectation of privacy or an insubstantial impact on privacy interests, the question of invasion may be adjudicated as a matter of law.”). Such a factual pleading is necessary here given that emails by their nature are not confidential. “Unlike phone conversations, email services are by their very nature recorded on the computer of at least the recipient, who may then easily transmit the communication to anyone else who has access to the internet or print the communications.” Google Order at 41:19-21; People v. Nakai, 183 Cal. App. 4th 499 (2010) (finding that, while the defendant intended that the communication be kept confidential between himself and the recipient, he could not reasonably expect that the communication would not be recorded); People v. Cho, 2010 WL 4380113 (Cal. Ct. App. Nov. 5, 2010) (holding internet chat conversations are not confidential); People v. Griffitt, 2010 WL 5006815 (Cal. Ct. App. Dec. 9, 2010) (“Everyone who uses a computer knows that the recipient of e-mails and participants in chat rooms can print the e-mails and chat logs and share them with whoever they please, forward them or otherwise send them to others.”). Finally, plaintiffs allege no facts supporting a conclusion that Yahoo’s conduct resulted in a serious invasion of privacy. “The California Constitution and the common law both set a high bar for an invasion of privacy claim. Even disclosure of personal information, including social security numbers, does not constitute an ‘egregious breach of the social norms’ to establish an invasion of privacy claim.” Bellumoni, 2013 U.S. Dist. LEXIS 103882 at *20-21; see also e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, (2012) (holding disclosure to third parties of unique device identifier number, personal data, and geolocation information did not constitute an egregious breach of privacy); In re Google Android Consumer Privacy Litig., No. 11-MD- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 23 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 02264 JSW, 2013 U.S. Dist. LEXIS 42724, 30-33 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiffs’ privacy claim when plaintiffs alleged that “‘Google’s conduct, . . . by design, allowed third party Affiliates, like Defendants Admob and AdWhirl, to obtain Plaintiffs and Class Members [personal identifying information] and to transmit such information without encryption” and that defendants “tracked and shared ‘highly detailed and confidential [personal identifying information] over a substantial period of time without [the plaintiffs] knowledge or consent.”). As plaintiffs have only recited the elements of a claim under the California Constitution, with no supporting facts, their claim should be dismissed. VI. CONCLUSION Yahoo respectfully requests that the Complaint be dismissed. Dated: March 5, 2014 MORRISON & FOERSTER LLP By: /s/ Rebekah Kaufman REBEKAH KAUFMAN Attorneys for Defendant YAHOO! INC. Dated: March 5, 2014 ZWILLGEN PLLC By: /s/ Marc J. Zwillinger MARC J. ZWILLINGER Attorneys for Defendant YAHOO! INC. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 MEMORANDUM OF POINTS AND AUTHORITIES ISO MOTION TO DISMISS 24 CASE NO. 5:13-CV 10-4980 LHK sf-3388413 ATTESTATION OF E-FILED SIGNATURE I, Rebekah Kaufman, am the ECF User whose ID and password are being used to file Defendant Yahoo! Inc.’s Notice of Motion and Motion to Dismiss; Memorandum of Points and Authorities in Support Thereof. In compliance with Civil L.R. 5-1(i)(3), I hereby attest that Marc Zwillinger has concurred in this filing. Dated: March 5, 2014 /s/ Rebekah Kaufman Rebekah Kaufman