Article III Standing in Frank v. Gaos

Why I think there is standing: Think property, not privacy.


Some readers have followed the pending Supreme Court case of Frank v. Gaos, which involves the settlement of class actions using cy pres awards. As Will Baude explained here back in November, the Justices called for additional briefing after oral argument on whether there is Article III standing in the case. The briefs and reply briefs have now been filed, and I thought I would add my own thoughts on why think there is standing.

A confession at the outset: I am not an expert in standing doctrine. But I do know a thing or two about the cause of action in this case. It happens to involve a statute, the Stored Communications Act, that I have spent a rather absurd amount of time studying and teaching over the last two decades. Because the standing test under Spokeo hinges in part on the substantive cause of action, I thought I would explain what Congress was doing when it created this cause of action. If I'm understanding Spokeo correctly, I think that understanding provides a solid basis for Article III standing.

Here's the scoop. As I explained in this article, Congress created the SCA in 1986 to create home-like privacy protections for Internet communications. In the physical world, the law already protects your home. The Fourth Amendment requires a warrant to enter your home. And if someone comes into your house and takes your stuff away, you can sue them for the tort of conversion. But in 1986, it didn't look like those protections would apply to the computer network equivalent of your home, your personal communications such as your private e-mail. First, it wasn't at all clear in 1986 that the Fourth Amendment applied at all to e-mail. And second, e-mail service providers had total access to user e-mails, and it wasn't at all clear that there was any legal prohibition on providers taking those e-mails and sharing them with the world.

Those problems led Congress to enact the SCA with two key parts. First, Section 2702 imposes a ban on service providers voluntarily disclosing user communications unless an exception applies. Second, Section 2703 imposes a ban on the government from compelling service providers to hand over user communications without greater legal process such as a warrant. The two statutory sections are network versions of traditional legal causes of action. Section 2702 stands in the place of the traditional tort of conversion. It stops service providers from taking away your private electronic stuff just like the tort of conversion stops the superintendent of an apartment building from entering apartemnts and taking away tenants' physical stuff. Section 2703 stands in the place of traditonal Fourth Amendment law. It requires the government to get a warrant to compel a provider to fork over e-mails just like the Fourth Amendment requires a warrant for the government to enter a home.

That brings us back to Frank v. Gaos. The plaintiffs are Internet users who object to the fact that when you click on a website link, a referral header is ordinarily sent to the website you're visiting that reveals where you have been. It turns out that when you do a search, your search terms ordinarily appear in your website address. That means that when you click on a link following a search, you're ordinarily passing on the search terms that you entered to the website that you're then visiting. In this case, a class action was brought against Google on behalf of Google users claiming that Google was violating the SCA, and in particular Section 2702, by operating this way. As the plaintiffs saw it, Google was disclosing private search terms of its users in violation of the statute.

From my perspective, I have to say, this seems like an extremely weak SCA case. If I understand the claim, I don't see how it amounts to a violation of Section 2702. The communications here are the search terms in the users' browers. When users click on the links, their actions pass on the communications to the next site they are visiting. The disclosure is by the user, not the provider. Given that, I don't see how the search engine was acting as either a provider of ECS or an RCS with respect to those communications—prerequisites for the ban in Section 2702 to apply. But that's the merits of the case, not standing, and only standing is before the Court.

On standing, the question asked by Spokeo, Inc. v. Robins is whether a plaintiff suffered an invasion of a legally-protected interest that is "concrete and particularized" so as to establish injury-in-fact. "It is instructive," Spokeo explains, "to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts."

It seems to me that the answer is yes. If you imagine that the SCA was violated, that means that the defendant committed an intangible version of the tort of conversion. For Section 2702 to have been violated, Google must have been acting like the Internet equivalent of a superindendent who entered tenants' apartments, took their property, and sent it to someone else without the tenants' permission. The alleged wrong has a close relationship to a traditional common law conversion tort.

The parties have mostly missed this because they (and some Justices at argument) seem to be thinking about this as a privacy case. They're thinking about Section 2702 as a privacy statute. And they're thinking about the cause of action as either similar to or different from a privacy tort. That raises some difficult issues, and it's not surprising that the privacy-focused approach led the Justices to want more briefing.

But I think the case is easier when you realize that Section 2702 is better understood as an intangible conversion statute, not a privacy tort statute. The SCA reflects Congress's judgment that your digital files are your stuff. Someone else can't come along and take that stuff from you. And in the digital world, taking your stuff means copying it and distributing it to someone else. It doesn't matter if the files are particularly private. It just matters that the stuff is your stuff. It's true that concepts of conversion can be an awkward fit when applied to unauthorized copying of digital information—see this brilliant student note from 1996 for more. But the basic idea behind Congress's cause of action in Section 2702 is digital conversion of personal property.

As I understand Spokeo, that goes a long way towards establishing Article III standing. By alleging a Section 2702 violation, the plaintiffs are alleging a concrete and particular harm: Conversion of their personal property, albeit through intangible means of copying and distributing it.

NEXT: Trump's Syria Withdrawal Does Nothing to Restore Constitutional Limits on Presidential War Powers

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. You say this:

    > “When users click on the links, their actions pass on the communications to the next site they are visiting. The disclosure is by the user, not the provider.”

    Which raises this question: does the user have the option to NOT pass on the Referrer information? If the user doesn’t have that choice, then they’re not in control of their information.

    From there, I go to agreeing that the plaintiffs probably don’t have a good cause against Google, etc., as major websites. But, they MIGHT have good cause against browser developers (Google/Chrome, Mozilla/Firefox, Microsoft/IE (or whatever it’s called now), etc. And the resolution of the suit might include a well-publicized notification to browser users on how to blank Referrer information for privacy.

    1. There are various Chrome apps that let you play with referrer.

    2. You do have the option but it requires some technical sophistication (and motivation) to change the settings in your browser. See here for instructions for each of the major browsers. (And note that those instructions could already be out of date depending on the browser version you’re using.)

  2. And in the digital world, taking your stuff means copying it and distributing it to someone else.

    The barrier to relying on either theft or conversion with regard to digital data has been that “taking your stuff” has to mean interfering with your rights with respect to that stuff, so “taking your stuff away” and thereby depriving you of it, but not simply copying your stuff. Identifying a right that is interfered with by duplicating information has been a problem, unless the owner’s access or realization of value is impaired. I don’t see how to navigate this using traditional ideas of actionable harm.

    1. I agree it is difficult. I think the reply to this would be that part of a possessory interest in something is the right to show/publish it to who you want, when you want. And therefore someone else publishing it, even done by copy, is interfering with that possessory interest. Copywrite, for example. Some doesn’t need to steal and use the actual original manuscript. Copying it itself is a violation, as is publication of those copies.

      1. The theory here was that the SCA resembles a conversion statute applied to intangible property, and even if we invent a new property right (the “right to expose”? Louis CK take note!) I don’t see that the owner’s ability to expose or not expose is impacted by the actions of the defendant. The downstream, speculative effects of the owner’s decision whether to expose may be impacted, but not her ability to do so, so I still think it doesn’t work.

  3. Orin, I know this is off your main topic, but I don’t get why you say that it is the *user* who discloses the search terms, when most users have no idea that a disclosure has taken place.

    My admittedly naive take on this is that the responsibility for search term disclosure should fall on some combination of Google as RCS (whose employees knowingly caused the search engine to place the search terms in the URL which it dynamically generates during the search process), and the browser provider as ECS(whose employees knowingly caused the browser to pass that URL to the next site visited, in the referral header).

    Can you please tell me where I have gone wrong?

    1. I don’t think that the argument “the user has idea that a disclosure has taken place”.

      This disclosure is inherent in the way browsers work. It doesn’t seem reasonable that a user is allowed to claim both no responsible in understand how information is passed around and unfettered authority over the way information is passed around.

  4. I would like to add that it’s possible that you could search with Google via HTTPS and your search is encrypted but the referrer might be to a straight HTTP (non-encrypted) website, exposing your search query to every ISP along the way.

    1. This is one of the reasons that Google search devalues HTTP websites.

      In reality though, I don’t think there has ever been a case of an ISP (or even an employer, which matters in the case of employees browsing at work) being publicly caught exploiting their undenied ability to peek into HTTP URLs.

      On the other hand, I assume every significant website does keep track of where its referrals come from. It’s not inherently sinister, they are just trying to understand their user-base, but if it bugs you, that’s where you should take action.

    2. The 2014 update to the HTTP 1.1 specification forbids this, where it had only been discouraged in earlier versions. If it is happening to you then your browser is either ancient or broken.

  5. I don’t think standing depends on distinctions like property v. privacy. I think standing has to come before legal theories of this nature are applied.

    I think the basic threshold question is, “has the plaintiff lost something he could potentially value?” And I don’t think how we characterize or classify it really matters to answering this question.

    It seems to me to be obvious that people could potentially value the search terms they enter (or at least value not having those search terms disclosed to another party), for reasons similar to why people might value not having their video rental records disclosed.

    Whether they have a legal right to those terms (or to not having them disclosed), and what the nature of that right is, strike me as merits questions, not standing questions.

    The internet raises new questions. The notion of standing has to be flexible enough to enable a court to ask the threshold question – might a person value this? – in a direct way when covering new situations and contexts, without being constrained to analogies to past concepts.

    The fact that disclosure of search terms could result in personal embarrassment creates a personal stake in them. This alone is enough, in my view, to satisfy constitutional standing.

  6. Using the term “property” to describe intellectual property has at least as much power to obscure the distinctions as to enlighten. If one claims that personal information is somehow the “property” of the user or originator of that information, under just which regime of intellectual property law might that information fall? Copyright? Patent law? Trademark? Trade secret law? Is there another regime which specifically protects some subset of intangible information?

    The very term “property” presumes some level of legally cognizable and enforceable rights to the object of the claim. If I claim a property interest in real property, there is a panoply of legal rights AND legal obligations which accompany that claim. The same with tangible personal property. But when we discuss intangible information, the paradigm no longer applies. Not ALL information is subject to a claim of “ownership,” and the spectrum of rights and responsibilities that accompany such a claim of ownership might vary widely depending upon just what little bucket of “intellectual property” that information belongs to. Patent rights are very different from copyright rights and rights accruing to information which might qualify as a trade secret. And huge swaths of information might be entitled to no legal protection at all.

    1. Continued –

      Even information which can initially qualify under one of those regimes can lose all legal protection under the right circumstances. For example, if I have developed through time, effort and expense a detailed geologic and seismic survey showing likely spots to drill for oil and gas, that seismic data can be entitled to legal protection as a trade secret. But if I violate the essential legal conditions necessary to maintain that protection, like taking all reasonable steps to maintain its confidentiality, if I share that seismic data with multiple potential investors without ever imposing the duty to maintain confidentiality, legal protection can be lost and it will go into the public domain, free for anybody to use without legal consequence.

      While looking at this as an “intangible conversion” claim might shed light on the standing issue, it is very questionable to simply assume that there are property rights in all manner of intangible information.

    2. BTW, I do understand the point that, in this case, Congress has essentially created a new category of legally protected rights in digital information under the Stored Communications Act. And maybe for purposes of standing a court shouldn’t have to decide the merits question of whether or not the information at issue fits into the cubbyhole of “private communications” protected under that act, that it is enough to establish standing if the plaintiff[s] merely allege a violation. Nevertheless, at least for purposes of surviving a FR 12(b)(6) motion to dismiss, the Plaintiff[s] must be put to the burden of pleasing a plausible set of facts which establishes that the information at issue falls within the confines of the SCA.

      1. I think a plaintiff does have to allege more than this – not just that a technical violation occurred, but that the violation caused or threatened to cause them some sort of concrete, particularized harm. But I think this can easily be done here without needing to classify what precise legal category of rights was validated. As I note above, people could potentially find it embarrassing if certain of their search terms were disclosed. This is enough to find a likelihood disclosure could harm them, which is enough to establish standing at a preliminary stage.

  7. Interesting recent UK case also involving Google, probably well known to folks who do this sort of thing for a living — statute required “damage” resulting from the violation of the act.

    “The act did not purport to give the data subject any property in his personal data, but merely regulated the way in which it could be processed.” []

Please to post comments