Categories
Law Privacy

Senate pushes cybersecurity bill to September

The U.S. Senate Wednesday agreed to postpone until September debate on a bill to bolster cybersecurity.

The legislation, known as the Cybersecurity Information Sharing Act, would direct the federal government to share cyber threats with businesses and shield companies that exchange information and best practices about cybersecurity from antitrust liability.

The deal addresses concerns expressed by senators who charged that the measure as it stands will fail to prevent cyberattacks or protect privacy sufficiently.

The agreement means that Democratic Senators Ron Wyden (Ore.), Patrick Leahy (Vt.) and Al Franken (Minn.), along with Republican Senators Rand Paul (Ky.) and Dean Heller (Nev.), all will be able to offer amendments they say strengthen civil liberties and improve the bill.

“We’ve got to debate some real things like cybersecurity, and have real amendments, not pretend amendments,” Leahy told National Journal.

Categories
Law Privacy

Senate to take up cybersecurity bill as concerns about privacy continue

The U.S. Senate is slated this week to take up legislation that aims to bolster cybersecurity by spurring businesses and the federal government to share information about digital threats and best practices with one another.

The measure, known as the Cybersecurity Information Sharing Act, would direct the federal government to develop ways to share information with the private sector while taking steps to protect privacy and civil liberties. The bill also aims to address antitrust concerns by shielding businesses that share information from enforcement of laws that otherwise might dissuade those businesses from cooperating. The House passed a similar measure in April.

The push represents the third time in as many years that Congress has tried to pass legislation that would encourage sharing of cyber threats. Recent cyberattacks on the Office of Personnel Management, Sony Pictures Entertainment and other targets have prompted legislators to try again. Cybercrime costs the global economy more than $400 billion annually, according to a study released jointly last summer by McAfee and the Center for Strategic and International Studies

Though the measure passed the Senate Intelligence Committee in March, maneuvering underway since then has centered on a tension between defending digital networks and protecting the privacy of Americans whose information is stored in those systems.

Among the concerns: the measure could result in companies handing over personally identifiable information to the National Security Agency. Such information might include, for example, the browsing history of someone who happens to have visited a website that becomes the subject of a cyberattack.

On Monday, Senator Al Franken, Democrat of Minnesota, released a letter from the Department of Homeland Security (DHS), which cautioned against allowing companies to share information with intelligence agencies without first channeling the information through DHS. “The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” wrote Alejandro Mayorkas, the deputy secretary of homeland security.

“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” Mayorkas added.

Though Senators Richard Burr, Republican of North Carolina and chairman of the intelligence panel, and Dianne Feinstein, the committee’s top Democrat, have circulated an amendment that aims to address concerns over the legislation’s impact on privacy, some civil liberties groups say the fixes don’t go far enough. According to the Center for Democracy and Technology, the bill as modified still would authorize the government to use information about cyber threats to investigate and prosecute crimes of espionage, identity theft and trade secrets violations, regardless whether those infractions tie to cybersecurity.

The White House backs passage of cybersecurity legislation but has called on Congress to strengthen protections for privacy and to narrow an exemption from liability for companies that fail to secure their networks after receiving information they receive.

That leaves the question whether the measures actually may cause businesses and the government to exchange more information about cyber threats. While the measure aims to ease companies’ fears of legal liability, the Department of Justice and the Federal Trade Commission already have advised companies “that properly designed sharing of cyber threat information should not raise antitrust concerns.”

And as N. Eric Weiss of the Congressional Research Service observed in June, sharing of cyber threats happens currently. Industries ranging from retail to financial services participate in so-called information sharing and analysis centers (ISACs) that serve as clearinghouses for information about cyber threats.

“The ‘bottom line’ is how likely nonfederal entities—particularly businesses—value the benefits from sharing information against the cost of sharing,” wrote Weiss, who notes that neither bill would address the cost of membership in ISACs, which can cost anywhere from $10,000 to $100,000 to join and thus might exceed the ability of small and medium-sized businesses to afford.

Still, the wave of cyberattacks—and the fallout from them—might cause businesses to think anew about the advantages of sharing. “Although most data breaches have not been expensive compared with the revenues and profits earned,” noted Weiss, “recent events may change the attitude of boards of directors and senior management: the chief executive officers at Target and Sony Entertainment were forced to resign.”

Categories
Law Privacy

FCC to address Internet privacy

The chairman of the Federal Communications Commission announced in June that the agency plans this fall to address privacy in the context of consumers’ use of the Internet.

The spur for putting privacy on the agenda is the decision last winter by the FCC to enshrine the principle of an Internet open to all providers of content—a concept better known as net neutrality—within the agency’s authority to regulate common carriers pursuant to Title II of the Communications Act.

The decision included a determination that providers of broadband Internet service, including broadband delivered via mobile devices, will be subject to a section of the law that governs so-called customer proprietary network information (CPNI), which includes such things as the frequency, duration and timing of calls. In short, information that telecommunications companies know from providing service to customers.

Except for billing, emergencies and other exceptions provided by law, carriers cannot use CPNI without the approval of customers. But until the FCC’s net-neutrality ruling, the rules that govern use of CPNI applied only to services such as Voice over Internet Protocol—think Skype—that tie to the telephone network.

That seems likely to change. As the FCC noted in its net-neutrality ruling, the rules that govern use of CPNI by telephone companies would not be “well suited” to broadband Internet service. The reason: In recent years the FCC has revised the rules that govern CPNI after initially classifying broadband Internet service as a so-called information service, which exempted Internet service providers (ISPs) from common carrier status and later led a federal appeals court to order the FCC to revise its approach.

In addition, “the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet services is likely to have access, such as (to cite just one example) customers’ web browsing history,” the FCC explained.

Until it can adopt rules that address the use of CPNI by broadband Internet providers specifically, the FCC says it “intends to focus on whether providers are taking reasonable, good-faith steps to comply” with restrictions on the use of CPNI set forth in the Communications Act. Note that CPNI does not include customers’ names, addresses and other personal information, the handling of which is governed by laws such as the Cable Television Privacy Act and the privacy notices that cable and phone companies deliver to subscribers.

So what protections for privacy should apply to broadband networks? In July, nine Democratic senators, including Elizabeth Warren and White House hopeful Bernie Sanders, wrote to FCC Chairman Tom Wheeler with some suggestions. The proposals include ensuring the definition of CPNI includes data pertaining to Internet usage, online activity and payments; directing ISPs to collect data transparently; requiring ISPs to obtain consumers’ express consent before sharing information; ordering ISPs to safeguard customers’ information and to notify customers in the event of a data breach; and giving consumers a clear process for resolving complaints.

“We call on the Commission to adopt a comprehensive definition of CPNI as it pertains to broadband,” the senators wrote. “Every click consumers make online paints a detailed picture of their personal and professional lives.”

Categories
Law Privacy

Pocket-dial calls are not private, court rules

Someone whom you pocket-dial can listen to your call with impunity, a federal appeals court has ruled.

That’s because you know, or should know, that using a cellphone might result in your calling someone inadvertently, according to the U.S. Court of Appeals for the Sixth Circuit, which held recently that an assistant to the CEO of Cincinnati/Northern Kentucky International Airport who overheard comments about her boss by the airport’s chairman after he pocket-dialed the assistant is not liable for unlawfully intercepting a private conversation.

The assistant, Carol Spaw, listened continuously on Oct. 24, 2013 while James Huff, the chairman of the airport board, discussed Candace McGraw, the CEO, with Larry Savage, the airport’s vice-chairman, and later with Huff’s wife, Bertha. The men had stepped onto an outdoor balcony at their hotel in Bologna, Italy, where they discussed airport personnel matters, including the possibility of replacing McGraw as CEO.

Both Huff and his wife, with whom Huff continued discussing McGraw after returning to their room, later sued Spaw for intentionally intercepting their private conversations. A trial court ruled in favor of Spaw after concluding that because Huff placed the call, the Huffs lacked a reasonable expectation that their conversation would not be intercepted.

The appeals court agreed with respect to James but not with regard to Bertha. Writing for a three-judge panel, Judge Danny Boggs noted that “a number of simple and well-known measures can prevent pocket-dials form occurring.” But James Huff did not employ any of those measures, Boggs noted, adding, “He is no different from the person who exposes in-home activities by leaving drapes open or a webcam on and therefore has not exhibited an expectation of privacy.”

At issue was a series of steps that led to Spaw’s overhearing a conversation the participants thought to be private. After stepping onto the balcony, Huff tried to call Spaw using his iPhone to ask her to make a dinner reservation for him and Savage. When the call failed to connect, Savage called Spaw, who agreed to make reservations.

Thereafter, while Huff and Savage discussed personnel matters, the iPhone, which Huff had placed in the breast pocket of his jacket, called Spaw’s office phone, which she answered. After saying “hello” several times without a response, Spaw placed her phone on speaker mode and said “hello” a few more times. Within the first two minutes, Spaw realized that Huff and Savage were discussing McGraw, which prompted Spaw to take handwritten notes of the conversation and to instruct her colleague Nancy Hill, who also could hear the men talking, to do the same.

Spaw listened continuously to the call, which lasted 91 minutes. During that time, Huff finished his conversation with Savage and returned to his room, where he relayed to Bertha the substance of his conversation with Savage. Spaw, who used an iPhone to record part of the call, claimed that she felt obliged to do so after hearing the men discuss what Spaw described as an intention to discriminate against McGraw unlawfully.

The court noted that whether someone intercepts a phone call in violation of the law that authorized Spaw’s lawsuit turns on two questions: First, whether a person whose call is intercepted exhibits an expectation of privacy and, second, whether that expectation is reasonable.

“James Huff lacked a reasonable expectation of privacy in his statements only to the extent that a third-party gained access to those statements through a pocket-dialed call that he placed,” wrote Boggs (emphasis in original). “In sum, a person who knowingly operates a device that is capable of inadvertently exposing his conversations to third-party listeners and failed to take simple precautions to prevent such exposure does not have a reasonable expectation of privacy with respect to statements that are exposed to an outsider by the inadvertent operation of that device.”

Unlike her husband, however, Bertha Huff had an expectation that the contents of her conversation would remain private, at least until the final two minutes of the call, when her husband realized what had happened and told her his phone was on.

Though Bertha Huff knew her husband owned a cellphone and that cellphones can pocket-dial, “speaking to a person who may carry a device capable of intercepting one’s statements does not constitute a waiver of the expectation of privacy in those statements,” Boggs wrote.

Bertha Huff might have a claim against Spaw, provided Huff can show that Spaw’s actions constituted an intentional use of a device to intercept Huff’s communications, the court ruled.

The decision reminds us that anyone we pocket-dial can eavesdrop. “Having a private cause of action against someone who records your call after a pocket dial may be small consolation if the contents of the call are sufficiently embarrassing,” writes Jonathan Adler, a professor at Case Western University School of Law, in The Washington Post. “So this is a good reminder to lock your phone before putting it in your pocket.”

Categories
Law News Privacy

Gawker fills in a gap between publishing and privacy

Last Thursday, Gawker, an online site that tout’s “today’s gossip” as “tomorrow’s news,” published an item about a married male executive at a major media company who planned to hook up with a male escort in a Chicago hotel room.

As detailed in the post, the executive, who serves as chief financial officer of Condé Nast, called off the rendezvous after the escort, who realized the executive happens to be the brother of a former Treasury secretary, sent his would-be date documents tied to housing discrimination the escort claims to be facing in Texas.

The post drew a firestorm of criticism from readers, including from journalists. Critics condemned Gawker for outing the executive and for detailing an attempt by the escort, whom the piece identified using a pseudonym, to pressure the executive to hit up his brother for help.

A day after the post went up, Gawker took it down. The move marked “the first time we have removed a significant news story for any reason other than factual error or legal settlement,” Nick Denton, the site’s CEO, wrote in a statement. According to Denton:

“The story involves extortion, illegality and reckless behavior, sufficient justification at least in tabloid news terms. The account was true and well-reported. It concerns a senior business executive at one of the most powerful media companies on the planet… In the early days of the Internet that would have been enough… But the media environment has changed, our readers have changed, and I have changed… I believe this public mood reflects a growing recognition that we all have secrets, and they are not all equally worthy of exposure.”

The decision to remove the post prompted the resignation of both Gawker’s executive editor and the site’s editor-in-chief. Removing the post breached the firewall between the editorial and business sides of the house in a way that, in their view, undermined their responsibility to safeguard the site’s editorial integrity.

As Denton noted, the turnabout marked a departure for Gawker, which made its mark with pieces that sparked the downfall or discomfort of a series of public figures. In 2010, the site published an anonymous account of the author’s one-night stand with Christine O’Donnell, then the Republican nominee for the U.S. Senate from Delaware. (Though O’Donnell was a public figure, critics in and out of the media slammed Gawker for invading her privacy. Denton defended the post by pointing out that O’Donnell campaigned as a paragon of chasteness.) In 2011, former U.S. Rep. Chris Lee resigned after Gawker published an email exchange he had with a woman he met on Craigslist.

Hulk Hogan sued Gawker in 2012 for $100 million after Denton posted excerpts from a tape of the wrestler having sex with the wife of a friend. (The case is pending in a Florida court.) More recently, Gawker investigated whether Katie Holmes moved into a Manhattan apartment three years ago that linked via a secret entrance to a Whole Foods Market on the first floor. (She did, it seems.)

To its credit, the site punches up. In 2010, Gizomodo, a Gawker site devoted to tech news, revealed a lapse in Apple’s legendary security by reporting on a prototype of an iPhone 4 that the editors bought from someone who found it in a bar, where an engineer from Apple left it by accident. Last winter, Gawker took the lead in publishing a trove of emails from the hack of Sony.

At its best, Gawker knows  how to “make fun of people and media sites without being overtly cruel,” Sarah Grieco wrote last year in the Columbia Journalism Review. At its worst, Gawker has a tendency to bully, according to Grieco, who cites Gawker’s claims that Shepard Smith, a Fox News anchor, is gay despite a dearth of evidence.

In defense of the discretion that Gawker demonstrates when it wants to, Denton has cited the decision not to publish nude photos of Jennifer Lawrence and other celebrities that leaked last year. The images may have been accurate, but they exposed no lie, Denton told Capital New York recently.

The piece about the CFO seems to be akin to the case of Hogan but with one difference. Hogan charges Gawker with invading his privacy. The video showed Hogan having sex but the act was private and recorded without his knowledge, he alleges. Gawker counters that the material is newsworthy, a position in line with the law, which generally protects reporters who ferret out facts that are not commonly known so long as they’re news.

Still, compared with Hogan, a celebrity who has boasted about his sexual prowess, the CFO of Condé Nast is an unknown. Sure, he works for a company that publishes The New Yorker, Vogue and other titles. But the person in charge of overseeing preparation of financial statements, managing Condé Nast’s financial strength or presenting the company’s creditworthiness has little to do with the content of its magazines.

At many news outlets, the executive suite tends to be a well-paid wing of the back office. And by most accounts, the current CFO of Condé Nast is about as far from the limelight as one can be. It’s also difficult to find a contradiction between his private behavior and public persona. He has no public persona.

Though Denton seems to have concluded as much the realization came too late to prevent the piece from going up in the first place. In a memo Monday to Gawker’s staff, he noted that the CFO story was legal but unworthy of the discretion afforded the editors who signed off on its publication. Writes Denton:

“We need a codification of editorial standards beyond putting truths on the Internet. [italics in original] Stories need to be true and interesting. I believe we will have to make our peace with the idea that to be published, those truths should be worthwhile. And some humane guidelines are needed — in writing — on the calculus of cruelty and benefit in running a story. Everybody has a private life, even a C-level executive, at least unless they blab about it. We do not seek to expose every personal secret — only those that reveal something interesting. And the more vulnerable the person hurt, the more important the story had better be.”

Time will tell if that’s a standard Gawker can uphold. Some members of Gawker’s editorial staff dispute both the viability of the criterion and Denton’s role in publishing the Condé Nast piece, which some in the newsroom say he could have killed up front had he found it as reprehensible as he contends.

Whatever the outcome, the test that Denton has articulated further defines the boundaries of publishing and privacy in a digital age. Highlight the disparities between the statements and actions of public figures. Clear the air of spin. Cover the news. And remember that stories are about people, too.

Categories
Law Privacy

Search of seized hard drives highlights questions of privacy in a digital age

A federal appeals court in New York has agreed to hear anew an appeal that explores the contours of privacy in a digital age.

At the urging of one of their colleagues, a majority of judges on the 2nd Circuit U.S. Court of Appeals voted on June 29 to rehear an appeal filed by Stavros Ganias, an accountant from Wallingford, Connecticut who was convicted in 2011 of two counts of tax evasion and sentenced to 24 months in prison.

The ruling reopens an appeal decided in June 2014 by three judges of the court, who in a divided ruling vacated Ganias’ conviction after concluding that the government violated his Fourth Amendment rights when it retained files from his lawfully searched computers for more than two-and-a-half years and then searched them again when it later developed probable cause.

The case highlights a difference between searches of books or papers and searches of computers and other electronics, which can hold files that range from the professional to the personal and may encompass far more information about someone from whom the government seizes such devices than the warrant itself authorizes.

In deciding to review the ruling, the majority asked the parties and their allies to address two questions that the court will consider when it convenes for oral argument on Sept. 30.

“(1) Whether the Fourth Amendment was violated when, pursuant to a warrant, the government seized and cloned three computer hard drives containing both responsive and non-responsive files, retained the cloned hard drives for some two-and-half years, and then searched the non-responsive files pursuant to a subsequently issued warrant; and

(2) Considering all relevant factors, whether the government agents in this case acted reasonably and in good faith such that the files obtained from the cloned hard rives should not be suppressed.”

At issue is a prosecution that stemmed from Ganias’ work on behalf of a company that had been hired by the U.S. Army to provide security and maintenance services at a vacant facility in Stratford, Connecticut.

Based on a tip from a confidential source that the contractors had stolen copper wire and other equipment from the facility, in Nov. 2003 investigators from the Army obtained warrants to search several premises, including the offices that housed Ganias’ accounting firm.

There, pursuant to the warrant, the agents made identical copies of the hard drives of Ganias’ computers. Though the imaging also copied Ganias’ personal files—contained in programs such as QuickBooks and TurboTax—the agents assured Ganias they were looking only for materials that tied to the investigation. The following spring, after discovering suspicious payments by the contractor to a business owned by someone who had not reported any income from that business, the Army invited the IRS to join the investigation. Investigators from the Army gave the IRS copies of Ganias’ hard drives so that agents from the IRS could review the evidence.

By December, the agents from both the Army and IRS had extracted the files that tied to their investigation of the contractor. They knew the warrant did not authorize them to review other records retrieved from the hard drives. Still, they retained the files that had nothing to do with the investigation.

For its part, the IRS started to suspect that Ganias had failed to report the contractor’s income properly. In July 2005—about 20 months following the seizure of the hard drives—the IRS broadened its investigation to include possible tax fraud by Ganias. The agent in charge of the investigation did not review Ganias personal financial records, which she knew to be beyond the scope of the warrant.

The following February, the government asked Ganias and his attorney for permission to review Ganias’ personal files that had been copied from the hard drives. After Ganias did not respond, the IRS obtained a warrant to search the images of Ganias’ financial records seized in 2003. Because Ganias had revised the original files shortly after the Army copied the drives in 2003, the original records would not have existed absent the government’s retaining the images.

At trial, Ganias sought to suppress the computer files that became the subject of his appeal. Judge Alvin Thompson of the U.S. District Court in Hartford denied the motion, explaining:

“Here… where the searches and seizures were authorized by a magistrate judge, where government agents scrupulously avoided reviewing files that they were not entitled to review, and where the defendant had an alternative remedy pursuant to [a motion to return property] to avoid the complained of injury, i.e. that the government held his data for too long without returning or destroying it, the defendant has not shown that his Fourth Amendment rights were violated.”

On appeal, the court noted that the framers of the Constitution sought to end the practice of the British of searching the premises of opponents and seizing their papers, books and records indiscriminately pursuant to so-called general warrants. Consequently, the court noted, the Fourth Amendment requires that warrants will be available to the government only on a showing of probable cause and a description of the places to be searched and the items to be seized. According to Judge Denny Chin:

“These Fourth Amendment protections apply to modern computer files. Like 18th Century “papers,” computer files may contain intimate details regarding an individual’s thoughts, beliefs, and lifestyle, and they should be similarly guarded against unwarranted Government intrusion. If anything, even greater protection is warranted.”

The court observed that investigators who carry out a warrant may do so by making mirror images of the information stored on hard drives that the investigators can later review off-site. According to the court, the government must review the material within a reasonable period—there’s no one-size-fits-all rule—and that material is subject to exclusion from evidence when the government seizes items outside the scope of the warrant (a practice that starts to resemble a general warrant) and fails to act in good faith.

In the case of Ganias, the court concluded that the government had overstepped its authority. According to Chin, the government’s retaining Ganias’ records for two-and-a-half years interfered with his rights in those files.

“Without some independent basis for its retention of those documents in the interim, the government clearly violated Ganias’ Fourth Amendment rights by retaining the files for a prolonged period of time and then using them in a future criminal investigation,” wrote Chin, who rejected the government’s contention that it obtained a second warrant to search Ganias’ files.

“If the Government could seize and retain non-responsive electronic records indefinitely, so it could search them whenever it later developed probable cause, every warrant to search for particular electronic data would become, in essence, a general warrant,” he added.

The ruling, which vacated Ganias’ conviction, surfaces a tension between the reasonableness of a search—in this case the length of time the government retains records swept up in a search—and the need for the government to establish that it has not altered evidence in its custody. As the Harvard Law review noted in December:

“Although the court properly found that Ganias’ Fourth Amendment rights had been violated, the decision failed to appreciate the importance of authentication requirements for electronic evidence. As a result, Ganias may unnecessarily complicate prosecutions by potentially creating a perceived ‘right to deletion’—a prescription that federal prosecutors must delete files nonresponsive to a warrant sooner rather than later. The court could have avoided any potentially burdensome effects of this prescription on the evidentiary authentication process had it issued a more narrow ruling merely suppressing the evidence.”

The decision to reexamine the ruling also may tie to a question posed by Orin Kerr, a professor of criminal law and procedure at George Washington University who has commented on the case. “Is the real problem here that the government has over-seized and is taking unfair advantage of having extra stuff available to it, or is the real problem only that too much time has elapsed before the government is taking that advantage?” Kerr wrote in The Washington Post following Chin’s ruling.

Kerr suggests the same facts as Ganias except imagines the government developed probable cause for the second crime days after carrying out the first warrant. “Should that case come out differently?” he asks. “And if it could come out differently, is that because we intuit that the information for the second warrant likely is still… available on the original hard drive or because we think that the government’s seizure did not go on for so long as to become unreasonable?”

The first briefs are due by July 29.

Categories
Law

Google wins free-speech case over ‘Innocence of Muslims,’ actor has ‘beef’ but no copyright claim, says court

An actress who lost a lawsuit to force Google’s YouTube to remove an anti-Muslim video from its site pursued the wrong claim against the wrong party.

That’s one conclusion from a decision by 9th Circuit U.S. Court of Appeals, which ruled on Monday that Cindy Lee Garcia cannot compel YouTube to take down “Innocence of Muslims” because she cannot copyright her five-minute performance in the video, which disrespects the Prophet Muhammad and sparked death threats against Garcia.

“In this case, a heartfelt plea for personal protection is juxtaposed with the limits of copyright law and fundamental principles of free speech,” U.S. Circuit Judge Margaret McKeown wrote for a majority of the court. “The appeal teaches a simple lesson—a weak copyright claim cannot justify censorship in the guise of authorship.”

The decision represents a win for free speech. Though the First Amendment does not shield copyright infringement, Garcia could not claim a copyright in her performance. According to the court, granting a copyright to an actor based solely on her performance—a work for hire—would put distributors such as YouTube in the position of having to obtain licenses from everyone who appears in a film, as opposed to obtaining the permission of the work’s author, in this case Youssef.

The alternative would render distribution of movies unworkable, the court found. As McKeown noted:

“Treating every acting performance as an independent work would not only be a logistical and financial nightmare, it would turn cast of thousands into a new mantra: copyright of thousands. That leaves Garcia with a legitimate and serious beef, though not one that can be vindicated under the rubric of copyright.”

What if Garcia had grounded her complaint in the threats to her reputation and privacy that followed Youssef’s using Garcia’s performance in a way that was different than she had authorized? Though she appeared knowingly in “Desert Warrior,” Youssef allegedly overdubbed that performance to make her appear to ask if Muhammad were a “child molester” as part of a film that he disseminated widely.

Under California law, a person’s right to privacy may be violated in varied ways, including by acts that cast someone in a false light. “Innocence of Muslims” portrayed Garcia in a light that was highly offensive to millions of people worldwide, judging by the outrage the film has provoked.

False light can be difficult to prove in California without a showing of financial damages. Moreover, even were Garcia able to prevail against Youssef for portraying her in a false light, it’s unlikely that would authorize her to order YouTube to take down the video because, as the trial court noted, the harm from the trailer’s appearance on the Internet already has occurred.

Garcia sued both Google and Youssef initially in state court, where she alleged a series of wrongs, including violation of her privacy and intentional infliction of emotional distress, that she later dropped against Google when she sued the company in federal court for copyright violation.

Note that Garcia could not sue Google for Youssef’s alleged defamation. Federal law shields online services from liability for information they host that’s created by third parties.

Thus, to the extent Garcia has a remedy, it lies in a wrong to her reputation instead of copyright. As McKeown explained:

“We are sympathetic to her plight. Nonetheless, the claim against Google is grounded in copyright law, not privacy, emotional distress, or tort law, and Garcia seeks to impose speech restrictions under copyright laws meant to foster rather than repress free expression.

Privacy laws, not copyright laws, may offer remedies tailored to Garcia’s personal and reputational harms. On that point, we offer no substantive view. Ultimately, Garcia would like to have her connection to the film forgotten and stripped from YouTube. Unfortunately for Garcia, such a ‘right to be forgotten,’ although recently affirmed by the Court of Justice for the European Union, is not recognized in the United States.”

Garcia’s claims may have a shot but it’s a long one. It’s also a reminder that you may have less dominion over your image than you think. As the ruling demonstrates, what’s workable for content creators and distributors can be at odds with the expectations we have in how our likenesses appear online.

As Matthew Schruers, a vice president of law and policy at the Computer and Communications Industry Association, which supported Google and YouTube in the case, told Wired, “Everything you and I and the rest of the world upload to YouTube, is protected the moment we hit record.”