On October 7, 2014, federal prosecutors in Virginia charged Hammad Akbar with manufacturing, advertising, and selling to retail customers a mobile phone spyware application called “StealthGenie. In issuing this Indictment, the Government applied an old law to new circumstances, which raises a host of questions.
The Prosecution. According to the Indictment, StealthGenie was marketed to persons wishing to monitor “spousal cheaters.” When installed (requiring one-time access to a device such as a phone or computer) the app enables the person installing the app to intercept and record phone conversations and to obtain access to text messages and computer files, all without the knowledge of the owner.
The Government alleges that the app publisher broke the 1986 Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq. (the “ECPA” or “the Act”). The ECPA expanded the 1968 “Wiretap Act,” which was largely designed to protect telephone conversations from unauthorized government access. The ECPA extended those restrictions to computer files.
The Law. Historically, the Act has been used for the purpose that was surely contemplated by its drafters: to prosecute the sale and use of hardware such as microphones and recorders used to capture voice communications. See, e.g., United States v. Pritchard, 745 F.2d 1112 (7th Cir. 1984) (possession of tape recorder, amplifier and patch cords used to record room conversations sufficient to sustain a conviction under the Act); United States v. Wynn, 633 F Supp. 595 (C.D. Ill. 1986) (manufacturing, sale and advertisement of disguised listening devices prohibited under the Act); see also 2156 P.L. 90-351 (Apr. 29, 1968) (discussing the social harms caused by unauthorized surveillance and wiretapping).
Beginning in the 1990s, prosecutors took an expansive view of the term “electronic communications” to include television cable signals, and used the Act to prosecute the manufacturing, sale and use of so-called cable “descramblers” that allowed users to pirate cable television. See, e.g., United States v. Crawford, 52 F.3d 1303 (5th Cir. 1995) (upholding conviction for manufacturing and selling devices for the unauthorized interception of cable television signals); United States v. Herring, 993 F.2d 784 (11th Cir. 1993) (same); United States v. Davis, 978 F.2d 415 (8th Cir. 1992) (same); United States v. Lande, 968 F.2d 907 (9th Cir. 1992) (same). This creativity proved fruitful: for a time, the Act was primarily used to prosecute cable television piracy and related crimes.
New Era: Challenges for Courts and Uncertainty for Software Manufacturers. United States v. Akbar signals another era in prosecutions under the Act, this time based on an expansive view of the term “device.” In the past, prosecutions under the Act involved the use of a physical device such as a covert microphone, tape recorder, or modified cable box.
But is a software application different from the types of physical devices that were traditionally subject to the Act? Although a few courts in the civil context have evaluated application of the Act to software, there is scant—if any—criminal case law addressing the issue of whether an application like StealthGenie constitutes a device for the purposes of the Act.
Taken to its extreme, the Government’s novel view that a software program constitutes a device could lead to a proverbial slippery slope for the software industry. If the Government’s interpretation stands, that means that manufacturers of digital products such as StealthGenie would face liability under the Act. Given that the Government has already proven successful in expanding the definition of “electronic communications” to include cable signals, perhaps courts would also find that digital footprints such as cookies and browser histories are “electronic communications” subject to the Act. It is well-known that companies such as Google and Facebook obtain and sell these kinds of consumer data without the end-user’s explicit knowledge or consent. The Government’s approach to expand the Act to software applications could have far-reaching implications to the very business models upon which these companies reap their profits.
Also, although data privacy is currently a hot issue thanks to recent news of “hacked” celebrity photographs, as well as breaches or possible breaches of consumer information held by Staples, the Oregon Employment Department, and Home Depot (to name a few), the culprits in those situations are the thieves, not the manufacturer of the “crowbars” they used to “break in.” Akbar has the potential to expand the scope of liability in these cases, as well.
It is unclear whether prosecutions like Akbar will be a successful, or whether courts will take a more restrictive view of the Act. As the Luis court noted, “when existing laws are used in new ways, courts have struggled to determine whether, and in what circumstances” they should be applied to “modern and ever-evolving norms.”