Once again, a judge in the Northern District of California has issued an overbroad temporary restraining order at the behest of a bank in a case over which federal jurisdiction was highly questionable.
Last year, Judge Jeffrey White issued a temporary restraining order at the behest of Bank Julius Baer, attempting to take down the Wikileaks web site based on a suit claiming that it had wrongfully published confidential documents supplied by an anonymous third party. After Bank Julius Baer had to face real opposition instead of a compliant ISP that couldn’t be bothered to protect its absent customer’s rights, not only did Judge White have to admit that his injunction was an improper prior restraint, he also acknowledged that he probably did not have diversity jurisdiction because there were foreign parties on both sides of the caption.
Last week, Judge James Ware issued a temporary restraining order at the behest of Rocky Mountain Bank, ordering both Google and the anonymous owner of a gmail account not to disseminate information that a Bank employee had, more than a month earlier, mistakenly sent to the gmail account. Google was also ordered to freeze the gmail account, and to disclose the identity of the anonymous account owner.
Discussions of this case have focused on several troubling facts, which are bad enough. First, after making its own serious mistakes, Rocky Mountain went to court with a lawsuit that blamed the innocent gmail recipient. Second, the Court compelled the suspension of a gmail account based on an emergency motion with no opportunity to respond. The articles recounted the many First Amendment and Due Process flaws in what happened here. But so far as I have been able to discern, nobody has addressed two ”technical” problems – Rocky Mountain’s complaint does not state a cause of action against either Google or the anonymous email account owner, and the complaint was filed under diversity jurisdiction that was plainly lacking under settled precedent. And yet Google — which had initially refused to comply with Rocky Mountain’s demands unless it got a court order, just rolled over and obeyed the court order instead of opposing it and seeking a stay pending an appeal to be sure that its customer’s rights — not least the right to notice and an opportunity to object — were respected.
First, the complaint. Rocky’s complaint is based on the contention that, having botched its obligation to keep its own customers information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff’s rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain’s papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff’s rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.
Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe’s rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.
And that brings us to Google’s part in this sorry affair. Rocky Mountain's papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without “a valid third party subpoena or other appropriate legal process.” Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days' delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated. The document explaining Google’s compliance was not filed on the Court’s electronic docket and neither Google nor Rocky Mountain) has yet responded to requests for a copy of that document.
In my experience litigating anonymity issues, Google has been among the most responsible of ISP’s in protecting its customers’ anonymity and insisting on fair notice and an opportunity for the customer to oppose breach of anonymity before any order compelling disclosure is issued. Without knowing just what Google did to comply with the TRO, this experience makes me reluctant to condemn Google or to assume that it lay down for a baseless order. However, Google’s action in presenting its compliance report in secrecy certainly raises suspicions. The report, however, is a judicial record, to which the public has a right of access. Pending such public disclosure, it is hard to judge what Google did.
On his Digital Media Lawyer's Blog, David Johnson supplies some theories -- unjust enrichment, common law right of privacy, right of privacy under the California Constitution or restitution -- on which he believes Rocky Mt. Bank could have sued the Doe gmail account holder. He argues that a prior restraint in furtherance of such a suit would be justified. He does not address either section 230, diversity jurisdiction, or Rule 65.