Written by Roosevelt Bishop, Devon Draker, Shelbie Mora, and Gabrielle Schwartz as a final paper for the Fall 2021 session of Information Privacy Law
Cyber harassment “involves threats of violence, privacy invasions, reputation-harming lies, calls for strangers to physically harm victims, and technological attacks.” Though all of these elements fall under harassment or abuse, online harms can be divided into different mediums and subsections. The various types of cyber harassment “capture the different ways[s] the Internet exacerbates the injuries suffered . . . by extend[ing] the life of destructive posts.” This paper addresses evolution and increased incidences of cyber-harassment such as revenge porn, cyberstalking, Zoom-bombing, and doxxing, and the need for a federal legal solution. Congress must address this harm by enacting a comprehensive cyber-harassment legislation containing the elements detailed below.
“Revenge porn,” is “a category of online pornography that includes amateur images or videos that were self-produced or manufactured with the consent of those depicted, but then distributed without their consent.” The internet and various mediums across cyberspace have made it increasingly easier to distribute and perpetuate harassment like this. Revenge porn can also incorporate sexually graphic images that were obtained without consent, such as a through hidden recording or photograph, and then distributed. Although any person of any gender can be a victim of revenge porn, this medium of cyber harassment disproportionately impacts women, as well as “minors where other minors circulate images of them.”
Some of the many privacy harms caused by revenge porn include reputational harm, diminished psychological well-being, and loss of employment opportunities, to name only a few. Common law tort litigation plays a large role in attempting to redress the injuries caused by nonconsensual pornography. The most common of these torts litigated are public disclosure of private fact, intentional infliction of emotional distress, and defamation. Unfortunately, these torts have many shortcomings when it comes to vindicating victims of revenge porn. The shortcomings are a big reason why states have elected to enact specific statutes for revenge porn. As the internet expands, so too have its methods of distributing non-consensual pornography. Entire websites and blogs have emerged that “encourage viewers to maliciously upload material of their partners or ex-partners.” There has been a large push for federal and state legislatures to enact laws to regulate the takedown of these websites and blogs, as well as to criminalize revenge porn in general.
The Federal Trade Commission (FTC) has played a large role in bringing suit (administrative enforcement actions) against website and blog owners whose trade is dedicated to revenge porn. One example is the action against EMP Media, Inc. and the site’s owners who created a website called MyEx.com. The FTC stated that the defendants solicited “intimate pictures and videos for the website together with personal information of the victims. . . without the victims’ consent.” The site had also “extorted victims by requiring them to pay fees of hundreds of dollars to have their intimate pictures, videos, and information removed from the site.” As a consequence of having their private images posted on the internet, some of the victims lost their jobs, became concerned about losing their jobs in the future or accessing future employment opportunities, and have experienced horrible emotional and psychological distress as a result.
Although federal law does not provide a remedy to victims of revenge porn, forty-eight states and D.C. have enacted “laws that criminalize or create civil liability for someone who distributes a sexually explicit image of someone else without the depicted person’s consent.” One typical law regarding revenge porn is Florida Statute 784.048, which defines the term “sexual cyber harassment” and dictates that the first violation of this statute is a misdemeanor in the first degree. Each state has various definitions and enforcement of revenge porn, but there is also a push on the federal level. The Intimate Privacy Protection Act is a proposed amendment to Title 18 of the United States Code that would make it “unlawful to knowingly distribute a private, visual depiction of a person’s intimate parts or of a person engaging in sexually explicit conduct, with reckless disregard for the person’s lack of consent to the distribution, and for other purposes.” This proposed legislation is just the start to a larger overhaul that is needed to protect victims of revenge porn.
Governments in the U.S. should rethink the importance of the impact of revenge porn and understand the depth and severity of the privacy risks associated with this type of cyber harassment. It can be helpful to look for guidance from other countries. Romania amended the country’s domestic violence law to include cyber harassment as a form of domestic violence. The definition includes “a provision specifically for cybernetic violence which intends to shame, humble, scare, threaten, or silence the victim.” The United States should follow suit and amend the Violence Against Women’s Act to include a provision specifically adding revenge porn or “cybernetic violence.” Likewise, legislation should clarify the mental state required, give clear notice for what conduct violates various statutes, explain the concept of consent, as well as suggest what activities fall outside the realm of revenge porn. Therefore, it would be clearer that only intentional betrayals of someone’s privacy would be punished.
Another problem that revenge porn victims face is consent. Society tends to believe that once a victim shares their nude image or video to another person, they no longer own the rights to that particular image or video. The government should continue to educate the public that “giving someone permission to possess a sexually explicit image does not imply consent to disclose it to anyone else.” In order to regulate revenge porn properly, the government should also amend the law to allow even more enforcement action. Such action should include a remedy to force the website/blog to remove the image at issue or, in certain cases, require that website to remove the anonymity behind the user who posted the image. Overall, the U.S. government has a long way to go before victims of revenge porn can breathe easily and know that the harsh impact of having their private images or videos shared on the web can be redressed and rectified.
The criminal act of stalking is identified by its intent to kill, injure, harass, or intimidate another person to the point where they have a reasonable fear of incurring such unwanted attention. This illicit undertaking is not restricted to an actus reus of crossing state lines. An individual can still be found guilty of stalking so long as the aforementioned mens rea is coupled with “[using] the mail, any interactive computer service, or electronic communication service or electronic communication system of interstate commerce….” How have the United State’s statutory protections adapted and evolved to answer the threats in our modern world? The answer, much like the definition of cyberstalking itself, is one mired in a delicate balance between the protection of an individual and the rights promised by the U.S. Constitution regarding the freedom of expression and the due process of law.
As early as 2007 various law journals have illustrated how the goal of stalking, and by extension cyberstalking, is to “exert ‘control’ over the victim by instilling fear in her; and often such conduct leads to physical action.” A prevalent case in this particular field, United States v. Sayer, perfectly exemplifies the particular conflict between statutory protection for the alleged victim and the constitutional freedoms of the alleged actor. For eight months, defendant Shaun Sayer engaged in the practice of revenge porn as defined in the previous section until Jane Doe changed her name, left the state of Maine, and moved to escape Sayer’s harassment and cyberstalking. Unfortunately, even then, she could not escape Sayer’s cyberstalking and revenge porn practices. When Sayer was finally arrested, he attempted to defend his abhorrent behavior by saying his was protected speech, and “. . . that because the text of §2261A encompasses speech that causes only substantial emotional distress, it proscribes protected expression that is merely annoying or insulting.” However, this defense was found to be insufficient. The outcome of this landmark case regarding cyberstalking speaks favorably to the progress of the U.S. judicial system in redressing the harms of such heinous acts; however, Jane Doe’s harms are, unfortunately, not unique nor are Sayer’s defenses.
As early as 1999, the Department of Justice published a report suggesting that as many as tens of thousands of cyberstalking incidents occur each year. This report was when dial-up internet was still in use. As the technologies and capabilities of the internet have grown, so too have the capabilities for cyberstalking. Unfortunately, law enforcement practices and statutory codification have not considerably grown to meet this threat. Lack of awareness of the problem coupled with potentially obsolete investigatory practices contributes to the unchecked perpetuation of predatory practices behind the shield of anonymity the internet provides. Additionally, “the global reach of the Internet communication brings jurisdictional issues to law enforcement in the investigation and the subsequent prosecution of computer crimes.”
Lack of awareness can be overcome through additional educational opportunities or even dedicated specialists. Expansive legislative compromises could help resolve the jurisdictional issues. Finally, by enlisting the very internet providers who make this practice possible, whether, through special considerations or culpability concerns, the issue of anonymity may be redressable as well. As it is with any cyber harassment issue though, the U.S. must continue to be mindful of the precarious balance of accountability and personal freedoms. Ignoring this balance runs the risk of making any potential solution a possibility for constitutional infringement.
Zoom is a video conference website that has gained mass usage due to the COVID-19 pandemic. Zoom allows users to send out invitations to video conferences via email. Many of the emails contain passwords to the meeting, however, it is not required to password protect the meeting. A rise in video conferences all over the world opened the door for a new form of cyber harassment: Zoom-bombing. Zoom-bombing is when unauthorized users gain access to video conferences and start harassing other users. Access can be gained through many ways such as trying your luck with meeting codes, receiving meeting passwords from other users, or simply searching “Zoom.us” on Twitter to find links to meetings. This form of harassment poses many risks to everyone involved in the meeting. Once authorized users gain access to a Zoom meeting, things can go awry very quickly. Many Zoom-bombing incidents involve pornographic images being displayed. Along with pornography, many other incidents can occur such as people screaming on-screen or taking over the meeting by sharing their screen. Truly anything could happen in a Zoom-bombing incident depending on who is intruding. While these images can be horrifying to see there are many privacy risks involved with Zoom-bombing.
The FBI has put out guidelines for Zoom users to follow to help protect themselves from being targets of Zoom-bombing. These guidelines include precautions such as limiting screen sharing to only the host, not sharing Zoom links online, and not making meetings public. Of course, these are only some mitigating factors. The prevalence of Zoom came about quickly making legislation directly related to Zoom-bombing tricky. However, the closest related statute to prosecute Zoom-bombers under is the Computer Fraud and Abuse Act (CFAA). The CFAA imposes criminal and civil liabilities on anyone who “intentionally accesses a computer without authorization . . . and obtains information from any protected computer.” In this statute, a “protected computer” is a computer used “in or affecting interstate or foreign commerce or communication.” This definition makes it so that virtually every computer is covered under the statute given use in interstate commerce. Therefore, Zoom-bombers who interfere in any meeting on a protected computer may be held criminally and civilly liable under the CFAA. However, given the heightened prevalence of Zoom during the pandemic and the fading ubiquity of Zoom-bombing due to growing awareness, actions under the CFAA are minute. In August 2021, Zoom settled a class action brought against it by targets of Zoom-bombing claiming Zoom violated a California law with its lax security policies allowing for Zoom-bombing. Other than promoting the importance of keeping Zoom meeting links private, the U.S. government does not seem to be pushing for regulations to protect against this form of cyber harassment.
It is difficult to combat Zoom-bombing when Zoom has become a part of everyday life for millions of people around the globe. Other countries are struggling to deal with what to do with Zoom since it is a U.S. company. Countries in the EU and China have reached out to Zoom requesting assurances that its privacy policies will become more secure. However, Zoom’s weak security policies have raised great concern for data protection authorities for countries in the EU, leading many to strongly consider ditching the U.S. company completely. Although to many it may be seen as impractical to abandon Zoom completely since many schools and businesses rely on it daily. Without better security protocols in place, Zoom surely is in danger of losing many customers for fear of their personal data being stolen by Zoom-bombers.
The U.S. must find better ways to mitigate harm to users otherwise the repercussions could be huge. One area of improvement which could seek redress for victims could be harsher criminal punishment for Zoom-bombers. Congress should enact a law specifically for cybersecurity, seeking to prevent harassment on video conferencing platforms to keep up with the evolving workforce. Additionally, a civil penalty including a private right of action for victims to obtain damages against harassers would be ideal. This may be harder to implement given the difficulty in locating the harasser, however, invading one’s right to privacy is serious and the penalties should reflect that. In sum, the U.S. must improve its cyber harassment laws to protect users’ privacy rights.
Doxxing was originally a slang term used by hackers for obtaining private “documents” of other people and posting them for the sake of making the information known publicly. Doxxing is now best known as the collection of personal and private information, including home addresses and other personally identifiable information, and then posting it publicly online against the target’s wishes. The privacy risks posed by doxxing is that it is a scarcely regulated act, which results in a sub-subset form of cyber harassment, known as “swatting.” The New York University Tandon School of Engineering conducted the first large-scale study of doxxing, which focused on websites known for hosting doxed files. Over a total of fourteen weeks, there were more than 1.7 million files that had been shared on the sites. The harm immediately suffered by doxxing is the invasion of privacy, which can cause the victim emotional distress. The subsequent act of “swatting” has resulted in the death of the victim in many cases, proving to have a physical element that doxxing does not necessarily have itself. Swatting is the act of making a hoax call to emergency services, typically reporting some threat to human life or domestic violence, in an attempt to elevate the severity of the response to hopefully include a SWAT team. The information used by the offender is typically obtained by some form of doxxing, most likely the result of a data breach of a company.  
The Department of Health and Human Services has published “Steps to Mitigate Doxxing,” which includes advising individuals to turn on privacy settings, limit the use of third-party applications, remove yourself from data brokers, and avoid posting sensitive information. The FTC has acknowledged that doxxing is often the result of large companies experiencing data breaches, but is still trying to determine when to intervene to prevent these informational injuries. This shows that regulators have acknowledged the privacy concerns of doxxing, but are only in the workshop stages of developing a solution and instead are providing recommendations to the individuals to take actions to prevent it from happening.
The common law torts of harassment, intentional infliction of emotional distress (IIED), intrusion upon seclusion, and public disclosure of private facts are all viable ways a victim of doxxing and swatting can bring a claim against the “doxxer.” Common law torts ensure there is an opportunity for victims to seek judicial remedy as tort law is malleable. However, one limitation is that it requires the victim to seek judicial enforcement. This means that the victim is required to spend considerable resources to not only identify the tortfeasor but also to hire an attorney. Thus, tort law is relatively ineffective at preventing people from engaging in doxxing and swatting, because the likelihood of an individual having the time or money to bring a suit is relatively low.
In the first Session of the 117th Congress, a “Discussion Draft” was proposed that would require internet platform companies to implement and maintain reasonable content moderation policies and practices to address doxxing on the platforms.  While this may prevent the harm of having personal information publicly disclosed, it does not stop the doxxing from occurring. This bill would only prevent the “doxxed” information from becoming more public and impose liability on the company, not the doxxer.
The most notable current attempt at regulation is an amendment of the Communications Act of 1934. This amendment adds the Anti-Swatting Act, which was proposed in 2018.  The Act provides, “enhanced penalties for the transmission of misleading or inaccurate caller identification information with the intent to trigger an emergency response.” This amendment is currently sitting in the House and the last action was taken on it was in 2018. While the legislation looks promising at mitigating the subsequent harms of doxxing and swatting, there is no telling when this amendment will be passed.
All current attempts at regulating the act of doxxing do not properly address the fundamental privacy issues.  The U.S. government needs to do two things to address the privacy harms of doxxing in the U.S.. First, the FTC needs to recognize that the risk of injury from doxxing is enough to warrant federal intervention in private companies and that the injury is not just subsequently physical, but informational as well. The FTC needs to be more willing to use the already broad “unfair and deceptive trade practices” to impose greater liability on companies, not to just moderate their sites like the current bill proposes, but to prevent data breaches from occurring. The FTC stated that the harms of cyber harassment are often the result of data breaches, and the NYU Tandon School of Engineering study corroborates this finding. Second, Congress not only needs to make the act of swatting a felony but make doxxing one as well. The internet and its innate jurisdictional challenges should no longer be a reason to not hold doxxers accountable for their actions and the subsequent harms.
Due to the evolution of technology, cyber harassment has become a global problem that is currently being addressed by a few states and showcases that there is a lack of uniformity across the country in terms of how to enforce these laws. Therefore, Congress has a duty to enact a comprehensive cyber harassment regime at the federal level to mitigate the privacy risks posed. At this time, the United States has been slow to develop such regulations and statutes that address the ever-growing issue of cyber harassment. Thus, to address these modern problems, the legislature must be held to quickly implement modern and effective solutions on both the state and federal levels that strike the precious and precarious balance of privacy protection and personal freedoms.
 Kate Klonick, Re-Shaming The Debate: Social Norms, Shame, and Regulation In An Internet Age, 75 Md. L.R. 4 (2016).
 Michael Salter & Thomas Crofts, Responding to revenge porn: Challenges to online legal impunity, ResearchGate, 1, 1-2 (2015).
 Danielle Keats Citron & Mary Anne Franks, Criminalizing Revenge Porn, 49 Wake Forest L.R. 345, 346-47 (2014).
 In addition to the myriad other harms that do not necessarily implicate privacy.
 Citron & Franks, supra note 4 at 346-47.
 Klonick, supra note 1.
 FTC v. EMP MEDIA, INC., Complaint for Permanent Injunction and Other Equitable Relief, January 9, 2018. (This information was made publicly available to anyone on the internet, and originally ignored removal requests from victims, until they decided to demand payment of removal from consumers ranging from $499 up to $2,800).
 State Revenge Porn Policy, Electronic Privacy Info. Center, https://epic.org/state-revenge-porn-policy/.
 46 Fla. Stat. ch. 784, § 49 (2018). The statute further dictates that the victim may initiate a civil action against the person who violated the statute and obtain relief in the form of an “injunctive relief, monetary damages, reasonable attorney fees, and costs.” Id. Additionally, if an individual with a prior conviction for sexual cyberharassment, commits a second or third offense, it would be considered a felony of the third degree. Id.
 H.R. 5896, 114th Congress (2015-2016).
 The Cube, Romania Criminalises Cyber Harassment as a Form of Domestic Violence, Euro News (Sept. 7, 2020), https://www.euronews.com/2020/07/09/romania-criminalises-cyber-harassment-as-a-form-of-domestic-violence.
 Danielle Citron, Hate Crimes in Cyberspace, 150 (1st ed. 2014). (Danielle Citron suggests that “revenge porn laws should apply only if a defendant disclosed another person’s nude image knowing the person expected the image to be kept private and knowing the person did not consent to the disclosure.”).
 Danielle Citron states further that “criminal law should cover … images that are made available to others, whether it is a single other person or the public at large.”
 Danielle Citron, Hate Crimes in Cyberspace, 151 (1st ed. 2014).
 Although this may have some effect on users’ freedom of speech, the government could view this similarly to certain exceptions on speech (such as violence, drugs, lewdness, etc.).
 18. U.S.C.A. §2261A(2)
 Naomi Goodno, Cyberstalking, a New Crime: Evaluating the Effectiveness of Current State and Federal Laws, 72 Mo. L. Rev. 127 (2007)
 U.S. v. Sayer, 748 F.3d 425, 434 (1st Cir. 2014).
 Wei-Jung Chang, Cyberstalking and Law Enforcement, Procedia Comput. Sci. 176, 1188, 1191 (2020)
 Rachel E. Greenspan, Zoom-Bombing has Become a Popular Form of Trolling During Quarantine, In Many Cases, it May be Illegal, According to Experts.The Insider (Apr. 13, 2020, 5:09 PM), https://www.insider.com/what-is-zoom-bombing-illegal-2020-4 .
 Kate O’Flaherty, Beware Zoom Users: Here’s How People can ‘Zoom-Bomb’ Your Chat, Forbes (Mar. 27, 2020, 11:19 AM), https://www.forbes.com/sites/kateoflahertyuk/2020/03/27/beware-zoom-users-heres-how-people-can-zoom-bomb-your-chat/?sh=797fcdae618e .
 Kate O’Flaherty, Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk, Forbes (Mar. 25, 2020, 1:54 PM), https://www.forbes.com/sites/kateoflahertyuk/2020/03/25/zooms-a-lifeline-during-covid-19-this-is-why-its-also-a-privacy-risk/?sh=2f24660b28ba .
 Kristen Setera, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI (Mar. 30, 2020), https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic .
 Rachel Bercovitz, Prosecuting Zoom-Bombing, Lawfare (Apr. 24, 2020, 10:42 AM), https://www.lawfareblog.com/prosecuting-zoom-bombing .
 18 U.S.C. § 1030 (a)(2)(C).
 18 U.S.C. § 1030 (e)(2)(A).
 In re Zoom Video Commc’n Priv. Litig. (N.D.Cal. 2021) 525 F. Supp. 3d 1017, 1023.
 Samuel Stolton, Commission presses Zoom for security assurances but continues to use platform, Euractiv (Oct. 7, 2020), https://www.euractiv.com/section/data-protection/news/commission-presses-zoom-for-security-assurances-but-continues-to-use-platform/.
 Nelie Bowles, How ‘Doxxing” Became a Mainstream Tool in the Culture Wars, New York Times (Aug. 30, 2017), https://www.nytimes.com/2017/08/30/technology/doxxing-protests.html.
 Dylan E. Penza, The Unstoppable Intrusion: The Unique Effect of Online Harassment and What the United States Can Ascertain from Other Countries’ Attempts to Prevent It, 298, 303, Cornell International Law Journal (2018).
 See Why They Dox: First Large-Scale Study Reveals Top Motivations and Targets For this Form of Cyber Bullying, NYU Tandon School of Engineering (Nov. 7, 2017), https://engineering.nyu.edu/news/why-they-dox-first-large-scale-study-reveals-top-motivations-and-targets-form-cyber-bullying (evidencing that there is a significant privacy problem with the act of doxxing).
 Maria Cramer, A Grandfather Died in ‘Swatting’ Over His Twitter Handle, Officials Say, New York Times (Jul. 24, 2021), https://www.nytimes.com/2021/07/24/us/mark-herring-swatting-tennessee.html.
 Beth Anne Steele, FBI Oregon Tech Tuesday: Building a Digital Defense Against Smart Device Swatting, FBI Portland, Or. (Jan. 12, 2021), https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-oregon-tech-tuesday-building-a-digital-defense-against-smart-device-swatting.
 A confused homeowner who has a SWAT team break into their house to respond to a hoax call, has not only had their privacy invaded by the doxxing, but in many instances may lose their life due to the swatting.
 Dep’t of Homeland Sec. How to Prevent Online Harassment from “Doxxing” (2017), https://www.dhs.gov/sites/default/files/publications/How%20to%20Prevent%20Online%20Harrassment%20From%20Doxxing.pdf.
 Fed. Trade Comm’n, FTC Information Injury Workshop (2018), https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf.
 Julia M. MacAllister, The Doxing Dilemma: Seeking a Remedy for the Malicious Publication of Personal Information, 85 Fordham L. Rev. 2451, 2475 – 2479 (2017).
 Rep. Energy Com. Comm.117th Cong., Discussion Draft (Jul. 23, 2021), https://republicans-energycommerce.house.gov/wp-content/uploads/2021/07/17-Carter-FTC-Doxxing.pdf.
 This proposal requires companies to have a written content moderation policy that reasonably attempts to prevent individuals who have been “doxed” from having their information be posted publicly on that website, granting FTC authority to regulate this under “unfair and deceptive trade practices.”
 Anti-Swatting Act of 2018, H.R. 6003, 115th Cong.§ 2 (2018).
 Common law torts are ineffective due to jurisdictional limitations and litigation cost limitations to the victim. The “Discussion Draft” that is currently circulating in the House is great for minimizing the spread of doxxed information regulating content moderation, but it does not help prevent doxxing in the first place. The Anti-Swatting Act would do a great job of penalizing the act of swatting and the physical harms felt by it, but does not address the privacy concerns directly related to being doxxed in the first place.
 Fed. Trade Comm’n, FTC Information Injury Workshop (2018), https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf.
 Without the risk of being prosecuted for doxxing, individuals have far too much protection to engage in acts that can result in invasions of privacy and even death in extreme cases.