Porn WikiLeaks: HIPAA, 2257s, defamation and the Computer Fraud and Abuse Act

Apr 11, 2011 • Crime, Feature, News, Porn Valley

Legal aspects of the Porn Wikileaks case.

There is a lot of misinformation floating around the web about the Porn Wikileaks story. In the interest of informing the dialogue and helping performers understand their legal options, we have summarized the four legal items that are getting the most attention in the Porn Wikileaks story and provided some information about what the law actually says in regard to HIPAA, 2257, defamation and the Computer Fraud and Abuse Act.

HIPAA

Much has been said about Porn Wikileaks’ violation of the Health Insurance Portability and Accountability Act (HIPAA), particularly due to misinformation in the media claiming that the wiki has made available adult entertainers’ STI test results. While Porn Wikileaks has a “High Risk HIV gay porn actors working in straight Porn” list and “High Risk HIV” list and makes claims within some pages regarding the sexual health of the listed performers, these appear to be — like much of the information on the site — merely cases of libel.

The site has not yet published any medical information, though the DailyBeast and Salon have both raised the possibility that the creator of the wiki may publish performers’ health information in the future.

Even if Porn Wikileaks did publish this content, however, a close look at HIPAA shows that these regulations only apply to covered entities, such as health care providers, health insurance companies, HMOs, Medicare, and Medicaid, to name a few. There are several organizations and entities that are not covered by the privacy rule (employers, for example).

The short of HIPAA is, essentially, that any covered health care provider requires your authorization to disclose identifiable health information (that is, health information that contains identifiers such as one’s name, address, birth date, or social security number), unless other laws require the provider to disclose it. Thus, because Porn Wikileaks is not a covered entity, it cannot be prosecuted for violation of HIPAA regulations even if it does release medical information.

The responsibility in this event would fall on the entity that did not take sufficient measures to safeguard this information — or on any employee proven to have leaked the information to the site.

A note must be made here about the information that is actually available on the Adult Industry Medical (AIM) database. We spoke with AIM’s attorney Jeffrey Douglas this morning about the information made available by the Adult Industry Medical database:

The information on Porn Wikileaks that could have come from AIM are the legal names, the stage names and birth dates, correlated. But home addresses, IDs, numbers — all of that could not [have come from AIM].

Most likely, this information came from 2257s, forms required under the Child Protection and Obscenity Enforcement Act of 1988, that are collected to ensure all performers in an adult shoot are over the age of consent.

2257s, Also Known As 18 U.S.C. § 2257

By this law, any producer of explicit material must obtain and retain a 2257 form for every model involved in a shoot along with copies of their IDs.

While the law itself does not require such stringent record-keeping of anyone who isn’t directly involved in the contracting of performers for shoots, the Department of Justice (DOJ) extended the law by designating a second class of producers, which involves “any person who produces, assembles, manufactures, publishes, duplicates, reproduces, or reissues a book, magazine, periodical, film, videotape, or digitally- or computer-manipulated image, picture, or other matter intended for commercial distribution that contains a visual depiction of an actual human being engaged in actual or simulated sexually explicit conduct, or who inserts on a computer site or service a digital image of, or otherwise manages the sexually explicit content of a computer site or service that contains a visual depiction of, an actual human being engaged in actual or simulated sexually explicit conduct.”

With regard to 2257 compliance, the DOJ makes the following specifications:

A primary producer must examine a government-issued picture identification card belonging to each performer in the visual depiction that demonstrates that the performer is 18 years old or older. The primary producer must then record the legal name, any aliases, and the date of birth of the performer, record the date of production of the depiction, and make a copy of the picture identification card. Once production is complete, a copy of the visual depiction must be maintained along with these records. All information on a performer may be redacted other than the name, date of birth, and information that identifies the type and validity of the picture identification card (e.g., driver’s license or passport number). All of the primary producer’s records for all its visual depictions must also be cross-referenced by name and alias of the performers.

If a secondary producer produces a copy of the visual depiction, the secondary producer must obtain from the primary producer the records associated with that depiction. Finally, the visual depiction must be labeled with the location of the records.

That essentially means that it’s not just studios that have access to these forms with performers’ identifying personal information, but that a number of middlemen receive access to the forms as well.

As Barbie Davenporte at LA Weekly’s AfterDark LA blog notes, “There is no law preventing the sharing and distribution of 2257 documents within and outside of the industry.”

When we spoke with AIM attorney Jeffrey Douglas this morning, he elaborated on this point:

Adult is a highly competitive market. If you’re a distributor [of adult films], desperately trying to make sales, some guy calls you and says, ‘let’s set up a system where I sell your product, you drop-ship it for me, I make two dollars on every sale, you make six dollars on every sale, everybody’s happy.’ Federal law requires that I turn over all the performers’ information. There’s no guarantee people claiming to be a seller are not a stalker, a crazy or a hostile. Federal law and the market guarantee privacy invasion on a wholesale level.

In terms of protection of performers, the DOJ allows for the redaction of home address, social security numbers, and anything else other than the name, date of birth, and information that “identifies the type and validity” of the performer’s ID, such as a driver’s license number. The 2257s and copies of IDs do not have to be maintained in hard copy, but could also be kept and secured electronically. These two things, however, are not requirements and practices may vary across the industry. As such, there does not appear to be any basis for a claim regarding the disclosure of information contained in these forms.

This law was put into place to help prevent child pornography. Sadly, in the process of potentially safeguarding against the exploitation of minors (which, Douglas rightly noted in our conversation with him, may still occur with the use of fake or stolen IDs), a gaping hole was left exposing the personal information of thousands of performers.

“Congress created a significant allocation of resources for hundreds of thousands of small businesses in the United States [with 2257 regulations],” said Douglas. “Did they hold a hearing? No. Do they have any idea what the implications are? No. Can anyone think of any other circumstances where Congress has burdened any industry in this way without holding a hearing to see what it would do? Did they ask law enforcement? No. There has never been a hearing on 2257 from its inception to its current form. All amendments are part of omnibus bills, budget bills, rewrites of the criminal code. They just toss in regulation without any dialog with the industry being regulated. And the people paying the price are small businesses and individuals whose privacy is being invaded. [This industry] is a very attractive punching bag.”

Douglas offers a solution on a state-level basis: to lobby to make it a crime to publish personal identification documents of any individual.

Defamation

Without a doubt, much of the content of Porn Wikileaks could be classified as libelous. Libel is covered under defamation law (which, in California, is written under Cal. Civ. Code §§ 45 and 45a; we also include §46, as it brings up the sort of statements involved in the case of Porn Wikileaks and, given the information coming out about the man allegedly behind the site, may yet find some relevance):

§45: Libel is a false and unprivileged publication by writing, printing, picture, effigy, or other fixed representation to the eye, which exposes any person to hatred, contempt, ridicule, or obloquy, or which causes him to be shunned or avoided, or which has a tendency to injure him in his occupation.

§45a: A libel which is defamatory of the plaintiff without the necessity of explanatory matter, such as an inducement, innuendo or other extrinsic fact, is said to be a libel on its face. Defamatory language not libelous on its face is not actionable unless the plaintiff alleges and proves that he has suffered special damage as a proximate result thereof. [Editor’s note: Per §48a.4(b), “special damages” are all damages one can prove he has suffered or incurred as a result of the libel.]

§46: Slander is a false and unprivileged publication, orally uttered, and also communications by radio or any mechanical or other means which:
1. Charges any person with crime, or with having been indicted, convicted, or punished for crime;
2. Imputes in him the present existence of an infectious, contagious, or loathsome disease;
3. Tends directly to injure him in respect to his office, profession, trade or business, either by imputing to him general disqualification in those respects which the office or other occupation peculiarly requires, or by imputing something with reference to his office, profession, trade, or business that has a natural tendency to lessen its profits;
4. Imputes to him impotence or a want of chastity; or
5. Which, by natural consequence, causes actual damage.

Certain things are considered defamatory per se, meaning a plaintiff need not prove special damages. In his post detailing how much Wikileaks and Porn Wikileaks differ, Maymay brings up the case of James Jamesson, who posted his negative HIV results to counter information on the Porn Wikileaks site claiming otherwise.

This statement doesn’t simply affect Jamesson’s livelihood by potentially threatening his career; it could technically also be viewed as defamation per se if the statement or statements made also implied that Jamesson knows of his positive status, since the knowing spread of HIV is a felony. Other statements that appear on the site alleging individuals are “child rapists” and “hookers” indicate the people specified are guilty of a crime and thus fall under the category of defamation per se.

In cases involving public figures (anyone who has achieved pervasive notoriety), the burden is generally placed on the plaintiff to prove the statements made are false and establish there was actual malice involved. In this case, “actual malice” has nothing to do with cruelty; it merely refers to the publication of information by one who either knows that the information is false or who is acting with reckless disregard for the truthfulness of the statement.

In cases involving private parties (and we are unsure of where the threshold of notoriety is exactly, so please seek legal counsel if you’re interested in pursuing this route), the burden of proving that the statements are true falls on the defendant. The plaintiff need only show negligence on the part of the publisher (that sources are not reliable, that statements are not verified for accuracy, etc.).

Please note that as far as defamation cases are concerned the old and tired adage “truth will set you free” is 100 percent true. Truth is an absolute defense in any defamation claim; and by the same token, any statement that is proven to be true will not result in any damages even if the statement is horrifying, so please take this into consideration when considering this option.

“A civil suit gets you money or it doesn’t. If you sue someone without money, you just get a judgment against them,” Douglas said, bringing up another consideration. “That’s better than nothing. But you have to track them down and build a case first. A more systematic way is to hit up their service provider, make them take a look at the site and realize that it is way too much grief to keep up. But it’s bigger than that: if you can’t deter the next one down the line from doing this, it’s little good.”

(To learn how to reach the host of Porn Wikileaks in the Netherlands and the Dutch Data Protection Authority (DPA), see this post, which also includes some other options).

Computer Fraud and Abuse Act

If it can be proven that the creator of Porn Wikileaks exceeded authorized access of AIM’s database or unlawfully gained access to it by exploiting a weakness, it is possible he can be held accountable under the Computer Fraud and Abuse Act. However, as Maymay rightfully states, “Success with that hinges on whether or not it can be proven that PornWikileaks was not merely a passive recipient of the information but actively involved in the breach of AIM’s database.” That has yet to be proved.

According to Davenporte, AIM is currently investigating whether a breach occurred and combing through every access made to the database to find “one or more that features an information download that exceeded the allowed accessibility.”

“There are many possibilities we are exploring, but assuming we can show that somebody accessed essentially the entire database, that without question was a crime,” AIM attorney Jeffrey Douglas told AfterDark LA. “We don’t know whether or not it was a classic hack or whether [AIM’s] database had a structured flaw that allowed it.”

It becomes apparent, given this overview, that the course of action for performers is grossly limited. The system, as we know it, is broken. For decades, the adult industry has survived on a code of honor as it regards personal information, but this code is no longer sufficient. Further, while concerns about protecting children from exploitation are justified, we cannot continue to do this at the expense of the safety of an already marginalized group of people. In order for things to change, we’re going to have to think bigger than this website and the people behind it.

Many thanks to Mark R. Matthews, visiting professor of law at the Thurgood Marshall School of Law at Texas Southern University, and AIM attorney Jeffrey Douglas for their insight on the laws at play.

Photo in the header by IXQUICK.

  • Anonymous

    Thanks for the thoughtful and thorough analysis of the legal issues surrounding this case. Very helpful, if not comforting. The law provides little recourse to performers compromised by the leaks. The leakers are largely out of reach and the standards for proving defamation are so high and the cost of pursuing a judgment so prohibitive, I don’t really see anyone going that way.

    Most of all, thanks for connecting the dots concerning 2257, which is such bad law in so many ways it’s hard to know where to begin dismantling it.

    As both a producer/director and a sometime reviewer, I’ve always been concerned about the security of 2257 information. A publisher, for example, becomes a secondary producer if he uses explicit images to accompany a review, which means he needs to secure and maintain all the 2257-required documents in perpetuity. That’s a lot of sensitive information passing through many sets of hands and then ending up who knows where? With everyone in the chain of custody of the images required to get those docs and hang onto them forever, the odds of them being compromised at any link in that chain increase as the distance from the original source grows greater.

    My wife, Nina Hartley, is a principal plaintiff in the F.S.C.’s legal challenge to the expanded 2257 and one of the grounds of the challenge is that the regulations, as now interpreted, constitute a security threat to performers because so many anonymous parties have access to their personal data as a result of the wide circulation of the required documentation.

    Clearly, these leaks contain at least some information that appears to have been gleaned from 2257 paperwork, and that’s going to be an ongoing concern until the law is finally brought back within constitutional boundaries.

  • Knowsmorehtanuthink

    I love how the FSC and their clan always have to put a positive spin on anything that remotely may reflect negatively on them. From 2257 to .xxx, the FSC can be summed up in one word: FAILURE. Now go blog and PR that, guys.

  • Anonymous

    Were it not for the injunction F.S.C. secured against the enforcement of the wildly expanded version of 2257 the Bush gang tried to ram down all our throats, there would be a lot of innocent people doing time for minor defects in paperwork and the kind of sensitive information now being propagated by the current batch of malicious leakers would have been put to ill use much sooner and far more extensively.

    I have my own issues with the F.S.C., which I think has been slow to recognize and respond on regulatory issues, but on 2257 they stepped up early and got something done, unlike their detractors who generally gripe a lot and do nothing.