November 12, 2009
Tagged Settles Spam and Address Book Harvesting Claims Brought by NY and TX Authorities
[Post by Venkat]
Tagged, which is supposedly the "third-largest social networking site in the world" (whatever this means) recently settled enforcement actions brought by New York and Texas Attorneys General. (See coverage at Bits and Media Post.)
The basic allegations were that Tagged sent emails to people which falsely implied that the people were depicted (or "tagged") in photos in order to get people to sign up for the service. At sign up Tagged also allegedly failed to disclose that Tagged would access the address books of users and send emails trying to get friends of these users to sign up.
The Tagged settlements - details of which are recapped by David Johnson here - required Tagged to pay 250,000 and 500,000 to Texas and New York, respectively. The settlements also require Tagged to provide users with greater disclosure and require Tagged to jump through certain hoops before accessing the address book of a user. David notes that the enforcement actions were brought under a variety of New York statutes including New York's deceptive trade practices law and false advertising statutes. He notes that those statutes "would not be preempted by CAN-SPAM . . . [but] we will never know" for sure, since Tagged settled.
Although Tagged chose not to fight the battle, there's another case pending in California that is roughly analogous, where the court ruled that claims arising out of similar conduct were preempted by CAN-SPAM. (Hoang v. Reunion.com, discussed by Ethan here and here.) As Ethan notes, in the Reunion case, Judge Chesney ruled that CAN-SPAM preempted pretty much every type of email-based claim except for those sounding in common law fraud. Common law fraud has a high damage threshold and because none of the plaintiffs were able to show that they actually relied on, or suffered out of pocket loss due to, misstatements in any Reunion emails, Judge Chesney dismissed the claims against Reunion. (Incidentally, that case is mired at the district court level. Plaintiffs have indicated they plan to appeal, but defendants moved for sanctions based on the fact that plaintiffs represented to the court that they could file a third amended complaint containing adequate damage allegations but ultimately changed their minds and decided they wanted to appeal. The court deferred ruling on the pending motions and requested additional briefing from the parties.)
Tagged is also defending against a class action filed in California. The plaintiffs in this case allege claims under the Computer Fraud and Abuse Act and the Stored Communications Act, among other statutes. (You can access a copy of the complaint here (scroll down).)
So, what to make of these lawsuits against Tagged and Reunion?
1. I'm inclined to agree with Ethan that Reunion went too far in concluding that only claims for common law fraud are carved out of CAN-SPAM's preemption clause. Mummagraphics - the early appellate preemption case - concluded that immaterial errors are not actionable, but that's a far cry from the high bar set by the court in the Reunion case.
2. CAN-SPAM's preemption clause has a second exception for laws that "are not specific to electronic mail," I don't understand why plaintiffs don't try to rely on non-email specific laws. The Reunion plaintiffs brought claims under California spam statutes. Maybe there were structural (standing or damages-related) reasons for why they did so, but I was surprised they didn't just bring claims under California's unfair business practices statute. On a related note, with respect to the Tagged class action, the Computer Fraud and Abuse Act and Stored Communications Act don't seem like a good fit for these types of claims. The Computer Fraud and Abuse Act has a damage threshold that is probably tough to satisfy, and the Stored Communications Act regulates access to the contents of communications.
3. There isn't a ton of law on the scope of California's anti-spam statute, but the Ninth Circuit certified an issue to the California Supreme Court in Kleffman v. Vonage. I'm not sure if this ruling will add to the mix, but it should be interesting to see what the court does here.
4. It's tough to say whether these lawsuits illustrate that enforcement is better left in the hands of government regulators or whether private parties should play a role in enforcement. Excluding large ISPs, private plaintiffs don't seem to have accomplished very much by way of stopping spam. If anything, they have pushed the envelope, and ended up with a framework that makes private enforcement much harder. That said, here the Texas and New York enforcement actions followed the California class action against Tagged, so it's tough to say.
5. Where is the FTC in all of this? Busy regulating paid endorsements by bloggers I guess.
Posted by Venkat at 08:54 AM Permalink | Spam | Printable Version
November 11, 2009
Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit -- Krottner v. Starbucks
[Post by Venkat]
A lost laptop computer containing the personal information of Starbucks employees prompted a class action lawsuit against Starbucks (in Washington). The lawsuit received some coverage (see, for example Bob McMillan here, and Starbucks Gossip here), but the trial court's dismissal of the lawsuit received almost no coverage. (I mentioned the lawsuit, but failed to note the court's dismissal of it. Here is the one mention I came across of the dismissal.) Plaintiffs appealed the dismissal to the Ninth Circuit, and their just-filed appeal brief is worth a look. Access a copy of the brief at scribd here.
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contain a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
Posted by Venkat at 03:51 PM Permalink | Privacy/Security | Printable Version
November 10, 2009
A New Way to Bypass 47 USC 230? Default Injunctions and FRCP 65
By Eric Goldman
I recently got the following email from David Gingras, the relatively new General Counsel of the Ripoff Report (reposted with his permission):
________
"As you know, Ripoff Report has defended, and won, a lot of CDA cases in the past few years. Although we still get a new case every so often, plaintiffs and their lawyers seem to have gotten the message that lawsuits against us aren’t likely to prevail. Good news, I suppose.
Despite this, a new strategy is arising....In a nutshell, what seems to be happening is that defamation plaintiffs are no longer naming Ripoff Report as a party (which is good). Instead, they are going after the original author (also good, assuming the claim is legitimate).
However, something odd is happening – these cases almost always result in a default. Without any defendant there to argue otherwise, the courts seem willing to grant virtually any relief requested by the plaintiff; i.e. an injunction requiring the removal of the offending material. Once that happens, the plaintiff will approach Ripoff Report with their default injunction and demand that we remove whatever postings they ask us to, even when we were not a party to the case and even if the truth of the statements has never been litigated. Their argument tends to be that under FRCP 65, injunctions can be enforced against non-parties as long as they are acting in “active concert” with a party, so they simply claim we are acting in concert with the author, whatever that means.
In this scenario, it’s almost as if 47 USC s. 230 doesn’t exist at all. In other words, if you are a plaintiff seeking to remove a negative online posting, you’re not going to succeed with any claims against the site. However, that need not stop you – all you have to do is file a lawsuit against someone, claim they were the author, make sure they default, and then ask the court for an injunction (even if it affects a non-party) and voila! You have just accomplished your goals without even really trying!....
[I]t seems to me that if courts allow this type of thing to happen, then the CDA is essentially meaningless – by “litigating” the merits of the case against a non-existent defendant and then approaching Ripoff Report after-the-fact, a plaintiff can obtain relief that they would never be able to get in a legitimate adversarial proceeding, and we’re stuck trying to get the judge to put the genie back into the bottle.
Can plaintiffs use this tactic to get damages from a website/host? Well, not initially, but once you have an injunction requiring the removal of material from the site, the door is open to asking for contempt sanctions if the website doesn’t comply, and that could allow essentially unlimited damages – even when the original claims were time-barred (note: the statute of limitations is an affirmative defense which is waived if the defendant defaults), or even if the original postings were true.
...I am very concerned that this is the start of a new trend. Using a baseball analogy, it’s almost like the plaintiff takes the field alone, plays the game, declares itself the winner, and then finally tells the other team about the game. Should the umpires allow this? No, of course not, but what happens when they do?"
________
David's email raises a fascinating doctrinal question of the interaction between FRCP 65(d) and 47 USC 230, but I wonder how often these issues come up in the field. Ripoff Report is relatively unique among consumer review sites (and UGC sites generally) because it vows never to remove user postings, even if a user asks Ripoff Report to remove the post. In contrast, most UGC sites would speedily comply with a default injunction, no questions asked—especially if the user is not around to protest the takedown. Or the user folds in the face of a demand from a putative plaintiff and deletes the content him/herself, at which point the service provider doesn't even know there was a problem.
Nevertheless, I think David may be witnessing a new and cutting edge way to effectuate illegitimate content takedowns. Many websites that initially stand up for their users, emboldened by the 230 shield, will instantly crumble when presented with a default injunction. For the price of a complaint and a defendant’s default (which can be engineered by targeting a phantom author), plaintiffs obtain an effective cudgel to excise unwanted content throughout the web. Because this could become a cost-effective way of suppressing socially valuable critical content, I encourage UGC sites to be circumspect about honoring default injunctions against user content.
If a UGC site chooses to contest a default injunction, 47 USC 230 should trump FRCP 65. FRCP 65(d) applies to non-litigants in "active concert or participation" with the defendant. Typically, the only relationship between the content producer/defendant and a UGC website is that the website is republishing the defendant’s content. 230 preempts any effort to treat a website as the publisher of third party content, and I think that’s exactly what FRCP 65(d) does.
Now, if a court has properly adjudicated some content as tortious or illegal, it would be socially desirable for the website to remove the content. This is why a court orders the injunction in the first place. However, David’s example assumes an incomplete adjudication because of the default. So if a website contests a default injunction against user-supplied content, a court should do a more thorough evaluation of the plaintiff’s merits. If the court concludes—following a properly contested proceeding—that the injunction was in fact appropriate, only then should the publisher be compelled to remove the content.
Unfortunately, most judges will expect websites to honor a default injunction without question, and therefore they will be reluctant to reconsider the injunction’s merits. Apropos of that, David sent me a report of a hearing from last week involving Ripoff Report's effort to contest a FRCP 65 default injunction. He says that the "judge was apparently ‘incredulous’ at our position – [wondering] why can’t we just agree to take the postings down?" Nevertheless, the judge gave Ripoff Report a chance to brief the matter. I’ll be interested to see if Ripoff Report can make any headway with the skeptical judge. Whatever you think about Ripoff Report generally, I applaud their efforts to defend their users’ words and ensure judicial accuracy rather than rolling over like most UGC sites would.
Posted by Eric at 11:50 AM Permalink | Derivative Liability | TrackBack (0) | Printable Version
November 06, 2009
Google AdWords Litigation Keeps Rolling In--Parts Geek v. US Auto Parts
By Eric Goldman
Parts Geek LLC v. US Auto Parts Network Inc.,3:2009cv05578 (D.N.J. complaint filed Nov. 2, 2009) [warning: 3MB PDF]. The Justia page.
In my world, we have an honor code among geeks--thou shalt not harm other geeks. As you can imagine, then, I was a little sad to see geek-on-geek litigation like this one, where auto parts geeks are suing computer geeks. Can't we geeks all get along?
Parts Geek is an online retailer of auto parts. US Auto Parts Network is a competitor who has bought keyword ads triggered by Parts Geek's trademarks. (However, when I searched this morning for Parts Geek, I didn't see any US Auto Parts' ads). In response, Parts Geek is suing its competitor as well as Google for the keyword advertising.
With respect to Google's involvement, the complaint doesn't break any new ground. I'm pretty sure it's largely a rip of another complaint, but I can't remember which one(s). According to my count, this lawsuit brings Google back up to 9 AdWords lawsuits.
In contrast, there are a couple of interesting facets of the claims against US Auto Parts. First, Parts Geek alleges (para. 42) that US Auto Parts set up a blog entitled "Auto Parts Geek" to divert traffic. Can you imagine a more perfect descriptive fair use situation? I think this will become my new favorite example.
Second, Parts Geek makes a Computer Fraud & Abuse Act claim because US Auto Parts allegedly crawled Parts Geek's site to extract "proprietary data and pricing." The CFAA claim seemed like an afterthought tacked onto allegations that focused almost exclusively on the trademark issues, and it wasn't as fleshed out or robust as we normally see in anti-crawling lawsuits (i.e., no claims for breach of contract, trespass to chattels, copyright infringement or violations of a state computer crimes law). Nevertheless, I'm always interested in anti-crawling lawsuits, especially ones with anti-competitive angles like efforts to keep competitor A from learning competitor B's prices. Further, Parts Geek claims that US Auto Parts' access to its website was delimited by a "terms of use" which, from my limited review of the Parts Geek site, appears to be at best a very obscure "browsewrap." The CFAA is more tolerant of obscure disclosures than contract law is, and this CFAA claim is hardly unusual, but I'm nonetheless troubled by the implications of treating obscure browsewraps as effective anti-crawling mechanisms.
The roster of pending AdWords cases:
* Ezzo v. Google
* Rescuecom v. Google
* FPX v. Google
* John Beck Amazing Profits v. Google and the companion Google v. John Beck Amazing Profits
* Stratton Faxon v. Google (not initially a trademark case)
* Soaring Helmet v. Bill Me
* Ascentive v. Google
* Jurin v. Google 1.0 (voluntarily dismissed), succeeded by Jurin v. Google 2.0
* Rosetta Stone v. Google
* Flowbee v. Google
* Parts Geek v. US Auto Parts
Posted by Eric at 07:17 AM Permalink | Derivative Liability , Search Engines , Trademark | TrackBack (0) | Printable Version
November 03, 2009
Law Professor Sues Over 'Above the Law' Blog Posts--Jones v. Minkin
By Eric Goldman
Jones v. Minkin, 1:09-cv-23256-MGC (S.D. Fla. complaint filed Oct. 27, 2009). The Above the Law blog post on the lawsuit with links to the posts in question.
Given its history of provocative and occasionally aggressive blog posts, it's actually a little surprising that popular law blog Above the Law has not been sued before. A blogger's life is inherently filled with peril. We bet our houses with every blog post, and eventually the law of large numbers starts working against us. The risks are even greater for bloggers covering legal topics. By definition, we routinely cover people who are prepared to mix it up in court. As a result, it's almost inevitable that blawgers who keep at it long enough will get sued eventually.
The plaintiff in this case is University of Miami law professor D. Marvin Jones, who in 2007 was improperly detained by police for possibly racist reasons. This prompted a series of blog posts on Above the Law that included an unflattering cartoon and unfavorable characterizations. Jones now claims that the blog posts put him in a false light, invaded his privacy and constituted copyright infringement because the blog posts used the photo from his university profile page. Although the complaint uses the word "defamation" earlier in the pleading, no defamation claim was alleged. For these violations, Jones asks for tens of millions of dollars to right the alleged wrongs.
I'm skeptical about all three claims, but the copyright claim is almost unquestionably bogus. It's not properly pleaded; there's no allegation of a copyright registration. More importantly, I would be shocked if Jones owned the copyrights in the photo on his faculty page. Usually faculty photos are taken by a university photographer or a third party vendor; in either case, the photo subject normally does not obtain ownership or an exclusive license to the copyright. Perhaps Jones has managed his IP affairs better than 99+% of professors. If not, 17 USC 505, the copyright fee-shifting provision, seems like it sets up Jones to potentially write a check to the defendants. (Fair use also seems strongly possible, but we don't need to get there if the plaintiff can't establish a prima facie case of infringement).
With respect to the alleged privacy violations, there is the obvious problem that police incident reports should be public documents. However, I’m also interested Jones' faculty bio does much to trumpet his high public profile. He self-describes himself as a "public intellectual" (a fairly rare self-characterization among academics) and says he has "appeared as an expert on national and local television" and "is a sought after speaker at many universities." These self-reported assessments about his public visibility don't obviate his privacy rights, but they do suggest that a police detention--especially one with racial overtones, exactly the type of thing he discusses in these public spaces—and the associated report either don't qualify as a "private fact" or are sufficiently newsworthy to trump his privacy interests.
Ben Sheffner's post on this case makes good points about the false light claim. He says it's DOA because (1) Florida doesn't recognize the cause of action, and (2) to the extent it's based on the cartoon, the cartoon was provided by a third party and therefore 47 USC 230 preempts the claim.
This lawsuit reminded me a little of the long-running Steinbuch v. Cutler lawsuit, which also involved a law professor/plaintiff Robert Steinbuch (now at UALR) claiming privacy violations against a blogger. That legal battle hasn't turned out so well for Steinbuch. Putting aside a number of substantive losses along the way, the lawsuit has been going nearly 5 years with no clear end in sight. Some of the delay was caused by Cutler's bankruptcy, but much more of it was due to the inherent weakness of judicial proceedings as a redress for unwanted speech. And in the end, I don't think the lawsuit has done much to enhance Steinbuch's reputation as a law professor or otherwise.
Two other minor points about the lawsuit. First, the complaint repeatedly criticizes Above the Law for referring to Jones as "D. Marvin Jones" rather than some other variation of his name, alleging that the usage was designed to ensnare searchers looking for his book. Perhaps that was the intent (doubtful, but possible), but I have chosen to refer to Jones by the name he uses on his faculty profile...which is "D. Marvin Jones." Second, it was jarring to see "Barack Obama" misspelled in a complaint (especially given the plaintiff's expertise) as "Barrack Obama."
Unfortunately for Above the Law, Florida does not have a robust anti-SLAPP statute. Nevertheless, given its facial lack of merit and the possibility that Jones will want to minimize the size of the check he has to write the defendants for his ill-conceived copyright claim, I hope this lawsuit will reach a quicker resolution than the Steinbuch v. Cutler saga.
FWIW, there is an attractive free conference tomorrow afternoon in San Francisco that, quite topically, will address the unique challenges of online reporting of legal cases. (The official page is down, but this page has all the relevant details). Hope to see you there.
UPDATE: Jones has voluntarily dismissed the case within days of bringing it.
Posted by Eric at 01:57 PM Permalink | Content Regulation , Copyright , Derivative Liability , Publicity/Privacy Rights | TrackBack (0) | Printable Version
Court Sanctions Lawyer for Including Social Security Number and Date of Birth Information in Filing -- Engeseth v. Isanti County
[Post by Venkat]
I've blogged about parties who complain when opposing counsel wrongly includes personal information (usually social security numbers) in court filings. Attempts to assert counterclaims based on this type of conduct typically fail. For one example, see In re Killian, discussed here. (You can see a list of other cases rejecting these types of claims noted here.)
However, a judge in Minnesota recently sanctioned a lawyer for including the "full social security numbers and dates of birth for 179 individuals" in a court filing. (Engeseth v. Isanti County, Case No. 06-CV-2410 MJD/RLE (D. Minn.; Oct. 20, 2009).) After issuing a show cause order on its own motion (as best as I can tell, none of the parties complained), the court concluded that counsel's inclusion of the social security numbers and date of birth information in a filing violated Federal Rule of Civil Procedure 5.2(a), and demonstrated poor judgment. That rule requires truncation of certain personal information (e.g., social security number, taxpayer identification number) in court filings unless otherwise ordered by the court. (Here is a link to the rule: "Privacy Protection for Filings Made with the Court".)
The sanctions imposed by the court included: (1) notice to all injured parties, along with "individualized credit reports and credit monitoring," and (2) payment of $5,000 to the Second Harvest Heartland food bank.
Without minimizing the seriousness of the privacy interests at issue, it seems rough for the court to impose these types of sanctions on its own motion. The credit monitoring makes sense, but I'm not sure what's up with the donation to the food bank. Particularly rough from the lawyer's perspective, given that this appears to be a pro bono case where the lawyer achieved a good result for the clients. The filing containing the social security numbers was an accounting affidavit filed by the lawyer detailing the disbursements of settlement proceeds to his clients. I'm not suggesting that you don't have to follow the rules in pro bono cases. You obviously do, but the sanction must have stung, coming at the end of a successfully prosecuted pro bono case.
My own anecdotal observation is that courts are very reluctant to sanction lawyers these days, and I've seen courts reject sanctions for a lot worse. Nevertheless, the court's order illustrates the importance of adhering to court orders and rules that govern the inclusion of private information in court filings. As to whether this means that parties can assert claims based on the wrongful inclusion of personal information in filings, the answer is, no, they probably cannot. In any event, I would think the relief awarded by the court would be limited to notice and credit-monitoring, as is typically the case in consumer data breach cases. In other words, it's difficult to gain leverage in a case based on the opposing party's wrongful inclusion of personal information in a court filing.
Added: additional coverage at the Minnesota Lawyer Blog here (which first noted the order) and The Register here. The Minnesota Lawyer Blog also provides access to the order itself: [pdf].
(h/t Cathy Gellis)
Posted by Venkat at 01:04 PM Permalink | Privacy/Security | Printable Version
November 02, 2009
October 2009 Quick Links
By Eric Goldman
Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.
* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.
* The AutoAdmit case is over. Above the Law and the Yale newspaper.
* Google doesn't want to hear your complaints about your reputation management.
* Moneygram settles with the FTC (to the tune of $18M) that its money wiring service was used to perpetrate fraud.
* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.
* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.
* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!
* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.
* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.
* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.
* Venkat has his own version of Quick Links on his site.
Posted by Eric at 05:08 PM Permalink | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack (0) | Printable Version
October 30, 2009
Internet Obscenity Conviction Requires Assessment of National Community Standards--US v. Kilbride
By Eric Goldman
U.S. v. Kilbride, 2009 WL 3448360 (9th Cir. Oct. 28, 2009)
Jeffrey Kilbride and James Schaffer were porn spammers, operating through Ganymede Marketing, a Mauritian company. Their spam failed to comply with CAN-SPAM in several respects, including forged headers, fake email addresses and bogus contact info. The FTC claimed that it had received over 662,000 complaints about their spam. After a 3 week trial, a jury convicted them of criminal CAN-SPAM violations, criminal obscenity for 2 spammed images and other charges. Kilbride was sentenced to 6 1/2 years and Schaffer got over 5 years. Both appealed their convictions.
In the resulting Ninth Circuit opinion, the most important discussion relates to their obscenity convictions. The Supreme Court defined obscene material in the Miller case as:
(a) whether the average person, applying contemporary community standards would find that the work, taken as a whole, appeals to the prurient interest; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable ... law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value [emphasis added]
On the Internet, the question arises: whose community standards? The Miller test anticipates that geographically dispersed communities could have different norms, and in theory an Internet content publisher needs to conform to all of them or at least the most restrictive ones. For an early example of this, see United States v. Thomas, 74 F.3d 701 (6th Cir. 1996) (involving a dial-in BBS). However, the cost and limitations of geographic authentication technology means that many Internet content publishers can't steer their content into or away from a particular geography. Personally, I think this is especially true for publishing content by email because I know of no effective way to accurately authenticate the geography of most email recipients.
The US Supreme Court squarely wrestled with the issue of disparate geographic communities being collapsed on the Internet in 2002 in its first Ashcroft v. ACLU ruling (this should be distinguished with the more influential second Ashcroft v. ACLU opinion from 2004, which I still teach today in Cyberlaw). That case involved a challenge to the 1998 Child Online Protection Act (COPA), and the Third Circuit had affirmed a preliminary injunction against COPA on the grounds that the application of a "contemporary community standards" clause to Internet publication was constitutionally infirm due to disparate community standards. In 2002, the US Supreme Court reversed the Third Circuit in a massively fractured way, with 5 different opinions and no clear consensus on anything.
To resolve this appeal, the Ninth Circuit had to divine a single rule of law from this mess-o-opinions. After parsing the inscrutable Supreme Court opinions, the Ninth Circuit concluded that "a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated via email." Whether or not the Ninth Circuit read the Ashcroft v. ACLU precedent correctly, it reached the only logical outcome for a communication medium without clear geographic authentication. Nevertheless, this is hardly an unquestionable conclusion; the Miller case expressly rejected a national standard (whatever that means): "obscenity is to be determined by applying 'contemporary community standards'...not 'national standards.'" Presumably, the 2002 Ashcroft v. ACLU opinion overwrote this statement from Miller (and similar statements in earlier obscenity cases), but no one really understands what the Supreme Court said in 2002.
While the Ninth Circuit reached a sound result, its ruling doesn't help these appellants. Even though the district court provided different jury instructions, the Ninth Circuit concluded that the district court's instructions were not "plain error" (the applicable review standard), so the convictions stand. Harsh.
Even if appellants wrested a reversal, I'm not sure it would matter because I have never fully understood the import of regionally disparate "contemporary community standards." The phrase only explicitly modifies the Miller test’s determination of whether a work "appeals to the prurient interests"--basically, whether the work appeals to content consumers' interest in sex. Community standards can also implicitly come into play with the determination of what is "patently offensive" or the perceived value of the work, but these are not explicitly referenced in the Miller test.
With respect to the prurient interest reference, I could imagine regional differences about some borderline cases (say, a sex education tutorial) or with respect to niche sexual interests, where the niche audience would find that the work appeals to their esoteric interests and the remainder of a region's population might find the work so unappealing that it’s not viewed as sexually interesting at all. But for a lot of "mainstream" pornography, my guess is that there are not meaningful regional differences about the work's sexual appeal. I haven't seen the 2 images at issue in this case, so maybe they fall into the borderline cases. Otherwise, I wonder if a new trial using national community standards would actually change the result. (Another reason for skepticism: our rage towards spam frequently causes us to ignore the rule of law when we have a chance to punish spammers).
In the ruling, the Ninth Circuit also rejected the defendants' facial and as-applied challenges to the criminal CAN-SPAM provisions. The defendants focused their attack on CAN-SPAM restrictions on falsifying information in a way that would "impair" spam blocking. The court concludes that none of the provisions are constitutionally too vague. This wasn't really a close case for the as-applied challenge because of the defendants' egregious handling of their email campaigns. In contrast, I would like to think the facial challenge has not been resolved permanently; these were clearly not the right defendants to raise or litigate the facial issues.
Along the way, the Ninth Circuit takes a swipe at domain name proxy registrations. Pulling a quote only slightly out of context, the court says "Based on the plain meaning of the relevant terms discussed above, private registration for the purpose of concealing the actual registrant's identity would constitute 'material falsification'" (one of the elements of a CAN-SPAM crime). You may also recall the recent Solid Host v. NameCheap case suggesting that proxy service providers could face contributory ACPA liability. Collectively, these two opinions indicate legally disadvantageous treatment for proxy service usage. Given this disconcerting trend, I don't see the domain name proxy business as a growth industry.
Thomas O'Toole also discusses the ruling.
Posted by Eric at 03:00 PM Permalink | Content Regulation , Domain Names , Spam | TrackBack (0) | Printable Version