July 30, 2010
Google Protected by 17 USC 512(d) for Links to Infringing Content; Perfect 10's Takedown Notices Were Mostly Insufficient
By Eric Goldman
Perfect 10, Inc. v. Google, Inc., 2:04-cv-09484-AHM-SH (C.D. Cal. July 26, 2010)
In 2007, the Ninth Circuit issued an important but befuddling ruling in Perfect 10 v. Amazon and Google. That ruling addressed Perfect 10's prima facie case of secondary copyright infringement against Google (and Amazon, which was using Google results) and remanded the case back to the district court for consideration of that issue as well as the underexplored 17 USC 512 safe harbors.
We've had a couple of blog-worthy rulings since then (on a motion to dismiss and A9's eligibility for the DMCA safe harbors), but it's taken 3 years to see where the court stands on Google's eligibility for the DMCA online safe harbors. The news is largely good for Google.
* Google's lack of user accounts for content loaded into web search and image search means that Google can't have a repeat infringer policy for those services. Google's Blogger practices satisfied the requirement to terminate repeat infringers.
* Google web search, image search, Blogger (to the extent the problem is user posted links) and search cache (also to the extent the problem is cached photos) are all eligible for protection under 17 USC 512(d) with minor exceptions I'll discuss in a moment. This is a noteworthy ruling because it's one of only a handful explicitly addressing 512(d), which provides a safe harbor for links to infringing content. Most of the online safe harbor rulings have involved 512(c), the safe harbor for hosting infringing content. To refresh my memory, I did a quick search in Westlaw, and I did not immediately recall a prior ruling where a service provider won a 512(d) defense. If so, then this is an important precedent. (Please email me to let me know what 512(d) cases I've forgotten).
* The parties divided Perfect 10's takedown notices into three groups:
- Group A. These were categorically defective because Perfect 10 sent them to the wrong google.com email address and they "uniformly do not identify specifically which copyrighted works were infringed."
- Group B. Apparently most of these notices referenced bogus URLs, but some URLs were legit, which gave Google enough information to locate the infringing links. There is a factual dispute about how long it took Google to respond to the legit notices; Perfect 10 alleges that it was up to 7 months, which probably won't qualify as an expeditious response. As a result, for the legitimate Group B takedown notices, Google could be on the hook for any that weren't honored expeditiously.
- Group C. The court describes this group of Perfect 10's takedown notices:
The Group C notices generally consist of a cover letter, a spreadsheet, and a hard drive or DVDs containing electronic files. Where P10 provided spreadsheets, the spreadsheets do not identify the infringing URL, but merely the top-level URL for the entire website. P10 evidently expected Google to comb through hundreds of nested electronic folders containing over 70,000 distinct files, including raw image files such as JPEG files and screen shots of Google search results, in order to find which link was allegedly infringing. In many cases, the file containing the allegedly infringing image does not even include a URL, or the URL was truncated. The spreadsheets also do not identify the copyrighted work that was allegedly infringed....P10 then expected Google to search through a separate electronic folder—attached only to the June 28, 2007 DMCA notice—containing all of the more than 15,000 images that appeared on P10's website as of June 2007, in order to identify the copyrighted work that was infringed. [citations omitted]
Per the Ninth Circuit's ccBill ruling, this paint-by-numbers approach to takedown notices does not work. The delivery of a big database of copyrighted works does not sufficiently identify the infringed works as required by 512(c)(3), nor does Google have to navigate multiple documents to piece together the 512(c)(3) elements. The court helpfully lays out how the 512(c)(3) information must be presented to count as a 512(c)(3) notice:
at a minimum, the essential elements of notification—the copyright owner’s attestations of ownership, nonlicensed use, and veracity of the notice; contact information for the complainant; identification of the copyrighted work; and identification of the infringing material (including the location of that material and if necessary, a specific link under section 512(d))—must be included in a single written communication.
* Google qualifies for 512(c) for hosting infringing copies in Blogger with the exception of up to 23 URLs that might have been covered by a legitimate Group B notice.
The implications of this ruling are pretty straightforward. Copyright owners who want service providers to intervene on their behalf should not get creative or lazy with their 512(c)(3) takedown notices. Over and over again, we've seen that the big service providers will respond quickly to properly drafted takedown notices; and we've seen judges become increasingly less tolerant of plaintiffs who couldn't bother to follow the statutory roadmap. So plaintiffs, please just follow the statute; it's pretty clear on what you need to do.
Overall, this case reminded me of the recent (uncited) Perfect 10 v. RapidShare ruling because that judge also implicitly showed little sympathy to Perfect 10. Perhaps the courts are finally prepared to put an end to Perfect 10's litigation madness. However, given there are a sliver of legitimate Group B notices, Perfect 10 still has a way to continue to make Google's life miserable.
More comments on the case from the EFF and Techdirt.
Posted by Eric at 09:23 AM Permalink | Copyright , Derivative Liability , Search Engines | TrackBack (0) | Printable Version
July 29, 2010
Internet Law Syllabus and Reader for Fall 2010
By Eric Goldman
I have posted my syllabus for this semester's Internet Law course, my 16th year teaching the course. This blog post describes some of the latest developments with the class, including the changes from my 2009 course reader. For a more general discussion of the course's pedagogy, see my Teaching Cyberlaw article.
Course Titling
The most obvious change is that I renamed the course to "Internet Law" from "Cyberspace Law"/"Cyberlaw." I discuss the titling choices/dilemmas in my Teaching Cyberlaw article. Though it took a few years to pull the trigger, James Grimmelmann's 2007 post helped convince me that I should rename the course.
Grading
Last year, I tried an experiment of allowing students to write a wiki entry for part of their course grade. I recapped my experiences with that experiment in this blog post. Although I might be willing to try the experiment again, this semester my teaching load will be too demanding as it is, so I didn't think I could find enough time to support the students' wiki writing.
As a result, the class is back to a 100% final exam. As you can see, for the first time I'm letting students choose when to take their exam within a set window. If you've offered exams on that basis and have any suggestions for me, I would be grateful to hear them.
Added/Subtracted Reader Material
It's been an interesting year for Internet law, but I ended up adding only two new cases: Viacom v YouTube and Tiffany v eBay.
To decide what I add, I made a rough list of the most significant developments of 2010 so far. A preview of what might make the top 10 list at the end of the year:
* Supreme Court cases that weren't: Bilski, Quon
* Trademark intermediary liability: Tiffany v eBay; Gucci v. Frontline
* Copyright intermediary liability: Viacom v YouTube; Arista v Lime Group
* Sony v Tenenbaum
* Google and China
* Google/Facebook product gaffes (Buzz, Street View, Instant Personalization) and the plaintiff bar's excited responses to those gaffes
* Trademark owners giving up their lawsuits against Google (Rescuecom, Parts Geek and
http://blog.ericgoldman.org/archives/2010/07/yet_another_tm.htm">Ezzo). Also, Rosetta Stone v. Google (whenever the opinion issues)
* Barclays v theflyonthewall. One of the most interesting cases of the year.
Honorable mentions:
* Conflicting 3rd Circuit cases re student MySpace profiles
* Utah repealed its Spyware Control Act
* Anderson v. Bell (electronic signatures count for election petitions)
* Snap-on v. O'Neil. Perhaps the most interesting case of the year so far.
* FTC v. Twitter
* the new 1201 exceptions and the Fifth Circuit's puzzling 1201 ruling in MGE v. GE
Materials I dropped from the reader this year:
* Perfect 10 v. Amazon. I never knew how to teach the Perfect 10 troika of 2007 cases, and in practice I ended up skipping this case last year to conserve time. I think the Viacom v. YouTube decision is a worthwhile substitute, even if it deals with different issues.
* Parker v. Yahoo. This was intended as a recap, but it covers some of the same ground as Ticketmaster v. RMG (which is popular with the students, BTW), and I also cut it for lack of time.
* the UDRP rules. I had included them for completeness, but I never really taught them in detail.
* My slides on keyword advertising and blog/social networking law.
Also, I learned that the federal cyberpiracy protections for individuals, formerly codified at 15 USC 1129, moved to 15 USC 8131. Just so you know!
BTW, I had been looking for years for a good keyword advertising case to teach. Last year, I thought the Hearts on Fire v. Blue Nile case worked well. It does a pretty good job framing the issues. I was also happy concluding the semester with the Moreno v. Hanford Sentinel case--it was a great pedagogical wrap-up.
Electronic Casebook
My other big news about the course is that I have converted my reader into an electronic casebook. This may not sound like much, but it took me a fair amount of time to re-edit the cases and collate the materials.
Eventually, I will probably turn the electronic casebook into an official "published" casebook that can be adopted by other professors. That will require more work to supplement the case materials with pictures, notes, comments, explanatory material, etc. I didn't have time to do that this semester. Maybe next year.
However, I am making the electronic file available at Scribd as a $5 download. You can also buy a print-on-demand version from CafePress for $30 + shipping. This is a bit of an experiment to gauge general interest in the materials. Please let me know what you think of the experiment.
If you are a professor interested in adopting the materials for your course, I'm happy to provide you with a free editable copy of the materials (free to you and free for your students). Just email me.
Past Posts
My analogous blog posts from years past: 2009; 2008; 2007; 2006; 2005.
Upcoming Events
Two upcoming HTLI academic events this year are potentially interesting to cyberlaw specialists, so I'll mention them here. On November 5, we'll have a symposium on the First Sale/exhaustion doctrines, which will address a number of Internet legal issues. Then, on March 4, 2011, we'll have our 47 USC 230 15-year retrospective/geekfest royale, an event you will NOT want to miss! Registration has just opened, and this event could sell out, so get your seat early.
Posted by Eric at 09:23 AM Permalink | General , Internet History | TrackBack (0) | Printable Version
July 28, 2010
E-SIGN Prevents Enforcement of Emailed Contract Terms--Buckles v. Investordigs
Buckles Management, LLC v. Investordigs, LLC, No. 10-cv-00508-LTB-BNB (D. Colo. July 23, 2010).
It has been about 10 years now since Congress adopted the federal Electronic Signatures in Global and National Commerce Act (commonly known as “E-Sign”). Cases interpreting E-Sign have been relatively rare. A Colorado federal court judge last week purported to decide whether an e-mail could constitute an enforceable contract under E-Sign, and concluded that the e-mail in question could not be enforced as a contract. Unfortunately, the Court (and the parties briefing the motion) did not realize that this was not an E-Sign case. The Court should have analyzed the case under the Colorado Uniform Electronic Transactions Act. Had it done so, the result may have been different.
Background
The case involves a failed business relationship that is all too typical. An investor provides money, consulting services, and commercial space to a struggling company, without any legal documents to evidence such terms as whether the transaction is a loan or an investment, etc... When the business relationship falls apart, the parties meet to discuss how to end their relationship. After the meeting, a few e-mails are circulated to memorialize the terms discussed. Attorneys are asked to draft documents, but nothing is ever signed; and the parties disagree as to whether or not there was a final agreement.
The investors filed a lawsuit, asserting claims for enforcement of the purported settlement agreement, breach of loan, breach of a lease agreement, unjust enrichment and accounting. In response, the company and individual defendants asserted counterclaims for breach of contract, unjust enrichment, negligent misrepresentation, breach of fiduciary duty and fraud and false misrepresentation.
Decision
The decision in question arises from defendants’ Motion for Summary Judgment, where they maintain that the Colorado Statute of Frauds, which provides that any agreement not to be performed within one year must be in writing and subscribed by the party to be charged, renders the settlement agreement unenforceable. In response, the plaintiffs argued that the parties exchanged a writing that contained the material terms of the agreement sufficient to satisfy the Statute of Frauds. Specifically, the plaintiffs relied on an e-mail, containing a list of the purported agreed-upon settlement terms, sent from the e-mail account of one defendant (who was a principal of the corporate defendant) to another employee at the company, who in turn forwarded the e-mail to four or five other people (including one of the plaintiffs) with the message “thanks to everyone for participating today.”
The court’s basic framework for analyzing the issue seems correct:
• May an e-mail exchange satisfy the Colorado Statute of Frauds writing requirement?
• If so, does this particular e-mail constitute a “writing subscribed by the party to be charged” within the meaning of the Colorado Statute of Frauds?
• If so, does this e-mail adequately describe the terms of an enforceable contract?
The court embarked on a discussion as to whether the e-mail satisfied the Colorado Statute of Frauds. Initially, the court got the analysis right, and concluded that under Colorado law, an e-mail exchange may satisfy the “writing” requirement of the Statute of Frauds.
With respect to whether the e-mail constituted a writing “subscribed by the party to be charged” under the Colorado Statute of Frauds, here the court got off track, with the help of counsel for the parties. The plaintiffs argued that the e-mail contained an “electronic signature” under E-Sign. Section 106(5) of E-Sign defines an “electronic signature” as “an electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” The defendants argued that E-Sign did not apply because the settlement agreement did not affect interstate or foreign commerce. The court concluded that E-Sign did apply, but that the e-mail was actually sent by an administrative employee who did not have authority to bind either the corporate defendant or its individual principal. As a result, the court concluded that the signature was not “executed or adopted by [the principal of the defendant] with the intent to sign the record,” so it was not a proper electronic signature under E-Sign. The court concluded that if there was no proper "electronic signature," then the e-mail was not “subscribed by the party to be charged” under the Colorado Statute of Frauds.
Analysis
Unfortunately, the court and the parties missed the fact that the case is governed by the Colorado Uniform Electronic Transactions Act (“UETA”), not the E-Sign Act. E-Sign has a peculiar “reverse preemption.” Those who have been around long enough recall that in the late 1990's states were adopting electronic transaction laws, but in a non-uniform manner. In 1999, the National Conference of Commissioners on Uniform State Laws issued its final draft of the UETA, but states continued to enact UETA in a non-uniform manner. These non-uniform enactments were in part responsible for Congress passing E-Sign in 2000. In effect, Congress forced states to adopt UETA in a uniform manner by providing that the state version of UETA would control over E-Sign if UETA were adopted without modification. In most cases, then, if a state has adopted UETA substantially in final form, the state’s version of UETA is controlling over E-Sign. (To date, 47 states, plus the DIstrict of Columbia, Puerto Rico and the U.S. Virgin islands, have adopted UETA).
Would the analysis have been any different under UETA? It might be, because UETA is more comprehensive than E-Sign, including areas not covered by E-Sign.
Under Section 24-71.3-107 of the Colorado UETA, a contract may not be denied legal enforceability solely because an electronic record was used in its formation. So the court was correct in concluding that an e-mail exchange may satisfy the Statute of Frauds “writing” requirement.
But what about the e-mail exchange in this case? The Colorado definition of “electronic signature” is the same as the E-Sign definition. But Section 109 of UETA also allows for signatures to be “attributable” to a person where the person may not have “signed” the record himself (for example, a human agent with authority signs the record). The court concluded that the e-mail was not signed by the indiividual principal of Investordigs, but by an administrative employee. Under Section 24-71.3-109 of the Colorado UETA, whether the e-mail sent by the administrative employee could be attributed to the defendant “may be shown in any manner”. Thus, there is room for the investor to argue that the e-mail was sent on behalf of the principal of the company or that the administrative employee was acting as an agent of the principal. Unless there are additional facts not appearing in the court’s opinion, this would seem to be a classic issue of material fact, sufficient to defeat summary judgment. It is not clear from the record why the plaintiffs did not make this argument.
If the case does not settle, then it is likely that this decision will be remanded on appeal for findings of further fact consistent with the application of UETA, not E-Sign. It may be that, in the end, the investors will not be able to enforce the settlement agreement if they cannot attribute the e-mails to the company itself or the principal, or if the terms are not sufficiently definite to warrant enforcement. But, for the sake of argument, what if the employee was charged with taking notes for the meeting or was otherwise instructed by the principal to send out the e-mails containing the terms? Then it may be that the plaintiffs will be able to resurrect their claims.
Posted by John Ottaviani at 08:32 AM Permalink | E-Commerce , Licensing/Contracts | TrackBack (0) | Printable Version
July 27, 2010
Yet Another TM Owner Gives Up Against Google--Ezzo v. Google
By Eric Goldman
Jamil Ezzo has apparently given up his lawsuit against Google over AdWords. The dismissal. This was a silly lawsuit that never should have been brought (it was over the purported trademark "Locate Plastic Surgeon" for gosh sakes), and the only surprising thing is that the lawsuit lasted this long. The most noteworthy thing about this dismissal is that Google has successfully whittled the pending AdWords trademark cases down to five from a high water mark of a dozen--an impressive display of litigation skill and financial wherewithal.
The roster of pending AdWords cases (I most recently thoroughly double-checked the status of these cases on June 6, 2010):
* Ezzo v. Google
* Rescuecom v. Google
* FPX v. Google
* John Beck Amazing Profits v. Google and the companion Google v. John Beck Amazing Profits
* Stratton Faxon v. Google
* Soaring Helmet v. Bill Me
* Ascentive v. Google
* Jurin v. Google 1.0 (voluntarily dismissed), succeeded by Jurin v. Google 2.0
* Rosetta Stone v. Google
* Flowbee v. Google
* Parts Geek v. US Auto Parts
* Dazzlesmile v. Epic
Posted by Eric at 04:19 PM Permalink | Derivative Liability , Search Engines , Trademark | TrackBack (0) | Printable Version
Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
By Eric Goldman
Finkel v. Dauber, 2010 WL 2872874 (NY Sup. Ct. July 22, 2010)
I previously blogged about this case last year. The case involves a private Facebook group comprised of 6 high school students apparently mocking and criticizing one of their classmates. Even if I acknowledge that the conversation was never meant for public consumption, to me the group's discussion is embarrassingly puerile and hearkens back to John Hughes' bleak depictions of high school life.
For reasons not explained in this opinion, the contents of the private group's discussion leaked out and got back to the target, who sued Facebook, most of the posters and the posters' parents. The suit against Facebook got some press when initially filed, but it was a farcically doomed legal endeavor, and I would have slapped it with a Rule 11 sanction if I had been the judge. The judge was more merciful than I would have been on the sanctions front but nevertheless dismissed the claim per 47 USC 230.
In last week's ruling, the court dismisses the plaintiff's defamation claims against the posters because, in context, the puerile discussion clearly did not constitute assertions of fact. The court says:
A reasonable reader, given the overall context of the posts, simply would not believe that the Plaintiff contracted AIDS by having sex with a horse or a baboon or that she contracted AIDS from a male prostitute who also gave her crabs and syphilis, or that having contracted sexually transmitted diseases in such manner she morphed into the devil. Taken together, the statements can only be read as puerile attempts by adolescents to outdo each other.
The court later reiterates the point:
The entire context and tone of the posts constitute evidence of adolescent insecurities and indulgences, and a vulgar attempt at humor. What they do not contain are statements of fact.
What baffles me is that this assessment was unmistakable from reading the complaint. Yet, despite the lawsuit's seemingly obvious futility, the plaintiff still thought this case was worth bringing. Why? Was it the hope of punching an ex post lottery ticket? Or was it an attempt to use the court system to redress the putative harms? If it was the latter, I wonder if some type of remedial action other than a judicial adjudication might have nevertheless satisfied the plaintiff, because the courts sure aren't providing a satisfying resolution to cyberbullying-style cases.
The court made two other rulings of interest. First, it rejected the plaintiff's efforts to impose negligence liability on the posters' parents for tortiously entrusting the kids with a dangerous instrument. The court says: "To declare a computer a dangerous instrument in the hands of teenagers in an age of ubiquitous computer ownership would create an exception that would engulf the rule against parental liability."
Second, the court rejects any standalone claim of "cyberbullying" as a tort. The court says: "the Courts of New York do not recognize cyber or internet bullying as a cognizable tort action."
This case reminds me a little of the DC v. RR "cyberbullying" case, which I have been meaning to blog for months and will get to eventually. The DC v. RR case is more serious because the taunts were publicly posted and much more violent, but in context, the postings were still obviously hyperbolic to me. Both cases present themselves as a combination of anti-social conversations by teens who don't realize the power of their words mixed with a plaintiff who perhaps felt more sensitive about such taunts than the average person. Either way, what's clear to me is that the court system is not doing a good job resolving cyberbullying claims to anyone's satisfaction. In my future post, I'll propose an alternative that might provide a better resolution for the plaintiff than bringing low-merit lawsuits.
Posted by Eric at 08:23 AM Permalink | Content Regulation | TrackBack (0) | Printable Version
July 26, 2010
Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com
By Eric Goldman
On Friday, Venkat and I posted about the latest ruling in Facebook v. Power.com. After Venkat or I make a blog post, I typically post the blog headline and URL to Twitter. I have enabled the app that makes my Twitter posts into my Facebook status reports as well, so the headline and URL on Twitter should automatically propagate to Facebook. On Friday, I tweeted the following:
"Blog Post: Important ruling on California's anti-computer trespass statute--Facebook v. Power.com http://bit.ly/bM7hQT"
However, I noticed that the Twitter-to-Facebook app didn't work properly and the headline didn't appear. So I tried to manually enter the headline and URL and got this message from Facebook:
"This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error."
I do think that's an error, and I reported the problem through Facebook's automated reporting tool on Friday. Not surprisingly, I still haven't gotten a response to that. But I was baffled how my headline and URL could have been "flagged as abusive or spammy." Who flagged it? Why?
After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.
I emailed my PR contacts at Facebook about this. They pointed to their anti-spam filter and this blog post from June. The blog post explains that "we've been working to improve our warnings and make them more clear" and that "people misunderstand one of these systems. They incorrectly believe that Facebook is restricting speech because we've blocked them from posting a specific link."
So this is where things have gone wrong. Facebook told me it has blocked Power.com because "we found that Power was spreading links to its pages in a way that violated our Statement of Rights and Responsibilities. For example, when a Power user accessed Facebook, Power would automatically create an event on Facebook (typically called 'Power.com Party' or something similar) without the person's knowledge or permission. It would then send invitations to all of the user's friends." Fair enough, and I'm glad Facebook is trying to keep its system safe for users.
However, Facebook's dumb word filter block means that every reference to "power.com," even if it's in plaintext and not linkable, is still treated as a link and therefore is blocked as well. The messaging then disparages the plaintext reference as "blocked content that has previously been flagged as abusive or spammy" when, in fact, a link to the URL, not the plaintext reference I made, has been flagged. So much for clearer error messages.
I pointed out to Facebook's spokespeople the difference between a plaintext reference to a company's name ("Power.com") and a spammy URL/link. Their response? "Spammers turning their malicious urls into plain text is the oldest trick in the book. Not blocking all of the variations of a bad URL leaves a gaping hole."
There is a kernel of truth to this, of course. A plaintext URL is not materially different from an active hypertext link--if the user chooses to cut-and-paste the link into the browser (or right-clicks on it, or whatever). However, Facebook's method of blocking spammy links by blacklisting every instance of the character string actually has the effect of blocking *every* discussion of a blacklisted company with the name [noun].[tld]. Because the main word in the name is a noun (e.g., "Power"), referencing the name without the TLD can lead to semantic ambiguity. However, the system prevents me from using the complete name (Power.com) because it can't distinguish between a link and a plaintext reference to a company's name that acts as a URL. I received a private email that another Facebook user encountered a similar block with the string seppukoo.com, the Facebook suicide tool.
In my case, the net consequence is that Facebook automatically blocks any conversations involving the string "power.com"--including my headline to my blog post--and provides an error message telling me that I am posting spammy/abusive content when I try to make the posting, which makes me feel like I did something wrong. With all of the bright engineers at Facebook, I bet they could figure out a way to more precisely tune the filter so that a plaintext reference to [noun].[tld] gets through while active links to that URL, or more fulsome plaintext URLs, remain blocked.
That is, assuming Facebook actually wants to enable Facebook users to talk about Power.com or Seppukoo.com or other enterprises that threaten the Facebook franchise. Frankly, I haven't seen much evidence of Facebook's interest in those conversations. In light of Power.com's antitrust challenges against Facebook, the fact that Facebook's system suppresses legitimate conversations about Power.com (whether it had a censorious intent or not) struck me as particularly noteworthy.
Posted by Eric at 10:33 AM Permalink | Content Regulation , Domain Names , Privacy/Security , Spam | TrackBack (0) | Printable Version
July 23, 2010
Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com
[Post by Venkat, with additional comments by Eric]
Facebook v. Power Ventures, Inc., Case No. C 08-05780 (N.D. Cal. July 20, 2010)
Background: Facebook and Power Ventures (Power.com) have been locked in a battle over whether Power.com should be allowed to access Facebook on behalf of users outside Facebook’s developer channels. Facebook wants all developers to go through its channel. Power.com seemed to go down in path but decided at some point that it didn’t like Facebook’s developer channel. It accessed (on behalf of its users) Facebook’s network. Facebook sued, and Power.com became an unlikely poster child for why data portability is important.
There’s been a lot of motion practice in this case. Facebook brought the typical array of copyright/computer fraud and abuse act claims that survived a motion to dismiss from Power.com. Power.com brought antitrust counterclaims that the court knocked out (with leave to amend). Facebook focused on its attention on its claims under the California computer crime statute (section 502), and moved for judgment on the pleadings. EFF filed an amicus brief arguing for a narrow construction of the statute. (In the meantime, there was a recusal by the judge who initially drew the case and dealt with the preliminary motions.) The court now deals with Facebook’s request for summary judgment or judgment on the pleadings that Power.com violated section 502, as well as a few other motions.
The Court’s Treatment of the Claims:
Standing under section 502: Power.com argued that Facebook lacked standing under section 502. The court easily disposes of this argument by noting that Facebook was forced (or decided it was prudent) to implement technical measures following its discovery that Power.com accessed its network. The court notes that there’s no dollar amount threshold, and rejects Power.com’s attempt to rely on its declaration that Facebook would not have had to invest any substantial amounts to implement these new technical measures.
Power.com’s liability under section 502: Facebook argued that Power.com accessed Facebook’s network without authorization because it exceeded the scope of the authorization allowed by Facebook’s terms of service. The court looks to the legislative history behind section 502 and declines to give legislative statements the broad-reaching meaning that Facebook urges. Facebook argued that any access in excess of authorization constitutes a violation of section 502, and the court doesn’t seem to agree with this. EFF filed an amicus brief arguing for a narrow interpretation of section 502. EFF also argued that Power.com’s actions did not violate section 502. The court settles on an interpretation of section 502 that requires some sort of circumvention of :
Technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.
[The court also drops a footnote noting that even though the defendant may not be liable under section 502, the defendant may still be liable for breach of contract. The footnote does not mention claims under the Computer Fraud and Abuse Act.]
Ultimately, the court leaves Facebook room to still make out a claim but says that (under section 502 at least) it can’t merely be based on a terms of service violation:
the Court finds that Power did not act “without permission” within the meaning of Section 502 when Facebook account holders utilized the Power website to access and manipulate their user content on the Facebook website, even if such action violated Facebook’s Terms of Use. However, to the extent that Facebook can prove that in doing so, Power circumvented Facebook’s technical barriers, Power may be held liable for violation of Section 502.
Power.com’s counterclaims based on Facebook’s alleged anti-competitive conduct: Facebook moved to dismiss Power.com’s antitrust claims against Facebook. The court focuses on Power.com’s allegations about Facebook’s acquisition of monopoly power. According to Power.com, Facebook gained monopoly power through allowing users to invite their friends (and making it easy), allowing people to access other networks through Facebook, while at the same time not allowing people to access Facebook through other networks. Power.com also alleged that Facebook alleged baseless intellectual property claims to dissuage new entrants into the market.
The court rejects these arguments, finding that Facebook has no obligation to allow others to access its network and it can set the terms of access without running afoul of antitrust rules. The court also finds that taking steps to protect its rights does not mean that Facebook is engaging in anti-competitive behavior.
Power.com’s affirmative defenses: The court previously struck Power.com’s affirmative defenses of copyright misuse and fair use. Power.com amended their pleadings and the court lets these affirmative defenses stand. The court’s discussion is a little sparse on whether these defenses actually are viable, but the court declines to strike them on the basis that the allegations provide Facebook with enough facts to put Facebook on notice as to what is being claimed.
__
I’d say overall it was not a big loss for Facebook. It still has viable claims under the Computer Fraud and Abuse Act and potentially copyright (in addition to auxiliary spam and other) claims. It has a chance to prove a violation of section 502 by showing that Power.com engaged in circumvention of a technical measure (IP address blocking, or additional security measures which Facebook implemented).
This is somewhat of a win for EFF, which got a ruling with a narrow construction under section 502. I’m not sure how useful this ruling will be in the Computer Fraud and Abuse context. Also, the court’s willingness to use circumvention of any technical measure to find a violation of section 502 sets a low bar. Still, in the garden variety context where an individual accesses a network in violation of the terms of service, section 502 claims don’t seem as likely (under the court’s ruling).
Power.com continues to slog it out. I’m guessing it will see this litigation as fairly unprofitable sooner rather than later, particularly with its antitrust claims out the window (I can’t imagine they thought these were terribly viable to begin with, judging by their initial set of allegations). Of course, they can bring their affirmative defenses and engage in some discovery, but this is not likely to bend the will of a company such as Facebook.
Additional Coverage:
Wendy Davis: “Facebook Rebuffed In Case Against Social Aggregator Power.com”
ars technica: “Social network aggregator no crook for violating Facebook TOS”
________
Eric's comments: A very small number of rulings have interpreted California Penal Code Sec. 502, the state law analog to the Computer Fraud & Abuse Act and a partial statutory codification of common law trespass to chattels. Based strictly on the statutory wording, Penal Code 502 (which authorizes civil suits in addition to being a criminal sanction) is the most plaintiff-friendly of the three doctrines because it does not require the plaintiff to show any minimum quantity of loss or harm from the defendant's harm.
This ruling partially reinforces why Penal Code 502 remains the most plaintiff-friendly of the three doctrines. Effectively, Facebook made the requisite showing of harm from Power.com's conduct even though Facebook's only purported harms appear to be remediation efforts. As the court says:
Defendants’ admissions that Facebook attempted to block Power’s access and that Power provided users with tools that allowed them to access the Facebook website through Power.com demonstrates that Facebook expended resources to stop Power from committing acts that Facebook now contends constituted Section 502 violations.
This is a bootstrapped type of loss that will be true in almost every anti-server use case.
The court then takes a decidedly less favorable turn when it comes to the authorization/permission question. Many CFAA rulings have allowed user agreements to delimit the authorized use of the plaintiff's servers. The court rejects that approach here, saying, in effect, that because Penal Code 502 is a criminal statute, allowing the user agreement to establish the boundaries of permitted server use is improper. I agree with that statement (some of you may recall my posts about the Lori Drew prosecution, conviction and dismissal). However, I would note Facebook's lawsuit is a civil case, not a criminal case, so the court could have distinguished between the legal requirements of criminal and civil cases. In particular, it was odd to see the court discussing constitutional limits to criminal prosecutions in a case where neither litigant really cared directly about the scope of criminality.
Even if the contract does not provide adequate notice to defendants, the court allows plaintiffs to delimit the permitted/authorized use of their severs technologically, and transgressions of those technological limits appears to satisfy the Penal Code 502 requirements and the constitutional protections applicable to a criminal prosecution. The court says:
the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.
This is because defendants are adequately put on notice when they encounter a technical block and try to route around it; therefore, with the technical block requirement, the statute will satisfy even the more stringent notice requirements of criminal law. There remained a factual dispute about Facebook's technical blocking efforts in this case based on the procedural posture of the case, so that point remains open for now.
If this case ends up setting the precedent that a user agreement cannot set the boundaries of authorized uses of computer servers in the California Penal Code Sec. 502 context, then this is a pretty important ruling. However, I don't really believe that result will necessarily be reached in other cases, especially given that Judge Ware disagreed with Judge Fogel's ruling in Facebook v. ConnectU on the same question.
In Cyberlaw I teach that an anti-computer trespass civil claim satisfying the four elements will probably win:
* Third party system use
* Damage
* Actual notice that use unpermitted
* Technological self-help
If Facebook can show these four elements, it has a good chance at winning the Penal Code 502 case; indeed, this ruling indicates that under Penal Code 502, the damage element is easy to meet and the notice/self-help elements effectively merge together. If you are prepping an anti-trespass case, the more clearly you can show all four elements, the more likely the court will find a legal doctrine to help you.
Posted by Venkat at 12:29 AM Permalink | Content Regulation , Licensing/Contracts , Privacy/Security | Printable Version
July 20, 2010
Book Review: Building Web Reputation Systems by Farmer & Glass
By Eric Goldman
Building Web Reputation Systems by F. Randall Farmer & Bryce Glass (O’Reilly 2010) [affiliate link]
As you may know, for the past couple of years, I have been researching how we regulate reputation systems. My most recent recap of my progress-to-date. As part of researching other disciplines’ approaches to reputation systems, I was pleasantly surprised to find this book, which discusses web reputation systems from a technical/product development standpoint. I'm not aware of other books directly on point, so that alone makes the book noteworthy. [If you know of analogous books that I should look at, I'd be grateful for the references.]
The word “reputation” is a complex and nuanced word. This book defines reputation as “information used to make a value judgment about an object or a person.” Notice how this definition treats reputation as actionable information (i.e., making a “judgment”). I favor that approach; my work also uses an actionable definition of reputation.
Their definition equally treats both objects and people as having “reputation,” and this does not work. In general, people are dynamic, i.e., they can change behavior; while content is static, i.e., an item of content does not change its character unless subsequently edited. This single definition of "reputation" created significant tension throughout the book. Recognizing this, the authors often bifurcated the discussion to separately address the process of establishing a person’s “reputation” (which they confusingly called “karma”). However, the book primarily focuses on grading and sorting content items, especially user-generated content, and I personally would not describe content items as having a “reputation.” As a result, I think the book is mistitled. It principally addresses content filtering, not “reputation” as I use the term.
Although this analytical tension pervades the book, the book nevertheless contained a lot of useful insights about both content filtering and establishing user trustworthiness. The authors have a lot of experience building filtering systems for different websites, so the book is packed with the kind of first-hand observations that only an insider can offer. There’s no substitute for the voice of experience when designing Web 2.0 UGC systems, and this book provides an easy and accessible way to learn some tips and tricks.
The book emphasizes the authors’ contributions to the reputation system at Yahoo Answers, and rightly so. Yahoo Answers has emerged into a bona fide success story and recently trumpeted its billionth answer. In my opinion, the book’s high point is Chapter 10, a case study of how Yahoo Answers developed a new filtering and reputation system that helped turbocharge the Yahoo Answers community.
Although the book doesn’t say this directly, two key lessons from Yahoo Answers’ evolution are:
1) UGC websites should let users vote on content, but not all user votes should be weighted equally.
2) UGC websites do not need to publish all user-supplied content items in an equally prominent manner. Perhaps some content should be obscure/hard-to-find until other users validate it.
The book pitches these conclusions as novel, but they seemed fairly intuitive to me. We implemented a very similar system embodying these two points back in 2000-01 at Epinions. Epinions allowed users to grade each others’ content; we weighted votes differentially based on users’ credibility; and we displayed ungraded and poorly graded content only to registered users (a small fraction of our readers). The fact that the authors “discovered” these conclusions at Yahoo Answers shows the dire need for books like this to help websites implement best UGC management practices without reinventing the wheel.
The fact that the authors didn’t acknowledge the Epinions precedent (and other systems like it) highlights another weakness of the book. There is a deep academic literature addressing the book’s topics (especially on content filtering and user incentive systems), but the book barely acknowledges this literature. For example, several times the authors cite Dan Ariely's Predictably Irrational for descriptions of human psychology and foibles. That's a perfectly credible citation, but it should be one of many literature citations, not the only citation. Instead of dipping into the rich academic literature, the book almost exclusively relies on the authors’ experience-based impressions. These impressions are a valuable information source that makes the book worth reading. However, because those impressions aren’t tempered with more rigorous academic findings, it’s not clear to me at all that the authors’ conclusions represent true best practices...or even state-of-the-art.
Because of its many structural flaws, this edition will not become a classic. Nevertheless, I have enthusiastically recommended the book to several UGC start-ups because the book provides a good repository of high-value experience-based perspectives that are not readily available elsewhere. Even if the book’s recommendations are debatable, it’s a debate worth having.
Posted by Eric at 06:39 AM Permalink | E-Commerce , Internet History | TrackBack (0) | Printable Version