« October 2009 | Main | December 2009 »
November 30, 2009
MySpace Quietly Won Goofy 230 Ruling in September--Riggs v. MySpace
By Eric Goldman
Riggs v. MySpace, Inc., 2:09-cv-03073-GHK-CT (C.D. Cal. Sept. 17, 2009)
This case has received some modest attention throughout its history (including a quick mention here when the court upheld MySpace's user agreement), but the district court's dismissal of the case appears to have been completely overlooked.
Riggs created a MySpace profile that she used to authenticate celebrities' MySpace pages to distinguish them from the many fake celebrity profiles on MySpace. Her most substantive gripe is that MySpace deleted Riggs’ profile twice, and she claims MySpace was negligent to do so. There are several reasons why MySpace should not be liable for deleting her profile, including most obviously the many self-serving provisions in MySpace's user agreement (which the court mentions as an alternative basis of its dismissal). However, 47 USC 230(c)(1) does not appear to help MySpace because it only immunizes MySpace from liability based on third party content. Nevertheless, the district court rules against Riggs on 230(c)(1) grounds, saying:
Given that both claims for negligence are based on the deletion of Plaintiff’s profiles, a decision by MySpace to effectively “remove content” created by Plaintiff from its website, MySpace’s actions are immune from liability under Section 230(c)(1) of the CDA.
After reading this sentence a couple of times, it appears that the court is treating Riggs' own content as the content that Riggs wanted to hold MySpace liable for—technically, the "information provided by another information content provider." I believe that treating a plaintiff's content as "information provided by another information content provider" is a novel reading of 230(c)(1). I also don’t think it’s the logical reading of 230(c)(1)’s grammar, especially the reference to “another.”
The court’s decision is even more puzzling because 230(c)(2), which immunizes a service provider for filtering content it subjectively deems "objectionable," seems to squarely cover MySpace’s deletion of Riggs’ account. Could the court have intended to rule for MySpace on 230(c)(2) grounds, not 230(c)(1) grounds, and just got confused? Or perhaps the court collapsed the two provisions together, which my research assistant and I found occurred with surprising regularity in our comprehensive survey of 230(c)(2) cases. So while I think the 230(c)(1) dismissal was goofy, I would support the same outcome on 230(c)(2) grounds.
Riggs also complained that MySpace should have taken more efforts to police against fake celebrity profiles. The court rejected this claim on 230(c)(1) as well (appropriately used this time).
The remainder of Riggs' arguments didn't fare any better, and the court dismissed the entire complaint without leave to amend. Riggs has appealed the case to the Ninth Circuit. It will be interesting to see what they do. Given the Ninth Circuit's apparent loathing of 230(c)(1) and the district court's goofy statutory reading, there is a non-trivial risk that the Ninth Circuit will do something crazy here.
Posted by Eric at 12:57 PM | Derivative Liability | TrackBack
November 27, 2009
Web Host Can Terminate Customer for Abusive Call to Customer Support--Mehmet v. Add2Net
By Eric Goldman
[This is a relatively minor pro se case, which is why I've let it sit this long, but it has a couple of interesting facets that make the case worth blogging even at this late date.]
Mehmet v. Add2Net, Inc., 2009 WL 3199876 (N.Y.A.D. Oct. 8, 2009). The opinion (starting on page 39).
This case is a nice example of online providers' broad discretion to terminate their users. The dispute involves a web host and its customer. The customer stopped payment, so the host (apparently legitimately) turned off his site. In response, the customer left a nasty voicemail containing an "obscene word." The provider then wrote back to say the relationship was finis. In support of this, the provider cited a user agreement provision banning customers from "abusing" any of the web host's employees. The host took the position that the customer's voicemail breached this clause, justifying the final termination.
The user agreement's exact clause says that customers agree "not to abuse whether verbally or physically or whether in person, via email or telephone or otherwise ... any employee or contractor." Have you ever seen a clause like this? I haven't, nor would I choose to include such an amorphous clause in any contract I drafted. I do appreciate the provision's spirit, especially with all of the mania about anti-cyberbullying and providing safe employment environments, but I have a hard time imagining a covenant that would be enforced more inconsistently or arbitrarily. As a result, a clause like this is virtually tantamount to saying that the vendor can turn off customers whenever it wants.
So, should online service providers add these provisions to their online user agreements? In the wake of the Lori Drew prosecutions where the courts and prosecutors have been overinterpreting user agreements, I have argued against laundry lists of negative covenants in user agreements, but here the clause proved useful. Then again, the customer's initial failure to pay might have given the web host all of the recourse it actually needed.
For virtual world enthusiasts, I would connect the dots between this case and the recent Estavillo v. Sony case, which said that virtual worlds are not company towns. In this case, relying on the ridiculously overbroad negative covenant, the web host wiped out all of the customer's data files in the final termination. Thus, this ruling would seem to support that a virtual world provider similarly could include overbroad negative covenants in its user agreement, arbitrarily enforce a breach against a customer, wipe out the customer's online presence (and all of the digital assets stored in the virtual world), and face no recourse for the loss of those digital assets. I trust this reinforces the uneasiness of virtual world enthusiasts.
More perspectives on the lawsuit from Mehmet himself. It appears he is a serial plaintiff. That may have been material to the court's consideration.
HT: Evan Brown
Posted by Eric at 01:37 PM | Licensing/Contracts , Virtual Worlds | TrackBack
November 24, 2009
Teeth Whitening System Brings "Sue the World" Lawsuit Against Ad Agency, Competitor and Search Engines--Dazzlesmile v. Azoogle
By Eric Goldman
Dazzlesmile, LLC v. Epic Advertising, Inc., 2:09-cv-01043-PMW (D. Utah complaint filed Nov. 23, 2009)
Dazzlesmile sells a teeth whitening system. Presumably these systems generate fat profits, because Dazzlesmile has brought an expensive "sue-the-world" lawsuit against its ad agency, its competitor and the search engines.
Azoogle/Epic
The lawsuit against Azoogle/Epic is partially based on a miscalibrated cost-per-acquisition (CPA) deal. Azoogle sold Dazzlesmile on a CPA deal which pays Azoogle $43 for making a $4 sale with negative-option continuing revenue streams, i.e., the consumer has to cancel after the free trial period or he/she automatically gets shipped and charged for more whitening stuff. If the ongoing revenue stream is great enough, it can make sense to pay out big upfront commissions to get the sale. However, this payment structure creates lots of mischief possibilities.
In this case, Dazzlesmile alleges that its competitor engaged in "CPA fraud" by placing thousands of orders, coincidentally generating over $100k of commissions to Azoogle in one week. Dazzlesmile also complains that its products were being promoted by spam, fake blogs and other problematic ads in contravention to Azoogle's promises. Finally, Dazzlesmile complains that a rogue affiliate packaged two different systems into the same ad, causing consumers to order both products and then renege when they realized Dazzlesmile's terms.
The odd thing about this complaint is that Dazzlesmile tries to portray itself as the white-knight advertiser that wants to do right by consumers, while the evil Azoogle kept tempting Dazzlesmile to cut corners and take undeserved money from consumers. I understand the value of this positioning, but I find it a little hard to believe. You kind of know what to expect when you're dealing with Azoogle, and I'd be surprised if Dazzlesmile is a fully innocent naïf.
Competitor Lawsuits
Dazzlesmile also claims that its competitor slapped counterfeit "Dazzlesmile" labels on a different teeth whitening system. It further claims that Azoogle and the competitor conspired to use Dazzlesmile's advertising copy in Azoogle's network to direct teeth whitening customers to the competitor. It also claims these defendants used the Dazzlesmile trademark in a host of inappropriate ways, including in spam, as keyword ad triggers, in domain names, and in astroturfed content. Dazzlesmile claims it has received 10,000 misdirected customer support inquiries from duped customers.
Lawsuits Against the Search Engines
Dazzlesmile drags Google, Yahoo and Microsoft into the lawsuit for selling keyword advertisements despite Dazzlesmile's cease & desist letter to stop doing so. Oddly, the complaint pleads the search engine's liability as "vicarious liability," which should be DOA. Vicarious trademark infringement requires an agency relationship between the search engines and the advertisers, which the complaint doesn't (and can't) plead. If it's a non-IP form of vicarious liability, then it's preempted by 47 USC 230. So I predict Dazzlesmile will have to amend its complaint against the search engines to allege some other legal theory, or the search engines will exit this particular matter quickly.
Interestingly, the complaint alleges ripoffs of both its copyrightable ad copy and its trade secret protectable marketing plans, but the complaint does not allege either copyright infringement or trade secret misappropriation.
Conclusion
Dazzlesmile's complaint, if completely accurate, tells a story filled with legal wrongs, but I'm not sure I found it all that convincing. I will have to see the defendants' responses before I can begin to form any conclusions about its overall merit.
It does point out one troublesome spot as a good practice pointer. I know a lot of advertisers think they prefer CPA pricing over CPC or CPM pricing because they are more clearly paying for results, but this case provides a good illustration that a miscalibrated CPA price is no better at reducing unwanted spending than a miscalibrated CPC or CPM. At minimum, I’m surprised that Dazzlesmile apparently didn't include some provision in the CPA formula allowing it to avoid payment for chargebacks or immediately returned products. If you're an advertiser doing CPA deals, make sure you have robust enough exclusions to the CPA obligations so that you are truly paying for bona fide results.
AdWords Lawsuit Roster
The updated roster of pending AdWords cases:
* Ezzo v. Google
* Rescuecom v. Google
* FPX v. Google
* John Beck Amazing Profits v. Google and the companion Google v. John Beck Amazing Profits
* Stratton Faxon v. Google (not initially a trademark case)
* Soaring Helmet v. Bill Me
* Ascentive v. Google
* Jurin v. Google 1.0 (voluntarily dismissed), succeeded by Jurin v. Google 2.0
* Rosetta Stone v. Google
* Flowbee v. Google
* Parts Geek v. US Auto Parts
* Dazzlesmile v. Epic
Posted by Eric at 06:05 PM | Derivative Liability , Marketing , Search Engines , Trademark | TrackBack
November 22, 2009
Keyword Advertising Lawsuit Survives Motion to Dismiss--Morningware v. Hearthware
By Eric Goldman
Morningware, Inc. v. Hearthware Home Products, Inc., 2009 WL 3878251 (N.D. Ill. Nov. 16, 2009)
I keep getting calls from reporters operating under the misimpression that trademark owner-vs.-search engine keyword advertising lawsuits are more common than trademark owner-vs.-keyword advertiser lawsuits. While the lawsuits against search engines certainly get way more press coverage, in reality they are relatively rare. I don't have an exact count of pending lawsuits, but only 10 immediately come to my mind (9 against Google and the AA v. Yahoo case). In contrast, trademark owner-vs.-advertiser lawsuits are so numerous that I don't blog on every complaint I see, and most trademark owners are wise enough to leave the search engines out of their litigation.
This is a fairly run-of-the-mill trademark owner-vs.-advertiser case. The parties compete in the "counter-top electric oven" market. The advertiser purchased the plaintiff's "Morningware" trademark as a keyword and displayed the following ad copy: "The Real NuWave ® Oven Pro Why Buy an Imitation? 90 Day Gty." NuWave is the advertiser's brand name.
The "why buy an imitation?" language (plus, perhaps the "real" earlier in the copy) creates the real friction because Morningware argues that the ad copy implies that Morningware's products are an imitation of (presumably) NuWave. Notice that the defendant didn't reference the plaintiff's brand in the ad copy, but IMO that contributes to the overall crypticness of the ad copy. Without both trademarks being referenced in the ad copy, searchers who are not already familiar with the various brands in the countertop electric oven space (like me) may not immediately figure out the relative (lack of) relationship between NuWave and Morningware. Because I don't know any of the electric oven brands, the ad presentation did not immediately communicate to me that NuWave competed with Morningware. However, because the advertiser didn't reference the plaintiff's trademark in the ad copy, Google will not do anything more for the trademark owner, meaning that the trademark owner must go to court to attack this ad.
(Note to plaintiff's counsel: please don't subpoena me to testify to my impressions of the ad copy. I have never shopped for countertop electric ovens and I don't expect I ever will, so I know nothing about the knowledge or expectations of a reasonable purchaser. If you think I'm being a Nervous Nellie with this note, see this post).
Moving onto the opinion, the court reached an irresolute outcome on the "use in commerce" prong of plaintiff's claim, correctly noting that (1) the Seventh Circuit has not ruled on "use in commerce" in keyword advertising, (2) the Second Circuit Rescuecom case did not involve a trademark owner-vs.-advertiser claim, and (3) "a review of case law outside of the Seventh Circuit reveals that a majority of courts have found that actions such as those taken by Hearthware in purchasing Morningware's trademark as a search term constitute a Lanham Act 'use.'" Noting the parallels to the Vulcan Golf case (also an N.D. Ill. case), collectively this was enough to reject the 12(b)(6) motion to dismiss.
The advertiser also argued for a 12(b)(6) motion to dismiss on lack of consumer confusion grounds. While I understand the advertiser's hope, I think it's hard to convince a judge that the trademark owner failed to allege sufficient confusion in the complaint. This is especially true when plaintiffs invoke the stupid "initial interest confusion" doctrine, which has no doctrinal contours and therefore is simply impossible for defendants to refute at the motion-to-dismiss stage (obligatory cite to my anti-initial interest confusion rant from 2005). Citing to the abysmal 2002 Promatek case, the court says the plaintiff alleged enough initial interest confusion to survive the 12(b)(6).
There is a little more interesting discussion in the opinion about the trademark owner's disparagement claims. In the end, the court completely rejects the advertiser's motion to dismiss. This doesn't ensure the trademark owner's ultimate litigation success, but chances are we won't reach a definitive and final court ruling either. As almost all trademark owner-vs.-advertiser lawsuits do, this case will probably settle because both parties are probably incurring litigation costs vastly in excess of any profits gained/lost from "diverted" customers.
Meanwhile, advertisers buying competitive keyword advertising should take note of the risks of implicitly calling your competitor an "imitation" without explaining the relative product positioning--which isn't possible due to the limited character count of a Google AdWords ad. Because the character limits prevent fully clarifying disclosures, advertisers should consider striking the phrase "why buy an imitation?" from their keyword advertising copy toolkit.
Posted by Eric at 07:36 AM | Marketing , Trademark | TrackBack
November 20, 2009
A Look at Twitter's Updated Privacy Policy (November 19, 2009)
[Post by Venkat]
As noted on Twitter's blog, Twitter refreshed its privacy policy yesterday. Given that virtually everything Twitter does is placed under the microscope, I'm sure the policy will be pored over in detail. (Here's a link to the updated policy and a link to the old policy.)
General thoughts on the policy: The policy is short, easy to understand, and in plain English. The thrust of the policy is that most users typically use Twitter to publicly disseminate information, and users should expect any of this information to be broadly disseminated. This includes dissemination by Twitter, third party applications, search engines, etc. To the extent you want to restrict use of this information, Twitter gives you the tools to do so in your profile settings.
Much of what's in the policy is very typical of what you would find in the privacy policy of any other website or social network. However, a few things are worth mentioning:
1. Geolocation: The policy provides that you can turn geolocation on and off, and if you have it turned on, your location information is obviously broadcast and also used by Twitter. Geolocation is opt-in and this makes sense.
2. Cookies: The policy also mentions that Twitter places cookies on your computer. Virtually all privacy policies contain this, since most websites use cookies. But for some reason this part of the privacy policy jumped out at me. I guess it's a reminder of the tremendous advertising power that Twitter could wield. Everyone who uses Twitter expresses their preferences through Twitter, by clicking on links, using applications, and just through general usage. Most people probably do more, such as expressing their food, drink, entertainment, political, and other preferences. (Some more than others.) By being able to identify the computer of someone who expresses those preferences, Twitter can build a valuable network that would be useful to advertisers. I'm not only talking about advertising on Twitter.com (the web client), but also advertising on other websites or networks as well. This is pretty common in the industry, and subject to attack by privacy advocates, some of whom are pushing for an opt-in system for this type of tracking. Thus far Twitter has been free of advertising, but this is likely to change, as indicated by Twitter's own statements. (See Scoble's link below.)
3. Metadata: Interestingly, the policy also treats tweet metadata as public information ("information you are asking us to make public"). This seems to create some grey area between information which you broadcast and is truly public, and information which is available to Twitter (but not to your followers) from your use of Twitter. Robert Scoble has a post with comments from Twitter's COO signaling Twitter's turn to advertising and possible use of metadata in this context. I didn't pick up on this at first, but I think this is significant.
4. Subpoenas: The part of the policy that talks about disclosing information in response to a subpoena provides plenty of wiggle room to either require law enforcement (or a civil litigant) to obtain a subpoena or for Twitter to respond to a "legal request" (presumably, this could be a letter from law enforcement). It's probably unreasonable to expect these types of companies to always take a stand and require a subpoena or fight for the privacy rights of users when a third party tries to unmask a commenter or user, but it would be nice from the user perspective to have some clarity. I'm guessing in practice Twitter provides notice when a third party seeks information from or about a user's account, but this doesn't seem to be required under the policy. (The social media dynamic is probably a strong check here.)
What Changed?: Other than the points mentioned above, I didn't notice any other significant changes to the policy (the cookie stuff was leftover from the old policy). The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version. The provision that any transfer of information in connection with a sale of the business would be subject to the provisions of Twitter's privacy policy remains, although Twitter removed the notice provision.
It's worth mentioning that neither the old policy nor the new one clearly speak to whether Twitter or any third party can build a "profile" using information which you make publicly available. Twitter can crunch the data contained in someone's Twitter stream and obtain a wealth of information regarding a particular person. Anything ranging from their sleeping patterns, to their dietary habits and their political preferences. Of course, people make this information publicly available anyway, so they have no real argument as to why a third party should be prevented from using this information, but realistically, it would be tough to construct such a profile without access to Twitter's data and tools. Do users expect Twitter to use user information in this manner? Probably not at this juncture, but as a general matter there's nothing from a legal standpoint that would prevent this, and the privacy policy does not preclude it. These types of applications are not that far-fetched, given reports of tools to analyze someone's social network and assess their credit worthiness ("Rapleaf") or psychological profile ("TweetPsych"). Recently a story made the rounds about an insurer who denied an insurance claim based on the insured's photos posted on Facebook ("Depressed Woman Loses Benefits Over Facebook Photos"). (A host of specialized rules could come into play in this instance - ranging from rules governing financial privacy and fair credit to rules governing the employment relationship - so a privacy policy wouldn't necessarily provide a definitive answer to the question anyway.)
How Does it Compare to Facebook's Recently Revised Policy?: As far as volume, in comparison to Twitter's policy, Facebook's policy [link] reads like a (painful-to-read) epic saga. This is partially due to the fact that information sharing and interaction on Facebook is more complex, but Facebook's policy is simply impossible to read and digest in one sitting. The two policies are somewhat similar in their approach, although Facebook differs in that users don't make their Facebook data "public" in the same sense that Twitter users do. Of course, Facebook has a bit of a history of advertising initiatives and pitfalls that probably prompted the additional complexity. Facebook's policy has some interesting tweaks such as a "memoriam" for Facebook users where friends and relatives can post items about a deceased person. Also, Facebook has a deletion policy, which I didn't see in Twitter's privacy policy. (Deletion policies will become increasingly important as people try to obtain information (deleted by the user) from social networking sites in the context of litigation.)
***
The Trademark Guidelines: It's worth mentioning that Twitter also refreshed its trademark guidelines. They are pretty standard fare, but contain some rules that people pretty clearly are not following right now, for example: (1) use only the current Twitter logo to link to and promote your Twitter account ("40 cute free Twitter badges"); (2) don't use Twitter's logo on the cover of your book ("The Twitter Book"); (3) don't use screenshots of third party profiles or tweets without the third party's permission; (4) don't use Twitter marks on apparel or merchandise without Twitter's permission ("Sock Guy Socks"). The trademark guidelines also address some of the sore spots in the area of third party use of Twitter's trademarks (or terms which Twitter is trying to obtain trademark protection for): (1) "don't use Twitter in the name of your website or application;" (2) "don't register a domain name containing 'twitter';" and (3) "don't apply for a trademark with a name including Twitter or Tweet (or similar variations thereof)." Both Twitter and third party developers are trying to obtain trademark protection for the term "tweet," (see for example "CoTweet") and it's unclear as to how the battle between Twitter and these third party developers will play out. It's difficult to tell at this juncture whether Twitter's new trademark guidelines signal a true change in policy or whether it's business as usual. (See posts by Tom O'Toole here and Mike Masnick here for some discussion of Twitter's "laissez faire" attitude with respect to third party use of Twitter trademarks.)
[Edited: to add the point about disclosure in response to subpoenas or law enforcement requests. I should probably also note that I've been using Twitter for the past 15 months or so. I was going to say that I'm a "casual user," but at 5000+ updates, that's a tough claim to make!]
Posted by Venkat at 12:15 PM | Privacy/Security , Trademark
November 18, 2009
Citysearch Click Fraud Class Certified--Menagerie v. Citysearch
By Eric Goldman
Menagerie Productions v. Citysearch, 2009 WL 3770668 (C.D. Cal. Nov. 9, 2009)
While we don't hear much about click fraud litigation any more, there are still some click fraud lawsuits percolating through the courts, including this one against Citysearch. I initially blogged on the case under a different name, Lambotte v. IAC/InterActiveCorp.. Lambotte is out as a named plaintiff and Menagerie Productions now gets the honor.
The big news is that earlier this month, the judge certified claims for breach of contract and fraud under California’s unfair competition law for the following class:
All persons or entities in the United States who entered into form contracts for pay-per-click advertising through Citysearch.com, paid money for this advertising service, and experienced click fraud by reason of double clicks or Citysearch's failure to apply automatic filters to traffic from its syndication partners up through March 23, 2007
In light of the Vulcan Golf court's refusal to certify a class against Google's AdSense for Domains program, the class certification here is a mild surprise. However, that case involved trademarks, which are inherently more amorphous than even click-counting. Certainly, the plaintiffs' lawyers have to be happy about this development. Although Citysearch still has some powerful defenses, I'd be surprised if the plaintiffs walk away from this case empty-handed.
Posted by Eric at 07:04 AM | Licensing/Contracts , Marketing | TrackBack
November 17, 2009
AALS Law & Computers Meeting in New Orleans
By Eric Goldman
I'm pleased to announce the AALS Section on Law and Computers program at the AALS annual meeting in New Orleans on Saturday, January 9, 2010. This program was developed in response to the Call for Papers we did earlier this year, and I think this panel should be really interesting. Unfortunately, AALS misprinted the panel's composition in their program guide, so I'm hoping to correct the error here.
Program Title: Law & Wikis
Moderator: Eric Goldman, Santa Clara University School of Law
Papers:
* Crowdsourcing and Open Access: Collaborative Techniques for Disseminating Legal Materials and Scholarship, Timothy K. Armstrong, University of Cincinnati College of Law
* The Role of Wiki Authorship for the Curatorial Audience, Jon M. Garon, Hamline University School of Law
* Wikipedia and the E.U. Database Directive, Jacqueline D. Lipton, Case Western Reserve University School of Law and Visiting Professor, University of Florida Levin College of Law
* Wikitruth Through Wikiorder, David Hoffman & Salil Mehra, Temple University School of Law [the paper is co-authored but only Mehra will be presenting]
Also, the business meeting will be more interesting than most. The agenda includes:
* a proposed change to the section's name to the "Section on Internet and Computer Law"
* a long-term initiative to schedule a mid-year joint session between our section and the IP section
* the always exciting vote for next year's section officers
I hope you can join us. Look forward to seeing you there.
Posted by Eric at 09:24 PM | General | TrackBack
November 15, 2009
Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft
[Posted by Venkat]
In what probably belongs in the "software doesn't surreptitiously record conversations, people do" file, a federal court in Tennessee rejected Electronic Communications Privacy Act and product liability claims brought by someone whose ex-spouse used software to log internet activity and communications. (Access a copy of the order here [scribd].)
The case presented a now-familiar fact pattern of the use of monitoring (in this case keylogger) software by a spouse to keep track of the online activities of the soon-to-be ex-spouse. The plaintiff (Thomas Hayes) sued SpectorSoft, which produced two pieces of software used by his ex-spouse and someone else to monitor his instant message, email, and browsing activities. Hayes alleged violations of the Electronic Communications Privacy Act and also asserted negligence and product liability claims. The court granted SpectorSoft's motion for summary judgment and dismissed the case.
With respect to the ECPA claims the court concluded that Hayes needed to prove that SpectorSoft intended for the communications to be wrongly intercepted, and that Hayes's evidence that SpectorSoft marketed the software to spouses who were conducting surveillance was insufficient to show this intent. According to the court, the type of intent required by the ECPA was that the defendant must have the "conscious objective" to cause the result (i.e., the unlawful surveillance and disclosure). The court cites to In re Pharmatrak where the First Circuit found that a web-monitoring company's gathering and inadvertent disclosure of information about web users did not violate the ECPA due to lack of intent. The court also relied on the fact that the person who installed the SpectorSoft software clicked through a terms of use agreement which contained a representation that the software would only be installed on computers which the user owned, or computers on which the user was authorized to install the software. (SpectorSoft is a classic passive conduit and presented ample evidence that it did not know of the underlying violations.)
Plaintiff also made a creative argument that the SpectorSoft software was "unreasonably dangerous." The court expressed doubt as to whether software qualified as a product at all, and in any event concluded that plaintiff failed to demonstrate that the software was unreasonably dangerous by putting forth evidence that SpectorSoft could have taken alternative measures that would have prevented the inadvertent disclosure.
The court's decision is not surprising, given that (1) SpectorSoft did not conduct the eavesdropping but only provided the tools to facilitate it and (2) the software could be used to conduct multiple lawful activities (monitoring children, employees, archiving messages). The decision was also not surprising given that the installation and use of the software could have been avoided if the user had taken adequate security precautions. (Sidenote: I wonder if it's farfetched to argue that one spouse has the right to access the email and other accounts of another spouse based on some community property-like theory?)
I guess at the extreme end of the spectrum a court may be willing to hold a software company liable for developing software where the only possible use is to conduct unlawful surveillance, but this fact pattern wasn't even close. Holding the software company in that instance would also raise potential First Amendment/crime-facilitating speech issues (?).
Related: In late 2008, a federal court halted sales of keylogger/do it yourself spyware software. (See coverage at Wired and JOLT Digest.) Also, this type of a claim has a higher likelihood of success when brought against the ex-spouse, rather than the software company, as noted by Tom O'Toole here.
Posted by Venkat at 08:13 PM | Privacy/Security
November 12, 2009
Tagged Settles Spam and Address Book Harvesting Claims Brought by NY and TX Authorities
[Post by Venkat]
Tagged, which is supposedly the "third-largest social networking site in the world" (whatever this means) recently settled enforcement actions brought by New York and Texas Attorneys General. (See coverage at Bits and Media Post.)
The basic allegations were that Tagged sent emails to people which falsely implied that the people were depicted (or "tagged") in photos in order to get people to sign up for the service. At sign up Tagged also allegedly failed to disclose that Tagged would access the address books of users and send emails trying to get friends of these users to sign up.
The Tagged settlements - details of which are recapped by David Johnson here - required Tagged to pay 250,000 and 500,000 to Texas and New York, respectively. The settlements also require Tagged to provide users with greater disclosure and require Tagged to jump through certain hoops before accessing the address book of a user. David notes that the enforcement actions were brought under a variety of New York statutes including New York's deceptive trade practices law and false advertising statutes. He notes that those statutes "would not be preempted by CAN-SPAM . . . [but] we will never know" for sure, since Tagged settled.
Although Tagged chose not to fight the battle, there's another case pending in California that is roughly analogous, where the court ruled that claims arising out of similar conduct were preempted by CAN-SPAM. (Hoang v. Reunion.com, discussed by Ethan here and here.) As Ethan notes, in the Reunion case, Judge Chesney ruled that CAN-SPAM preempted pretty much every type of email-based claim except for those sounding in common law fraud. Common law fraud has a high damage threshold and because none of the plaintiffs were able to show that they actually relied on, or suffered out of pocket loss due to, misstatements in any Reunion emails, Judge Chesney dismissed the claims against Reunion. (Incidentally, that case is mired at the district court level. Plaintiffs have indicated they plan to appeal, but defendants moved for sanctions based on the fact that plaintiffs represented to the court that they could file a third amended complaint containing adequate damage allegations but ultimately changed their minds and decided they wanted to appeal. The court deferred ruling on the pending motions and requested additional briefing from the parties.)
Tagged is also defending against a class action filed in California. The plaintiffs in this case allege claims under the Computer Fraud and Abuse Act and the Stored Communications Act, among other statutes. (You can access a copy of the complaint here (scroll down).)
So, what to make of these lawsuits against Tagged and Reunion?
1. I'm inclined to agree with Ethan that Reunion went too far in concluding that only claims for common law fraud are carved out of CAN-SPAM's preemption clause. Mummagraphics - the early appellate preemption case - concluded that immaterial errors are not actionable, but that's a far cry from the high bar set by the court in the Reunion case.
2. CAN-SPAM's preemption clause has a second exception for laws that "are not specific to electronic mail," I don't understand why plaintiffs don't try to rely on non-email specific laws. The Reunion plaintiffs brought claims under California spam statutes. Maybe there were structural (standing or damages-related) reasons for why they did so, but I was surprised they didn't just bring claims under California's unfair business practices statute. On a related note, with respect to the Tagged class action, the Computer Fraud and Abuse Act and Stored Communications Act don't seem like a good fit for these types of claims. The Computer Fraud and Abuse Act has a damage threshold that is probably tough to satisfy, and the Stored Communications Act regulates access to the contents of communications.
3. There isn't a ton of law on the scope of California's anti-spam statute, but the Ninth Circuit certified an issue to the California Supreme Court in Kleffman v. Vonage. I'm not sure if this ruling will add to the mix, but it should be interesting to see what the court does here.
4. It's tough to say whether these lawsuits illustrate that enforcement is better left in the hands of government regulators or whether private parties should play a role in enforcement. Excluding large ISPs, private plaintiffs don't seem to have accomplished very much by way of stopping spam. If anything, they have pushed the envelope, and ended up with a framework that makes private enforcement much harder. That said, here the Texas and New York enforcement actions followed the California class action against Tagged, so it's tough to say.
5. Where is the FTC in all of this? Busy regulating paid endorsements by bloggers I guess.
Posted by Venkat at 08:54 AM | Spam
November 11, 2009
Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit -- Krottner v. Starbucks
[Post by Venkat]
A lost laptop computer containing the personal information of Starbucks employees prompted a class action lawsuit against Starbucks (in Washington). The lawsuit received some coverage (see, for example Bob McMillan here, and Starbucks Gossip here), but the trial court's dismissal of the lawsuit received almost no coverage. (I mentioned the lawsuit, but failed to note the court's dismissal of it. Here is the one mention I came across of the dismissal.) Plaintiffs appealed the dismissal to the Ninth Circuit, and their just-filed appeal brief is worth a look. Access a copy of the brief at scribd here.
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contain a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
Posted by Venkat at 03:51 PM | Privacy/Security
November 10, 2009
A New Way to Bypass 47 USC 230? Default Injunctions and FRCP 65
By Eric Goldman
I recently got the following email from David Gingras, the relatively new General Counsel of the Ripoff Report (reposted with his permission):
________
"As you know, Ripoff Report has defended, and won, a lot of CDA cases in the past few years. Although we still get a new case every so often, plaintiffs and their lawyers seem to have gotten the message that lawsuits against us aren’t likely to prevail. Good news, I suppose.
Despite this, a new strategy is arising....In a nutshell, what seems to be happening is that defamation plaintiffs are no longer naming Ripoff Report as a party (which is good). Instead, they are going after the original author (also good, assuming the claim is legitimate).
However, something odd is happening – these cases almost always result in a default. Without any defendant there to argue otherwise, the courts seem willing to grant virtually any relief requested by the plaintiff; i.e. an injunction requiring the removal of the offending material. Once that happens, the plaintiff will approach Ripoff Report with their default injunction and demand that we remove whatever postings they ask us to, even when we were not a party to the case and even if the truth of the statements has never been litigated. Their argument tends to be that under FRCP 65, injunctions can be enforced against non-parties as long as they are acting in “active concert” with a party, so they simply claim we are acting in concert with the author, whatever that means.
In this scenario, it’s almost as if 47 USC s. 230 doesn’t exist at all. In other words, if you are a plaintiff seeking to remove a negative online posting, you’re not going to succeed with any claims against the site. However, that need not stop you – all you have to do is file a lawsuit against someone, claim they were the author, make sure they default, and then ask the court for an injunction (even if it affects a non-party) and voila! You have just accomplished your goals without even really trying!....
[I]t seems to me that if courts allow this type of thing to happen, then the CDA is essentially meaningless – by “litigating” the merits of the case against a non-existent defendant and then approaching Ripoff Report after-the-fact, a plaintiff can obtain relief that they would never be able to get in a legitimate adversarial proceeding, and we’re stuck trying to get the judge to put the genie back into the bottle.
Can plaintiffs use this tactic to get damages from a website/host? Well, not initially, but once you have an injunction requiring the removal of material from the site, the door is open to asking for contempt sanctions if the website doesn’t comply, and that could allow essentially unlimited damages – even when the original claims were time-barred (note: the statute of limitations is an affirmative defense which is waived if the defendant defaults), or even if the original postings were true.
...I am very concerned that this is the start of a new trend. Using a baseball analogy, it’s almost like the plaintiff takes the field alone, plays the game, declares itself the winner, and then finally tells the other team about the game. Should the umpires allow this? No, of course not, but what happens when they do?"
________
David's email raises a fascinating doctrinal question of the interaction between FRCP 65(d) and 47 USC 230, but I wonder how often these issues come up in the field. Ripoff Report is relatively unique among consumer review sites (and UGC sites generally) because it vows never to remove user postings, even if a user asks Ripoff Report to remove the post. In contrast, most UGC sites would speedily comply with a default injunction, no questions asked—especially if the user is not around to protest the takedown. Or the user folds in the face of a demand from a putative plaintiff and deletes the content him/herself, at which point the service provider doesn't even know there was a problem.
Nevertheless, I think David may be witnessing a new and cutting edge way to effectuate illegitimate content takedowns. Many websites that initially stand up for their users, emboldened by the 230 shield, will instantly crumble when presented with a default injunction. For the price of a complaint and a defendant’s default (which can be engineered by targeting a phantom author), plaintiffs obtain an effective cudgel to excise unwanted content throughout the web. Because this could become a cost-effective way of suppressing socially valuable critical content, I encourage UGC sites to be circumspect about honoring default injunctions against user content.
If a UGC site chooses to contest a default injunction, 47 USC 230 should trump FRCP 65. FRCP 65(d) applies to non-litigants in "active concert or participation" with the defendant. Typically, the only relationship between the content producer/defendant and a UGC website is that the website is republishing the defendant’s content. 230 preempts any effort to treat a website as the publisher of third party content, and I think that’s exactly what FRCP 65(d) does.
Now, if a court has properly adjudicated some content as tortious or illegal, it would be socially desirable for the website to remove the content. This is why a court orders the injunction in the first place. However, David’s example assumes an incomplete adjudication because of the default. So if a website contests a default injunction against user-supplied content, a court should do a more thorough evaluation of the plaintiff’s merits. If the court concludes—following a properly contested proceeding—that the injunction was in fact appropriate, only then should the publisher be compelled to remove the content.
Unfortunately, most judges will expect websites to honor a default injunction without question, and therefore they will be reluctant to reconsider the injunction’s merits. Apropos of that, David sent me a report of a hearing from last week involving Ripoff Report's effort to contest a FRCP 65 default injunction. He says that the "judge was apparently ‘incredulous’ at our position – [wondering] why can’t we just agree to take the postings down?" Nevertheless, the judge gave Ripoff Report a chance to brief the matter. I’ll be interested to see if Ripoff Report can make any headway with the skeptical judge. Whatever you think about Ripoff Report generally, I applaud their efforts to defend their users’ words and ensure judicial accuracy rather than rolling over like most UGC sites would.
Posted by Eric at 11:50 AM | Derivative Liability | TrackBack
November 06, 2009
Google AdWords Litigation Keeps Rolling In--Parts Geek v. US Auto Parts
By Eric Goldman
Parts Geek LLC v. US Auto Parts Network Inc.,3:2009cv05578 (D.N.J. complaint filed Nov. 2, 2009) [warning: 3MB PDF]. The Justia page.
In my world, we have an honor code among geeks--thou shalt not harm other geeks. As you can imagine, then, I was a little sad to see geek-on-geek litigation like this one, where auto parts geeks are suing computer geeks. Can't we geeks all get along?
Parts Geek is an online retailer of auto parts. US Auto Parts Network is a competitor who has bought keyword ads triggered by Parts Geek's trademarks. (However, when I searched this morning for Parts Geek, I didn't see any US Auto Parts' ads). In response, Parts Geek is suing its competitor as well as Google for the keyword advertising.
With respect to Google's involvement, the complaint doesn't break any new ground. I'm pretty sure it's largely a rip of another complaint, but I can't remember which one(s). According to my count, this lawsuit brings Google back up to 9 AdWords lawsuits.
In contrast, there are a couple of interesting facets of the claims against US Auto Parts. First, Parts Geek alleges (para. 42) that US Auto Parts set up a blog entitled "Auto Parts Geek" to divert traffic. Can you imagine a more perfect descriptive fair use situation? I think this will become my new favorite example.
Second, Parts Geek makes a Computer Fraud & Abuse Act claim because US Auto Parts allegedly crawled Parts Geek's site to extract "proprietary data and pricing." The CFAA claim seemed like an afterthought tacked onto allegations that focused almost exclusively on the trademark issues, and it wasn't as fleshed out or robust as we normally see in anti-crawling lawsuits (i.e., no claims for breach of contract, trespass to chattels, copyright infringement or violations of a state computer crimes law). Nevertheless, I'm always interested in anti-crawling lawsuits, especially ones with anti-competitive angles like efforts to keep competitor A from learning competitor B's prices. Further, Parts Geek claims that US Auto Parts' access to its website was delimited by a "terms of use" which, from my limited review of the Parts Geek site, appears to be at best a very obscure "browsewrap." The CFAA is more tolerant of obscure disclosures than contract law is, and this CFAA claim is hardly unusual, but I'm nonetheless troubled by the implications of treating obscure browsewraps as effective anti-crawling mechanisms.
The roster of pending AdWords cases:
* Ezzo v. Google
* Rescuecom v. Google
* FPX v. Google
* John Beck Amazing Profits v. Google and the companion Google v. John Beck Amazing Profits
* Stratton Faxon v. Google (not initially a trademark case)
* Soaring Helmet v. Bill Me
* Ascentive v. Google
* Jurin v. Google 1.0 (voluntarily dismissed), succeeded by Jurin v. Google 2.0
* Rosetta Stone v. Google
* Flowbee v. Google
* Parts Geek v. US Auto Parts
Posted by Eric at 07:17 AM | Derivative Liability , Search Engines , Trademark , Trespass to Chattels | TrackBack
November 03, 2009
Law Professor Sues Over 'Above the Law' Blog Posts--Jones v. Minkin
By Eric Goldman
Jones v. Minkin, 1:09-cv-23256-MGC (S.D. Fla. complaint filed Oct. 27, 2009). The Above the Law blog post on the lawsuit with links to the posts in question.
Given its history of provocative and occasionally aggressive blog posts, it's actually a little surprising that popular law blog Above the Law has not been sued before. A blogger's life is inherently filled with peril. We bet our houses with every blog post, and eventually the law of large numbers starts working against us. The risks are even greater for bloggers covering legal topics. By definition, we routinely cover people who are prepared to mix it up in court. As a result, it's almost inevitable that blawgers who keep at it long enough will get sued eventually.
The plaintiff in this case is University of Miami law professor D. Marvin Jones, who in 2007 was improperly detained by police for possibly racist reasons. This prompted a series of blog posts on Above the Law that included an unflattering cartoon and unfavorable characterizations. Jones now claims that the blog posts put him in a false light, invaded his privacy and constituted copyright infringement because the blog posts used the photo from his university profile page. Although the complaint uses the word "defamation" earlier in the pleading, no defamation claim was alleged. For these violations, Jones asks for tens of millions of dollars to right the alleged wrongs.
I'm skeptical about all three claims, but the copyright claim is almost unquestionably bogus. It's not properly pleaded; there's no allegation of a copyright registration. More importantly, I would be shocked if Jones owned the copyrights in the photo on his faculty page. Usually faculty photos are taken by a university photographer or a third party vendor; in either case, the photo subject normally does not obtain ownership or an exclusive license to the copyright. Perhaps Jones has managed his IP affairs better than 99+% of professors. If not, 17 USC 505, the copyright fee-shifting provision, seems like it sets up Jones to potentially write a check to the defendants. (Fair use also seems strongly possible, but we don't need to get there if the plaintiff can't establish a prima facie case of infringement).
With respect to the alleged privacy violations, there is the obvious problem that police incident reports should be public documents. However, I’m also interested Jones' faculty bio does much to trumpet his high public profile. He self-describes himself as a "public intellectual" (a fairly rare self-characterization among academics) and says he has "appeared as an expert on national and local television" and "is a sought after speaker at many universities." These self-reported assessments about his public visibility don't obviate his privacy rights, but they do suggest that a police detention--especially one with racial overtones, exactly the type of thing he discusses in these public spaces—and the associated report either don't qualify as a "private fact" or are sufficiently newsworthy to trump his privacy interests.
Ben Sheffner's post on this case makes good points about the false light claim. He says it's DOA because (1) Florida doesn't recognize the cause of action, and (2) to the extent it's based on the cartoon, the cartoon was provided by a third party and therefore 47 USC 230 preempts the claim.
This lawsuit reminded me a little of the long-running Steinbuch v. Cutler lawsuit, which also involved a law professor/plaintiff Robert Steinbuch (now at UALR) claiming privacy violations against a blogger. That legal battle hasn't turned out so well for Steinbuch. Putting aside a number of substantive losses along the way, the lawsuit has been going nearly 5 years with no clear end in sight. Some of the delay was caused by Cutler's bankruptcy, but much more of it was due to the inherent weakness of judicial proceedings as a redress for unwanted speech. And in the end, I don't think the lawsuit has done much to enhance Steinbuch's reputation as a law professor or otherwise.
Two other minor points about the lawsuit. First, the complaint repeatedly criticizes Above the Law for referring to Jones as "D. Marvin Jones" rather than some other variation of his name, alleging that the usage was designed to ensnare searchers looking for his book. Perhaps that was the intent (doubtful, but possible), but I have chosen to refer to Jones by the name he uses on his faculty profile...which is "D. Marvin Jones." Second, it was jarring to see "Barack Obama" misspelled in a complaint (especially given the plaintiff's expertise) as "Barrack Obama."
Unfortunately for Above the Law, Florida does not have a robust anti-SLAPP statute. Nevertheless, given its facial lack of merit and the possibility that Jones will want to minimize the size of the check he has to write the defendants for his ill-conceived copyright claim, I hope this lawsuit will reach a quicker resolution than the Steinbuch v. Cutler saga.
FWIW, there is an attractive free conference tomorrow afternoon in San Francisco that, quite topically, will address the unique challenges of online reporting of legal cases. (The official page is down, but this page has all the relevant details). Hope to see you there.
UPDATE: Jones has voluntarily dismissed the case within days of bringing it.
Posted by Eric at 01:57 PM | Content Regulation , Copyright , Derivative Liability , Publicity/Privacy Rights | TrackBack
Court Sanctions Lawyer for Including Social Security Number and Date of Birth Information in Filing -- Engeseth v. Isanti County
[Post by Venkat]
I've blogged about parties who complain when opposing counsel wrongly includes personal information (usually social security numbers) in court filings. Attempts to assert counterclaims based on this type of conduct typically fail. For one example, see In re Killian, discussed here. (You can see a list of other cases rejecting these types of claims noted here.)
However, a judge in Minnesota recently sanctioned a lawyer for including the "full social security numbers and dates of birth for 179 individuals" in a court filing. (Engeseth v. Isanti County, Case No. 06-CV-2410 MJD/RLE (D. Minn.; Oct. 20, 2009).) After issuing a show cause order on its own motion (as best as I can tell, none of the parties complained), the court concluded that counsel's inclusion of the social security numbers and date of birth information in a filing violated Federal Rule of Civil Procedure 5.2(a), and demonstrated poor judgment. That rule requires truncation of certain personal information (e.g., social security number, taxpayer identification number) in court filings unless otherwise ordered by the court. (Here is a link to the rule: "Privacy Protection for Filings Made with the Court".)
The sanctions imposed by the court included: (1) notice to all injured parties, along with "individualized credit reports and credit monitoring," and (2) payment of $5,000 to the Second Harvest Heartland food bank.
Without minimizing the seriousness of the privacy interests at issue, it seems rough for the court to impose these types of sanctions on its own motion. The credit monitoring makes sense, but I'm not sure what's up with the donation to the food bank. Particularly rough from the lawyer's perspective, given that this appears to be a pro bono case where the lawyer achieved a good result for the clients. The filing containing the social security numbers was an accounting affidavit filed by the lawyer detailing the disbursements of settlement proceeds to his clients. I'm not suggesting that you don't have to follow the rules in pro bono cases. You obviously do, but the sanction must have stung, coming at the end of a successfully prosecuted pro bono case.
My own anecdotal observation is that courts are very reluctant to sanction lawyers these days, and I've seen courts reject sanctions for a lot worse. Nevertheless, the court's order illustrates the importance of adhering to court orders and rules that govern the inclusion of private information in court filings. As to whether this means that parties can assert claims based on the wrongful inclusion of personal information in filings, the answer is, no, they probably cannot. In any event, I would think the relief awarded by the court would be limited to notice and credit-monitoring, as is typically the case in consumer data breach cases. In other words, it's difficult to gain leverage in a case based on the opposing party's wrongful inclusion of personal information in a court filing.
Added: additional coverage at the Minnesota Lawyer Blog here (which first noted the order) and The Register here. The Minnesota Lawyer Blog also provides access to the order itself: [pdf].
(h/t Cathy Gellis)
Posted by Venkat at 01:04 PM | Privacy/Security
November 02, 2009
October 2009 Quick Links
By Eric Goldman
Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.
* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.
* The AutoAdmit case is over. Above the Law and the Yale newspaper.
* Google doesn't want to hear your complaints about your reputation management.
* Moneygram settles with the FTC (to the tune of $18M) that its money wiring service was used to perpetrate fraud.
* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.
* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.
* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!
* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.
* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.
* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.
* Venkat has his own version of Quick Links on his site.
Posted by Eric at 05:08 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack