June 30, 2010
Must-Read Empirical Study of 47 USC 230 Jurisprudence by David Ardia
By Eric Goldman
David S. Ardia, Free Speech Savior or Shield for Scoundrels: An Empirical Study of Intermediary Immunity Under Section 230 of the Communications Decency Act, 43 Loyola of Los Angeles Law Review 373 (2010)
Let me start with the punchline: if you are interested in 47 USC 230 jurisprudence (and let's face it, who isn't???), then you need to read this article. In fact, clear your calendar for this afternoon. Although I am not completely sold on its conclusions, any cogent discussion about 47 USC 230 jurisprudential trendlines must acknowledge this article.
David Ardia directs the Citizen Media Law Project, a frequent outlink on this blog. He undertook the heroic (and some might say ill-advised) task of finding and coding 47 USC 230 cases--a total of 184 decisions--and then generating some statistical conclusions from the dataset. This is not a project I would have undertaken because empirical research is such a quagmire, but we as a community of 47 USC 230 scholars and practitioners get the benefit of David's efforts.
(I should note that David sent me a draft of this article last Fall, which sat unread in my inbox for 3 months. I then sent David an extremely lengthy and detailed set of comments about a week before his final edits were due to the law review. Some of my critiques are not news to David, but he may not have had a chance to fully address them based on my delayed feedback.)
(I further note that I have not doublechecked David’s dataset or coding. For this post, I assume he did it “correctly.”)
If you have limited time (the PDF is 134 pages), start on page 41 of the PDF, which is where the empirical discussions heat up. There is a lot to discuss and explore, but I will highlight two significant statistical conclusions.
First, the paper calculates that 230 defendants win the defense "only" about 2/3 of the time, leading him to conclude that the statute "has not been the free pass many of its proponents claim and its critics lament." This is an interesting conclusion, but it leaves me wondering how this compares with the hypothetical calculation of cases where the 230 defense should have failed vs. the situations where it should have succeeded. Still, I am one of the people who thinks 230 is a free pass for defendants, so the successful batting average was lower than I expected.
Second, the paper makes the following assertion on page 108:
"many of the intermediaries that invoked section 230 likely would not have faced eventual liability under the common law because they lacked knowledge of and editorial control over the third-party content at issue in the cases. Given this prediction, one might question whether section 230 is necessary."
Whoa! This is an important and implicitly troubling statement. The paper is positing an alternative scenario where 230 doesn't exist and arguing that we might not notice a difference. Of course, we know that other countries are having very different experiences with UGC due to the 230's absence. At the same time, US common law still differs from other countries' laws, so perhaps the US common law's trajectory would have reached a similar place. Having said that, for reasons the paper does explore, we are better off for having the statutory immunity than relying on common law developments. Furthermore, 230’s real brilliance is that it immunizes service providers *because they exercise* editorial control, which leads to better outcomes.
I'll briefly mention two other stats that puzzled me.
On page 59, the paper says: "in more than half of the section 230 decisions (58.8%), the speech at issue was not published anonymously." Later, on page 115, the paper advances the inverse stat: "41.2% of the decisions studied involved anonymous content." In theory, this means 40% of cases involve primary tortfeasors who can't be found, but I'm skeptical about this because successful online anonymity is really hard. After all, the AutoAdmit authors thought they were anonymous until they were de-anonymized. For more, see Paul Ohm's paper on reidentification.
On page 117, the paper says "in more than half of the cases (55%), the content plaintiffs sued over was no longer available as of mid-2009," which suggests plaintiffs can get content takedowns despite 230 because the service provider voluntarily helps or the author takes the content down him/herself (or, in some cases, the court ordered the takedown). This brought to mind the Ripoff Report's refusal to remove content at the author's request, a relatively unique posture for UGC hosts. See Blockowicz v. Williams.
The paper gives me another reason to remind you that SCU will be hosting a 47 USC 230 celebration on March 4, 2011, where I hope we will discuss cutting-edge research on 230 like this paper. More details to come, but mark your calendar now. If you are working on 230-related research that you think might be appropriate to present at this conference, please contact me.
UPDATE: David's CMLP blog post on his article.
In the thirteen years since its enactment, section 230 of the Communications Decency Act has become one of the most important statutes impacting online speech, as well as one of the most intensely criticized. In deceptively simple language, its provisions sweep away the common law’s distinction between publisher and distributor liability, granting operators of Web sites and other interactive computer services broad protection from claims based on the speech of third parties. Section 230 is of critical importance because virtually all speech that occurs on the Internet is facilitated by private intermediaries that have a fragile commitment to the speech they facilitate.
This Article presents the first empirical study of the section 230 case law. It begins by providing a doctrinal overview of common law liability for intermediaries, both online and offline, and describes how section 230 modifies these doctrinal approaches. It then systematically analyzes the 184 decisions courts have issued since the statute’s enactment. The Article also examines how courts have applied section 230, finding that judges have been haphazard in their approach to its application.
The Article closes by discussing the study’s findings and by offering some insights into how plaintiffs and defendants have fared under section 230. While section 230 has largely protected intermediaries from liability for third-party speech, it has not been the free pass many of its proponents claim and its critics lament. More than a third of the claims at issue in the cases survived a section 230 defense. Even in cases where the court dismissed the claims, intermediaries bore liability in the form of litigation costs, and it took courts, on average, nearly a year to issue decisions addressing an intermediary’s defense under section 230.
June 29, 2010
Payment Service Providers May Be Liable for Counterfeit Website Sales--Gucci v. Frontline
By Eric Goldman
Gucci America, Inc. v. Frontline Processing Corp., 2010 WL 2541367 (S.D.N.Y. June 23, 2010)
This case relates to an online seller of Gucci counterfeit goods called TheBagAddiction.com, run by Laurette. Gucci already successfully shut down the counterfeit website, but it remains on the warpath, looking to nail more defendants. It has sued three additional companies, Durango, Frontline and Woodforest. Durango helps hard-to-service merchants such as TheBagAddiction and other sellers of "replica products" find payment service providers. Frontline and Woodforest are both payment service providers that service Visa, Mastercard and AmEx (Frontline also services Discover). Thus, in this action, Gucci is chasing the payment service providers who helped the counterfeit site get paid. In this respect, the case is analogous to Perfect 10's suits against ccBill and Visa, except that Gucci is proceeding on a trademark claim and not copyright.
In this ruling, the court says that Gucci's contributory trademark claims survive the defendants' motion to dismiss. The court dismisses the direct and vicarious trademark claims.
The court says that Durango, the matchmaker/finder, could be liable on an inducement theory because it advertised its services as finding payment services for "high risk" merchants such as those selling "replica" merchandise. Gucci is basically taking the realpolitik position that everyone knows that high-risk merchants selling replicas are just counterfeiters and so Durango should be brought to justice for assisting that retailer niche. Gucci also alleges that Durango encouraged merchants to reduce chargebacks by including a checkbox on the consumer checkout screen saying that they acknowledged they were buying replicas. Although the checkbox didn't help Durango here, I wonder what it will do to the underlying questions of consumer confusion about product source.
In contrast, Frontline and Woodforest didn't induce because "they did not bring [the website] to the table the way Durango allegedly did." While that's true, I'm not clear about the line the judge is drawing.
The court instead evaluates Frontline's and Woodforest's contributory trademark liability (as well as Durango's) under the following legal standard: "if it supplied services with knowledge or by willfully shutting its eyes to the infringing conduct, while it had sufficient control over the instrumentality used to infringe." This appears to be a further bastardization of the loosely-drafted and gratuitous language in Tiffany v. eBay about "willful blindness." As I wrote in my post about the Tiffany ruling, "I expect plaintiffs to get frisky with this 'willful blindness' toy and start asserting that defendants had 'reason to suspect' user infringement and 'ignored that fact.'" This case appears to be an example of that friskiness.
Gucci's allegations against Durango satisfied the scienter requirement because:
Durango allegedly held itself out to high risk replica merchants. Its sales agent, Counley, traded emails with the Laurette Counterfeiters who expressly told him that they were unable to get credit card services because they sold “replica” items. Counley later wrote back to say he had found a U.S. bank that “can do replica accounts now.” Surely, a connection between an inability to get the services needed to transact goods online and the sale of replicas should have attracted Durango's attention.
[note: throughout this post, I have removed some citations from the blockquotes]
Gucci's allegations against Frontline satisfied the scienter requirement because:
Laurette completed an application to obtain Frontline's services, and Nathan Counley, though a Durango employee, is listed as Frontline's sales agent. Counley “acted as Frontline's agent in soliciting and directing credit card processing business from replica merchants like the Laurette Counterfeiters” and therefore Frontline may be charged with his knowledge, including his understanding of Laurette's difficulty to obtain services for selling replicas. Gucci alleges that the “replica acknowledgment” described above that was created for the Laurette website with Counley's assistance was also reviewed by Frontline, who made suggestions as to where they should place this warning on the website. Even more significantly, Frontline allegedly performed its own investigation of products sold through TheBagAddiction.com as part of Frontline's chargeback reviews. When faced with a chargeback, Gucci claims that Frontline received supporting documentation from Laurette that included information about the specific item ordered, including a description of the item purchased. Not only did Frontline allegedly review the specific item description, Plaintiff also claims that the relatively small price tag for the item, as well as specific complaints from customers who made chargebacks about not receiving what the website purported to sell, e.g. a product made of genuine leather, should have alerted Frontline that these were infringing products. These fact-specific claims are enough to at least infer that Frontline knew or consciously avoided knowing that the counterfeit products were sold on TheBagAddiction.com
There are a number of analytical problems with this reasoning, but I'm still stuck on the argument that the payment processor is charged with the knowledge of a third party entity's salesperson. What?
Gucci's allegations against Woodforest satisfied the scienter requirement because:
As was the case with Frontline, Counley represented himself on Laurette's application as Woodforest's sales agent. The application itself said that Laurette was a “wholesale/retail designer [of] handbags,” and listed the supplier as a Chinese bag manufacturer rather than Gucci. Gucci also claims that Woodforest specifically reviewed the website and the products listed on it as part of its initial decision to do business with Laurette. A Woodforest employee allegedly completed an “Internet Merchant Review Checklist,” which required him or her to review the website and confirm whether it contained a complete description of the goods offered. Based on these claims and the website images provided by Plaintiff, even a cursory review of the TheBagAddiction.com would indicate that they claimed to sell replica Gucci products. Indeed, Plaintiff alleges that Woodforest printed out a number of pages that displayed goods that were for sale, including counterfeit Gucci products, and maintained these pages as part of their business records. Woodforest would also perform a second-level review, performed repeatedly after it accepted the business, where an employee would complete a purchase and request a refund. Finally, like Frontline, Woodforest investigated chargeback disputes and received supporting documentation that allegedly should have tipped them off to the infringing conduct. These claims are more than sufficient to suggest, at this stage of the litigation, that Woodforest knew or shielded themselves from the knowledge that Laurette was selling counterfeit Gucci products with their credit card processing system.
Even with the court's generous standards for scienter, what about control over the infringing instrumentalities? In Lockheed v. NSI, a domain name registrar lacked that level of control because it simply provided a matching service between domain names and IP addresses. In contrast, in Louis Vuitton v. Akanoc, Akanoc arguably had the requisite control because it hosted the sites. Here, Durango was just a matchmaker between merchants and payment service providers, and on that ground lacked the requisite control. However, Gucci sufficiently alleged the requisite control by the payment service providers:
Gucci's complaint indicates that Frontline and Woodforest's credit card processing services are a necessary element for the transaction of counterfeit goods online, and were essential to sales from TheBagAddiction.com. Although other methods of online payment exist, such as online escrow-type services like PayPal, generally speaking “credit cards serve as the primary engine of electronic commerce.” Perfect 10, 494 F.3d at 794. Indeed, Gucci points out that Durango's website claims that “9 out of 10 people use a credit card for their online orders.” As such, without the credit card processing operation set up by these two defendants, Gucci alleges that TheBagAddiction.com would largely have been unable to sell its counterfeit Gucci products. They further support this claim with an affidavit by one of the website owners, who states that “[a]pproximately 99% of payments from my customers were made using credit cards.” Both Frontline and Woodforest processed transactions for cardholders with major credit card institutions-Visa, MasterCard, and so forth-and, according to Gucci, Laurette sold over $500,000 in counterfeit products “during the time they utilized Defendants' merchant bankcard services.” By processing these transactions, both companies allegedly earned significant revenue from the transaction fees they charged. Put another way, “[t]hey knowingly provide a financial bridge between buyers and sellers of [counterfeit products], enabling them to consummate infringing transactions, while making a profit on every sale.” Perfect 10, 494 F.3d at 810-11 (Kozinski, J., dissenting). Though both Frontline and Woodforest insist they are middlemen with no ability to prevent a transaction, they do not dispute that they could have simply refused to do business with “replica” internet merchants, just like the flea market purveyor who refuses to provide a booth to a counterfeiter. See Compl. ¶ ¶ 87-89 (Woodforest and Frontline “facilitated the Laurette Counterfeiters ability to quickly and efficiently transact sales for Counterfeit Products through their website by enabling customers to use personal credit cards to pay for purchases on TheBagAddiction.com”). According to one of the website operators, “[i]f I did not receive an approval for a credit card charge, I would not ship the customer's order.” These allegations indicate that the infringing products “are delivered to the buyer only after defendants approve the transaction ... This is not just an economic incentive for infringement; it's an essential step in the infringement process.” Perfect 10, 494 F.3d at 811-12 (Kozinski, J., dissenting).
While all of this is true, how does this relate to the *instrumentality* used to infringe? The court closes the loop by effectively reading that requirement out of the test, saying "instrumentality in this case is the combination of the website and the credit card network, since both are allegedly necessary elements for the infringing act-the sale and distribution of the counterfeit good." But using this standard, every "sine qua non" vendor to a counterfeit website is an instrumentality--the power company, the water company, the landlord, etc. That's exactly what the 9th Circuit rejected in Perfect 10 v. Visa. The court weakly distinguishes that case by noting the difference between rivalrous and non-rivalrous goods; the copyright infringing websites could continue publishing the non-rivalrous goods without credit card payment, while the Gucci counterfeit site wouldn't ship the rivalrous goods until credit card payment was made.
This is a terrible ruling on both a doctrinal and normative level. On a doctrinal level, the court bypassed the main holdings of Tiffany v. eBay (binding on the court), Perfect 10 v. ccBill and Perfect 10 v. Visa. Instead, the court stitched together crappy dicta from the Tiffany v. eBay case with Kozinski's dissent in Perfect 10 v. Visa to come up with an expansive secondary trademark liability rule applicable to vendors to counterfeit websites. I expect payment service providers to become the latest defendant-du-jour among trademark plaintiffs looking for deep pockets in web infringement cases. Something to look forward to.
Normatively, this ruling raises the specter that payment service providers will attempt to exercise even more business control over the businesses they service, effectively deputizing the payment service providers into cops on the Internet beat. As I mention in my notes about the OECD efforts on Internet intermediaries (which I will post soon), this deputization of private vendors into content cops has numerous disadvantages. I'm hoping this ruling gets fixed by the judge or on appeal so that we don't suffer the logical consequences of this bad ruling.
Steps to 'Internet-Proof' Your Cease and Desist Letter
[Post by Venkat]
I posted a ways back at Avvo's blog about how the internet increasingly affects litigation by shining the light on abusive lawsuits or those that overreach. I didn't mention something related that has become fairly common, and that's the mockery of cease and desist letters by the internet. It seems like not a week goes by without someone sending an ill-advised cease and desist letter that the internet enjoys a good laugh over. Last week's example was brought to you by the National Pork Board and its lawyers, who decided that ThinkGeek's "Canned Unicorn Meat" (released on April 1) infringed on NPB's "The Other White Meat" family of trademarks. (ThinkGeek: "Officially Our Best-Ever Cease and Desist.")
D.C. Toedt has a post titled "Cease-and-desist letters: Five ways to keep your client and yourself from looking foolish" that provides some helpful steps you can take to avoid NPB's plight:
1. Think about whether sending the letter is such a good idea.
2. Consider what the other side might do for a counter-attack.
3. Skip the histrionics – just the facts, ma’am.
4. Never threaten to sue – when the time comes, just do it.
5. Don’t set a compliance deadline, nor demand a written response.
That's pretty sage advice that people often seem to ignore.
Cease and desist letters should also be relatively short and to the point. You obviously want to be right on the facts and the law, but rare is the opponent who will be cowed into submission by extensive citations coupled with wonderful lawyerly prose. If it does not achieve compliance, it ends up being a way to sink a bunch of lawyer time into a letter that does not result in much. Often, a cease and desist letter to a lawyer becomes what a confirmation hearing is to a senator: an opportunity to drone on. (Cease and desist letters often serve other purposes, such as putting the other side on notice, revoking an implied license, etc.) On the other hand, a well-written response could sway the other side. Since the party who is sending the cease and desist will almost always see the response, a thoughtful response is an opportunity to demonstrate why the demands in the letter are out in left field.
Increasingly, lawsuits play out in the public arena, so it's also worth looping in the PR/messaging folks at the early stages (i.e., before you send the letter). If the recipient posts your letter and mockery ensues, you probably skipped one of the steps outlined in the post, but in any event, it would be helpful to have something articulating your rationale and position already out there or ready to go.
Of course, when all else fails, you could always try to assert a copyright in your letter (to prevent its reproduction), but that's just inviting further ridicule.
Added: an alternative via email: "don't include anything mockable in the cease and desist letter." That works as well.
June 24, 2010
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
[Post by Venkat]
Twitter recently agreed to a consent order with the FTC that requires Twitter to implement a variety of security measures with respect to "nonpublic consumer information" of Twitter users. The FTC probe (which was resolved by agreement) stemmed from highly publicized security breaches where hackers gained "unauthorized administrative control of the Twitter system." In the first incident, hackers gained control of 35 high profile Twitter accounts, including the accounts of Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. Separately, someone gained access to a Twitter employee's email account, which contained the employee's admin password for Twitter.
The consent order requires Twitter to implement a variety of security features which are above and beyond what many sites have in place. The consent order also requires Twitter to undergo a period audit by an outside auditor, and comply with some onerous-looking record-keeping requirements (retain consumer complaints, "widely-disseminated statements" about its security and privacy practices, etc.). Interestingly, the FTC faulted Twitter for failing to comply with security standards which many sites probably do not meet:
• requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
• prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
• suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
• providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
• enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
• restricting access to administrative controls to employees whose jobs required it; and
• imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
NB: I noticed a few tweaks to Twitter's policy which was revised a couple of weeks ago. The revised policy makes clear that: (1) Twitter tracks user interactions with links; and (2) Twitter uses more than just Google analytics. Neither of these changes seem particularly material, although it's always nice to be reminded that websites track your interactions with links. Either way, I thought they were worth noting:
Links: Twitter may keep track of how you interact with links in Tweets by redirecting clicks or through other means. We do this to help improve our Services, including advertising, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.
Third Party Services: Twitter uses a variety of services hosted by third parties to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These services may collect information sent by your browser as part of a web page request, such as cookies or your IP request.
Added: The BBC reports (June 24, 2010) that "Obama's Twitter hacker receives a suspended sentence." According to French investigators, the hacker (Francois Cousteix) "deduced the passwords of Twitter administrators from public information on the web, thus gaining access to the accounts of important and famous individuals." Mr. Cousteix's actions spurred (in part) the FTC probe. Also, Gawker thinks that Twitter got off too easy: "The Pathetic Punishment of Twitter." Many people probably had the opposite reaction, but that's neither here nor there.
FTC analysis: [pdf] ("Analysis of Proposed Consent Order to Aid Public Comment
In the Matter of Twitter, Inc., File No. 0923093")
TechCrunch: (FTC Bars Twitter "For 20 Years From Misleading Consumers" About Privacy After 2009 Hacks)
Wired: (Twitter Settles With FTC Over 'Happiness" Breach)
CNET: ("Twitter, FTC reach agreement on security")
June 23, 2010
YouTube Gets Decisive Win in Viacom/FAPL Case
By Eric Goldman
Viacom International, Inc., v. YouTube, Inc., 2010 WL 2532404 (SDNY June 23, 2010).
The Viacom v. YouTube case has been noteworthy for numerous reasons. It involves the cherished Internet brands YouTube and Google, it's been going on forever (see my initial blog post on Viacom's complaint from March 2007), and it's generated lots of water cooler talk (see the salacious details from the parties' summary judgment motions).
Now, the case is also noteworthy because it hands YouTube a clean and decisive win on the DMCA 512(c) safe harbor. The ruling basically says that the current industry standard practices of notice-and-takedown for user-caused copyright infringement satisfies the safe harbor. Although this seems like an uncontroversial result when stated like that, the reality is that copyright owners have repeatedly angled to get a better deal than Congress gave them in 512. This case will squelch many of those copyright owner requests to force service providers to go beyond current industry-standard practices. Of course, we have to see how the opinion fares on appeal.
The opinion stays above the fray and avoids most of the messy facts from the parties' voyeuristic filings earlier this year. On the decisive question of what constitutes YouTube's actual knowledge or red flags awareness of infringement, the court immediately turns to the legislative history. Fortunately for YouTube, the legislative history is replete with defense-favorable statements. Thus, the court summarizes the legislative history by saying its "tenor" requires that service providers have "knowledge of specific and identifiable infringements of particular individual items. Mere knowledge of prevalence of such activity in general is not enough." Subsequently, the court reinforces that "General knowledge that infringement is 'ubiquitous' does not impose a duty on the service provider to monitor or search its service for infringements."
The court supports these conclusions by noting the difficulty service providers have monitoring/policing large databases of UGC and the fact that the notice-and-takedown system worked well in Viacom's case when it actually submitted notices. The court also favorably cites the ccBill, UMG v. Veoh, Corbis v. Amazon and Tiffany v. eBay cases. By doing so, the court subtly does two things. First, it imports 9th Circuit 512 jurisprudence into a 2nd Circuit-bound court, and second, it imports the 2nd Circuit's recent secondary trademark liability analysis into a copyright case. Both moves also favored YouTube.
The latter is particularly interesting because it seems to accept a notice-and-takedown regime for trademark--not the statutory requirement, but nevertheless the logical implication of Tiffany v. eBay. Perhaps we are seeing some convergence in secondary copyright and secondary trademark infringement cases, despite their different statutory foundations.
The court distinguishes Grokster "and its progeny" (Usenet.com, Fung and LimeWire) as having "little application here." Grokster, Fung and LimeWire all involved P2P file sharing services, which are not covered by 512 (although I've always thought 512(d) deserved more consideration than it did). The court distinguishes Fung as "an admitted copyright thief."
The court further distinguishes Grokster by saying "its application to the particular subset of service providers protected by the DMCA is strained." I completely agree with this, and the court properly notes the factual differences between a P2P file sharing service and a web host. In response to Viacom's apparent belief that Grokster was highly relevant, the court cites that "Viacom’s General Counsel said in a 2006 e-mail that '....the difference between YouTube’s behavior and Grokster’s is staggering.'" This was the only duplicitous statement the court pulled out of the many ones quoted (on both sides) in the summary judgment briefs.
The court makes a few other abbreviated rulings rejecting various attempts to kick YouTube out of the safe harbor:
* YouTube's video embedding feature does not eliminate the 512 safe harbor, citing the Io v. Veoh case. The court does indicate that some activities are beyond the fair meaning of "storage" and ancillary activities, and it appears the plaintiffs could try to push this angle (although I doubt they will get much play if they try).
* the court says that YouTube's "right and ability to control" must be measured on an item-specific basis, so the "right and ability to control" does not kick in until the service provider gets a qualifying notice or otherwise has red flags awareness. This is a powerfully restricted interpretation of that term.
* YouTube's method of counting three strikes did not disqualify it from the statute. This includes the fact that YouTube does not count a strike when Audible Magic automatically filtered UGC.
* the fact that the statute allows copyright owners to submit a "representative list" of infringed works does not override their obligation to specifically identify the location of any allegedly infringing UGC files in their notices.
The opinion does not clearly say it applies to all of the plaintiffs and not just Viacom. However, Google's post indicates that it thinks the opinion applies to all plaintiffs, thus effectively removing most issues from the case. The court orders the parties to talk further to see what's left open by this ruling. There isn’t much. One possibility: 512(c) only eliminates damages, not an injunction, so the plaintiffs could press for an injunction despite this ruling. However, based on the judge’s treatment of the plaintiffs’ arguments, I don't see how that would be productive. At most, I think this judge would only require YouTube to keep following the statute--something YouTube has already proven that it does. Therefore, probably the next major step in the case will be the appellate ruling--which, in the Second Circuit, could take years.
My OECD Position Paper Lauding 47 USC 230 (OECD Project on Internet Intermediaries, Part 1)
By Eric Goldman
Last week, I participated in an OECD expert workshop on Internet intermediary liability in Paris. I will blog more about the OECD project and my trip to Paris shortly.
In preparation for the event, I was asked to write a one page position paper on any topic related to Internet intermediary liability. Regular readers are surely not surprised that I chose to offer some laudatory remarks about 47 USC 230. My position paper (or see the PDF):
I am delighted to participate in the OECD’s workshop as a CSISAC expert. My remarks at the workshop will undoubtedly cover several subjects. This position paper outlines my thoughts on just one of the project’s topics.
My recent research has focused on “reputational information,” which I define as information about a producer’s past performance that can help a consumer decide whether or not to transact with the producer. Reputational information includes both objective data (e.g., product recall rates) and subjective data (e.g., consumer reviews).
Reputational information plays a crucial role in the efficient functioning of markets. We expect the market’s “invisible hand” to reward good producers and punish poor ones, but this occurs only when producers are, in fact, accountable for their performance. Reputational information can improve producer accountability when it is readily available and relatively free from distortions. Unfortunately, improperly calibrated regulation can undermine the optimal flow of reputational information in several ways. Two examples:
First, positive consumer reviews presumably help producers, but producers will seek to remove negative consumer reviews about them. If producers can easily take down negative reviews simply by alleging defamation or other legal violations, a “lopsided”—and unhelpful—database of only positive consumer reviews will remain.
Second, consumers expect Internet publishers to organize and filter voluminous amounts of reputational information while preserving the “wisdom of the crowd.” To meet these needs, Internet publishers constantly try new ways to procure, order and display reputational information. This type of experimentation can occur only when Internet publishers do not make editorial choices designed principally to minimize their legal risks.
The United States has seen an explosion of entrepreneurial activity from Internet publishers of reputational information—a process fostered by 47 U.S.C. § 230, which Congress enacted in 1996 as part of the Communications Decency Act. Content originators remain liable for their content, but 230 provides Internet publishers with a powerful immunization for content originated by third parties. With 230’s protection, Internet publishers are developing innovative ways to supply consumers with helpful reputational information, freed from concerns that innovation will increase their liability for user content. 230 also helps Internet publishers avoid lopsided databases because publishers can confidently resist demands to suppress negative reviews. Thus, 230 has improved both the quantity and quality of reputational information available to help consumers make their marketplace decisions.
As a result, 230’s liability immunity strengthens the marketplace’s ability to reward good producers and punish poor ones. In its review of regulatory options, I encourage the OECD to analyze the benefits of immunity regimes for Internet publishers that can achieve similar objectives.
You can see all of the submitted position papers here.
My position paper is effectively the abstract of a paper I am writing this summer entitled "In Defense of 47 USC 230." If you're currently working on a 230-related paper or have written a paper on 230 that you want to make sure I don't miss, please let me know.
Also, mark your calendars: on March 4, 2011, Santa Clara University will be co-hosting (with a distinguished list of co-sponsors) a 15 year retrospective/anniversary party for 47 USC 230 that I promise will be the biggest--and most exciting (if that's not an oxymoron)--47 USC 230 geekfest to date. We're still putting the program together, so we have not made a formal public announcement, but one is coming soon.
June 22, 2010
Three Gripers Get Disadvantageous Jurisdictional Appellate Rulings in Defamation Cases
By Eric Goldman
Three recent appellate rulings, coming within 8 days of each other, illustrate how hard it is for an online griper to stay out of his/her target's home court. None of these opinions are clearly wrong, but I wish courts could find better ways to ameliorate the terroram effects of litigation--especially remote litigation--on gripers.
Silver v. Brown, 2010 WL 2354123 (10th Cir. June 14, 2010)
David Silver is an investment banker at a small New Mexico investment bank, Santa Fe Capital Group. Brown, based in Florida, is CEO of GTI. GTI retained the investment bank to raise capital for it. The parties had a falling out. Brown then set up a gripe blog/website at DavidSilverSantaFe.com. The site is pretty standard for a gripesite, but allegedly Brown went out of his way to SEO the website and then offered not to launch the site if Silver refunded $6,000 that GTI had previously paid. Silver allegedly replied with legal threats, to which Brown allegedly promised to move the site offshore so it would be harder to take down. (The emails reprinted in the opinion indicate the parties used more colorful language). After the site launched, Silver made good on his threat to sue in New Mexico, but the district court dismissed for lack of jurisdiction.
The 10th Circuit reversed, citing the Calder v. Jones "Effects Test." The court says:
* Brown intended to damage Silver's reputation via the gripesite
* "Mr. Brown also expressly aimed his blog at New Mexico. It was about a New Mexico resident and a New Mexico company. The blog complained of Mr. Silver's and Santa Fe's actions in the failed business deal. Those actions occurred mainly in New Mexico. And the blog was widely available in New Mexico over the internet and all the various ways the internet may be accessed in this day and age."
* Brown knew the brunt of the injury would be felt in New Mexico.
I think this is mostly consistent with the Effects Test, but the court doesn't stop there. Instead, it expresses fear of all-powerful search engines and their effects on jurisdictional considerations:
sophisticated search engines do exist, and with their use it is becoming more and more irrelevant, for the purposes of our analysis, how many worldwide or nationwide internet connections there are, or how many men named David Silver exist in the world, because, with the use of these search engines, the people that are searching for information on this David Silver are the ones who are going to end up viewing Mr. Brown's blog. And Mr. Brown knows this, as evidenced by the concern for increased search engine optimization expressed in his e-mails. Consequently, it is clear that this is not a case of untargeted negligence that just happened to cause damage in New Mexico."
So what exactly did Brown do sealed the litigation's location in the target's home court? I can posit two alternative conclusions. Hypothesis A: he didn't do anything unusual--every griper would run afoul of this court's standard. Hypothesis B (and more likely): Brown crossed some invisible line by SEOing his site and threatening to move the site offshore (a point referenced later in the opinion). Advice to gripers: you might not want to say you're SEOing your site, but you might find ways to achieve the same result less explicitly.
Kauffman Racing Equip., L.L.C., v. Roberts, Slip Opinion No. 2010-Ohio-2551 (Ohio Sup. Ct. June 10, 2010)
This case is similar to the Silver v. Brown case. Kauffman makes high-performance aftermarket engines in its Ohio factory. Roberts, a Virginia resident, bought an aftermarket Pontiac engine. 8 months later, Roberts complained to Kauffman that the engine was defective. Kauffman offered to retrieve the engine and refund Roberts' purchase price if Kauffman had caused the defects. Instead, Kauffman claimed that the defects were due to Roberts' post-purchase modifications. Unsatisfied, starting in 2006, Roberts griped about Kauffman in forum posts at PerformanceYears.com and PontiacStreetPerformance.com and an item description on eBay Motors. From my perspective, the posts have a menacing/taunting attitude; you should check them out if you're curious why the court sided with its hometown employer. Kauffman subsequently sued Roberts in Ohio.
The court expressly bypasses the Zippo test because Roberts engaged in non-commercial activities and instead parses the state's long-arm statute. Kauffman alleged that five Ohioans read Roberts' posts. Thus, the court observes that "[d]espite the fact that Roberts’s publication of his comments did not emanate from Ohio, those comments were received in Ohio." As a backstop explanation, the court articulates a standard similar to the Calder v. Jones Effects Test, concluding that the state long-arm statute is satisfied "[w]hen defamatory statements regarding an Ohio plaintiff are made outside the state yet with the purpose of causing injury to the Ohio resident and there is a reasonable expectation that the purposefully inflicted injury will occur in Ohio," which the court apparently believes happened here.
The court then does a Constitutional due process analysis, notes Calder v. Jones, and says in language very similar to Silver v. Brown that "Roberts is not alleged to have engaged in untargeted negligence. Roberts’s Internet commentary reveals a blatant intent to harm KRE’s reputation" and Roberts knew Kauffman was in Ohio. The court summarizes all of the ways Roberts targeted his activities to Ohio:
The allegedly defamatory communications concerned KRE’s activities in Ohio. We are not dealing with a situation in which jurisdiction is premised on a single, isolated transaction. The posts detailed the transactions between Roberts and KRE. Moreover, the purchase of the engine block and subsequent transfers from Virginia to Ohio and back again served as the foundation from which this dispute arose. Roberts’s allegedly defamatory posts were predicated on his course of dealing with an Ohio resident corporation. At least five Ohio residents other than Kauffman read these postings. Finally, although KRE does business nationwide, its business reputation is centered in Ohio, because Ohio is the location of its sole base of operations. Roberts knew, and in fact intended, that the brunt of the harm caused be felt by KRE in Ohio. Thus, the focal point of the damage was Ohio, and Roberts’s actions therefore fulfill the requirement of causing a consequence in Ohio.
The dissent argues that the majority got the Calder v. Jones analysis wrong: "Roberts posted his comments on three general auto-racing websites and an auction site, none of which have any specific connection to Ohio or are more likely to be viewed by a resident of Ohio than by a resident of any other state. In fact, KRE could identify only five Ohio residents it believes actually viewed Roberts’s comments."
Thus, the dissent is concerned with the general applicability of the majority's rule to gripers: "While it is evident from Roberts’s Internet posts that he sought to discourage others from purchasing KRE’s products, any individual who posts a negative review of a product or service in a public forum arguably seeks the same objective. Subjecting all individuals to suit in Ohio who post Internet reviews — no matter how scathing — of purchases made from Ohio companies does not comport with the due process notions of 'fair play and substantial justice.'"
While I sympathize with the dissent's inclinations, I think the majority is closer to the current state of the law. Roberts appears to differ from an average online consumer who posts a negative product review in at least three ways. First, Roberts posted across multiple online fora, expanding the different audiences who would see the message. Second, Roberts appears to have sought out the focused community of folks interested in high-performance aftermarket Pontiac engines, and I suspect everyone knows everyone in that community--in which case, one high-profile community member calling out a key vendor is undoubtedly going to affect the entire community. Third, the specific wording of Roberts' posts suggested that he was on a vendetta/crusade.
Even so, the most remarkable thing about this case is that after four years of litigation and three court rulings, the litigation is still only in the preliminary stages. We now know where the case can be heard, but we have learned nothing about its substantive merits. Presumably, it will take more years of litigation to reach a final disposition. Given the associated financial expense and diversion of managerial attention, I can't believe that Kauffman's suit against Roberts is a rational profit-maximizing move.
Marshall, a Washington resident, operates tabathamarshall.com, a blog on consumer issues. In 2007, she made a critical post about VeriResume, an ISC operation. ISC sued her for defamation in its home court of Florida. The federal district court dismissed for lack of jurisdiction. On appeal, the Eleventh Circuit certified a question to the Florida Supreme Court. The Supreme Court restated the certified question to be:
DOES A NONRESIDENT COMMIT A TORTIOUS ACT WITHIN FLORIDA FOR PURPOSES OF SECTION 48.193(1)(b) WHEN HE OR SHE MAKES ALLEGEDLY DEFAMATORY STATEMENTS ABOUT A COMPANY WITH ITS PRINCIPAL PLACE OF BUSINESS IN FLORIDA BY POSTING THOSE STATEMENTS ON A WEBSITE, WHERE THE WEBSITE POSTS CONTAINING THE STATEMENTS ARE ACCESSIBLE AND ACCESSED IN FLORIDA?
As rephrased, the court answers the question "yes," saying "posting defamatory material on a website alone does not constitute the commission of a tortious act within Florida for purposes of section 48.193(1)(b), Florida Statutes. Rather, the material posted on the website about a Florida resident must not only be accessible in Florida, but also be accessed in Florida in order to constitute the commission of the tortious act of defamation within Florida under section 48.193(1)(b)."
Superficially, this answer makes sense. It's hard to say any legally significant activity occurred in Florida if no one in Florida read the content. But the court's answer only articulates a very low minimum baseline—one that will be satisfied in almost every case. Even relatively obscure web content is likely to be read by people in every state. It may be tricky for the plaintiff to make this showing, at least without evidentiary discovery, but the Florida Supreme Court's standard otherwise supports very few jurisdictional challenges.
Furthermore, the answer is incomplete. The Florida Supreme Court only interpreted the state long-arm statute, not the Constitutional due process overlay--which the court didn't address because that wasn't part of the certified question from the 11th Circuit. So effectively the court said that the state long-arm statute will be easily satisfied in online defamation cases and pushed all of the gatekeeping inquiry onto the Constitutional analysis.
June 21, 2010
Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage
[Post by Venkat]
Kleffman v. Vonage Holdings Corp., Case No. S169195 (Calif. Supreme Ct.; June 21, 2010)
The California Supreme Court issued its opinion in Kleffman v. Vonage, a case certified from the Ninth Circuit. The California Supreme Court held that the transmission of "commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters" does not violate California's spam statute. Kleffman was a putative class action, and in bringing claims based on the transmission of accurate emails from multiple domain names, plaintiffs tried to stretch the bounds of California's spam statute to the limit. The California Supreme Court - citing preemption, among other considerations - rightly rejected the arguments brought by Kleffman.
Background: Kleffman sued in state court, alleging that the transmission of emails on behalf of Vonage through domain names such as 'superhugeterm.com,' 'formmycompanysite.com,' 'ursunrchcntr.com,' and 'urgrtquirks.com' violated section 17519.5(a)(2), a provision of California's spam statute which prohibits the use of "falsified, misrepresented, or forged header information." Vonage removed to federal court (in the Central District of California). The Central District dismissed the lawsuit without leave to amend, finding that Kleffman's failure to allege anything misleading about the emails doomed the claims, and the claims were preempted anyway. Kleffman appealed to the Ninth Circuit, which certified the following question to the California Supreme Court:
Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under Cal. Bus. & Prof. Code § 17529.5(a)(2)?
Discussion: The court starts out the discussion by noting a fact that to me starts and ends the discussion:
There is . . . no dispute . . . that the domain names used to send Vonage's e-mail advertisements . . . actually exist and are technically accurate, literally correct, and fully traceable to Vonage's marketing agents.
There's another case that turned a similar issue - Mummagraphics, covered by Professor Goldman here: "Fourth Circuit Rejects Anti-Spam Lawsuit." In that case, "the . . . header information [for the emails] incorrectly indicated that the e-mails originated from the server 'FL-Broadcast.net,' and  the messages' 'from' address read firstname.lastname@example.org, although that e-mail address was apparently non-functional' but the court says that these mistakes are immaterial because the 'e-mails at issue were chock full of methods to 'identify, locate, or respond to' the sender or to "investigate [an] alleged violation' of the CAN-SPAM Act." The court held that these immaterial errors do not state a claim under CAN-SPAM, and to the extent state law allows claims under these facts, it would be preempted. It's hard to see if the claims in Mummagraphics failed, how Kleffman's claims would be viable.
Kleffman tried to argue that the term "misrepresented" in section 17529.5(a)(2) should be construed with reference to other unfair business practices-type statutes, namely, the notoriously amorphous section 17200. According the Kleffman, the spam statute should cover not only header information that is deceptive, but also header information that's "likely to deceive." The court finds that Kleffman's argument is untenable as a matter of statutory construction (the specific provision of the spam statute uses the term "misrepresented," and does not use the term "misleading"). Second, the header information prong, which uses the term "misrepresented," can be contrasted with the subject line prong, which actually uses the term "misleading," and which the court implies has a much broader reach. The court also notes that there's a specific section in California's spam statute which speaks to the use of multiple domain names (17529.4), but section 17529.5(a)(2) says nothing about the use of multiple domain names. Finally, the court notes that the construction urged by Kleffman presents a huge preemption problem (citing Virtumundo).
It's nice to see the California Supreme Court come out on the right side on this one. That said, it's painful to see that the dispute had to be litigated through three different courts to achieve a clear answer. This is one of those arguments that anti-spam plaintiffs often make that is out in left field. At least there's some case law to point to in answer to these arguments.
Where does this leave us? In California at least, subject line claims continue to be viable under the broad "likely to mislead" standard. Header information claims, on the other hand, will be much harder to bring. As long as you don't violate any other rules in registering the domain names or acquiring the recipient's email addresses, sending emails from multiple (albeit accurate) sources is not a violation of either federal or state spam laws.
[corrected to note that the decision came to the Ninth Circuit from the Central District of California and to make a few edits (reversed "misrepresented" and "misleading")]
June 20, 2010
No Wrath in this Quon--Ontario v. Quon
The Supreme Court passes on almost every issue before it in City of Ontario v. Quon.
By Ethan Ackerman (with comments from Eric below)
On Thursday, the U.S. Supreme Court released its opinion in City of Ontario v. Quon, a Fourth Amendment case over the privacy government employees, and those who communicate with them, have in their workplace communications.
I noted with some surprise in December 2009 when the Court granted certiorari, and wondered whether this was a good or bad thing for online privacy. The glass half-full or half-empty quandary remains after the court's narrow opinion. The result for officer Quon and his text message recipients is a loss, but only because the Court found the city's search sufficiently narrow to pass muster even assuming he was entitled to all the possible Fourth Amendment protections, even while the Court declined to conclude whether or not he did actually have those protections. Everyone else will have to await the further development of Fourth Amendment case law, as Justice Kennedy's opinion for the unanimous Court said that "Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communications devices."
There is more insightful commentary than this brief note at Scotusblog.
Eric's comments: after seeing the opinions, it remains baffling why the court granted cert in this case. The only obvious reason is that the Supreme Court felt like it had to fix the 9th Circuit’s mistakes, as it yet again reversed the 9th Circuit (like that wasn’t entirely predictable). Otherwise, the opinions are so limited to the facts of the case that they provide almost no value to anyone other than the litigants. That seems like a real lost opportunity for an appellate court with discretionary appeals. Even so, it's better than dealing with a Supreme Court screwup that could have easily occurred given the messy facts in this case.
I had a chance to moot the case earlier in Spring, so I read the litigants' SCOTUS briefs. By far the most compelling fact in that massive stack of paper was that Quon was a SWAT team member who was texting on the job using a government-issued device. The on-the-job conduct of SWAT team officers is especially likely to be subject to investigation/discovery requests if/when something goes wrong, so it makes total sense to narrowly circumscribe the privacy afforded to SWAT team members’ text messages. I would feel differently about the privacy rights of other government employees whose minute-by-minute choices don’t have the same instantaneous life-and-death consequences. I don't see how this case's outcome has any implications for private-sector employees or employers.
June 19, 2010
MySpace Photo and Internet Gang Roster Evidence Improperly Admitted -- People v. Beckley
[Post by Venkat]
People v. Beckley, Case No. B212529 (Cal. Ct. App. June 9, 2010)
Two defendants were convicted of a gang-related homicide in this case.
MySpace Photos: The girlfriend of one of the defendants offered an alibi that one of the defendants was babysitting her child at the time of the shooting. She also testified that the defendant ceased gang involvement (at her request) after the two became involved. In order to rebut the gang affiliation testimony, the prosecution offered a photograph of the girlfriend flashing a gang sign - the photograph was downloaded from the MySpace page of one of the defendants. The prosecution relied on the testimony of the detective who downloaded the photograph.
The court of appeals held that admission of the photograph was error (unfortunately for the defendants, the court held that this error was harmless). The court noted that there are two methods for authenticating a photograph: (1) testimony of a person who was present when the photograph was taken and (2) expert testimony that the photograph is not "a composite and had not been faked," along with foundational testimony. Here, neither method of authentication was used. The court urged particular caution when it came to digital photos and photos found on the internet:
Although defendants conceded that the face in the MySpace photograph was Fulmore's, neither method of authentication recognized in Bowley qualified the photo for admission as accurately depicting that Fulmore had assumed the pose shown in the photograph. [The detective] could not testify from his personal knowledge that the photograph truthfully portrayed Fulmore flashing the gang sign and . . . no expert testified that the picture was not a "'composite' or 'faked'" photograph. Such expert testimony is even more critical today to prevent the admission of manipulated images than it was when Doggett and Bowley were decided. Recent experience shows that digital photographs can be changed to produce false images. (See e.g. U. S. v. Newsome (3d Cir. 2006) 439 F.3d 181, 183 [digital photographs used to make fake identification cards].)
. . . .
Indeed, with the advent of computer software programs such as Adobe Photoshop "it does not always take skill, experience, or even cognizance to alter a digital photo." (Parry, Digital Manipulation and Photographic Evidence: Defrauding The Courts One Thousand Words At A Time (2009) 2009 J. L. Tech. & Pol'y 175, 183.) Even the Attorney General recognizes the untrustworthiness of images downloaded from the internet, quoting the court's warning in St. Clair v. Johnny's Oyster & Shrimp, Inc. (S.D. Tex 1999) 76 F. Supp.2d 773, 775 that "'[a]nyone can put anything on the Internet. No web-site is monitored for accuracy and nothing contained therein is under oath or even subject to independent verification absent underlying documentation. Moreover, the Court holds no illusions that hackers can adulterate the content of any web-site from any location at any time.'"
Online Gang Roster: The prosecution also sought to show that defendants belonged to a gang (the Southside Compton Crips) and as evidence offered a roster which appeared on a web page.
The court found that this evidence was also improperly admitted. The detective admitted that "he did not know who authored the roster." Although the detective claimed that "they themselves put [the list] together," he did not explain the basis for this assertion. The court noted that the issue with respect to authenticity was not "whether the computer's printer could be trusted to reliably print out what was . . . stored on some site but whether the content of what was on the site was reliable."
Unfortunately for defendants, the court held that admission of this evidence was also harmless error. This is not the first time a court has found that MySpace gang affiliation evidence was improperly admitted but that the admission was harmless.
Additional Coverage: "'Unauthenticated' Photo From Website Held Inadmissible" (Metropolitan News-Enterprise)
June 15, 2010
Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus
[Post by Venkat]
e360 Insight, LLC v. The Spamhaus Project, (N.D. Ill June 11, 2010)
e360 v. Spamhaus is one of these cases that's been around so long it feels like an old friend. A few years ago, e360 got some press for winning an eleven million dollar damage award against Spamhaus. In a less heralded development, following a bench trial on damages, last week a district judge modified e360's damage award down to only $27,000 on its tortious interference and defamation claims. I'm not sure what it is about spam that spawns wasteful litigation, but this is yet another example of a lengthy spam dispute which consumed a lot of resources but which ultimately ended with a whimper.
Background: e360 is (was) a company that provided marketing services (including email marketing) to its customers. Spamhaus is a company which maintains a list of alleged spammers and provides "blacklisting" services. In 2006 Spamhaus "listed e360 and [its principal] Linhardt as being involved in transmitting unsolicited email, colloquially referred to as 'spam.'"
e360 sued Spamhaus alleging claims for tortious interference and defamation. Spamhaus, which is located in the UK, initially appeared, but then "withdrew both its counsel and its answer." The court entered default in late 2006. e360 then moved for default judgment, relying on the declaration of its executive, David Linhardt. The declaration stated that Spamhaus's actions resulted in the cancellation of three contracts e360 had with customers, and the loss of the opportunity to work with prospective customers. e360 claimed a total in damages of $11,715,000, and the district judge awarded this amount.
Spamhaus then appealed, challenging jurisdiction, service, and pretty much everything else. The Seventh Circuit rejected most of Spamhaus's challenges, but found that "a more extensive inquiry" was required on the damages issue. So the case came back to Judge Kocoras for a determination of damages.
Damages: Despite litigating the case vigorously up to this point, when it came to damages, e360 seemed to muster a lot less energy. According to the court, e360 was "slow to provide information requested by Spamhaus . . . [and] missed several [d]eadlines." I'll spare readers a detailed discussion on damages, but the court's take can be summed up as follows:
The unreliability of [e360's] approaches is unmistakably demonstrated by the profound differences in claimed damages profferred at various points during these proceedings. Finally, it strains credulity that a company that made only a fraction of the profits [e360] asks for over the course of its five-year lifespan would have garnered profits in the amounts [e360] set out in [its] testimony or documentary evidence. The profit and loss statement [e360 provided] sets out the company's overall profits at $332,000. . . . .
At the time of default judgment, the damages claimed were $11,715,000. During discovery, Exhibit 5 was proffered reflecting damages of $135,173,577. At trial, proffered Exhibit 5(a) showed damages of $122,271,346. During final argument, the claimed amount was $30,000,000.
Note to plaintiffs: if your damages estimates vary by more than $100M from one iteration to the next, chances are you're not going to get any.
Everyone has their own calculus for when and how far to litigate a dispute, but a case that spanned almost four years and a Seventh Circuit appeal and which resulted in a final judgment of $27,002 doesn't sound like a particularly good outcome for the plaintiff. If you're wondering where the odd two dollars came from, the court awarded nominal damages on the tortious interference with prospective economic advantage and defamation claims. The court declined to award injunctive relief.
Spamhaus had a viable Section 230 argument here, but this argument got lost in the procedural quagmire. Section 230(c)(2) protects filtering judgments and insulates "action taken to enable or make available to information content providers or others the technical means to restrict access to material [that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable]." (See Professor Goldman's post discussing Pallorium v. Jared, a California state appeals court case where the court held that a publisher of list of IP addresses for open relays could not be held liable. See also Zango v. Kaspersky.)
The decision contains a detailed discussion of the volume of emails transmitted by e360, and which customers many emails were sent on behalf of. Ironically, through litigating this dispute, e360 caused to be memorialized in a court order, facts about its email practices (and the email marketing industry in general) that I'm guessing it would prefer not be in the public eye. Two facts jumped out at me from the order. First, e360 sent out 6.6 billion (!) emails through the course of its five year existence. Second, there were some familiar faces among the list of its customers: SmartBargains and Optinbig.
June 14, 2010
West Virginia Appeals Court Grants New Trial Based in Part on Undisclosed MySpace Friendship -- State v. Dellinger
[Post by Venkat]
State v. Dellinger, Case No. 35273 (Va.Ct. App. June 3, 2010)
Dellinger is a criminal case where the defendant was accused of channeling funds (which were intended for the purpose of hiring additional DUI-enforcement personnel) to pay for his own inflated hours spent on administrative duties. The defendant was employed as a deputy Sheriff. He moved for a new trial based on the conduct of a juror named Amber Hyre.
Prior to the trial, Ms. Hyre sent defendant a MySpace message:
Hey, I don't know you very well But I think you could use some advice . . . I can tell ya that God has a plan for you and your life. You might not understand why you are hurting right now but when you look back on it, it will make perfect sence. [sic] I know it is hard but just remember that God is perfect and has the most perfect plan for your life. Talk soon!
During trial, the same juror also posted a message on her MySpace page that she "just got home from Court and getting ready to get James and Head to church! Then back to court in the morning!" [She described her "mood" as "blah".]
The court set aside the verdict and granted a request for a new trial. Did the juror's MySpace postings form the basis of the court's decision?
The court focused on the fact that the juror was not candid about her friendship with the defendant or about her relationship with other witnesses. During voir dire, she never acknowledged a connection with either the defendant or with other witnesses, but it turned out that she used to live in the same apartment complex as the defendant. The juror was also related by marriage to one of the witnesses and her brother-in-law worked for another witness. Although the trial court found that these contacts were "minimal," and found her to to a "fair and impartial juror," the court of appeals disagreed.
The court of appeals focused on the juror's lack of candor and found that bias on the juror's part must be presumed because she failed to disclose connections to the defendant and two witnesses, despite her connections and despite the fact that other jurors disclosed their connections. Although she tried to justify the fact that she didn't disclose that she "knew" the defendant, because she didn't 'personally know him,' the court rejected her justification, pointing to the fact that she knew the defendant at least well enough to give him advice via MySpace. Although the appeals court found that the trial court erred in nor granting the request for a new trial, the court agreed with the trial court that the juror's posting about the trial was "benign in nature." Standing alone, this would not be sufficient for a finding of juror misconduct.
The case is a reminder that social networking contacts can undermine a verdict. That said, it's worth noting that a party's invocation of the Facebook/Twitter/MySpace mantra alone is not likely to be dispositive.
One interesting aspect of the case is the juror's own views on whether she "knew" the defendant. She testified at the juror misconduct hearing that although she knew him, she didn't really know him:
I knew in my heart that I didn't know him . . . I should have at least said that . . . he was on MySpace, which really [wasn't] important, I didn't think.
The trial judge's comments also noted the fact that the trial took place in a "rural area with a small population . . . ." There was ample evidence in the case that the juror was being less than candid, but it's possible that her conception of MySpace friendship may have differed from the standard definition of friendship, particularly given where she lived. Additionally, at least one court has recognized that Facebook friends may not be all that they are cracked up to be. (Quigley Corp. v. Karkus, 2009 U.S. Dist. Lexis 41296 (E.D. Pa. May 15, 2009) ("'friendships' on Facebook may be as fleeting as the flick of a delete button").) Maybe she was right that she didn't 'know' the defendant, at least based on the MySpace connection? Although a jury instruction instructed the jurors on the use of technology and social media, I'm guessing that the questioning at voir dire did not spell out social networking relationships.
Molly DiBianca: "W. Va.: New Trial for Defendant Who Was MySpace Friend of Juror"
Health Care Law Blog: "Reversal of Conviction Because Undisclosed MySpace Friendship Between Defendant and Juror"
June 11, 2010
Craigslist Loses 230 Defense to Promissory Estoppel Claim--Scott P. v. Craigslist
By Eric Goldman
In a situation not dissimilar to the venerable Zeran case, starting in March 2009, Scott P. was criminally victimized by a campaign of fake Craigslist posts, including ones falsely soliciting gay sex and offering to give away his possessions. Three times after such posts, he contacted Craigslist to request that they stop postings that contain his name, number or address, and each time Craigslist's CSRs allegedly replied that Craigslist "would take care of it." In the second exchange, Craigslist allegedly also said it would take steps to stop the fake posts. In the third exchange, Craigslist allegedly also said that it had already taken steps to stop the fake posts. I doubt the CSRs made any promise that fake posts would never occur again, but that's apparently what Scott heard (or wanted to hear).
All three Craigslist responses came just before the Ninth Circuit's ruling in Barnes v. Yahoo, which indicated that 47 USC 230 did not eliminate websites' liability for promissory estoppel if a website promises to fix user-supplied content. Post-Barnes, Craigslist probably no longer tells folks that it will "take care of it" or promise any remediation of any sort. Instead, I assume Craigslist is more equivocal in response to complaints about user activity, i.e., "We might or might not help you, but don't rely on anything we say." I'm not sure equivocal responses from sites like Craigslist are what society really wants, but that's the logical protocol following Barnes.
Unhappy that Craigslist didn't uphold the promises he thought it made, Scott sued Craigslist for promissory estoppel and CA B&P 17200 for unacceptably weak user verification procedures. Last week, the court partially granted and partially dismissed Craigslist's 230-based demurrer:
Defendant Craigslist, Inc's Demurrer to 1st Amended Complaint. Argued and the Court adopted its tentative ruling as follows: sustained without leave to amend as to cause of action 2 both because the claim is barred by Section 230 and because plaintiff lacks standing. Overruled as to cause of action 1 because plaintiff has sufficiently pleaded an agreement supported by promissory estoppel. 10 days to answer. Further, defendant Craigslist, Inc's oral request for a stay of discovery is granted for 2 weeks to permit defendant to seek a writ and give time to the court of appeal should it choose to accept that writ and extend a stay, should it choose to do so. Ms. McDougall to submit a proposed form of order.
So Craigslist successfully eliminated the 17200 claim per 230, but Scott's promissory estoppel claim survived the demurrer due to Barnes. I haven't yet seen too many 230 Barnes-style bypasses, but this is a fine example that the plaintiffs are paying close attention to any 230 workarounds. I'm skeptical that Scott can ultimately succeed with his promissory estoppel claim, though. What more could he have done that he chose not to do based on Craigslist's alleged promises? Meanwhile, my understanding is that Craigslist will seek an expedited writ from the appellate court, so this case could break more legal ground soon.
Overall, this case illustrates why 230 makes so much sense. The underlying problem involves a workplace harassment campaign that took place both online and off. Craigslist was just one of several tools used by the harasser(s) as part of the campaign. For example, the harasser(s) allegedly obtained a fake Hotmail account in the plaintiff's name, so why not sue Hotmail? The plaintiff didn't, even though the Hotmail account was an integral part of the scheme. Meanwhile, the people misusing the tools remain accountable for their choices. Most conspicuously, one harasser has already been criminally busted for his behavior in this matter. In light of the criminal bust, I don't understand why the plaintiffs think Craigslist should be part of the liability chain, and presumptively 230 reinforces its illogic by preventing the plaintiff from complaining about third party conduct. The Barnes promissory estoppel workaround will work for plaintiffs only so long as service providers actually respond to inquiries from victims like Scott. If this lawsuit shows any success, you can kiss those responses goodbye.
June 10, 2010
Google Can't Shake Cybersquatting Claim--Vulcan Golf v. Google
By Eric Goldman
Vulcan Golf, LLC v. Google Inc., 1:07-cv-03371 (N.D. Ill. June 9, 2010). My 2007 blog post when the complaint was filed. My 2008 blog post on the denial of a motion to dismiss. My 2008 blog post on denial of class certification.
A year ago I blogged about Solid Host v. NameCheap, a case that raised the specter of a "contributory cybersquatting" claim under the ACPA. This case also deals with a type of contributory cybersquatting. It might represent the vanguard of increased trademark owner efforts to proliferate ACPA cybersquatting claims against a wider range of defendants.
This long-running case involves Google's AdSense for Domains program, which the plaintiffs believe violates their trademark rights when the parked domains contain their trademarks or variations thereof. The case appears to be entering the home stretch. In late 2008, the plaintiffs were denied class certification, which substantially narrowed the scope of the lawsuit. All other defendants have now settled, leaving only Google's liability for resolution. This ruling addresses Google's unsuccessful attempt to knock out the ACPA claim on summary judgment. As a result, the ACPA claim is queued up for trial unless the parties settle.
Google's ACPA liability turns on whether it is an "authorized licensee" of the parked domains. If so, the ACPA is clear that a licensee of a cybersquat domain name can be on the hook. The court holds that if there is a license agreement that calls itself a license, then the ACPA applies to the agreement. However, the court will not infer a licensing agreement from some less explicit arrangement, i.e., presumably not from a parking arrangement where the ad provider (Google) does not expressly license the domain name. Therefore, it appears that where Google licensed the domain name from the parker (a seemingly unnecessary step for delivering ads to parked domains), Google put itself into the ACPA liability chain.
With the legal standard established, normally this should be an easy case to resolve on summary judgment. However, apparently Google and the plaintiffs can't agree on the accurate copy of the applicable agreements with domain parkers (specifically Dotster). If the parties can work out the confusion over documents, the ACPA claim is ripe for a settlement.
June 09, 2010
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
[Post by Venkat]
Barnes v. CUS Nashville, LLC, (M.D. Tenn) (June 3, 2010)
I mentioned Barnes v. CUS Nashville in my post about Crispin v. Audigier, a case where a court found that production of private Facebook messages and postings pursuant to a civil subpoena would be barred by the Stored Communications Act. In Barnes, the court also dealt with a civil subpoena to Facebook, and summarily denied a motion to compel, finding similarly that the Facebook information sought by the defendant was covered under the Stored Communications Act. The parties in Barnes engaged in further wrangling (wrangling is an understatement) over the Facebook information of plaintiff and other witnesses, and the magistrate judge came up with an interesting way to resolve the underlying discovery issues.
Barnes is a slip and fall case where plaintiff alleged claims based on injuries arising out of her fall one evening at the "Coyote Ugly" saloon in Nashville:
On or about September 19, 2008, Plaintiff was a business invitee of the Saloon and in that capacity was encouraged by employees of the Saloon to climb onto the Saloon's bar to dance. At the time of said encouragement, the Saloon's bar was wet and extremely slick. As a result of the Saloon's employee's encouragement, Plaintiff did attempt to climb onto the bar to be photographed with her friends. In so doing, Plaintiff slipped on the wet and slick bar and fell backwards a considerable distance, striking the back of her head on the ground.Defendant subpoenaed Facebook for plaintiff's Facebook information, including photos of plaintiff and her friends dancing on the bar. The court quashed the subpoena to Facebook, and in response, defendant issued a subpoena to plaintiff's friends, who are witnesses in the case. The defendant sought photos posted by plaintiff and her friends that depicted the events on the night in question. The court finds that the subpoenas issued to these witnesses cannot be enforced by the district court in Nashville, and if defendant wants to move to compel, it must do so in Colorado and Kentucky, the districts where the subpoenas were issued out of.
The magistrate judge chastises both parties for their failure to cooperate in the discovery process, and specifically calls out the defendant for its "mishandling of the Facebook subpoena." The judge then offers to create a Facebook account "for the sole purpose of reviewing photographs and related comments in camera . . . and disseminat[ing] any relevant information to the parties." Assuming the non-party witnesses (who will be located/contacted via email (!)) will accept the judge's Facebook friend requests, the magistrate judge agrees to review their Facebook information, provide any relevant information or photographs to the parties, and then close the Facebook account. (It doesn't seem like the court will store copies of the non-relevant portions of the Facebook pages, even under seal.)
I have to give credit to the court for coming up with this novel approach for resolving this issue. And they say judges are not technically savvy. It's nice to see a member of the judiciary who doesn't share the over-the-top view of Facebook friending that's held by the bar regulators in Florida. (That said, there may be a slew of issues lurking in the background here.)
June 08, 2010
Google Street View Litigation Mania--Seven Class Action Lawsuits and Counting
By Eric Goldman
It appears that virtually the entire plaintiff’s bar saw Google's blog post that it captured wi-fi payload data as part of its data collection for Google Street View. At least 7 class action lawsuits have been filed:
* Berlage v. Google (N.D. Cal. filed May 20)
* Carter v. Google (E.D. Pa. filed June 2)
* Colman v. Google (D.C. D.C. filed May 26)
* Galaxy Internet v. Google (D. Mass. filed May 25). I'm not sure about standing in this case because Galaxy Internet is an Internet access provider complaining that Google snooped on its customers' traffic.
* Keyes v. Google (D.C. D.C. filed May 28)
* Redstone v. Google (S.D. Ill. filed May 28, 2010)
* Van Valin v. Google (D. Ore. filed May 17). This is the first lawsuit filed, and it has already reached a ruling requiring Google to fork over the collected data.
Undoubtedly, all of these lawsuits (and any more still coming) will be consolidated into a single action. Let the jockeying for lead counsel position begin!
Looking at the group of complaints as a whole, I'm impressed with all of this previously undisclosed expertise with the ECPA, a notoriously tricky statute that I rank as one of the most indecipherable statutes of all time. With all of these newly identified ECPA experts, perhaps this will contribute to the birth of a new ECPA plaintiffs' bar?
It's remarkable that these lawyers were able to conclude to their satisfaction that their named plaintiffs in fact had their payload data captured in the process--presumably by confirming that payload data was actually being transmitted at the precise time the cars drove by. I'm not sure how I would research this issue sufficient to satisfy my Rule 11 obligation, but these attorneys surely didn't just assume Google captured their clients' payload data...did they?
Finally, it will be interesting to see how these cases will be affected by the countervailing legal trends requiring privacy breach victims to show some actual harm from the breach (see, e.g., Ruiz v. Gap). I'm not sure this showing will be required for the ECPA claims, but it could wreak havoc with the ancillary claims.
June 07, 2010
Another Trademark Owner Apparently Gives Up Lawsuit Against Google--Parts Geek v. US Auto Parts
By Eric Goldman
Parts Geek LLC v. U.S. Auto Parts Network, Inc., 5:10-cv-01713-JF (N.D. Cal. voluntary dismissal May 5, 2010)
In April, Google successfully transferred the Parts Geek keyword advertising lawsuit from New Jersey to its home court in Northern California. Then, in an abandonment reminiscent of Rescuecom's, Parts Geek quietly dropped the lawsuit last month against both US Auto Parts and Google. It's not clear if the venue transfer was fatal to the case, but it certainly didn't help Parts Geek's cause. There was an interesting competitive website scraping issue in the case as well; the dismissal means we won't learn more about the legality of that, either.
I have been waiting to blog on Google's successful dismissal of the Rosetta Stone case until I see the written opinion. That, plus this voluntary dismissal, means that Google has successfully whittled its docket of over a dozen trademark challenges to its AdWords program down to 6. Google has several nice intermediate wins with some of those other cases, including its venue transfer in the Flowbee case and its partial elimination of the Jurin case. After we see the Rosetta Stone written opinion, the remaining cases may be substantially undercut further.
The roster of pending AdWords cases (I most recently thoroughly double-checked the status of these cases on June 6, 2010):
* Ezzo v. Google
Rescuecom v. Google
* FPX v. Google
* John Beck Amazing Profits v. Google
and the companion Google v. John Beck Amazing Profits
Stratton Faxon v. Google
Soaring Helmet v. Bill Me
Ascentive v. Google
Jurin v. Google 1.0 (voluntarily dismissed), succeeded by Jurin v. Google 2.0
Rosetta Stone v. Google
* Flowbee v. Google
Parts Geek v. US Auto Parts
* Dazzlesmile v. Epic
June 06, 2010
Google Sued for Click Fraud for the First Time in Years--123 Lock and Key v. Google
By Eric Goldman
123 Lock and Key LLC v. Google, Inc. (Wash. Superior Ct. complaint filed May 21, 2010)
After Google and Yahoo settled their click fraud lawsuits in 2006, click fraud litigation has been fairly rare. There is a major battle brewing against Facebook (In re Facebook PPC Advertising Litigation) and only a smattering of other cases, such as the lawsuit against CitySearch (Menagerie v. CitySearch). Given the number of advertisers it has and the volume of business it does, it's remarkable that Google has gone so long--4 years--without a new click fraud lawsuit.
This new lawsuit isn't likely to be causing Google to be shaking in its boots. First, the lawsuit was filed in a Washington state court, so I anticipate Google will remove it to federal court and then transfer the case to the Northern District of California per its user agreement. Google has had great success invoking the mandatory venue clause in its AdWords contract recently. I'm not sure if the plaintiff actually expects to keep the case in Washington state courts, but that seems highly unrealistic.
Second, the alleged facts in the complaint didn't exactly cause me to reach for the hankies. As 123 Lock tells the story, it happily advertised on Google from October 2009 to March 2010, getting 15 clicks a day and having an 80% conversion rate (clicks/phone calls). Note: phone calls is an odd measure of conversion, and I wonder how the calls were tracked to the clicks (i.e., was there a unique phone number only clicking consumers saw?). Then, in March 2010, 123 Lock says it started getting 100-150 clicks/day, sometimes in a flurry, and none of these clicks converted to phone calls. 123 Lock then says it presented "this irrefutable evidence, in far more detail, with far more facts, and with substantiating evidence, to Google," who heartlessly rejected the evidence. I'd love to see the "irrefutable" evidence in its glorious detail, because there are so many explanations other than click fraud that could apply.
Third, even if 123 Lock was truly a click fraud victim and Google still charged it for those bogus clicks, it's hard to imagine any damages large enough to justify the lawsuit given the volume of clicks we're talking about. Google's AdWords contract poses a formidable threat to most theories that could result in any real money.
Finally, this could be another opportunity for Google to turn the table on a plaintiff and countersue it for various claims--such as Google's move of suing advertisers for breach of the mandatory venue clause by initially suing it in the wrong jurisdiction (see, e.g., the Flowbee counterclaim). It would not surprise me if 123 Lock ends up writing a check to Google when the litigation dust clears.
ClickZ presents a more sympathetic view of the lawsuit in its story entitled "Suit Against Google Highlights Surge in Click Fraud".
June 05, 2010
Contributory Copyright Infringement Claim May Need Direct Infringer as a Defendant to Succeed--Miller v. Facebook
By Eric Goldman
Miller v. Facebook, Inc., 2010 WL 2198204 (N.D. Cal. May 28, 2010)
This is my third time blogging about this case (Jan. 2010 post; April 2010 post). The facts as alleged by the plaintiff have always been a bit sketchy, but here's my understanding of plaintiff's beef. Plaintiff is a game developer who developed a game called Boomshine. He alleges Yeo created an infringing version of Boomshine. Yeo then distributed the allegedly infringing version via Facebook, but Facebook's misconduct has been a little muddled. Miller's latest attempt to explain Facebook's wrongful behavior is that (1) "the ChainRxn game was allegedly presented by Facebook's website to its users through the use of an inline frame (or an 'iFrame') so that the content appeared to be originating from Facebook's website" and (2) Facebook "'took the 'affirmative step' to approve the ChainRxn game for publication in the Facebook Application Directory." These allegations take the lawsuit squarely into territory governed by the Ninth Circuit's Perfect 10 v. Amazon ruling.
Miller sued both Yeo and Facebook. In January 2010, Facebook successfully invoked its user agreement to transfer the lawsuit from Georgia to its home court in California. Then, in April 2010, Facebook got the complaint dismissed with leave to amend. This ruling deals with Miller's request to file a second amended complaint, which the court mostly grants, although the court instructs Miller to provide some more factual clarity.
Miller's latest complaint removes Miller's direct and vicarious copyright claim against Facebook, proceeding only with a contributory claim, which still requires a showing of Yeo's direct infringement. The court says that Miller has properly alleged that except with respect to the public display right.
Miller also properly alleged the contributory claim:
First, there is no question that Facebook provides Internet services to the public as a social networking website. Second, the proposed complaint clearly alleges that Facebook had actual knowledge that specific infringing material was available using its system. Plaintiff sent Facebook a letter on May 7, 2009, demanding that Facebook remove ChainRxn from its website because it violated plaintiff's copyright in Boomshine. Third, plaintiff makes clear that Facebook could have taken one or two simple measures to prevent further harm to his intellectual property rights after this notice was provided-namely, by either disabling defendant Yeo's Facebook account or by removing ChainRxn from the Facebook Application Directory. Fourth, the proposed complaint alleges that despite this actual knowledge by Facebook and the availability of two simple measures to prevent further harm, Facebook continued to allow its users to search for and access the allegedly infringing work for some period of time thereafter. Fifth, given the immense popularity of the Facebook website, it is a reasonable inference that the continued listing of ChainRxn in the Facebook Application Directory and the access provided to ChainRxn through the Facebook website had the effect of significantly magnifying what might otherwise have been immaterial infringing activities had the ChainRxn game not been part of the Facebook social network.
The most interesting discussion relates to Miller's apparent inability to serve Yeo. Normally, a contributory copyright infringement claim can be successfully brought without naming a direct infringer as a defendant (see, e.g., most of the lawsuits against P2P file-sharing services). However, the court says that Yeo may be "essential" to Miller's successful claim against Facebook because, to establish direct infringement, Miller will need to prove:
Mr. Yeo unlawfully “reproduced” the protected elements of Boomshine's source code to create the accused ChainRxn video game. Without Mr. Yeo in the case to provide testimony and the ChainRxn source code, however, it is unclear how plaintiff would be able to prove such unlawful copying. Without such proof that ChainRxn is an unlawful “reproduction” of Boomshine, plaintiff's remaining claims all crumble.
I'm a little confused by this. The court apparently treats the case as a source code ripoff, but Yeo's game could infringe Boomshine's display/look-and-feel, and Yeo's testimony isn't critical to a look-and-feel comparison. Furthermore, in theory, Yeo could supply the necessary testimony without being a defendant. But it's clear the court expects Miller to find Yeo and try to bring him to justice. The court concludes with this ominous warning: "if plaintiff Yeo is not brought into this action BY JULY 30, 2010, evidenced by proof of service of the summons and complaint, the case will likely be dismissed." I'm sure Facebook wouldn't mind seeing the case end on such a technicality.
June 04, 2010
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
[Post by Venkat with a few comments from Eric at the bottom]
Ruiz v. Gap, Inc. (9th Cir. May 28, 2010)
In a decision that does not bode well for plaintiffs bringing privacy-based claims against Facebook in California, the Ninth Circuit recently affirmed the trial court's rejection of data breach claims against Gap.
Facts: The case arose out of the theft of two laptop computers from a Gap vendor who processed job applications for gap. The stolen laptops contained personal information of applicants who applied for a job at Gap. Ruiz, one of those applicants, brought claims on behalf of a putative class under theories of negligence, breach of contract, unfair competition (17200), the California constitution, and California Civil Code section 1798.85 (which addresses when a social security number could be required to access a website).
The district court rejected Ruiz's claims largely on the basis that he failed to articulated any cognizable injury. Increased risk of future harm was not sufficient to state a negligence claim under California law, and risk of future harm and credit monitoring were not recognizable damages for a breach of contract claim. In any event, Gap had offered credit-monitoring services, which Ruiz failed to avail himself of. (See Tom O'Toole's coverage of the case here.)
The Ninth Circuit's Ruling: The Ninth Circuit agreed with Judge Conti.
Negligence: With respect to the negligence claim, the court held that nominal damages cannot vindicate a "technical right" in the absence of "actual loss." While in the toxic exposure context, the court recognized that damages for monitoring may be available, the court declines to decide whether that rule should be extended to this context, given the total evidence of any time or money spent on credit monitoring. (And the fact that Ruiz failed to take up Gap's offer of credit monitoring, or demonstrate why it was insufficient.)
17200 (UCL) Claim: The court ruled that recovery under California's unfair competition statute is limited to individuals who suffer "actual losses of money or property." Ruiz could not make a colorable argument that he was entitled to any restitution from Gap, so this claim was a loser.
California Constitution: There were two problems with Ruiz's claim under the California constitution. First, cases have found that the breach must be egregious, and have yet to extend a cause of action under this theory to negligent or accidental conduct. Second, the court says Ruiz only alleges a "risk of privacy invasion, rather than an actual privacy invasion." In the court's eyes, the actual invasion only occurs when someone actually misuses the data which they obtained from Gap's vendor.
Section 1798.85: Ruiz also brought a claim under California Civil Code 1798.85. The court ruled that, by its terms, this section only required a person or entity conditioning access to a website on the use of an individual's social security number to also require the use of a password, a unique personal identification number, or an authentication device. Here, the social security number was not used to access the website of Gap's vendor, so the section did not apply.
This is not a surprising result. The overwhelming majority of courts have rebuffed data breach claims brought by affected persons (particularly those that have been offered monitoring) on the basis that those individuals have not suffered any appreciable injury. While a few cases have taken a different legal route by holding that these plaintiffs lack Article III standing, the end result is always the same: No actual injury = no recovery (and risk of future identity theft does not equal cognizable injury).
Eric's comments: In the past few months, I've noticed a disturbing trend. Whenever Google or Facebook make a privacy gaffe, the plaintiffs' lawyers go into full-tilt litigation mode. There have been too many complaints filed to blog them all, although I've been posting many of the complaints to my Scribd account. Unfortunately, Google and Facebook have made their lives harder by making too many unnecessary mistakes, but many of these mistakes are obviously inconsequential in the grand scheme of things. But the most disturbing thing is that so many plaintiffs' lawyers seem completely uninterested in pleading how their clients suffered any consequence (negative or otherwise) from the gaffe at all. Their approach appears to be that the service provider broke a privacy promise, res ipsa loquitur, now write us a check containing a lot of zeros.
Although this case was designated non-published and therefore isn't binding on the 9th Circuit, this case nevertheless illustrates that most of these plaintiffs' lawyers are wasting their time and significant social resources with their poorly developed cases. Instead, if they truly believe the privacy gaffe is worth suing over, they should do the advance legwork to find at least one plaintiff representative who actually suffered some harm. If they can't even do that, society would be better off if the lawyers redirected their energies elsewhere.
June 03, 2010
April-May 2010 Quick Links Part 1 (IP Edition)
By Eric Goldman
[Note: I just got back from the Netherlands, where I had extremely limited Internet connectivity, so sorry for my absence in the last week (although you were in good hands with Venkat). I will be posting more material from my Netherlands trip to my personal blog and Twitter. You might want to follow me at those places too. I have a long list of "quick links" to share with you as I get the opportunity. The first installment:]
* NYT: Current TV defeats a claim that in-line linking is copyright infringement.
* Google won a copyright challenge against Image Search in Germany, apparently on implied license grounds.
* Smoking Gun reports that ESPN sportscaster Erin Andrews has acquired the copyrights to the peephole videos made of her, which should make it a little easier for her to go after online republishers.
* UMG v. Veoh has been appealed to the Ninth Circuit. Although Veoh declared bankruptcy, its law firm, Winston & Strawn, is still fighting it. Ben Sheffner has posted the amicus briefs on behalf of UMG.
* Arista Records LLC v. Doe 3 (2d Cir. April 29, 2010). P2P file sharer can't claim anonymity to resist copyright owner's subpoena. This ruling also signals that the Second Circuit will take a dim view of fair use claims in P2P file sharing cases and might import the Napster standards for secondary infringement claims.
* Lyrics website hit with preliminary injunction, but not the shutdown requested by the plaintiffs. The court rejects a 17 USC 512 defense because the defendant did not file the required agent designation with the copyright office.
* International Swaps and Derivatives Ass'n, Inc. v. Socratek, L.L.C., 2010 WL 1780999
(S.D.N.Y. 2010). Socratek aggregates agreements from EDGAR and resells them on its website. The plaintiff is upset that Socratek aggregated and resold the plaintiff’s allegedly copyrighted order form for ordering derivatives. The plaintiff sells blank forms, but Socratek grabbed completed versions that had become material agreements for SEC filing purposes. The court denies Socratek’s dismissal motion but also denies a preliminary injunction.
* Zusha Ellison of the Recorder catches up on three copyright First Sale cases pending before the Ninth Circuit. This is a good time to remind you about our November 5 conference on the First Sale doctrine.
* Cosmetic Ideas v IAC InteractiveCorp (9th Cir. May 25, 2010): "receipt by the Copyright Office of a complete application satisfies the registration requirement of § 411(a)."
* Google has won the Rosetta Stone case, but we’re waiting to see the written opinion to figure out why (and how good the win is).
* Au-Tomotive Gold v. VW (9th Cir. May 6, 2010). Post-sale trademark confusion trumps the First Sale doctrine. We'll also be discussing trademark exhaustion at the November 5 conference!
* Boston Marathon sues CafePress and Zazzle for trademark infringement.
* Dan Burk, Cybermarks, Minnesota Law Review. The abstract:
The commercial development of the Internet has been punctuated with legal disputes over the use of trademarks as domain names, as metatags, as search terms, and as advertising keywords. As in previous disputes in copyright over the legal status of software, these Internet trademark disputes arise from the overlap of communicative and functional symbols in information technology. Such “cybermarks” are not merely indicators of product source, but function both as symbolic indicia for human recognition and as strings of computer code in the operation of automated search and indexing mechanisms. Application of trademark law’s functionality doctrine, perhaps with some modest amendment, could begin to resolve disputes over the use of cybermarks.
* Nature’s Footprint, Inc. v. Providnet Co Trust, 2010 WL 1903183 (W.D. Wash. May 11, 2010): “The Court is convinced that plaintiff sought to use its superior position vis-a-vis the trademark to, cause harm to a competitor. Given this Court’s strongly-held belief that a significant part of this litigation was motivated by plaintiff’s desire to quash competition, no fees will be awarded under the Lanham Act’s ‘exceptional case’ authority.”
June 02, 2010
Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier
[Post by Venkat]
Crispin v. Audigier, Case No. CV 09-09509 MMM (JEMx) (May 26, 2010)
With the proliferation of the use of social network profile evidence, it was only a matter of time before a court dealt with the issue of whether you can subpoena someone's Facebook page in a civil lawsuit. A judge in the Central District of California looks at the issue in Crispin v. Audigier [scribd].
Facts: Crispin sued Audigier, alleging that Crispin granted Audigier an oral license to use some of Crispin's works of art in connection with the manufacture of garments by Audigier. Crispin alleged that Audigier (1) failed to include Crispin's logo on the garments; (2) wrongly attributed Crispin's work to another artist; and (3) wrongly sublicensed Crispin's copyrighted material without permission. Crispin brought a variety of claims, including copyright infringement claims. Audigier subpoenaed third party businesses, including Media Temple, Facebook, and MySpace, seeking communications between Crispin and a tattoo artist (those communications which referenced or related to Audigier). [If I were the judge, I would have said this was awfully close to fishing expedition territory.]
14 days after Audigier served the subpoenas, Crispin moved to quash the subpoenas. [Facebook, MySpace, and Media Temple did not appear or file pleadings.] The magistrate judge found that the Stored Communications Act did not apply, and in any event only precluded voluntary disclosure (and did not apply to compelled disclosure pursuant to a civil subpoena). Finally, the magistrate judge found that the SCA only prohibited disclosure of communications held "in storage," which wasn't the type of information covered by the subpoena.
The Court's Ruling: The court largely reverses Magistrate Judge McDermott's ruling in an order that contains a lengthy discussion on the applicability of the Stored Communications Act to Facebook and MySpace profiles, wall posts, and messages. I can't tell if this case breaks any new ground (or whether the case gets it right), but given the growing importance of social networking evidence, I thought it was worth mentioning. (This post by David Johnson provides a good, basic overview of the issues at play: "Employer Access of Employee Digital Communications and Federal Wiretap Laws: It's Easier to Be Found Immune if the Communications Reside on Your Servers.")
A summary of the court's order:
1. The Stored Communications Act (passed in 1986) is woefully out of date, and was "enacted before the advent of the [web] and before introduction of the web browser . . . " In those days, "few could afford to spend hours casually exploring . . . [the internet] . . . ."
2. A third party whose information is sought by this type of a subpoena has "standing to move to quash a subpoena seeking personal information protected by the SCA."
3. 18 U.S.C. sec. 2703(e) does not permit disclosure pursuant to a civil subpoena.
4. Do not, under any circumstances, cite to Wikipedia as a source for a key factual issue (the court drops a footnote citing to Badasa v. Mukasey ("Respondent is admonished from using Wikipedia as an authority in this District again. Wikipedia is not a reliable source at this level of discourse.")). [emphasis added]
5. Facebook, Media Temple, and MySpace provide "private messaging or email services . . . such services can constitute ['electronic communications services'] . . . ." Case law looking to the treatment of private BBS services is helpful. Public BBS services are not entitled to protection under the SCA.
7. The privacy settings of services such as Facebook affect the outcome:
[since] Facebook permits wall messages to 'be viewed by anyone with access to the users profile page'. . . there is no basis for distinguishing between a restricted-access BBS and a user's Facebook wall or Myspace comments. There similarly is no basis for distinguishing between Media Temple's webmail and Facebook's and MySpace's private messaging, on the one hand, and traditional web-based email on the other. As a consequence, the court concludes that each of Media Temple, Facebook, and MySpace is an ECS provider.
8. That Facebook, MySpace and Media Temple are ECS providers doesn't end the analysis. "The court must also determine whether the information sought by the subpoenas . . . constitute 'electronic storage' within the meaning of the statute."
9. Citing to the City of Detroit text messaging decision (Flagg v. City of Detroit) the court notes that "an ECS provider [becomes] an RCS [remote computing service] provider after a communication has been read and stored." It seems factually unclear (but legally relevant) as to whether the services provide storage or backup/archival services.
10. Unlike the "messages," the "Facebook wall and MySpace comments present a distinct and more difficult question":
in the context of a social-networking site such as Facebook or MySpace, there is no temporary, intermediate step for wall postings or comments. Unlike an email, there is no step whereby a Facebook wall posting must be opened, at which point it is deemed delivered. Thus a Facebook wall posting or a MySpace comment is not protectable as a form of temporary, intermediate storage.The court concludes that "the postings, once made, are stored for backup purposes . . . Facebook and MySpace are ECS providers as respects wall postings and comments. . . ."
11. In the alternative, the court holds that Facebook and MySpace are RCS providers with respect to the wall postings and comments.
End Result: the court quashes the portions of the Facebook and MySpace subpoenas that sought "private messaging," and remands for further development of the record on the wall postings and comments.
It's a pretty dense order that is worth reading, if nothing, to get a sense of the complexity of the issues that arise in this context, and the lay of the land as far as case law.
From a practical standpoint, obtaining Facebook messages and private profile information in a civil lawsuit seems fairly tricky (although judging from media reports, people must do it all the time). Assuming you can't get access to some or all of this information through a subpoena, one option is to get the party (whose records are sought) to sign a consent or waiver. This has the downside of giving the party seeking the information access to all of the witness's information, including irrelevant, privileged, or other information that should remain private. As best as I know, Facebook doesn't perform e-discovery services on the side - you can't provide Facebook a set of search parameters and get Facebook to produce information that falls under those parameters. (Here's a good post on the topic, with references and suggestions: [pdf] "Obtaining Records From Facebook, LinkedIn, Google and Other Social Networking Websites and Internet Service Providers.")
Another interesting aspect of the dispute is that Facebook didn't appear or file any pleadings. I assume Facebook has a blanket policy objecting to these types of subpoenas, but maybe timing was an issue here? In contrast, Facebook recently successfully quashed a subpoena issued to it in another civil case (Barnes v. CUS Nashville, LLC, No. 3:09-0764 (M.D. Tenn.) (May 27, 2010)). There, the magistrate judge concluded that "the SCA prohibit[ed] the disclosure of [the sought after] information in response to a subpoena" [citing Flagg v. City of Detroit].