Technology & Marketing Law Blog: April 2011 Archives

Technology & Marketing Law Blog

« March 2011 | Main | May 2011 »

April 30, 2011

Cease & Desist Letter to iTunes Isn't Covered by 17 USC 512(f)--Red Rock v. UMG

By Eric Goldman

Rock River Communications, Inc. v. Universal Music Group, Inc., 2011 WL 1598916 (C.D.Cal. April 27, 2011)

We continue to get more cases telling us what 17 USC 512(f), the cause of action for bogus copyright takedown notices, DOESN'T cover. 512(f) wins are rarer.

In this case, the plaintiff remixed some Bob Marley songs with the permission of a purported licensee of Bob Marley songs. The defendants claim ownership or exclusive rights to most of Bob Marley's catalog and didn't consent to the remixes. They sent C&D letters to various parties republishing the remixes, claiming that the remixes were infringing. Naturally, those folks dropped the remixes after getting the C&Ds. This lawsuit is the remixer's attempt to punish the defendants for driving their remixes out of the marketplace.

As one of several claims, the remixer sued for 17 USC 512(f) based on the defendants' C&D letter sent to Apple for selling the remixes through iTunes. The court rejected the claim because iTunes is a retailer that exercises its own editorial discretion, not (in this situation) a web host storing material at the direction of users. Because iTunes wasn't performing the functions contemplated by 512(c), the C&D letter isn't the functional equivalent of a 512(c)(3) takedown notice and thus isn't governed by 512(f). In a footnote, the court explains:

where the manner of the alleged infringement is not of any of the types addressed in 17 U.S.C. § 512(c), (d), or (e), notice of claimed infringement given is not a section 512(c)(3) notification and therefore not subject to section 512(f)

Thus, in footnotes, the court rejects as irrelevant the plaintiff's contention that Apple qualifies a 512(k) "service provider" and the defendants' contention that Apple couldn't qualify for 512(c) because it had a financial interest in the sales.

The court doesn't address the issue of whether a C&D letter can qualify as a 512(c)(3) takedown notice, although I think the answer is clearly yes (see Brave New Films v. Weiner and Dudnikov v. MGA).

As I mentioned in my last post on 512(f), "512(f) is a limited remedy that addresses one--and only one--type of problem." This case bolsters that assessment.

Posted by Eric at 09:53 AM | Copyright | TrackBack

April 29, 2011

Department of Commerce Releases Worthless Report on Trademark Bullying

By Eric Goldman

Trademark Litigation Tactics and Federal Government Services to Protect Trademarks and Prevent Counterfeiting, April 2011.

[For background, see my earlier blog post on trademark bullies. The term "bully" appears only 4 times in the report; as FN51 explains, the statute didn't use the term and so the report doesn't either. I don't like the term "bully" because of all the baggage associated with cyber-bullying, but I suspect the decision not to use "bully" in the report reflects the report's heavy slant towards trademark owners instead of a retreat from the term's semantic ambiguity.]

We have Sen. Leahy to thank for ordering this report last year studying how trademark owners were overenforcing their rights against weak targets. Of course, Sen. Leahy parochially raised this issue only after one of his local constituents was targeted; but however he got there, at least he realized the importance of the issue. Unfortunately, maybe we should say "thanks for nothing," because the report he got back from the Department of Commerce got totally coopted by the trademark owner constituency and thereby was rendered worthless. Useless. A complete whiff.

The report takes two key ill-fated turns. First, the report says that the Department of Commerce got a lot of comments, but "few explicitly addressed whether and to what extent trademark abuse is a significant problem." It later denigrates those comments as "anecdotal." In other words: Problem? We don't see any problems here!

Yet, the report doesn't indicate that the Department of Commerce tried to scientifically research the problem, like conducting a survey to overcome the "anecdotal" defect. Instead, the report describes its efforts opaquely (page 7 of the PDF): it
* "reviewed data and research materials regarding trademark litigation tactics" (huh? Citations, please)
* read the submitted comments
* reached out to "a large industry organization" (INTA? Chamber of Commerce? Whoever it was, it was surely a trademark owner lobby)
* talked with its "Trademark Public Advisory Committee" (It's conspicuous that I don't recognize a single member of that committee, but a quick search suggests most of them are former PTO insiders or TM owner advocates--or both)
* held a roundtable in Detroit (a one-hour session bundled into a conference teaching businesses how to be IP plaintiffs), and
* reviewed an ABA IP section survey of 270 section members (basically, a survey of trademark owners or their counsel), who not surprisingly said everything was A-OK.

Given this apathetic and stacked research effort, it's hardly surprising the Department of Commerce found any problems worth getting excited about.

Second, the report says "a trademark is a property right that an owner has a duty to police." WHOA! Many folks would dispute the characterization of trademarks as "property"; and many folks (including me) insist that the "duty to police" is massively overstated. Later, the report says, "In view of the mark owner’s obligation to police violations, aggressive enforcement of one’s trademark rights does not automatically equate to abuse or bullying." In effect, the report says that it doesn't see any problem at all; but if there is a problem, it's just the natural consequence of that pesky duty to police....oh well, c'est la vie.

Given its apathetic nature, the report doesn't make the logical jump that any intellectually curious person would instantly make: if the "duty to police" might be driving trademark owners to be (over)zealous in their enforcement efforts, maybe we should fix the duty to police. After all, this "duty" isn't in the statute at all; it's barely in the caselaw; and it could be easily remedied with a statutory clarification that might very well be welcomed by both trademark owners and secondary trademark users because it might eliminate ambiguity plaguing both communities. C'mon, guys--that conclusion isn't exactly rocket science.

From my perspective, the "duty to police" is like the proverbial monster under a child's bed. It's not actually there, but boy, it sure seems scary. My academic writing queue is too thick right now to tackle this issue immediately, but I don't recall seeing a good comprehensive academic article grokking the duty to police (if I'm forgetting something, please let me know). That would be an excellent paper topic. I would be happy to work with someone on this project so that we can demonstrate just how massively the "duty to police" is overstated--typically as a business development tool for trademark litigators trying to afford their kids' private school tuition. Naturally, the Department of Commerce report undertook no such research effort into the trademark policing duty itself.

Consistent with the (lack of) effort invested in the report, the report's actual recommendations are also uninspired and lackadaisical. The recommendations include:

1. Engage the private sector about providing free or low-cost legal advice to small businesses via pro bono programs and intellectual property rights clinics;

2. Engage the private sector about offering continuing legal education programs focused on trademark policing measures and tactics;

3. Enhance Federal agency educational outreach programs by identifying resources that enable small businesses to further their understanding of trademark rights, enforcement measures, and available resources for protecting and enforcing trademarks.

Basically, since there's not really a problem, let the private sector fix anything that needs fixing. Gee, that's helpful. As I said, a WORTHLESS report.

If the report authors had even a modicum of inspiration, there are so many recommendations the report could have fruitfully explored, such as:

* as I indicated, a statutory codification/fix to the "duty" to police
* a way of capturing data so this issue could be more precisely studied in the future, such as funding for a real survey or, better yet, requiring C&D letters to be filed in a public repository so they could be studied more scientifically than the ChillingEffects database permits (given the voluntary nature of C&D tenders to the database). Leah Chan Grinvald's paper, "Shaming Trademark Bullies," gets into this idea more. Not surprisingly, her article wasn't cited in the report, but it's worth a read anyway.
* the "threats action" idea I mentioned in my prior blog post on the topic. The report expressly acknowledges that a trivial number of trademark disputes get to court, yet it fails to follow up on the possibility that the disputes "resolved" outside of court are actually the problem.
* a small claims IP court where low-stakes disputes could be adjudicated more cheaply than full-scale litigation.
* more aggressive fee-shifts to the defendant in abusive situations. Right now, the statutory standard for a fee-shift award is "exceptional," and many courts treat it as such. The report elsewhere makes the absolutely farcical statement that "in Federal court proceedings, Rule 11 of the Federal Rules of Civil Procedure provides an effective mechanism to combat overreaching." Another thing the report could have studied is how often courts actually award fee-shifts to the defense or assess Rule 11 sanctions against trademark plaintiffs to see if those tools effectively curb bad trademark owner behavior. That would be another good paper topic.

I could go on with more solutions, but then I would be doing the work that the report drafters should have done.

In response to this useless document, Sen. Leahy ought to haul the report drafters before him, chew them out, and ask them to redo the report properly. Instead, he'll probably thank the authors for their attention to this important matter and stick the report in his desk drawer to be ignored forevermore. Your tax dollars at work!

UPDATE: David Pardue's blog post is almost as harsh as mine!

Posted by Eric at 09:58 AM | Trademark | TrackBack

April 28, 2011

Copyright Takedown Notice Isn't Actionable Unless There's an Actual Takedown--Amaretto v. Ozimals

By Eric Goldman

Amaretto Ranch Breedables, LLC v. Ozimals, Inc., 2011 WL 1753479 (N.D. Cal. April 22, 2011). My initial blog post on this case.

The virtual horses and bunnies are back. This is the lawsuit between two vendors of virtual animals in Second Life. The bunnies believe the horses infringe their copyrights and sent 512(c)(3) takedown notices to Second Life to squash the horses. The horses then initiated this lawsuit to avoid a takedown. When we last visited this tale, the horses got an injunction against the bunnies sending Second Life further 512(c)(3) copyright takedown notices.

In the latest ruling, the court dismissed the horses' 17 USC 512(f) claim for sending bogus copyright takedown notices. The court says that the statute requires that the service provider actually act upon the takedown notices before a 512(f) cause of action exists. Here, Second Life never actually pulled the plug on the horses, so the statutory requirement wasn't met. The horses protested, rightly IMO, that it would make more sense to impose liability for sending bogus 512(f) takedown notices, irrespective of whether the service provider honors them. This argument doesn't sway the court:

limiting suits for damages to those caused by an actual takedown is a less effective deterrent than allowing suits based merely on the filing of a false Takedown Notification. But the statute is unambiguous in entitling an alleged infringer to damages caused “as the result of the service provider . . . removing or disabling access to the material"

I wouldn't say this opinion is a green light for copyright owners to send bogus takedown notices, but it does reinforce that 512(f) is a limited remedy that addresses one--and only one--type of problem.

Also interesting: the court doesn't dismiss a copyright misuse cause of action, although it says damages aren't available for it.

Posted by Eric at 03:39 PM | Copyright | TrackBack

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

[Post by Venkat Balasubramani]

Cyberlaw P.C. v. Thelaw.net, No 2009 CA 003615 (D.C. Sup. Ct. March 16, 2011) (complaint) (verdict form)

Lawyers receive a fair amount of spam from service providers and companies who offer CLEs and other services. Most lawyers simply hit the delete button, but not Eric Menhart. Menhart sued Thelaw.net alleging violations of the District of Columbia spam statute. Menhart is not just any lawyer. He is the one who tried to assert trademark rights over the term CyberLaw(TM). (See "Who Owns "CyberLaw"(TM)? Eric Menhart, a DC IP Attorney, Thinks He Does." After much (well deserved) public ridicule, including on this blog, he finally backed off: "Eric Menhart Backs Off CyberLaw Trademark Claim".))

Menhart alleged that he received 49 pieces of spam, and that the emails: (1) "contain[ed] false or misleading information in the subject line" and (2) had incorrect routing or transmission information.

The subject line claims: The subject line claims were a serious stretch to begin with. They included phrases such as "what you're missing with Westlaw," "Search Nationally in 2009!," and "make the transition." Most of them screamed "advertisement" and none of them suggested that they were from an acquaintance or contained a free offer. You can access a full list of the email subject lines on the verdict form here.

The routing information claim: Menhart did not detail his routing or transmission information claims, but the complaint cites to a listserv post which says that Thelaw.net "are constantly changing their email addresses" so their emails cannot be blocked.

___

Thelaw.net had solid preemption arguments with respect to both of these claims. CAN-SPAM cases have interpreted CAN-SPAM to only cover "material" errors or misstatements and to preempt any state causes of action which impose liability based on immaterial errors or misstatements. The claims in this case are precisely the type of claims based on non-material discrepancies or minor misstatements that CAN-SPAM preempts. The flagship cases for these principles are Omega World Travel v. Mummagraphics and Gordon v. Virtumundo; more recent examples of cases which have rejected precisely these types of claims are: Kleffman v. Vonage (use of multiple random domain names to bypass spam filter does not violate California's spam statute) and Martin v. CCH (claims for failure to label email using "AD:," and disclose alleged tracking preempted by CAN-SPAM).

It is unclear from the online record whether Thelaw.net argued preemption. Lawyers for Thelaw.net issued a press release following their victory, but expressing concern that the judge "ruled that whether an email subject line is false or misleading is a question of fact not law, which would mean future lawsuits under the DC statute, no matter how frivolous, could not be dismissed before trial." So maybe no one brought up the preemption issue?

The court should have dismissed this case and never have let it get this far. Menhart, who runs a law firm called CyberLaw(TM), should have known better. The CyberLaw trademark debacle may prompt lawyers to question Menhart's legal assessments from the standpoint of trademark law. It looks like the jury questioned his assessments (that the subject lines were misleading) as well.

Other coverage: "Jury Dismisses Spam Lawsuit Against Legal Research Company" (Wendy Davis)

Posted by Venkat at 12:14 PM | Spam

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

[Post by Venkat Balasubramani]

Melaleuca v Hansen, 10-cv-00553 (D. Idaho; Apr. 15, 2011)

This is a case where Melaleuca - a large multi-level marketing company - asserted spam claims against Daryl Hansen. That's probably a charitable way of putting it. Melaleuca looks like it had motives other than its injuries from allegedly receiving spam, and went after Melaleuca with legally unsustainable claims under CAN-SPAM.

Hansen, proceeding pro se, defeated Melaleuca's claims against him the first time around. The court concluded that Melaleuca was not a bona fide ISP and did not adequately allege damages (i.e., that it had suffered "adverse effects") as a result of the alleged spam. Melaleuca also argued in the first lawsuit that, even though it was not an ISP, it had obtained an assignment of claims from the ISP who received and processed the spam. The court was skeptical of this assignment, since it was procured after Melaleuca filed its complaint. (Here's the earlier blog post on the case and the court's rulings: "Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen." My instinct was the the district court's dismissal should have been with prejudice, but it turned out to not matter.)

Undaunted, Melaleuca filed a second lawsuit against Hansen. Hansen (again proceeding pro se) moved to dismiss, this time on the basis that the second suit was barred by preclusion principles. The court agrees with Hansen and dismisses the case. Melaleuca argued that the first decision was not a final decision on the merits, but the court rejects this argument. Both parties had the opportunity to brief the standing issue and the court issued a definitive order the first time around that was appealable (indeed, as the court notes, it was on appeal at the time of the second lawsuit). Melaleuca also argued that the deficiencies in its complaint were "curable," and it should be allowed to proceed. The court finds that while Melaleuca could have cleaned up the assignment (and obtained the assignment of claims prior to filing the complaint) it "alleges the same damages/types of harms as were raised in Melaleuca I that the court deemed insufficient to meet . . . CAN-SPAM . . . standing requirements." Regardless of whether Melaleuca should have been able to "cure" this deficiency, the court says Melaleuca did not bother to adequately allege injury the second time around!

The court was way too lenient with Melaleuca here. Maleleuca deserved a smackdown. I'm surprised the court did not consider sanctions, or at least a strong statement that sent a message to Melaleuca. Courts should do their best to strongly discourage this type of litigation. (CAN-SPAM has a fee-shifting provision (see "CAN-SPAM Defendant Awarded $111k in Fees/Costs"), but I'm not sure if Hansen can take advantage of it as a pro se defendant.)

Related: Professor Goldman previously posted on another dispute involving Melaleuca, this one involving an expedited DMCA subpoena which also touched on the copyrightability of a take-down letter: "Co-Blogger Identity Isn't Disclosed via 512(h), but Takedown Letters Are Copyrightable."

Posted by Venkat at 10:51 PM | Spam

April 26, 2011

Acknowledging Receipt of an Email Doesn't Form a Contract--Stebbins v. Wal-Mart

By Eric Goldman

Stebbins v. Wal-Mart Stores Arkansas, LLC, 2011 WL 1519390 (W.D. Ark. April 14, 2011). Lawsuits like these tend to be associated with repeat users of the judicial process; see the Justia Arkansas page for other lawsuits possibly from this plaintiff.

From the complaint allegations: Stebbins has Asperger's. He applied for a job at Wal-Mart and took a computerized assessment, which he says disproportionately hinders applicants with Asperger's. Despite having "failed" the assessment, he believes there were jobs at Wal-Mart that he could perform, such as janitor or night shelf-stocker. The case doesn't say it explicitly, but I infer Wal-Mart nevertheless dinged his job application.

Stebbins emailed Wal-Mart customer care with the following:

Notice to companies

My name is David Anthony Stebbins, and I live in Harrison, AR. I am sending a link to this webpage to various companies to put you on notice. If you contact me in any way, shape, or form, you hereby acknowledge that you have read, understand, and agree to be legally bound by the terms below.

...

You hereby agree that you, as well as any principal or employer that you are acting on behalf of, will initially attempt to settle all legal disputes, even those not relating to this contract by semi-binding arbitration using the services of www.net-arb.com, where you are bound but I am not.

(You can see the full contract at Stebbins' MySpace page, although recognize that visiting the page might create an extra degree of legal risk. This web page would make an excellent exam Q. Among other contract formation techniques, the terms say "This [contract] will also take effect if I attempt to contact you, and, upon hearing my name, you do not cease communications with me on the spot." Among the contract's terms: "You hereby agree to never: * Interrupt me when I am speaking, for all eternity. * Hang up on me in any phone call, for all eternity. * Block my attempts to communicate with you, for any reason, for all eternity. * Ask me a question that I have previously answered, for all eternity. * Demonstrate any rudeness, annoyance, or disrespect, however petty, against me, for all eternity." The "for all eternity" duration raises some interesting questions about post-mortem breach and enforcement. I also liked this line: "If you even so much as attempt to litigate a case with me, even if that attempt is unsuccessful, you automatically loose that case.")

OK, back to the lawsuit. Wal-Mart's customer care sent an apparently canned reply to Stebbins' email suggesting he contact a different department. Stebbins followed up with this email:

On November 8, 2010, I sent you a formal contract offer, via email. The email stated that, if you initiate communications with me, or if I initiate communications with you, and you entertain said attempt to communicate, you are bound by that contract.

You accepted that offer on November 11, 2010, when I purchased a gallon of milk from you, using a paper check. This check had my name and street address on it, so you knew who I was. Also, your employees asked me to see my ID, and I showed them my driver's license, so you had every opportunity to know who I was, then....

So, now, we must hold all legal disputes via arbitration, whether you like it or not!

Consistent with another provision of his purported contract on MySpace, Stebbins now asserts "since Wal–Mart did not accept the arbitration invitation within twenty-four hours of receiving it, he automatically wins regardless of the merits of the case and is entitled to an award of six-hundred billion dollars."

(Not that it really matters, but Wal-Mart's market capitalization today is $186B. Perhaps Stebbins would have found more litigation success if he had kept his damage request south of 100% of Wal-Mart's market cap. 3X its value was probably too much to ask for.)

Needless to say, Stebbins' attempted contract formation failed. In an unwaveringly straight-laced opinion, the court says:

Plaintiff maintains Wal–Mart accepted the contract by its “act” of replying to his e-mail....The e-mails from Plaintiff are self-serving documents that did not form the basis for any conduct or performance on Wal–Mart's part....In this case, Wal–Mart performed no act. It merely replied to two e-mails by directing the Plaintiff to the correct department. It performed no service and Plaintiff made no promise.

This result reminded me of the tactic used by Suzanne Shell, initially covered in a John Ottaviani blog post. She placed a notice on her website that popped up whenever anyone (including a robot) visited it, purporting to bind visitors simply by visiting her site. A court ultimately rejected this contract formation process. Contract-like terms buried in email footers are similarly ineffective (see also this post).

I like this ruling because it's a good reminder for everyone (especially contracts students prepping for their imminent finals) that courts tend to reject overly formalistic/tendentious approaches to contract formation. A contract does not exist simply because you can see things that you claim are an offer or acceptance. Ultimately, there needs to be a manifestation of assent to bind a party to a contract. A canned reply from a CSR should not manifest such assent, even if it was purportedly bargained for.

Having said that, I wonder if companies would benefit from training their CSRs not to reply to any email that purports to create some obligation simply by replying to the inquiry. I know that a non-response can be a harsh remedy, but companies have already learned the importance of not being too responsive from the Barnes v. Yahoo case. Here, Wal-Mart might have been better off simply deleting an email that contained the threat of contract formation simply by replying. (Of course, Stebbins probably would have still asserted contract formation from his purchase of a gallon of milk, paid by check). As counter-intuitive as it may seem for people in the business of providing customer service, this may be a situation where silence was golden.

Posted by Eric at 02:51 PM | Licensing/Contracts | TrackBack

Videos from the 47 USC 230 Conference Now Online

By Eric Goldman

Without any pretense of modesty, I think we have put on a number of first-rate High Tech Law Institute events over the years. However, unquestionably, the post-event buzz from our recent conference on 47 USC 230 has been as enthusiastic as any I can recall. Now, you can enjoy the event (or relive it, for those of you who were there) by watching the event's videos, now online. I hope you'll check it out.

Other resources related to the conference:

* Event recaps from me, Techdirt/Mike Masnick (1, 2, 3), BNA/Joyce Cutler, paidContent/Joe Mullin and Blog Law Blog/Eric Johnson
* Written remarks from Sen. Wyden and Ken Zeran
* Conference-related papers and other resources

Posted by Eric at 08:50 AM | Derivative Liability | TrackBack

April 25, 2011

Google Wins Lawsuit Over Unhappy Google Search Appliance Installation--Market America v. Google

By Eric Goldman

Market America, Inc. v. Google, Inc., 2011 WL 1485616 (D. Del. April 19, 2011)

I blogged about this case last year. Market America retained Google and its system integrator LTech to install a Google Search Appliance to support Market America's network. This installation did not go as planned, and eventually it led to this lawsuit. In the prior ruling from August, Google and LTech knocked out a big chunk of the case.

This ruling addresses some remaining consumer protection law claims. It turns out that the claims aren't tenable under the contract's governing law of Delaware, while Market America believed the claims were extra-contractual and should be governed by North Carolina law (Market America's home state). The court concludes that the contract's governing law clause applies to these additional claims, so it grants Google and LTech judgment on the pleadings.

Google's success in this lawsuit is a good outcome legally, but its failure to achieve a successful install for Market America is a less happy result.

Posted by Eric at 08:17 PM | Licensing/Contracts , Marketing | TrackBack

April 23, 2011

Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO

By Eric Goldman

Righthaven, LLC v. Jama, 2011 WL 1541613 (D. Nev. April 22, 2011). See my comprehensive blog post on Righthaven from October.

[Note: A month ago, the judge orally dismissed the defendant in this case. Yesterday, the judge issued its written opinion articulating that ruling.]

The defendants run a website on immigration issues. They posted to their website 100% of a 33 paragraph Las Vegas Review-Journal story on Las Vegas police targeting minorities. The post attributed the story to the Las Vegas Review-Journal. Righthaven then acquired the copyright to the story and, following its standard tactics, sued the defendants for copyright infringement without sending a takedown notice. The defendants asserted a fair use defense, and the court granted it on summary judgment. Its four factor analysis:

* the defendants' use was transformative because Righthaven is a litigation-driven business, the republication was to educate the defendants' audience, and it had no substitutive effects. The use was also non-commercial because the defendant organization is a non-profit with an educational focus. The fact that its website solicited donations was immaterial.

* the article was an "informational work" which put it closer to fact than fiction.

* even though the defendants took 100% of the work, doing so was reasonable because the article wasn't easily distilled or edited.

* because the use was transformational and non-commercial, the burden was on the plaintiff to show market harm. It failed (1) because Righthaven didn't allege there was a market for the article itself, and (2) "because Righthaven cannot claim the LVRJ’s market as its own and is not operating as a traditional newspaper, Righthaven has failed to show that there has been any harm to the value of the copyright."

Normally, we'd have to wait to evaluate the impact of this ruling until we see how it fares on appeal. However, I believe Righthaven will not be around long enough to see the appellate decision. I have consistently said that Righthaven's business model isn't sustainable, and the combination of their avoidable litigation errors (e.g., their 24 hour lawsuit against Eriq Gardner) plus their heavy staff turnover will hasten their demise. At this point, I assume it will only take one or two 17 USC 505 fee-shifts to the defendant to make Righthaven's economic model irreparably untenable. At this rate, I think 505 fee-shifts are inevitable for Righthaven.

Unless and until this ruling is reversed on appeal, its reasoning will accelerate Righthaven's losses in court. After Righthaven's loss in the Realty One case, which said the republication of an article excerpt was fair use, Righthaven said it was focusing on bringing cases only involving 100% republications. Now that this opinion indicates that even 100% republications can be fair use (an argument I proponed in my debate with Steve Gibson last September in the BC Edge call), all of Righthaven's lawsuits over 100% article republications by non-profit defendants (and perhaps others) are at risk.

Righthaven could still find more litigation success suing over 100% republications of photos instead of articles. However, Righthaven has gone out of its way to annoy the judge hearing ALL of those cases. As a result, I think those cases are in serious jeopardy too. With its losses in the Realty One and CIO cases and the possibility of losing the photo cases, I think at this point Righthaven has nowhere to go...except into the dust....

There has been some chatter that before Righthaven flames out financially, it will create a body of caselaw that is ultimately disadvantageous to newspapers and content owners generally. Indeed, with Righthaven's help, we are beginning to build out a body of blog-related copyright law, and I expect both the Realty One and CIO opinions to be frequent citations in future online copyright cases. We may ultimately owe a debt of gratitude to Righthaven and its newspaper participants--and the defendants who are bearing the cost and risk of standing up to Righthaven--for this public good.

Steve Green's writeup of this opinion.

Disclosure note: One of my ongoing clients was sued by Righthaven and settled its case.

Posted by Eric at 06:48 AM | Copyright | TrackBack

April 20, 2011

Blogger Gets 47 USC 230 Dismissal for Third Party Comment--Kruska v. Perverted Justice

By Eric Goldman

Kruska v. Perverted Justice Foundation Inc., 2011 WL 1260224 (D. Ariz. April 5, 2011)

This is my third time blogging this case. The latest ruling involves a blog, run by Brocious, for people fighting pedophiles. Someone (presumably a third party user) allegedly posted a comment to the blog saying that Kruska had "starved a child." In 2008, I blogged how GoDaddy--in its role as a web host--exited the lawsuit per 47 USC 230. Last Fall, I blogged how Kruska's allegation that Brocious "actively contributed" to the website defeated Brocious' 230 immunity on a motion to dismiss.

Five months later, this case came back to the judge as a summary judgment motion based on 47 USC 230, which the judge granted. Like the Smith v. TRUSTe case, this is a situation where the judge might have been too cautious on the 12(b)(6) motion, causing the case to go longer and cost more money only to reach the inevitable result. Bummer.

The court dismisses the defamation claim for both failure of the prima facie case and on 230 grounds. With respect to the latter, the court's application of the law to this case:

Defendant argues that he is immune from suit under s 230 because "Plaintiff plainly cannot show that Defendant was involved in any of the activities that might otherwise give rise to liability for defamation." Plaintiff asserts that Defendant is not immune because "[s ] 230 does not immunize the actual creator of the content, whether he is a blogger, commenter, or anything else." The Court finds that Defendant is immune from suit under s 230 because at most, Plaintiff sets forth the possibility that Defendant, as the alleged publisher of the Blog, "viewed an[d] approved [the comment] before [it was] published." Such alleged passive participation would be akin to the alleged conduct in Batzel, where the Ninth Circuit held that s 230 immunity applied to a website administrator who selected, edited, and published the contents of an allegedly defamatory comment. Even if Plaintiff's assertion that Defendant took active steps to publish the alleged comment on the Blog was true, such steps are not the type of material contribution to the alleged misconduct that the Ninth Circuit found in Fair Housing Council. [cites omitted]

Good result; but it would have been better if it came on the motion to dismiss. Note that this is yet another case where Roommates.com is cited in favor of the defense; and once again, affirmative publication of content is covered by 47 USC 230. Also, this is another rejection of the plaintiffs' general attack that a site's operator is so hands-on with the site's operations that he/she becomes responsible for all of the content.
____________

BONUS 47 USC 230 COVERAGE (Another hidden track blog post):

Supplementmarket.com, Inc. v. Google, Inc., 2010 WL 6309991, 17 Pa. D. & C. 5th 321 (Penn. Ct. Common Pleas July 26, 2010)

Occasionally Westlaw spits out a case months or years after it was decided with no apparent explanation for the lengthy delay. Sometimes I get email tips about these cases; other times, the cases just fall through the cracks. This is one of those cases.

This case involves an allegedly defamatory posting to the Usenet newsgroup alt.sport.bodybuilding. I don't get to talk about Usenet very often; see Novins v. Cannon for one similar case. The plaintiff sued because Google failed to remove the post from Google Groups after getting a C&D. This is an incredibly easy 47 USC 230 case, and the court dismisses the suit in a brief opinion. For an analogous Google case, see Black v. Google.

Posted by Eric at 02:35 PM | Content Regulation , Derivative Liability | TrackBack

A Look at the Commercial Privacy Bill of Rights Act of 2011

[Post by Venkat Balasubramani]

The Commercial Privacy Bill of Rights Act of 2011

Senators McCain and Kerry recently introduced the Commercial Privacy Bill of Rights Act of 2011. It will probably go through various iterations before being enacted, and its prospects are far from certain, but I thought would summarize what jumped out at me when I first read it.

Who does it apply to? It applies to anyone who "collects, uses, transfers or stores" information concerning more than 5,000 individuals in a 12 month period and who is subject to the authority of the Federal Trade Commission (or is a common carrier or a non-profit). However, it does not apply to government agencies. (See "Privacy 'bill of rights' exempts government agencies.")

Who gets to enforce it? The FTC and state attorneys general. The Bill does expressly state that it "may not be construed to provide any private right of action." A separate provisions says that other than as authorized under the Bill, no one can use the provisions of the Bill as a basis for state law claims. There are provisions which touch on customer rights, but end users cannot bring an action to enforce the provisions of the Bill.

What is the effect on state laws? The Bill would preempt state laws to the extent those laws relate to the collection, use, or disclosure of covered information, personally identifiable information, or personal identification information. The short title contains a nod to avoiding a "patchwork of inconsistent standards and protections." The Bill's preemption clause carves out (1) state laws addressing "health or financial information," (2) state data breach notification laws, and (3) state laws which relate to "fraud." If enacted, it looks like the states are going to have to take a back seat to this Bill and are going to have a tough time enacting online privacy statutes.

What information is covered? The Bill defines "Personally identifiable information," as (1) the first and last name of an individual; (2) postal (residential) address; (3) email address; (4) telephone number or mobile number; (5) social security number; (6) credit card number; (7) "unique identifier information that alone can be used to identify a specific individual"; or (8) "biometric data," including fingerprints and retina scans. [emphasis added]

The definition of PII also covers any of the following if stored or used along with (1) through (8) above: (1) date of birth; (2) birth certificate number; (3) place of birth; (4) unique identifier information "that alone cannot be used to identify a specific individual;" (5) "precise geographic location," excluding general geographic information that can be derived from an IP address; (6) information about an individual's use of "voice services, regardless of technology used;" and (7) a catch-all.

The Bill also contains a third category of information which it calls "sensitive" PII, which includes medical/health information and the "religious affiliation" of an individual.

The Bill excludes PII that is obtained from public records and "that is not merged with covered information." Information that is voluntarily shared (without restriction) and that is widely and publicly available is also excluded.

What is "unauthorized use"? Unauthorized use is broadly defined as use of "covered information . . . for any purpose not authorized by the individual." The definition contains a list of exceptions to deal with things like transaction processing, fraud prevention, and compliance with subpoenas. One of the exceptions deals with online advertising, and provides that use for marketing or advertising (from a covered entity in the context of the entity's own website, services, or products) is not unauthorized if the information is (1) used by the entity which collects the information or (2) used by a third party "at the affirmative request of the individual" or where the affected individual has "an established business relationship" with the individual. There's also a catch-all provision which states that the exclusions apply only where the use is "reasonable and consistent with the practices described in the notice" pursuant to which the information was collected.

The Bill directs the FTC to enact rules which will require any covered entity to offer a "clear and conspicuous" opt-out for any unauthorized use of PII, and specifically to offer "robust, clear, and conspicuous mechanism" for use of information by third parties for "behavioral advertising or marketing," and "clear and conspicuous" opt-in consent for the treatment of sensitive PII and the use or transfer to a third party of previously collected PII (if there is a material change in the entity's practices and the use or transfer creates a "risk of economic or physical harm").

Does the Bill allow users to force entities to correct their information? The FTC is directed to implement rules which would also require covered entities to allow users can access their information and a mechanism to "correct such information to improve the accuracy of such information." Finally, the FTC rules would address transfers in the event of a bankruptcy. The Bill also addresses security standards.
__

This is a meaty piece of legislation that will easily fatigue anyone who tries to digest it in one sitting. Whether or not it accomplishes anything in terms of user privacy, it will certainly keep many lawyers gainfully employed.

One of the big questions is how any privacy legislation will affect the online advertising market. How does it affect the use of cookies, which allow sites or advertising networks to collect information which is used for targeting? The rules which the FTC is directed to enact would:

offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals' covered information for behavioral advertising or marketing.

The National Advertising Initiative (which many advertising networks are a part of) offers an opt-out, and one question is whether this (or a similar) opt-out would suffice. There was speculation about a "do-not-track" list but "do-not-track" did not make it into the bill. It was unclear to me as to whether if someone exercised their opt-out right, a site or company in question (the third party) would have to stop using the person's data, or whether the opt-out would be passed up the chain (i.e., to an ad network).

Interestingly, the Bill only covers "personally identifiable information" (and sensitive PII). "Unique identifier information" is defined as information that "alone can be used to identify a specific individual." The definition of "covered information" in turn references PII and "unique identifier information," and information that is collected with either of these. This means that at least some tracking will not even be covered by the opt-out rules. Retailers, for example, who use cookies to track your browsing look like they may be covered (and would be entitled to the business relationship exception anyway, to the extent they collect personally identifiable information along with information used for tracking purposes), but sites that you don't register or provide your identifying information to are not necessarily using any "covered information" when they target advertising using cookies. (The practice of anonymization - stripping information of any personal attributes and then using it for targeting purposes - looks like it may be OK under the Bill as well.)

The Facebook exception is something that is worth flagging. Facebook reportedly sent an army of lawyers and lobbyists to the hill to fight for the "established business relationship" exception. The fight was successful, and the result is significant. The Bill defines established business relationship as any time an end user has "established an account" with an entity for the receipt of products or services "offered by the covered entity." The definition is somewhat clunky, but the consequence of this is that Facebook (or Twitter, Google, etc.) would not be considered a "third party" with respect to a website, if the user in question has an account with Facebook. So CNN.com (for example) and Facebook can freely use PII to target advertising, and Facebook would not be considered a third party. If I'm reading this right, this could be a huge boon for the likes of Facebook and Twitter, and a killer for ad networks. (The regulations which require covered entities to offer individuals an opt-out for behavioral advertising only apply to use by "third parties," and entities which have "established business relationships" are not considered third parties.)

I'm curious about how the Bill would affect off-line (paper) direct marketing. My read of the bill is that it could limit certain aspects of junk mail. (The preamble talks about on and off-line use of data, but the text of the bill doesn't seem to delve into details much with respect to off-line use.) The Bill treats a residential address as personally identifiable information, which is subject to various restrictions on use and transfer. The Bill treats advertising from a covered entity's "own . . . website" as authorized, but does not clearly state that direct mailing is authorized. (The language is somewhat clear on this point.) Certainly, the Bill could be read to reach the sharing of addresses from one retailer to another, or from one retailer to a clearinghouse? Will the Bill require an opt-out from catalog marketers? Did the direct mailer association miss the lobbying boat on this one?

The effect on data aggregators is another aspect of the Bill that's worth watching. Could the Bill be read to prevent retailers and other companies (such as cell phone companies) from transferring your information to companies that aggregate and sell your data, even for purposes such as a credit check?

Finally, since the Bill defines personally identifiable information to include email addresses, I wonder what effect this will have on email marketing, and the transfer of email addresses among various entities.

Other coverage:

ReadWriteWeb: "John McCain & The Wall St. Journal Should Not Determine the Future of the Internet"
Ad Age: "Proposed Privacy Law Serves Notice to Online Ad Companies" ("There is a section that protects Facebook and like enterprises under the "Established Business Relationships" section, which would allow the social network to continue to collect "likes" that appear on thousands of sites across the web.")
EFF: "Well-Meaning "Privacy Bill of Rights" Wouldn't Stop Online Tracking"
LA Times: "Facebook looks to cash in on user data"
cnet: "Privacy 'bill of rights' exempts government agencies"

Posted by Venkat at 09:03 AM | Privacy/Security

April 19, 2011

FTC Warns Debt Collector About Using Facebook to Contact Debtor

[Post by Venkat Balasubramani]

In the Matter of Gary D. Nitzkin, P.C. (FTC Letter; Mar. 10, 2011)

Debt collectors have gotten into trouble over the use of social media to contact debtors. (See "Judge Orders Creditor to Stay Off Debtor’s Social Networking Pages.") Facebook has also taken a stand against the use of its service by debt collectors. ("Facebook Warns Debt Collectors About Using Its Service.")

The FTC jumped into the fray as well, and recently issued a closing letter to a lawyer who used social media to contact a debtor. Although the FTC declined to take action in that particular case (because the lawyer only did this on one occasion and the debt in question was a commercial debt which does not fall under the Fair Debt Collections Practices Act), the FTC articulated its position that debt collectors may violate the Fair Debt Collections Practices Act and/or the FTC Act by doing any of the following:

(1) requesting to join debtors' social media networks (for example, by sending a "friend request" on Facebook), or making any subsequent communications, for the purpose of collecting a debt, without making the disclosures required by Section 807(11) of the FDCPA; (2) communicating with third parties other than in the limited circumstances permitted by Section 805(b) of the FDCPA; (3) communicating with third parties to obtain location information about debtors in a manner that violates Section 804 of the FDCPA; (4) utilizing social media in a manner that constitutes a publication of a list of debtors who allegedly refuse to pay debts, in violation of Section 806(3) of the FDCPA; and (5) communicating with debtors or third parties in a false, deceptive, or misleading way, in violation of Section 807 of the FDCPA.

I'm no FDCPA expert, but the FTC's interpretation seems fairly expansive. It looks like the FTC is drawing a protective wall around the social networking profiles of debtors. Effectively, the FTC's approach (for better or worse) will preclude a debt collector from joining a debtor's "social network" for information collection purposes. (Nothing in the FTC's letter restricts a debt collector from privately messaging a debtor, as long as the necessary disclosures are made along with the message. Whether or not a debt collector can privately message a debtor on Facebook without being their 'friend' depends on the debtor's privacy settings.)

Posted by Venkat at 02:23 PM | Content Regulation , Privacy/Security | TrackBack

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

By Eric Goldman

I've been so behind that it's taken me until now to blog these cases from last month. All three opinions involve the same basic fact pattern: a bulk emailer gets blocked by an email service provider (relying in part on third party filtering/blocking services) and sues to undo the block. These claims are largely preempted by 47 USC 230(c)(2), and the courts mostly get to the right place with the immunity (although not without small points of drama). The aggressive plaintiffs also assert claims not covered by 47 USC 230(c)(2), but these mostly don't go anywhere either. The lesson is pretty clear: if an email service provider blocks your email, the courts aren't going to help you out.

Holomaxx Technologies v. Microsoft Corp., 2011 WL 865278 (N.D. Cal. March 11, 2011), and
Holomaxx Technologies v. Yahoo, Inc., CV-10-4926-JF (N.D. Cal. March 11, 2011). Venkat's excellent prior blog post on the complaints. These rulings are substantially identical, so I'll discuss them together except where they diverge.

Holomaxx is a bulk email sender upset because Yahoo and Microsoft are blocking its emails based both on IP address blocks and reputation scores (including those provided by third parties). We've heard this refrain before in many cases over the years, and the law is pretty clear about this. Email service providers can't be obligated to carry emails they don't want to carry. There are a number of legal doctrines that help reach this conclusion, but the most salient one is 47 USC 230(c)(2), the immunity for filtering decisions.

In response to Holomaxx's lawsuit over the block, Microsoft and Yahoo interposed the 230(c)(2) defense on a 12(b)(6) motion to dismiss. Holomaxx objected that 230(c)(2) is an affirmative defense and not appropriate response for a 12(b)(6) dismissal motion. This is the issue that vexed the Ninth Circuit in the Barnes v. Yahoo case until they fixed the opinion. In this case, Judge Fogel properly concludes that 230(c)(2) can support a 12(b)(6) motion to dismiss. (He reached the same conclusion in Goddard v. Google).

Holomaxx then argued that 230(c)(2) does not prevent blocking of legitimate email because such a block doesn't fit within 230(c)(2)'s "otherwise objectionable" language. The judge says:

No court has articulated specific, objective criteria to be used in assessing whether a provider’s subjective determination of what is “objectionable” is protected by § 230(c)(2).

And Judge Fogel isn't going to be the first. Instead, he sidesteps the issue, holding that the service providers could deem the emails "harassing" because, even if Holomaxx had a 0.1% error rate, as it claimed in the Yahoo case, that still netted 2M bad emails/year. Therefore, the filtering decisions fit within the other statutory language in 230(c)(2). This is a cute intellectual move which potentially expands the scope of 230(c)(2) by reading "harassing" broadly.

Holomaxx also attacks the "good faith" requirement of 230(c)(2), but does so in a generalized way. The judge rejects the argument, saying (in the Yahoo case):

Holomaxx alleges no facts in support of its conclusory claim that Yahoo!’s filtering program is faulty, nor does it identify an objective industry standard that Yahoo! fails to meet. While it suggests that Yahoo! is “using cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email,” it offers no factual support for these allegations. Nor does Holomaxx cite any legal authority for its claim that Yahoo! has a duty to discuss in detail the particular reasons for blocking Holomaxx’s communications or to provide a remedy for such blocking. Indeed, imposing such a duty would be inconsistent with the intent of Congress to “remove disincentives for the development and utilization of blocking and filtering technologies.”

The Microsoft opinion's text is similar. Holomaxx gets another chance to marshal better allegations, but I'm guessing they won't be able to do so.

The court rejects the ECPA claim (which 230(c)(2) doesn’t immunize) because Holomaxx didn't explain clearly enough how the email service provider "intercepted," "used" or "disclosed" Holomaxx's email or how the ESP improperly accessed stored communications. The 17200 claim (which I think should be preempted by 230(c)(2), although that issue isn't discussed) also fails for lack of Holomaxx's specificity. A Microsoft-only defamation claim doesn't survive either:

Holomaxx alleges, on information and belief, that Microsoft "informed Dragon Networks in writing" that it had blocked all IP addresses originating from Dragon Networks because "certain of Holomaxx's .78 addresses had been rejected 'for policy reasons,' and were blocked manually 'or for spamming.'" Holomaxx does not explain how the alleged statement was defamatory or produce a copy of the alleged defamatory correspondence between Microsoft and Dragon Networks. Nor does it explain how the alleged communication amounts to "a statement of fact that is false."

As a result, the judge dismisses the lawsuit but with leave to amend.

Smith v. Trusted Universal Standards in Electronic Transactions, Inc. (d/b/a TRUSTe, Inc.), 2011 U.S. Dist. LEXIS 26757 (D. N.J. March 15, 2011).

Like Holomaxx, Smith sends a lot of email through Comcast. Comcast blocked his outgoing email twice. The first time, Comcast pointed to Microsoft's Frontbridge/Exchange Hosted Services (EHS) quarantine system. The second time, Comcast pointed to Cisco's IronPort/Senderbase blocklist. Smith sued all three entities (and others). Last year, the court rejected a 12(b)(6) motion to dismiss based on 47 USC 230(c)(2).

Ten months later, after presumably lots of wasted effort, the court converts Cisco's and Microsoft's 12(b)(6) motions into a summary judgment motion and grants the dismissal on 230(c)(2) grounds. I'm sure the defendants appreciate the dismissal, but I'm sure they would have been even more appreciative if the court had reached the result on the last go-around. The court still can't let the case go with respect to Comcast, however.

Cisco/SenderBase gets the 230(c)(2) defense as a blocklist provider. This may sound easy, but the statutory drafting makes the court’s analysis more arduous than it ought to be.

Cisco's senderbase.com website constitutes an ICS. This makes Cisco a "user" of an ICS because it uses its website to publish the blocklist. It is also a provider of an ICS because it runs the website. This is the issue that tripped up the court in the last ruling, and although it got to the right result, I don't think the court has fully wrapped its head around the statutory language. I read the court's discussion at least 6 times, and I couldn't make it make sense. Just know that a blocklist provider probably is both a provider and user of an ICS, so this element is met.

The blocklist easily satisfies the requirements of 230(c)(2)(B). As the court notes (citing Zango v. Kaspersky), whether material is "objectionable" is measured subjectively. Thus, the court dismisses Cisco, noting:

The Court notes that Plaintiff's breach of contract and defamation claims are dismissed because they specifically relate to Cisco's SenderBase service. Plaintiff defamation claim is based upon the fact that Cisco publishes IP scores. Plaintiff's breach of contract claim is based on the fact that Cisco refused to provide Plaintiff with the information that it used to calculate the reputation score for the IP address assigned to Plaintiff by Comcast.

Microsoft's EHS quarantine operates in the cloud by routing all email through its servers, which screen out emails based on its blocklist (as modified by customers' parameters). This should be even easier to qualify as a provider/user of an ICS. The court's discussion on this point doesn't make any sense either, but it reached the right result. As with Cisco, the court says the blocklist qualifies for 230(c)(2)(B) and the contract breach claim fails for the same reason.

Comcast doesn't get so lucky. The court once again finds that Comcast could have acted in "bad faith" which could disqualify it from 230(c)(2) coverage:

the Court finds that a reasonable jury could conclude that Comcast acted in bad faith when it failed to respond to Plaintiff's repeated requests for an explanation why it continually blocked Plaintiff's outgoing email...the Court is not convinced that an internet service provider acts in good faith when it simply ignores a subscriber's request for information concerning an allegedly improper email blockage...there is no reason why Comcast could not articulate its immunity (or provide another rationale for the blockage) when asked to do so by a paying customer.

Whoa. Hold on a sec. The court is saying that online providers have to provide explanations to their customers for their back-end choices. First, that's not in the statute. Second, Judge Fogel expressly rejected this argument in his Holomaxx rulings. Third, the court’s position is ridiculous. Being legally obligated to explain business decisions to affected customers would add an extra layer of expense/hassle to everyday business decisions, and the explanations will just become additional grist for the plaintiff's mill (see, e.g., Barnes v. Yahoo and the resulting incentives to tell customers less, not more). I'm 99%+ confident that an appellate court would reverse this judge on this point. I think he went off the rails. As a result, I don't plan to advise clients that they have to provide explanations for their blocking decisions, and I don't recommend you advise otherwise.

Although Comcast doesn't get the 230(c)(2) immunity, the court still ends up granting it summary judgment on all of the claims. There's some interesting discussion there too.

The court rejects Smith's ECPA claims and the substantively identical state claims. Cisco doesn't actually intercept emails, and Microsoft quarantines emails with its customers' consent.

Smith's contract breach and promissory estoppel claims against Comcast fail because Comcast didn't make any promises it failed to keep and because Smith was using a personal account for unpermitted commercial activities. (To me, this is facially inconsistent with any argument that Comcast had bad faith for 230(c)(2) purposes, but the court ignores that implicit contradiction).

Smith's NJ Consumer Fraud Act claim against Comcast also fails because he can't show fraud or ascertainable loss (because he only alleged that he lost time). The court dismisses a couple other claims, too.

Posted by Eric at 11:04 AM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | TrackBack

April 18, 2011

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou

[Post by Venkat Balasubramani with comments from Eric]

Claridge v. RockYou, 2011 WL 1361588 (N.D. Cal.; Apr. 11, 2011)

RockYou is a developer and publisher of applications for use with Facebook, MySpace, hi5, and Bebo. RockYou's applications allow users to share photos, write text on a friend's page, or play games with other users. In order to sign up, users are asked to provide an email address and create a password. Users may also be required to provide their social network user name and passwords. RockYou displays advertisements on the apps. RockYou claims to have "more than 130 million unique customers using its application on a monthly basis."

RockYou was alerted to an alleged security problem with its SQL database in late December 2009 by an online security firm. Plaintiff claims that RockYou failed to act quickly enough to address this problem, and as a result

at least one confirmed hacker known as 'igigi' accessed RockYou's database, and in the process accessed and copied the email and social networking login credentials of at least 32 million registered RockYou users.

Plaintiff sued RockYou in a putative class action, alleging a slew of claims: breach of contract, the Stored Communications Act, negligence, California's anti-hacking statute, and California's unfair competition and consumer protection statutes.

Standing: RockYou argued that plaintiff lacked standing - i.e., that the unauthorized access of plaintiff's login credentials did not cause plaintiff any "concrete, tangible, non-speculative harm." In response, plaintiff argued that:

[RockYou's] customers, including plaintiff, 'pay' for the products and services they 'buy' from [RockYou] by providing their PII, and that the PII constitutes valuable property that is exchanged not only for [RockYou's] products and services, but also in exchange for [RockYou's] promise to employ commercially reasonable methods to safeguard the PII.

The court agreed with plaintiff and found that plaintiff alleged an injury in fact sufficient to confer standing. The court noted that the case law is mixed on the question of whether data breach plaintiffs have standing to sue. The court recognized the novel context in which the claims arose:

the unauthorized disclosure of personal information via the Internet - is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.

Although the court expressed "doubts about the plaintiff's ultimate ability to prove [plaintiff's] damages theory," the court declines to dismiss on the basis of standing.

Contract Claims: The court initially rejects RockYou's request to dismiss the contract claims (based on a breach of RockYou's privacy policy) on the basis that plaintiff did not lose anything of value. For pleading purposes,

plaintiff . . . sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII.

RockYou argued that the privacy policy terms expressly provided that it could not be held liable for any unauthorized third party access to users' personal information, but the court disagrees, citing to RockYou's privacy policy. The policy disclaims liability where a third party accesses user information contained in RockYou's "secure servers," but the court notes that RockYou's servers were not in fact secure. The court also cites to flowery language in RockYou's privacy policy to the effect that RockYou takes "commercially reasonable . . . safeguards" to protect user information.

Consumer Protection Claims: Plaintiff loses on his California consumer protection act claims. With respect to his claim under California's unfair competition law, one of the two requirements is that the plaintiff has to have lost "money or other property" in order to bring a claim. The court holds that the UCL's standing requirements are stricter than Article III standing requirements, and require the plaintiff to have paid money or "parted with some particular item of property he formerly possessed." The court does not buy plaintiff's novel theory that plaintiff's "PII constitutes 'currency'" under the statute. No luck for plaintiff under the UCL.

Similarly, the court rejects plaintiff's claim under the California Consumer Legal Remedies Act, because the statute only applies to plaintiffs who "purchase or lease" goods or services for "personal, family, or household purposes." Here, plaintiff has not purchased or leased any goods or services.
__

Plaintiff's other claims received mixed results. The court dismissed the Computer Fraud and Abuse Act claim with leave to amend (plaintiff admitted that it cited the wrong statutory provision), found that RockYou was not liable under California's anti-hacking statute (section 502), and found that plaintiff adequately stated a negligence claim.

Data breach cases have uniformly rejected the claims of plaintiffs who have not actually lost any money out of pocket. Some cases have done so on the merits, and other cases have done so on the basis of standing (some cases, such as Krottner v. Starbucks, have rejected the claims on the merits but have expressly found standing). The big question is whether this ruling moves the needle in any way. I'm inclined to say no, but the way in which the plaintiff cast his claim and the court characterized it is interesting.

The privacy policy / breach of contract analysis was also interesting. There is case law expressing skepticism as to whether a privacy policy is even a contract that can support a breach of contract action ("When Does a Privacy Policy Breach Support a Breach of Contract Claim?"), but courts lately don't think twice about analyzing privacy policy claims under the breach of contract framework. Companies (for whatever reason) continue to include flowery language in their privacy policies that courts latch on to when putting them on the hook for privacy foibles.

Eric's comments

There is a lot to dislike about this opinion.

First, RockYou's privacy policy promised "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information..." This is industry-standard fluff language in a privacy policy. I bet we could find tens of thousands of privacy policies with similar language. I believe the prevailing view among lawyers is that this language couldn't be actionable. It doesn't promise security or integrity; it just promises the company will deploy *some* safeguards. Further, the efforts are only supposed to be "commercially reasonable"--language which many lawyers believe is equivalent to "we'll try."

Here, the plaintiff attacks the language by arguing that RockYou didn't encrypt its data. Now, I recommend to clients that they encrypt their databases of user data in all circumstances, but is it commercially unreasonable to do so? The defendant doesn't get the decisive win it expected on that point. (The plaintiff also asserts that the defendant was derelict in patching a security flaw that allowed the bad guys to do an SQL injection attack, so the two arguments may have reinforced each other enough to convince the judge there may be something to this case). As Venkat suggests, it's time to cut the fluffy language from privacy policies. Courts and plaintiffs are overresponding to it.

Second, the court's decision not to use Article III standing to kick out the case was unfortunate. Although I am sympathetic that Article III standing dismissals are harsh on plaintiffs--they never get a chance to say anything--the doctrine has been very useful at squelching unmeritorious privacy cases early. This case is effectively indistinguishable from the other cases where Article III standing has been used; it's a garden-variety security breach with no known tangible consequences (other than lawyers looking for a little gravy). Based on the precedent, an Article III standing dismissal would have been a logical outcome.

The court's acquiescence to the plaintiff's argument ("defendant’s customers, including plaintiff, “pay” for the products and services they “buy”from defendant by providing their PII, and that the PII constitutes valuable property") smacks of the old academic debates in the late 1990s/early 2000s about whether personal data should be propertized. It was a weird debate because many of the academics who oppose copyright doctrinal expansion were simultaneously advocating for increased propertization of personal data as a privacy/anti-advertising technique. Personally, I had hoped all of those theories had been lost in the dustbins of history. Instead, this court moves in that direction. Privacy advocates might rejoice, but be careful what you wish for.

The court's embrace of a "novel" theory is especially frustrating because the court goes on to say that it has doubts about the plaintiffs' ability to prove damages in the end. So instead of doing the socially optimal thing--killing a meritless lawsuit early--the court embraces a theory likely to fuel privacy advocates to bring other meritless cases; while keeping this case open may very well cause both parties to spend a lot of money only to kill a meritless case later. This may be a situation where the judge is being just a bit too careful.

Third, assuming that personal data is "property," this isn't a situation where the vendor sold the data or misused it for advertising. Instead, there was no impairment to the users' "property right"; it was a security breach. So this is a particularly poor case for the personal-data-as-property meme.

One small piece of good news from this opinion: the court interprets California Penal Code Sec. 502 narrowly and effectively prevents the plaintiffs from converting it into a sword to be used against companies that get hacked. We don't have many Penal Code 502 rulings, but most of the extant rulings read the statute pretty broadly. I'm glad to see the court was more circumspect on that point.

Posted by Venkat at 09:19 AM | Internet History , Licensing/Contracts , Marketing , Privacy/Security , Trespass to Chattels | TrackBack

April 14, 2011

YouTube and its Amici File Their Briefs in the Viacom v. YouTube Appeal

By Eric Goldman

I'm catching up with the YouTube-side briefs in the Viacom v. YouTube appeal. (See my analogous post on the Viacom-side briefs). Once again, Michael Barclay has been kind enough to organize the briefs into a single post.

YouTube's brief, another fine piece of advocacy, didn't contain anything surprising to me on my cursory review. Then again, YouTube has the advantage of a solid district court win, so it doesn't have to get too fancy. I did like that YouTube is emphasizing that even Viacom's lawyers can't figure out which clips were authorized and which weren't. As the brief says: "Even Viacom’s lawyers were tripped up by Viacom’s stealth marketing: in the district court, they submitted two documents under penalty of perjury that incorrectly swore that Viacom had not posted any of the clips at issue." To me, this is pretty much dispositive on the question of whether YouTube had--or could have--"red flags" of infringement.

13 amicus briefs came in for YouTube. Overall, the briefs were pretty well done; I thought none of these briefs were "clunkers" (I would not say the same for the Viacom stack). However, I also thought many of the briefs were redundant with each other, plowing over the same statutory language, legislative history and relatively small number of precedent cases. I'm sure a law clerk or two will get glazed eyes seeing the same basic arguments presented over and over again, no matter how elegantly those arguments are expressed. A number of the briefs highlighted the recent Wolk v. Kodak case, and I wonder if the Second Circuit will find it interesting.

Some specific observations about the amicus briefs:

The Anaheim Ballet brief is from content owners with over 3.3 billion YouTube views, a nice touch. To similar effect is the NAMAC et al amicus brief--a not surprising convergence because the briefs both came from different Samuelson clinics (Anaheim Ballet from the one at Fordham; NAMAC from the one at Berkeley).

The Anaheim Ballet brief argues the "Safe Harbor provision acts as a check on consolidation in traditional media by fostering growth of OSPs which serve as competitors for new content and viewers," and this allows the amici to "avoid the old media’s bottlenecked model and connect directly with their audience." I like the "power of the long tail" sentiments, although the brief seemed animated by the 1990s view that the Internet was going to cause widespread disintermediation. It has disintermediated folks, all right, but in their place are new intermediaries with their own agendas--including YouTube. For more on this, see my Brand Spillovers article.

The Consumer Electronics Association amicus brief, from Michael Barclay and UNC prof. Deborah Gerhardt, does a nice job building off Mark Lemley's article in recounting the history of paranoid and mistaken content owner overreactions to new technology.

The Human Rights Watch et al amicus brief argued that (1) "Social media platforms, including YouTube, have become vital tools in global struggles for human rights, free expression, and political liberty" and (2) an expansive copyright liability scheme would threaten that benefit. I wasn't convinced that the conclusion in (2) followed from the premise in (1) (47 USC 230 plays a much bigger role on this front than 17 USC 512 ever will), but even the premise in (1) was helpful in explaining the legitimate uses that people make of YouTube.

I joined the IP and Internet Law Professors amicus brief by David Post and Annemarie Bridy. The brief reinforces the problems with "red flags of infringement" and the "least cost avoider" argument when content owners are spiking the databases with their own content.

I was spiritually in tune with the National Consumers League et al amicus brief, which made the argument that YouTube has become an important venue for consumer product reviews, and some of those reviews may use copyrighted material. Thus, the brief argues that without the notice-and-takedown scheme, these reviews would never make it to the web due to publisher liability fears. While this is unquestionably true, as we just pointed out in the doctoredreviews.com website, consumer reviews are vulnerable to bogus removal even in a notice-and-takedown world. I'll get to the misuse of IP doctrines to suppress consumer reviews in an academic paper in a few years.

I loved how the National Venture Capital Association amicus brief started out:

Twitter. eBay. Facebook. Yelp. Google.

These companies are the stars of the Internet, contributing billions of dollars a year to the American economy. They exist only because the American venture capital community risked investing in them, long before they had made a nickel, while they were still in the "inventor's garage." And they exist only because the DMCA's safe harbor, 17 USC 512, shields them from liability for their users' activities, providing investors with the certainty that they will not face the sort of ruinous damages Viacom seeks in this case.

That's really elegant prose; but I'm pretty sure at least some of it is counter-factual. I'd have to doublecheck when these companies first got VC funding, but I think some of them got the money well after they were out of the garage and actually earning revenue. And although it may not disprove the assertion, I would note that eBay was already a pretty successful company before 17 USC 512 even got enacted.

The Public Knowledge amicus brief responds to the Audible Magic and Vobile amicus briefs, both of which were sales pitches for their services. Public Knowledge points out that regardless of the accuracy of filtering technology in identifying third party content, filters can't make good judgments about the legitimacy of content republication. The brief also scored this point about error rates with identification:

Audible Magic, for instance, notes a 99% correct identification rate, with a false positive rate of better than 1 in 10,000....However, this percentage must also be measured against the volume of material to which it is being applied. YouTube claims that 35 hours of video are uploaded each minute of every day....Assuming that these videos are limited to 15 minutes in length, each year would yield at least 73,634,400 uploaded videos. If just 1 in 10,000 are incorrectly identified as matching submitted videos when they do not, this could mean that every year, some 7,363 videos would be flagged for infringements when they did not even match a clip provided by a cooperating copyright holders.

UPDATE: Michael Barclay has more comments about the briefs.

The case library (also see the EFF's helpful library):

Posted by Eric at 02:04 PM | Copyright , Derivative Liability | TrackBack

April 13, 2011

Announcing DoctoredReviews.com, a Website Against Doctors' Efforts to Squelch Online Patient Reviews

By Eric Goldman

I'm pleased to announce the launch of DoctoredReviews.com, a website that addresses Medical Justice's form contract that seeks to restrict patients' online reviews of doctors by taking a prospective copyright assignment in the patients' unwritten reviews. Medical Justice's practices have bothered me for years, but I never had the chance to organize my thoughts fully. Fortunately, last August, Jason Schultz of the Samuelson Law, Technology & Public Policy Clinic suggested that I could work with him and two Berkeley law students on this issue. After evaluating our options, we decided to pursue an advocacy website. Should the website fail to curb the bad practices, we may need to reconsider more aggressive options.

I have given some recent talks about Medical Justice and the misuse of copyright law to manage online reputations. See my talk slides and my related academic paper. I'd welcome the chance to discuss these issues in more detail.
____

Our press release announcing the site launch:

NEW WEBSITE EXPOSES MOVE TO SQUELCH PATIENTS' ONLINE REVIEWS

Media Contacts:
Susan Gluss, 510.642.6936, sgluss@law.berkeley.edu
Deborah Lohse, 408.554.5121, dlohse@scu.edu

SANTA CLARA and BERKELEY, CA, April 13, 2011 —Some U.S. doctors are using a questionable legal strategy to restrict patients’ rights to post online reviews about their medical care. In response, Santa Clara University’s High Tech Law Institute and UC Berkeley Law School’s Samuelson Law, Technology & Public Policy Clinic have created a new website, doctoredreviews.com, to expose the legal and ethical risks of restricting a patient’s right to free speech.

A private company, Medical Justice, has been marketing a contract to doctors designed to give them the legal right to expunge critical online comments. The company, originally formed to ward off malpractice suits, says the contracts give doctors the right to remove patients’ posts on sites like Yelp or Angie’s List— even if the comments are truthful and accurate.

“This practice poses a grave threat to the integrity of online consumer reviews,” said Eric Goldman, director of Santa Clara University’s High Tech Law Institute and a former general counsel to Epinions.com. “Doctors are trying to misuse a loophole in copyright law so that they can suppress any patients' reviews they don't like.”

Patients are typically asked to sign the contract before they first see a physician—often as part of a thick stack of other paperwork. As a result, patients may not realize that they’re relinquishing their rights to review the doctor. The contracts also promise greater privacy, but patients are already protected under federal and state information privacy laws.

“Doctors who use these gag-order contracts are essentially telling patients ‘if you want medical care, you must sign away your right to free speech,’” said Jason Schultz, co-director of Berkeley Law’s Samuelson Law, Technology & Public Policy Clinic. Schultz says this may be counterproductive for both patients and physicians, as many patients now want to see reviews—both good and bad—from other patients before choosing a doctor.

Rather than remove reviews from patients, doctors may publicly respond to negative reviews, said Schultz, as long as they maintain their patients’ anonymity. “More speech is the answer,” he said, “not censorship and copyright abuse.”

Schultz said the contracts could violate consumer protection laws and medical ethics rules, by using deceptive language and by putting a doctor’s financial interest ahead of the patient’s.

The doctoredreviews.com website delves into these issues in more depth with a wealth of information for patients, doctors, and online review sites. The site includes:

* Copies of the anti-review contracts.
* Suggested responses for patients asked to sign anti-review contracts.
* Material for doctors on why these contracts may be bad for business.
* Information for online review sites on why they do not need to honor takedown notices from participating doctors.
* Details about existing federal and state health information privacy laws that protect patient confidentiality.

Posted by Eric at 09:20 AM | Copyright , Derivative Liability | TrackBack

April 12, 2011

UC Irvine Virtual World Conference Notes

By Eric Goldman

Last week, I attended and spoke at a conference at UC Irvine entitled "Governing the Magic Circle: Regulation of Virtual Worlds." I didn't take notes for every speaker, and as usual, these notes are my impressions, not verbatim transcriptions. If you want more depth, the indefatigable Rebecca did her typical comprehensive coverage (panels 1, 2, 3, 4).

Sal Humphreys. Rebecca's coverage

What kind of space is game space? Typical argument: game space is a magic circle, separated from other spaces. Game scholars disagree with this characterization. Her approach: game space is a heterotopia = between real space and utopia (placeless) place. Game boundaries are permeable, where legal rules, community norms and game rules are overlapping.

Ex 1: David Myers and Twixt. In City of Heroes, he complied with game rules but violated social norms, so he was driven from the community.

Ex 2: WoW funeral massacre. One guild held an in-game memorial service for a deceased member. A rival guild swept in and massacred all of the memorial service attendees; then posted video to YouTube. Split reactions to this. View #1: massacring guild violated social norms by disrupting a funeral. View #2: the memorial guild imported an out-of-game social norm (respect the dead) into the game without consent. In large-scale games across cultures, it’s not possible to reach a single consensus on group norms.

Ex 3: A GLBT Guild in WoW. Community manager tried to ban the guild, saying it invited harassment. Lambda Law threatened suit, then WoW backed down.

Conclusions: rules don’t respect the magic circle. Instead, the heterotopia approach may better describe the actual situation.

Mark Lemley. Rebecca's summary.

He’s playing the role of an old Internet curmudgeon. The first generation of Internet law resembles the current regulation of virtual worlds. In the old days, the Internet was a small, insular culture with its own norms, it regulated itself through its own norms, and many activities online didn't seem that important to outsiders (like virtual worlds, which are routinely dismissed as “just games”). However, the Internet’s status as a second class citizen had a benefit—it meant the regulators left us alone. That didn’t last.

As virtual worlds become more important to more people, and as more people spend more money in virtual worlds, more regulators will take notice. We’re going to see the magic circle breached by regulation. The attitude that “it’s just a game” won’t last. Virtual worlds won’t stay “virtual.”

[Eric’s note: for a similar riff, see my Third Wave of Internet Exceptionalism paper.]

In 1994, Mark’s paper “Shrinkwraps in Cyberspace” argued that having three dozen Internets is no better than having no Internet at all. In contrast, virtual worlds don’t need to interoperate. They can act as laboratories for experimentation, and one virtual world’s failure won’t have the same catastrophic consequence as the failure of the Internet generally.

Novel technology creates the possibility of that we won’t make law-by-analogy; instead it's possible we could create zones of legal doctrinal novelty. This could teach us about new changes in law, but it could also lead to bad outcomes.

Another lesson: Openness breeds creativity. This is surprising from IP law’s perspective, which assumes openness is a failure, so it closes down/propertizes things. The law can help promote openness. Ex: 47 USC 230. But incumbents have incentives to kill that openness.

Farnaz Alemi. Rebecca's summary.

Minors are important consumers in virtual worlds arena. Kids play freemium games and rack up big charges. Who should be responsible for kids’ virtual worlds purchases? Options include parents, game providers, credit card companies and children.

Exceptions to disaffirmance:
• necessaries
• can only be used as shield, not sword
• certain labor contracts or IP licenses

Children know what they are doing online, and they understand games better than we do. So what more can gaming companies do to make things clearer to kids? Without protection, game providers will shy away from marketing games to kids.

Her argument: There should be a rebuttable presumption that kids understand what they were doing online. If kids feel they were scammed, then they can rebut.

My observations: (1) this argument discounts that kids are more easily manipulable than adults. Consider, for example, on a freemium model, a deliberately youngster-oriented site could get a child to become emotionally invested in tending a virtual cow. Then, after a period of time, the site threatens to send the cow to the burger manufacturing plant unless the child pays $X. A child might respond differently to the opportunity/threat than an adult. So even if the child “voluntarily” pays to save the cow from the meat grinder, we might still view this as an appropriately voidable transaction. (2) the presentation didn’t address the possibility that the transactions are complete and therefore no longer voidable to the children. (3) my bigger problem with kids online are when kids sign up to a mass market TOS/EULA and the vendor has no way of knowing that the person signing was a child. In these situations, it might be appropriate to suspend the voidability rules because there’s nothing different we’d want the vendor to do to accommodate the possibility of kids as customers. Surprisingly, this issue rarely comes up in the caselaw; and in the most obvious case where it has, the AV v. iParadigms case, the court found a way to stick the minors.

Ben Duranske. Rebecca's summary.

Professional responsibility issues in virtual worlds. Most obvious one: client identity issues. One avatar may be shared by many people, one person may have multiple avatars, and an avatar could be an individual or a representative of the individual’s employer. In each case, the lawyer may have issues determining client conflicts and maintaining client confidentiality.

In Second Life, avatars receive lots of unsolicited information, and an avatar identified as an attorney will get inquiries containing confidential information. Lawyers can avoid this through some type of clickthrough before allowing submissions. Better yet, don’t identify oneself as an attorney. [My note: this wasn’t clearly different than a lawyer receiving an email at a published email address. This appears to be a an unavoidable truth of modern electronic communication. So I wonder if Ben’s recommendations were unduly virtual world exceptionalist.]

Maintaining client confidentiality in the face of Second Life’s TOS that LL “may observe and record your interaction within the Service.” His solution: don’t give legal advice through Second Life.

My Talk. Rebecca's summary.

I spoke about the preemptive effect of 47 USC 230(c)(2) on many of the claims that accountholders might bring if the virtual world provider terminates their accounts. My talk slides. I have an associated paper I'm writing for the UC Irvine Law Review. My talk focuses on 47 USC 230(c)(2), but I have repeatedly blogged about the inability to sue online providers for account termination. See, e.g.:

* Facebook Not Liable for Account Termination--Young v. Facebook
* Life May Be "Rad," But This Trademark Lawsuit Isn't--Williams v. CafePress.com
* Terminated eBay Vendor Gets Day in Court Against eBay--Crawford v. Consumer Depot
* Web Host Can Terminate Customer for Abusive Call to Customer Support--Mehmet v. Add2Net
* Online Game Network Isn't Company Town--Estavillo v. Sony
* MySpace Quietly Won Goofy 230 Ruling in September--Riggs v. MySpace
* Search Engines Defeat "Must-Carry" Lawsuit--Langdon v. Google
* Google Wins Publisher's Lawsuit over AdSense Termination--Bradley v. Google

April 10, 2011

Court Smacks Down Lawyer Who Tries to Enforce Copyright in 23 Word Email -- Stern v. Does

[Post by Venkat Balasubramani]

Stern v. Does, 09-cv-01986 (C.D. Cal.; Feb. 10, 2011)

Professor Goldman mentioned this case in his quick links roundup, but I think it's worth a standalone post. A lawyer sends an 23 word email to a listserv and then tries to being an infringement claim against someone who forwarded the email. Not surprisingly, the court smacks down the plaintiff.

Plaintiff is a lawyer who had concerns about whether an accounting firm he used was overbilling. He sent an email to the listserv operated by the Consumer Attorney's Association of Los Angeles:

Has anyone had a problem with White, Zuckerman . . . cpas including their economist employee Venita McMorris over billing or trying to churn the file?

One of the defendants who was a member of the listserv accessed the post and forwarded the email to his sister. His sister was a client of White Zuckerman and forwarded the email to White Zuckerman. In response (after some delay), plaintiff brought suit for copyright infringement.

[After dropping a footnote to Sun Tzu ("he will win who knows when to fight and when not to fight"), the court delves in to the discussion.]

The Listserv Confidentiality Agreement: Plaintiff relied in part on the listserv terms of use in arguing infringement - i.e., recipients had a license to access and use the material posted on the listserv in accordance with the listserv terms, and forwarding the email in breach of a member's confidentiality obligation was a breach of the terms of the license.

The court finds that the listserv terms concern confidentiality, and not work product or ownership. In any event, the court rules that plaintiff is not an intended beneficiary of the listserv agreement (which is enforceable by CAALA's Executive Director, Executive Committee Members and/or Board of Governors).

The Listserv Post Lacks Sufficient Creativity: The court finds that plaintiff's sentence (or phrase) lacks sufficient creativity to be copyrightable. Although there is no bar to copyrighting a short sentence (Jabberwocky, also a 23 word work, was easily copyrightable), the "smaller the effort . . . the greater must be the degree of creativity in order to claim copyright protection." The court finds that plaintiff's post "displays no creativity whatsoever." Plaintiff tried to come up with variations on how he could have expressed the same idea, but the court says that plaintiff's proposed "trivial" alterations to his post does not mean that it is sufficiently creative. The court also pokes holes in plaintiff's alternate formulations, showing that the alternatives mean slightly different things.

Fair Use: Even assuming plaintiff's post was entitled to copyright protection, the court runs through the fair use analysis and finds that defendants' use of the post constituted fair use:

The copying of Plaintiff’s entire sentence was also reasonable in light of the purpose for which it was reproduced—to alert White Zuckerman about Plaintiff’s potentially libelous statement.

Plaintiff tried to argue that White Zuckerman made use of plaintiff's writing "claiming that plaintiff had . . . 'slandered' [White Zuckerman, and threatened to sue plaintiff]," but the court found that use of copyrighted material in litigation or pre-litigation can constitute fair use. (In a footnote, the court smacks plaintiff with its grammar stick for confusing "libel" with "liable." Unbelievably, plaintiff took issue with White Zuckerman's use of the word "slander," arguing that White Zuckerman intended to say "liable" rather than "slander," but in the process demonstrated plaintiff's own confusion between "liable" and "libel".)

Attorney's Fees: Upon concluding that plaintiff's claims lacked merit, the court goes on to find that defendants are entitled to attorneys' fees. The court finds that not only did plaintiff bring "his copyright claim in bad faith," his failure to disclose the post in question to defendants unreasonably delayed the litigation. (The court does find that defendants failed to submit a proper accounting (detailed billing records) for their fees and instructs them to submit something more detailed in any amended motion.)

There's a lot to be learned from this dispute.

First, people who are looking to sue for infringement based on a single Tweet or Facebook post should take note. It's not going to be easy.

Second, the lawyer who is arguing that a single 23 word post of his was sufficiently creative should probably have a brief that's crisply written and reasonably free of typographical errors. The tone of the judge's order is: "sure, a 23 word post could be sufficiently creative to warrant copyright protection . . . if the person writing it had an ounce of creativity in their bones." (A court will not argue with an artist over whether something he or she did was sufficiently creative. Are courts more likely to do this when it comes to written material?)

Third, copyright litigation is more than out of control. (See Righthaven.) Although plaintiffs can inflict some pain on defendants by subjecting them to litigation, courts seem pretty well equipped to sift through non-meritorious claims.

Other coverage:

Techdirt: "Is Forwarding A Single Sentence Email From A Mailing List Infringement?"
Volokh: "Forwarding a Sentence-Long Message from a Listserv = Copyright Infringement?"
Blog Law Blog: "Court in Cali Bounces Copyright Suit Over 26-Word Listserv Post"
43(B)log: "Today's copyright zinger"

Posted by Venkat at 12:02 PM | Copyright

April 09, 2011

Contacting a Person's Facebook Friends Isn't Stalking--People v. Welte

By Eric Goldman

People v. Welte, 2011 WL 1331900 (N.Y. Just. Ct. April 7, 2011).

The defendant was subject to the following order protecting the mother of his two children: “Respondent is to have no contact with Petitioner including personal or through third person.” The defendant allegedly accessed the mother's Facebook friends list and sent messages to her friends accusing the mom of bad acts. The prosecution's theory appears to be that the defendant anticipated that these friends would pass along defendant's accusations to the mom, so the defendant was accomplishing indirectly what he couldn't do directly.

The court states the "questions presented":

Does communication to a person's acquaintances listed as friends on a facebook account violate a no contact order of protection? Does communication to a person's acquaintances listed as friends on a facebook account onstitute stalking in the fourth degree?

The court says no to both questions. With respect to the no-contact restriction, the prior order didn't expressly restrict the defendant's contact to third parties. With respect to the no-stalking restriction, the prosecution didn't show the defendant had an illegitimate purpose, engaged in a bad course of conduct, intended to harm the mom, or was clearly informed not to have such contact.

As a result, the court dismissed the prosecutor's complaint. Even so, the defendant should probably consider himself lucky here. Many courts would be less sympathetic to the defense, especially where an existing no-contact order is on the books. Plus, the defendant might have violated Facebook's user agreement, creating the possibility of a Lori Drew-style server misuse prosecution by an activist prosecutor. Meanwhile, this is yet another reminder that everyone should keep their Facebook social graph private, especially people who have obtained a no-contact protection order.

* State v. Pierce
* Court Finds Juvenile Delinquent Based on Allegedly Offensive Instant Messages -- In re Alex C.
* Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota
* State v. Ellison

Posted by Eric at 09:54 AM | Content Regulation | TrackBack

April 08, 2011

Intelius Dodges a Bullet Over Allegedly Deceptive Online Marketing Practices -- Hook v. Intelius

[Post by Venkat Balasubramani]

Hook v. Intelius, 10-CV-239(MTT) (M.D. Ga.; Mar. 28, 1011)

I mentioned a class action in Washington against Intelius over its online sales practices in a couple of weeks ago. ("Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout.") Although the Washington court denied Intelius's motion to dismiss and allowed the claims to go forward, a judge in Georgia came to a different conclusion and dismissed a similar complaint against Intelius.

Motion to Strike the Screenshots: Intelius took an interesting approach in its motion to dismiss. It attached archived versions of the screenshots which reflected the webpages which the plaintiff ostensibly viewed when he made the purchase at Intelius. Intelius also convinced the court to allow limited discovery on the authenticity of the screenshots, and if found to be authentic, rule on the motion to dismiss while considering the screenshots. The court finds that there is no evidence to indicate that the screenshots were not authentic representations of

the webpages that resulted from running [plaintiff's] email search request on the regenerated archived code from [the date in question].

Plaintiff argued that Intelius's evidence could be self-serving and that Intelius representatives could have concocted a scheme to conduct a fraud on the court, but the court finds that there's no evidence to back this up (and that if such a scheme existed and was discovered, it would "subject the Defendants and their attorneys to the harshest possible sanctions"). [Convincing the judge to allow limited discovery into the webpages in question was a creative approach by Intelius to avoid lengthy drawn out discovery that would otherwise accompany a lawsuit.]

The Transaction Process: The court describes the flow of the transaction in "laborious" detail. In the first step, the customer conducts a search for an email address (at one of Intelius's partner sites). In the second step, the customer "lands" on the Intelius site. The results page are displayed on the third step. On the fourth page, the customer is presented with pricing information for the first time. "Identity Protect," the product that plaintiff claims he unwittingly signed up for is also mentioned. Here, the customer can choose between the standard pricing ($4.95) and a "special price" of $1.95:

[t]he unmistakable impression one gets from viewing this page is that there are two purchase options: one, at the "Regular Price" of $4.95, and another at the "Special Price!" of $1.95, which is 60% off and comes with a "FREE Identity Protect Trial." However, it is not clear at this point that the 60% discount is conditioned on the customer selecting the free Identity Protect trial.

The fifth page contains an explanation of Identity Protect, as well as the fact that the customer is charged $19.95 if the customer does not cancel after the 7-day trial. As the court notes:

At this point, the ambiguity of the previous page with respect to the Identity Protect trial's relationship to the discount is resolved, one can only receive the $3.00 discount by signing up for a free, seven-day trial of Identity Protect.

After the fifth page, there are five additional pages - the customer actually receives the requested information at the tenth page. The confirmation page does not provide any information about how to terminate the Identity Protect membership.

EFTA Claim: Plaintiff claimed that Intelius engaged in an "unauthorized fund transfer." The court says no, the transfers were "clearly . . . preauthorized."

ECPA Claim: Plaintiff also claimed that Intelius unlawfully intercepted an electronic communication. The court rejects this claim as well, finding that Intelius was a party to the communication (i.e., was intended to receive plaintiff's credit card information) and "used the information for the purpose it was given."

Unjust Enrichment: The court also rejects plaintiff's unjust enrichment claim, finding that Intelius performed according to the terms of its agreement with plaintiff, and plaintiff took six months to cancel the trial membership. Unjust enrichment applies where there is no contract and here there was a contract which both sides performed.

Georgia Unfair Trade Practices Claim: Plaintiff had a few theories as to how Intelius violated Georgia's unfair trade practices statute, but the court shoots them all down. With respect to the core claim that Intelius failed to disclose material facts about the membership program, the court states:

Intelius disclosed the details of the Identity Protect program at least five times before the Plaintiff made his purchase. One wonders, if these five disclosures were not sufficient to make the Plaintiff aware of the nature of the transaction, what would have been?

___

The tenor of this court's decision is different from the Washington court's. There, Judge Lasnik noted that

[t]he capacity of a marketing technique to deceive is determined with referenced to the least sophisticated consumers among us.

The court here did not delve into the standard but one does not get the sense that the court evaluated the transaction from the perspective of the "least sophisticated internet consumer."

On the other hand, the transactions in question were slightly different. I've uploaded the pages from the court's order which contain the screenshots in question (which are worth a look and which you can access here), and there is a fair amount of disclosure that if you don't cancel the Identity Protect trial within seven days, you will be billed $19.95 monthly. However, you do get the sense that customers are put through a transaction labyrinth to make it hard for the customers to jump between the two tracks. Once the customer goes down the free trial path, the customer is not given much of an opportunity to simply remove the free Identity Protect trial and continue with the transaction. Unlike the Georgia court, the Washington court focused on the process and whether it would be deceptive to the consumer.

One thing is for sure, Intelius is definitely not taking the "one click" approach to online transactions!

Previous post:

"Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout"

Posted by Venkat at 12:07 PM | E-Commerce | TrackBack

March 2011 Quick Links, Part 3

By Eric Goldman

Search Engines

* Lots of Google antitrust activity:
- Apparently, an EU antitrust investigation IS something that Microsoft would wish on its worst enemy.
- Every legal regulator in the world is considering antitrust investigations into Google, including Ohio and Wisconsin (see my prior blog post about Texas’ investigation) and the FTC.
- The DOJ approved the Google-ITA merger—with conditions. This is superficially a win for Google, but I expect the anti-merger coalition won’t go away quietly.
- I interviewed with the SF Chronicle about Google and search engine bias (with photos!).

* New Google design features:
- Google lets each person individually block websites from their search results.
- Will Google’s +1 become the gold standard for personalized search, or will it be another failed attempt by Google to get social?
- A rundown of Google Autocomplete and its quirky blocking approaches.

* Blekko blocks 1.1M websites from its search index. Does this create 1.1M new plaintiffs who will sue for their "right" to be in Blekko's index?

* More eye-tracking studies showing that searchers mostly ignore the ads on the right side of the page.

* Rebecca notes that the litigation between eBay and Craigslist has a keyword advertising component.

* Expedia and American Airlines have kissed and made up. My prior blog post.

Social Networking Sites

* Facebook is doing real-time ad targeting. Does this mean we'll get Facebook's notoriously poorly targeted ads faster? Something to look forward to.

* U.S. v. Gamory, 2011 WL 832554 (11th Cir. March 11, 2011). YouTube video being shown in court was a harmless error.

* New York Times: "Across the nation, millions of young people are lying about their ages so they can create accounts on popular sites like Facebook and Myspace....Parents regularly go along with the age inflation, giving permission and helping children set up accounts. They often see it as a minor fib that is necessary to let their children participate in the digital world." My related blog post.

* Spooner v. Associated Press: Another lawsuit over an allegedly defamatory tweet.

* NYT on evolving norms about Twitter etiquette.

* Evan Brown on another sad case of online impersonation.

* Ceglia v. Zuckerberg, 2011 WL 1108607 (W.D.N.Y. March 28, 2011). Mark Zuckerberg is domiciled in CA for purposes of jurisdiction.

* I participated in an ABA Journal Podcast entitled “What Are the Ethics of Lawyer Review Sites Like Avvo?”

Content Regulation

* ICANN approved .xxx. India has already announced it will block .xxx. Meanwhile, how long until the .xxx registry vendor, in a rent-seeking fiesta, goes around to various state legislators and asks them to pass laws requiring pornographers to locate only at a .xxx domain?

* French court tosses a criminal libel prosecution over an academic book review--with sanctions.

* Craigslist drops its lawsuit against former South Carolina AG McMaster.

* The oft-cited study that Craigslist contributes to human trafficking may be junk science.

* An entrepreneurial law firm sets up anti-bullying practice. Expect lawsuits galore to ensue.

* Nature reports on lawsuits over rebuttals to scientific research and how a federal anti-SLAPP law might help. My prior blog post.

Miscellaneous

* A blogger takes down a DHS sting site for underage sex tourism.

* Latest iAWFUL list of bad Internet proposed legislation.

* National Federation of the Blind complains about universities that put students on Gmail accounts, saying the accounts don't work well with speech reading software.

* Senators ask various companies to pull apps that identify drunk driving checkpoints.

* Believe it or not, some ban in-bound links. A list.

Posted by Eric at 11:16 AM | Content Regulation , Domain Names , Evidence/Discovery , Search Engines | TrackBack

April 07, 2011

StubHub Denied Section 230 Defense in Scalping Case--Hill v. StubHub

By Eric Goldman

Hill v. StubHub, Inc., 2011 WL 1675043 (N.C. Super. Ct. Feb. 28, 2011). My previous blog post in this case.

This is a putative class action lawsuit against StubHub for violating North Carolina's anti-scalping laws, which both restrict the resales prices of tickets and service fees charged for the resale. The plaintiffs claim StubHub violates both provisions.

StubHub interposed a 47 USC 230 defense, something that StubHub has asserted with mixed success before. The court rejects the defense.

The court begins with a survey of Section 230 jurisprudence. Principally building off the bloated statements in Roommates.com, the court summarizes its legal assessment:

A review of the cases below leads this court to conclude that an internet service provider crosses the line and becomes liable for content on its website when the internet service provider (“ISP”) materially contributes to and/or specifically encourages the offending content. To “materially contribute” in this context means to influence the offending content in a way that promotes the violation of law that is represented by the offending content. To “specifically encourage” means to elicit and make aggressive use of the offending content in the business of the internet service provider. Each case must be decided on its own facts, giving deference to the public policy embodied in the statute. Cases in which the offending content is unlawful require a heightened degree of materiality and specificity. Intent to violate the law is not required. Conscious disregard by an internet service provider of known and persistent violations of law by content providers may impact the courts’ determinations of the service provider’s claim to immunity, especially where the ISP profits from the violations.

Elsewhere, the court says Section 230 "protects those ISPs which are truly innocent bystanders in use of the web."

What is the court talking about? It is a weird way of trying to distill the state of the law (which the court mischaracterizes by saying the "case law governing the question of loss of immunity as an internet service provider is not extensively developed"). Oddly, after spending 40% of its opinion supporting various cases that led it to draw this legal conclusion, the court doesn't explicitly use this recap to guide its analysis. Yet another reason not to give the recap much credit. One other point that undercuts the court's credibility: the court didn't address the highly relevant Milgram v. Orbitz case which reached the opposite result on similar facts.

In my opinion, the most interesting part of the court's opinion relates to Section 230's application to the ticket price. The court acknowledges that each seller sets his/her own price for the ticket. Nevertheless, StubHub can be responsible for the price sellers choose because StubHub does a number of things to manage prices on the site. (StubHub wants sellers to sell at the highest obtainable price because that maximizes StubHub's fees; but prices above the market-clearing price mean that no deals are done, in which case StubHub doesn't get any cut).

The court enumerates several ways that StubHub shapes the prices:
* StubHub decides which events it supports in the first place (it doesn't allow ticket sales for every event)
* "It actively solicits listings for high-demand events. It monitors its competition for listings."
* It cuts special deals for "LargeSellers" (a point also raised in the NPS v. StubHub case). The court says "StubHub influences the pricing of the LargeSellers" through various programmatic details.
* StubHub shows sellers pop-up windows telling them if their price is out of a targeted pricing range and encourages sellers to rethink the price.
* Later, the court gives other examples of how "StubHub is in total control of the transaction."

The court summarizes and concludes the pricing discussion:

StubHub’s business model does not require scalping practices. It encourages them. It is designed to produce the highest volume of ticket sales at the prevailing market price for events which are sold out, and thus likely to generate market prices higher than the face value of the tickets irrespective of the fees involved on both sides. Having engaged in detailed studies of pricing and pricing habits of its users and competitors, it strains credulity that StubHub had no information about the relation of market value to face value. It could not reasonably drive its customers’ prices to market value without that information. It does not provide information on the face value of tickets to buyers on its website. Further, it controls its website to prevent communication between buyers and sellers, thus facilitating its role as the arbiter of market price.

I feel like I'm missing something pretty fundamental. Don't all retailers--even marketplaces like eBay--try to drive their prices to "market prices"? Is there any other logical pricing outcome?

In its conclusion, the court says that StubHub

directly participated in developing the pricing on its system....StubHub encouraged illegal content. Phrased differently, the use of its website to scalp tickets in violation of North Carolina law was a predictable consequence of its business model. StubHub encouraged, materially contributed to, and made aggressive use of the pricing content on its website. It profited from tickets sold at prices higher than face value. It was consciously indifferent and willfully blind to the illegal prices being posted, knowing that the predictable consequences of its pricing model would be the generation of illegal prices. It is not entitled to immunity. It does not qualify as a Good Samaritan.

The odd thing about the court's pricing discussion is that, by the court's own admission, StubHub is usually encouraging sellers to reduce their offered prices. So if StubHub changes its practices in response to this opinion to improve its Section 230 defense, ironically consumers will likely pay higher ticket prices, not lower. Talk about a Pyhrric victory.

If it holds, this ruling about steering price-setting might apply to any e-commerce site that wants Section 230 protection for seller pricing choices. For that reason, obviously this opinion has risk for StubHub's parent, eBay, but I would note that the reason could be applied to Google's AdWords auctions. Google does a number of things to affect advertisers' bids in the auction, and this ruling could potentially affect Google's Section 230 coverage for those auctions. On the other hand, so much of the court's opinion turns on the illegality of scalping. If the marketplace auctions lead to a legal price, this opinion's rationale might drop away.

Then again, retailers have an increasingly tough time claiming 230 immunity for items they sell, especially items delivered offline. See, e.g., my post about Parisi v. Sinclair. Clearly, this judge thought StubHub was closer to a retailer than a marketplace.

The court says StubHub's buyer's fee is also illegal under the anti-scalping law.

StubHub's counsel has told me that they plan to appeal this opinion. It will be interesting to see how this ruling fares on appeal.

A final note: this ruling is just the latest detritus from the legally disastrous 2007 Hannah Montana concert tour. The legal developments arising from that tour have been horking the law for years--Ticketmaster v. RMG being the flagship example. Add this ruling to the list of reasons why Cyberlawyers should hate Hannah Montana.

Posted by Eric at 12:14 PM | Derivative Liability , E-Commerce | TrackBack

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

[Post by Venkat Balasubramani]

Martin v. CCH, 10-cv-3494 (N.D. Ill.; Mar. 24, 2011)

Plaintiff received two emails from CCH, with the following subject lines:

"Buy now pay Feb. 15"

[and]

"Offer extended - Buy now pay Feb. 15"

Based on these emails, plaintiffs files a putative class action against CCH alleging that CCH violated the Illinois spam statute. The court grants CCH's motion to dismiss, finding the claims preempted by CAN-SPAM.

The Illinois spam statute contains the standard prohibitions on misleading subject lines and falsifying the point of origin or transmission path of an email. The statute also requires email ads to contain "ADV: as its first 4 characters." Plaintiff alleged in the complaint that the emails were deceptive because

the subject lines do not state that the e-mails are advertisements, and the language used is misleading because it has the purpose and effect of making the recipient think the e-mail is from someone with whom he has a preexisting relationship.

The court finds that plaintiff "wisely" abandoned these arguments at the briefing stage. The emails both contained the word "buy" (and "pay") and it's hard to think of words that more clearly denote an invitation to engage in a commercial transaction. To the extent plaintiff argued that the emails were actionable because they were not labeled with "ADV:" this claim was "clearly" preempted by CAN-SPAM. With respect to plaintiff's claim that the emails improperly implied that the parties had some sort of pre-existing relationship, this did not rise to the level of fraud, or at worst, was a claim for "less than comprehensive information regarding the sender."

Plaintiff also argued that the emails were deceptive because they did not disclose the "'secret' 'information-harvesting' purpose of the e-mails." The court treats this as a misleading subject line claim. Citing to Virtumundo and Mummagraphics, the court finds that this claim is also preempted:

[t]hat claim also appears to be for 'incomplete' or 'less than comprehensive information' in the subject lines regarding the content of the e-mails. Plaintiff essentially argues that if Defendant had provided more information or 'complete' information, in the subject line, Plaintiff would not have opened the e-mail . . . . [T]wo circuits have held that less than comprehensive information outside the body of an e-mail is at best a technical allegation that finds no basis in traditional tort theories and thus falls within CAN-SPAM's express preemption clause (and outside the exception). And even if the omitted information could be deemed not only incomplete but also 'misleading,' Plaintiff's claim would still be preempted by the express language of the CAN-SPAM Act, which prohibits subject headings likely to 'mislead a recipient about a material fact regarding the contents of the message.'

In a footnote, the court also notes that the Illinois General Assembly is unlikely to have required - in the subject line of a commercial email - "a potentially lengthy and somewhat technical description of the process through which information is transmitted from recipient to sender when the recipient opens an e-mail." Indeed, in some instances, "it may not be possible to include on the subject line" the kind of disclosure plaintiff argued for.
__

Spam plaintiffs continue to come up with wacky theories of liability, and courts continue to reject these theories.

Posted by Venkat at 08:59 AM | Privacy/Security , Spam | TrackBack

April 06, 2011

Republisher of Youthful Sexting Photos Avoids Liability (For Now)--Doe v. Peterson

By Eric Goldman

Doe v. Peterson, 2011 WL 1120172 (E.D. Mich. March 24, 2011)

This is an interesting sexting lawsuit. Doe took explicit photos of herself and sent them via MySpace to her then-boyfriend. She did not follow my recommendations for good legal practices when sexting. The parties dispute how old she was when she took the photos. Doe claims she was just under 18; the ex-boyfriend says she was over 18.

The photos subsequently started appearing at various websites. The opinion doesn't say whodunit. Eventually, someone uploads the photos to exgfpics.com, run by Erik Peterson. (Erik's dad got dragged into the lawsuit as well, but we'll just focus on Erik in this post). [Note: the website is strictly NSFW] The website did not conform to various practices that a lawyer might recommend. Erik apparently curated the photos but didn't verify the age of the women in the uploaded photos, he added his own comments about the photos (sort of in a "thedirty.com" way, although perhaps not as mercilessly mean), and he didn't maintain any 2257 records. Thus, the website occupied a weird zone between a "pure" UGC site and an editorially controlled publication; it's much closer to the latter, but it didn't appear to be run with the legal compliance that is expected of such publications.

Doe learned of the photos at exgfpics.com and asked her ex-boyfriend for an explanation. The case omits details of that conversation. In any case, her ex-boyfriend said he sent some takedown notices to exgfpics.com without results. Then, Doe sent her own takedown notices. Erik says he never saw those. Eventually, Doe sued and served Erik's dad. It still took a few more days before the photos came down.

The case first addresses Erik's "in pari delicto" defense--basically, that Doe broke the law by creating and distributing child porn (pictures of herself), and therefore the law shouldn't help her out. The court rejects the defense, concluding that Doe is considered a victim of the child porn statutes and therefore should not be denied the statutory protection.

At the same time, the court denies Doe's summary judgment motion under 18 U.S.C. 2252A(a)(2), the law that prohibits child porn distribution. The law has a civil remedies component to it, which is at issue here. (The opinion doesn't mention if the feds are considering a prosecution).

The parties still dispute Doe's age when she took the photo, but the court says it would deny Doe's motion even if that wasn't in dispute. The court disregards Erik's failure to maintain 2257 records, saying that only gives rise to criminal liability, and the absence of such records does not satisfy 2252A's "knowing" requirement.

Doe's takedown letters don't confer 2252A knowledge either. The court seems to require that the plaintiff send the republishing website evidence of her real age (such as a driver's license); merely asserting that she was underage aren't enough to create scienter. However, her notices did create inquiry notice, which the court doesn't resolve in this ruling. The court also says that Doe's asserted minority status wasn't apparent from the photos themselves (a fact Doe admitted).

Thus, on the knowledge standard, the court concludes:

At best, Plaintiff's allegations establish that there is a genuine issue of material fact regarding whether Defendants knew she was a minor in the pictures (because they read her emails) or that they were deliberately indifferent to that fact (because they had no verification procedures in place and failed to monitor the website's email accounts). This does not, however, amount to proof that Defendants violated 18 U.S.C. s 2252A as a matter of law.

There are so many oddities about this case, I'm not even sure where to begin. Let's start with the most obvious: why didn't Doe claim a copyright interest in her photos? Either Erik was the original publisher of the photos, in which case he would be strictly liable, or he was storing the photos at the direction of the uploader, in which case a 512(c)(3) takedown should have done the trick. (Although exgfpics.com doesn't have a 512 agent for service of notice, and obviously the site's legal compliance work wasn't the sharpest). I'm still a little confused why Doe didn't bring a copyright claim. Perhaps, like the Moreno v. Hanford Sentinel case, the copyright damages weren't worth the effort. Cf. the Lara Jade Coton case.

Now, a totally different oddity: could Erik claim 47 USC 230 protection here? After all, the photos came from a third party source, and Doe is suing Erik for republishing third party content. 47 USC 230 wouldn't protect Erik from a federal criminal prosecution, but it should apply to Doe's civil claim under federal anti-porn statutes. See, e.g., Doe v. Bates and Voicenet v. Corbett. Perhaps the site's overall structure as a quasi-revenge site might make the site more vulnerable to a Roommates.com attack (it's similar to the harassthem.com analogy in Kozinski's first opinion). Even so, it would have been logical to try the defense, but the opinion didn't mention it at all.

Next, if we're not governed by either 17 USC 512 or 47 USC 230, then exactly what legal standard applies to a web republisher of alleged child porn? The notice-and-takedown approach Doe tried here was potentially less legally effective than it would have been for copyright. That discrepancy seems odd for a civil child porn claim. Even though there is the obvious difficulty ascertaining the depicted individual's age, that information gap is what 2257 tries to fill, and determining age often isn't any more difficult than determining if a photo is free to republish under copyright law.

Finally, it is disquieting to see a commercial web publication publishing nude photos of women without their consent and without any effort to verify their age. (Given the site's premise as a quasi-revenge site, it's not surprising that neither the uploaders nor the site operator attempt to get the depicted individual's consent). Due to child porn's toxicity, this basic architecture seems like bad news. Erik appears to be lucky that this judge was able to maintain a cool head; many other judges would have thrown the book at him. Still, if it turns out that Doe was underage, can a criminal prosecution be avoided?

For another example of sexting gone wrong, you might want to look at this NYT story about what happens when a 13 year old sends a nude picture of herself to her then-boyfriend, who forwards it on to her nemesis, which leads to the photo goes viral, which leads to lots of bad things happening.

Posted by Eric at 09:02 AM | Content Regulation , Derivative Liability | TrackBack

April 05, 2011

March 2011 Quick Links, Part 2

By Eric Goldman

Trademark

* Apple is on the road to CrazyTown with its attempt to secure and protect trademark rights in “App Store.” Among the "highlights" this month:
- it sued Amazon. Marty’s comments. The Justia page.
- Microsoft has been scoring a lot of points in its TTAB opposition. My comments on the latest developments. This battle is so pitched, it’s devolved into a font war.
- Apple successfully “persuaded” MiKandi, an "app store" for adults, to change its description to "app market."

* Google's trademark win for "Android" is being appealed to the Seventh Circuit.

* Advocate General's opinion in the EU keyword advertising case of Interflora v. Marks & Spencer. Let me know if you have the patience to read the whole thing. I don't.

* Jim Jansen: "it probably doesn't pay, on average, to bid on competitors branded phrase."

* At SSRN: Counterfeiters: Friend or Foe? The article tries to evaluate when knockoffs create demand for the original or act as substitutes: "The advertising effect dominates substitution effect for high-end authentic product sales, and the substitution effect outweighs advertising effect for low-end product sales."

* BoingBoing: NYT shuts down the @freeNYTimes auto-retweeting account on trademark grounds because the re-tweet service blows apart NYT's paywall. BTW, given its holes, I don’t think it should be called a “paywall.” Maybe more like a “pay-chain-link-fence”?

* GoDaddy takes down a website that tried to emulate Reed College's website.

* Washington Post caves in response to demand from Washington Redskins' team and changes a blog name from "Redskin Insider" to "Football Insider."

Retailing and Manufacturing

* WSJ: Manufacturers and retailers are beginning to push back on the paradox of choice. AdAge on Walmart using its market share to promulgate private regulations on its suppliers.

* Fast Company: How to sell more carrots? Market them like junk food.

* Illinois is the latest state to enact an "Amazon tax," so Amazon and Overstock tossed their Illinois affiliates overboard. When are states going to learn that the Amazon tax doesn't actually improve their financial situation? They don't get the increased sales tax revenue, and they lose the income tax from state-based affiliates. This is the opposite of a Pareto optimal move--no one gets made better off, but some get made worse off. This is also a good example of how state tax policy can degrade our national economy.

* SaferProducts.gov is now live.

* NYT: Car manufacturers are asserting copyright to prevent the National Highway Transportation Safety Administration from republishing their “technical service bulletins” describing warranty extensions and other unusual problems with their cars.

Privacy

* From the FTC: "in the last 15 years, the FTC has brought more than 300 privacy-related actions, including: 32 data security cases, 64 cases against companies for improperly calling consumers on the Do Not Call registry, 86 cases against companies for violating the Fair Credit Reporting Act (FCRA), 97 spam cases, 15 spyware (or nuisance adware) cases, and 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA)."

* FTC busts Chitika for having opt-out cookies expire in 10 days. According to ClickZ, Chitika claims it was a bug; the cookie was supposed to expire in 10 years.

* ClickZ: "Device Fingerprinting Could Be Cookie Killer." A follow-up story on privacy concerns.

* Time Magazine: Data Mining: How Companies Now Know Everything About You

* The FTC gave final approval to its settlement with Twitter. Prior blog post.

* Jane Yakowitz, Tragedy of the Data Commons. Brooklyn VAP Jane Yakowitz takes on Paul Ohm's reidentification paper. The abstract:

Accurate data is vital to enlightened research and policymaking, particularly publicly available data that are redacted to protect the identity of individuals. Legal academics, however, are campaigning against data anonymization as a means to protect privacy, contending that wealth of information available on the Internet enables malfeasors to reverse-engineer the data and identify individuals within them. Privacy scholars advocate for new legal restrictions on the collection and dissemination of research data. This Article challenges the dominant wisdom, arguing that properly de-identified data is not only safe, but of extraordinary social utility. It makes three core claims. First, legal scholars have misinterpreted the relevant literature from computer science and statistics, and thus have significantly overstated the futility of anonymizing data. Second, the available evidence demonstrates that the risks from anonymized data are theoretical - they rarely, if ever, materialize. Finally, anonymized data is crucial to beneficial social research, and constitutes a public resource - a commons - under threat of depletion. The Article concludes with a radical proposal: since current privacy policies overtax valuable research without reducing any realistic risks, law should provide a safe harbor for the dissemination of research data.

* Woodrow Hartzog, Promises and Privacy: Promissory Estoppel and Confidential Disclosure in Online Communities, 82 Temp. L. Rev. 891 (2009). The abstract:

Online communities often provide significant support for those who seek it. Yet in order to take advantage of that support, users must frequently disclose sensitive information such as dating profiles, candid thoughts, or even past substance abuse. What happens when other community members fail to keep this potentially harmful information confidential? Traditional remedies will likely fail to protect people when members of an online community violate the confidentiality of other members. In this Article, I contend that promissory estoppel, an equitable doctrine designed to protect those who detrimentally rely on promises, can ensure confidentiality for members of online communities. The application of promissory estoppel via a website's terms of use agreement as a method for protecting disclosure has substantial advantages over tort-based, technological, or contractual remedies. Under the third-party beneficiary doctrine or the concept of dual agency, these agreements could create a safe place to disclose information due to mutual ability to enforce promises of confidentiality.

Posted by Eric at 02:33 PM | E-Commerce , Privacy/Security , Trademark | TrackBack

Online Booksellers Get 47 USC 230 Immunity for Publisher-Supplied Marketing Collateral--Parisi v. Sinclair

By Eric Goldman

Parisi v. Sinclair, 2011 WL 1206193 (D.C. D.C. March 31, 2011). The complaint. More source documents.

Sinclair self-published a book that Parisi believes defamed him. The book showed up in Books-a-Million, B&N and Amazon. All of the retailers published an allegedly defamatory promotional statement supplied by the "publisher" (in this case, the author). In B&N and Amazon's cases, it appears that Sinclair's self-publication venue, Lightening Source, supplied a data feed that they used to automatically build a display page containing the allegedly defamatory statement.

With respect to the publisher-supplied promotional statement, the online booksellers claimed 47 USC 230 immunity. This proves to be an easy case because the online booksellers simply republished the third party-supplied content. The court explicitly rejected an argument that Books-a-Million "adopted" the publisher's collateral as its own. This is consistent with the uncited Black v. Google opinion. The court also explicitly granted Books-a-Million's 12(b)(6) motion to dismiss, saying that was appropriate when the immunity is apparent on the complaint's face, as it was here. (B&N and Amazon brought summary judgment motions).

Despite this being an easy 230 case, the court delineates two 47 USC 230 boundaries. First, it refuses to embrace the Perfect 10 v. ccBill conclusion that 230 preempts state IP claims, but it doesn't accept the alternative proposition (from the Project Playlist and Friendfinder cases) either. Instead, it dismisses the false light claim (which the court liberally construed as a publicity rights claim) on newsworthiness grounds.

Second, in FN3, the court says that B&N and Amazon can't claim 47 USC 230 immunity for the online sale of physical books delivered in realspace. The court distinguishes the republication of marketing collateral, which are covered by 230, from sale and delivery of the physical books themselves, which are not. This seems like a sensible distinction. Even though 230 immunizes offline conduct when the claim is based on online communications (see, e.g., Doe v. MySpace), offline deliveries of tortious material by the defendant should be outside the scope of 230. For more on this, see the uncited Curran v. Amazon.com case. The court suggests that a Kindle sale--where the online retailer sells third party materials but delivers them electronically--would also drop out of 230's protection. This is consistent with the uncited the Accusearch case, although I personally think 230 can apply in that situation.

Even though 230 isn't availing for the book sales themselves, the booksellers exit the case because they lacked the required actual malice.

Despite the two 230 limits identified by the court, this case is a good 230 win for the defense. Among other things, it reminds us that online retailers are fully eligible for 47 USC 230's immunity if they meet the requisite elements. Also, at our 230 retrospective, Kai Falkenberg of Forbes expressed a worry that this case may require online publishers to clearly demarcate their content from third party content. As it turns out, the consumers' perceived source of the allegedly defamatory content didn't come up in the court's discussion.

Posted by Eric at 10:12 AM | Content Regulation , Derivative Liability , E-Commerce | TrackBack

April 04, 2011

Court Denies Request for Discovery of Facebook and Twitter Account Information, Finding that the Request is a "Digital Fishing Expedition"

[Post by Venkat Balasubramani]

Caraballo v. City of NY, Index No. 75535/08 (N.Y. Sup. Ct.; Mar. 4, 2011)

Plaintiff suffered personal injuries "while performing work at 417 O'Gorman Avenue, also known as 45 Keegans Lane, on Staten Island." Predictably, defendant sought discovery of

plaintiff's current and historical Facebook, Myspace and Twitter pages and accounts, including all deleted pages and related information.[emphasis added]

Plaintiff objected on the grounds that the discovery was overbroad, intrusive and the information sought was irrelevant. Defendant argued that the records from the social networking sites were:

just as relevant as plaintiff's medical records to the extent that there are photographs, status reports, [and] videos that depict plaintiff engaging in activities that contradict his injury claims in this case.

Defendant also pointed to a prior case where a defendant's request to access plaintiff's MySpace account was granted. However, in that case, the plaintiff had testified as to the types of information she had posted to her MySpace account. Here, the defendant put forth no such evidence. It tried to obtain access to the Twitter and Facebook accounts hoping to find something there. The court denies the request:

the discovery demand at issue is overly broad, and [defendant] has failed to establish a factual predicate with respect to the relevancy of the information the sites may contain. In the opinion of this Court, digital “fishing expeditions” are no less objectionable than their analog antecedents.

A previous case from a trial court in New York granted a similar request to discover plaintiff's Facebook and MySpace Posts (Romano v. Steelcase, discussed in this post: "Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase".) That case dealt primarily with deleted posts, and didn't address the question of plaintiff's privacy interests in private posts or messages.

This case (like the other cases involving discovery of social network information) illustrates some of the practical difficulties that courts and litigants will face when trying to get access to a party or witness's social network information. The party seeking the information has to demonstrate that it seeks information that is relevant to the dispute (and that the account will contain such information). Defendant did not make that showing here, but if it had, was the court willing to give defendant unfettered access to the account? That doesn't seem like a tenable result. In any event, it's good to see that courts are imposing some minimal threshold before allowing litigants to access the contents of a party's social networking account.

Previous posts:

Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users' IP Addresses"

Posted by Venkat at 07:19 AM | Evidence/Discovery , Privacy/Security | TrackBack

April 03, 2011

By Eric Goldman

* Big news #1: Judge Chin rejected the Google Book Search settlement. The opinion. If you read only one commentary about the rejection, it should be James Grimmelmann’s recap. My 2008 comments on the settlement.

* Big news #2: The US Supreme Court granted certiorari in Golan v. Holder. The SCOTUS Blog recap.

* Big news #3: In Righthaven v. Center for Intercultural Organizing, Judge Mahan granted a dismissal on fair use grounds even though the defendant republished 100% of a 33 paragraph article. Steve Green’s writeup of the hearing. We’re still waiting for the court’s official opinion, and we’ll have to see how this ruling fares on appeal. If this ruling stands, it eviscerates much of Righthaven’s basic legal argument and should accelerate the company’s demise. See also my October writeup of Righthaven v. Realty One, the other defense win on fair use.

More Righthaven news this month:

- Righthaven sued Eriq Gardner, a reporter and blogger for The Hollywood Reporter, for showing a court filing which contained a reproduction of the TSA pat-down photo. Righthaven voluntarily dismissed the lawsuit within 24 hours. Ars Technica tells the story of this pathetic flip-flop. Righthaven claimed that filing the complaint was a “clerical error.” However, this isn't like a typo in a complaint. An erroneously filed complaint seems like a prima facie violation of Rule 11's obligation to verify the facts before signing the complaint; and it may constitute a breach of the signing lawyer’s obligations under the applicable ethics rules. It will be interesting to see if this “mistake” leads to any discipline for the errant lawyers. Meanwhile, calling the suit a clerical error seems pretextual. While the lawsuit was still pending, Righthaven’s CEO didn’t give Joe Mullin any indication that the suit was a mistake.

- Righthaven v. Vote for the Worst, 2011 WL 1304463 (D. Nev. March 30, 2011). The court rejects a challenge to Righthaven’s allegedly defective copyright assignment process. More importantly, the court applied the personal jurisdiction Effects Test even though the copyright infringement is based on a user's upload:

It is undisputed however, that votefortheworst.com provides multiple user forums and message boards wherein content can be freely posted at the user’s discretion. Defendants do not articulate or implement any form of copyright enforcement policy or impose any rules or guidelines directed towards controlling copyright infringements that may occur on their website....Defendants cannot claim that their lack of knowledge of infringement, when such activity is reasonably foreseeable, can shield them from being subject to this forum’s jurisdictional reach.

This is a bad ruling. The Effects Test should require the defendant's knowing efforts to direct activity into the forum state. If a user does the posting, then the site operator lacks the requisite intent.

- Righthaven, LLC v. Mostofi, 2011 WL 1098971 (D. Nev. March 22, 2011). Another refusal to dismiss personal jurisdiction:

It would be a substantial burden on Defendant to have to litigate in Nevada. However, all of the other factors favor Plaintiff. Arguably, the forum state has an interest in adjudicating an infringement upon a news article originated by the forum state's largest local newspaper publisher written about actions taken by the Nevada State Bar. The Las Vegas Review Journal's subscribers are purportedly primarily residents of the forum state of Nevada and the LVRJ advertisers consist mainly of local Nevada businesses. Any infringement could reasonably be expected to affect them as well. Finally, Plaintiff has named numerous Defendants in other identical suits each from numerous other states. “The interstate judicial system would benefit from the efficient resolution of this case in the same forum as the others. This would serve fundamental substantive common social policies.” Majorwager.com, 2010 WL 4386499, at *4. Accordingly, the Defendant has not overcome the presumption of reasonableness and this Court has personal jurisdiction over Defendant.

- As Wendy Davis reports, Righthaven is suing other newspaper publishers—its prospective customers. Hasn't Righthaven learned from the RIAA that suing prospective customers doesn't improve future sales?

* Also on the personal jurisdiction front, and consistent with the broad jurisdictional rulings in the Righthaven cases, in Penguin Group v American Buddha, New York’s highest state court ruled that the state’s long-arm statute says that online copyright infringement lawsuits can take place in the copyright owner's home court.

* Two rulings in Arista Records LLC v. Lime Group LLC that appear to slightly limit Limewire’s damages exposure. First, on March 11, the court held that copyright owners are only entitled to one statutory damage per work infringed, regardless of the number of P2P file sharers who shared it. Then, on March 18, the court says (2011 WL 1097558):

If a LimeWire user infringed a work prior to the Registration of the copyright for that work, Plaintiffs are barred from seeking a statutory damage award from Defendants with respect to that work. However, Plaintiffs may still seek to recover actual damages for those works, and will thus be compensated in the event that those works were infringed on the Lime Wire system.

My previous blog post on the case.

* Updates on the lawless DHS domain name seizures (my prior blog post). First, Techdirt explains why the DHS seizures are illegal. Second, the DHS arrested Brian McCarthy for criminal copyright infringement for streaming sports, but as Techdirt explains, this too looks like a lawless action.

* Stern v. Does (C.D. Cal. Feb. 10, 2011). A 23 word listserv posting isn't copyrightable; and if it is, forwarding to a non-list member was fair use. (Naturally, it was a lawyer who authored the post and advanced the tendentious claim). The court awarded attorneys' fees to the defense. A sad commentary on copyright adjudication: it took a 30 page opinion to resolve the legal issues of forwarding a 23 word email.

* IP Czar Victoria Espinel issued more recommendations (blog post; white paper).

* Rebecca Black has a surprise (and painful) viral hit on YouTube. Let the copyright battles begin!

* Copyright geeks, rejoice—a full scan of Selden's Condensed Ledger (1861) from Baker v. Selden is now online!

Posted by Eric at 10:09 AM | Copyright | TrackBack

April 01, 2011

Trademark Owner Gets Injunction Against Keyword Ad Campaign That Generated No Sales for the Advertiser

By Eric Goldman

InternetShopsInc.com v. Six C Consulting, Inc., 2011 WL 1113445 (N.D. Ga. March 24, 2011)

[I know the headline sounds like an April Fools joke, but no April Fools here...although, as I will show, this case definitely involved some foolishness.]

I hate sounding like a broken record, but I'll say it again. Most keyword ad lawsuits are not economically justified, so trademark owners are almost invariably making a bad business decision bringing them. Check out this beautiful case study of that principle.

The plaintiff has a trademark in "Dura Pro" for practice golf mats. Six C is a competitor who outsourced its PPC campaign to Channel Advisor. Channel Advisor placed competitive keyword ads triggered by "Dura Pro." In January 2009, the trademark owner complained to Six C, who promptly told Channel Advisor to drop the keyword. Channel Advisor didn't follow this instruction completely, meaning that some ads continued despite Six C's instructions. The plaintiff sued March 2009, and the court indicates that Channel Advisor fully dropped the term by April 2009 (although elsewhere it says the rogue ads persisted for 14 months).

For reasons not explained in this opinion, Six C admitted that its keyword ad buys constituted trademark infringement, narrowing the issues in this case to remedies for the admitted infringement.

The court rejects the plaintiff's claims for lost sales. The plaintiff submitted a spreadsheet showing a decrease in sales, but the court says the spreadsheet showed monthly fluctuations in sales, and the plaintiff only showed correlation, not causation, with the post-advertising decrease.

The plaintiff also sought the defendant's profits from the keyword advertising, and this is where the lawsuit gets farcical. It turns out that the defendant only got 1,319 impressions on its Dura Pro ads, 35 clicks from those impressions (2.6% clickthrough rate) and NO SALES from those clicks. Are you kidding me? The plaintiff sued over a keyword ad campaign that generated ZERO SALES for the defendant? It seems like the plaintiff should have been thrilled that its competitor was wasting money on an ineffective campaign. Instead, foolishly, the trademark owner spent its own money to pay its lawyers to get the defendant to stop wasting its advertising dollars. Great business decision, guys.

The court also denies attorneys' fees, citing Six C's responsiveness to the trademark owner's initial C&D (even if Channel Advisor didn't properly execute Six C's instructions). The court does award the trademark owner the court costs of the action, but these should be relatively small.

Finally, the court grants the trademark owner's request for an injunction (with the exact restrictions to be hashed out), but big whoop. Six C dropped the keyword a long time ago, and given the keyword's conversion rate, that wasn't really a sacrifice. The court says that the trademark owner was suffering irreparable injury "regardless of the fact that defendant's unauthorized use appears to have been unintentional, and that it did not result in any readily quantifiable harm to plaintiff." I think the judge could have more aggressively scrutinized the trademark owner's arguments on this point, but an injunction is a logical outcome for an admitted trademark infringement, even if it's mostly inconsequential in this case.

Notice that the defendant gets a decent outcome here in large part because it chose to quickly drop the keyword at the trademark owner's request. Not all advertisers would be so risk-adverse. Then again, I would expect most advertisers to fight the trademark infringement claim rather than admitting to it.

I'm adding this outcome to the list of irrational keyword ad lawsuits. Other precedents in that genre:

- King v. ZymoGenetics. The defendant advertiser got 84 clicks.
- Storus v. Aroa. The defendant advertiser got 1,374 clicks over 11 months.
- 800-JR Cigar v. GoTo.com. The search engine defendant generated $345 in revenue from the litigated terms.
- Sellify v. Amazon. The defendant got 1,000 impressions and 61 clicks.
- 1-800 Contacts v. Lens.com. 1-800 Contacts spent no less than $650k (and was willing to spend $1.1M) to pursue Lens.com, which made $20 of profit from competitive keyword ads. It also tried to hold Lens.com responsible for affiliate ad buys which generated about 1,800 clicks, which under the most favorable computations were worth about $40k.
- and now InternetShopsInc.com v. Six C. The defendant got 1,319 impressions, 35 clicks and zero sales.

Posted by Eric at 11:56 AM | E-Commerce , Marketing , Search Engines , Trademark | TrackBack

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty

[Post by Venkat Balasubramani]

Facebook, Inc. v. Maxbounty, Inc., CV-10-4712-JF (N.D. Cal.; Mar. 28, 2011)

The Northern District of California ruled that commercial posts to a Facebook user's wall, news feed, and home page constitute "electronic mail messages" that are subject to CAN-SPAM. Two other courts in California had taken a similar approach with respect to MySpace messages (MySpace v. Wallace and MySpace v. TheGlobe.com).

Facebook brought claims against Maxbounty, which it alleged set up an affiliate scheme in violation of Facebook's policies and procedures. As described in the complaint:

MaxBounty, through its network of affiliates, creates fake Facebook pages that are intended to re-direct unsuspecting Facebook users away from Facebook.com to third-party commercial sites . . . In the first step, MaxBounty establishes a network of affiliates; in the second step, MaxBounty's affiliates create numerous Facebook pages that function like (and in effect are) advertisements; in the third step, the page displays a message indicating that upon registration a user will be able to take advantage of a "limited time offer," such as receiving a gift card or becoming a product tester for a high-end product (e.g. an Apple iPad); in the fourth step, the Facebook user is induced by the page and begins the registration process. The registration process requires three discrete user actions: (1) to become a "fan" of the page, (2) to invite all of his or her Facebook friends to join to the page, and (3) to complete additional administrative registration requirements. Upon completion of these requirements, Facebook users are not sent the promised item but instead are directed "to a domain registered to and managed by Maxbounty that then redirects the user to a third-party commercial website . . . ." The third-party commercial site informs the user that he or she must complete still more steps in order to obtain the promised item. Such additional steps include signing up for numerous "sponsor offers," which typically are offers for memberships in subscription services.

CAN-SPAM has three broad requirements: (1) no misleading subject lines; (2) no false or misleading header information; and (3) inclusion of a means to opt-out. I'm not sure how these requirements track to Facebook posts. Maxbounty argued (among other things) that the Facebook posts by its affiliates were not "electronic mail messages" that are subject to CAN-SPAM. CAN-SPAM defines an electronic mail message as":

a message that is sent to a unique electronic mail address . . . [i.e.] a destination, commonly expressed as a string of characters, consisting of a unique user name of mailbox and a reference to an internet domain . . . whether or not displayed, to which an electronic mail message can be sent or delivered.

The court declines Maxbounty's invitation to construe CAN-SPAM's definition of electronic mail message narrowly, pointing to congressional intent in curtailing the scourge of spam and to the two prior cases that held that MySpace posts could constitute email messages that are subject to CAN-SPAM.

From a practical standpoint, the court's order omits one question - whether the Facebook users actually received the messages in question via email. Some Facebook users would not set their Facebook accounts to forward posts or messages via email, so although the messages may be "routed" by Facebook, they may never be received (or even viewed) by the user. There's also the issue that the users in question "liked" the pages in question. My understanding is that people (or companies) that you are not "friends" with cannot post messages to your wall or message you, so the people who received unwanted wall posts or messages in question had to take an affirmative step before they were sent the messages in question. Are these messages truly unsolicited?

This is a pretty expansive reading of CAN-SPAM. When you get to the point that social networking messages can constitute messages that are regulated by CAN-SPAM, there's really no stopping point. How about blog comments? Tweets? Are the Facebook posts in question subject to the Telephone Consumer Protection Act as well, if the user had set his or her Facebook account to forward messages via SMS?

A case from Utah deciding whether pop-up ads were emails illustrates some of the practical difficulties with treating Facebook wall posts as email messages. (Riddle v. Celebrity Cruises, Inc.) The Utah statute required commercial emails to be labeled as advertisements (with "ADV") and the court (which found that pop-up ads do not constitute email messages) noted:

[a]ny requirement to include the "ADV:" designation on the subject line of a pop-up ad would be meaningless because there is no subject line per se.

The same difficulties can arise when you treat Facebook messages as emails which are subject to CAN-SPAM.

Maxbounty also argued that Facebook failed to plead its Computer Fraud and Abuse Act claims with particularity. The court finds that CFAA claims are not subject to the heightened pleading standards of Rule 9(b), and that Facebook satisfied the lower pleading standard.

Posted by Venkat at 07:30 AM | Spam

Search

Categories

Archives

Recent Entries

April 30, 2011

Cease & Desist Letter to iTunes Isn't Covered by 17 USC 512(f)--Red Rock v. UMG

April 29, 2011

Department of Commerce Releases Worthless Report on Trademark Bullying

April 28, 2011

Copyright Takedown Notice Isn't Actionable Unless There's an Actual Takedown--Amaretto v. Ozimals

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

April 26, 2011

Acknowledging Receipt of an Email Doesn't Form a Contract--Stebbins v. Wal-Mart

Videos from the 47 USC 230 Conference Now Online

April 25, 2011

Google Wins Lawsuit Over Unhappy Google Search Appliance Installation--Market America v. Google

April 23, 2011

Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO

April 20, 2011

Blogger Gets 47 USC 230 Dismissal for Third Party Comment--Kruska v. Perverted Justice

A Look at the Commercial Privacy Bill of Rights Act of 2011

April 19, 2011

FTC Warns Debt Collector About Using Facebook to Contact Debtor

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

April 18, 2011

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou

April 14, 2011

YouTube and its Amici File Their Briefs in the Viacom v. YouTube Appeal

April 13, 2011

Announcing DoctoredReviews.com, a Website Against Doctors' Efforts to Squelch Online Patient Reviews

April 12, 2011

UC Irvine Virtual World Conference Notes

April 10, 2011

Court Smacks Down Lawyer Who Tries to Enforce Copyright in 23 Word Email -- Stern v. Does

April 09, 2011

Contacting a Person's Facebook Friends Isn't Stalking--People v. Welte

April 08, 2011

Intelius Dodges a Bullet Over Allegedly Deceptive Online Marketing Practices -- Hook v. Intelius

March 2011 Quick Links, Part 3

April 07, 2011

StubHub Denied Section 230 Defense in Scalping Case--Hill v. StubHub

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

April 06, 2011

Republisher of Youthful Sexting Photos Avoids Liability (For Now)--Doe v. Peterson

April 05, 2011

March 2011 Quick Links, Part 2

Online Booksellers Get 47 USC 230 Immunity for Publisher-Supplied Marketing Collateral--Parisi v. Sinclair

April 04, 2011

Court Denies Request for Discovery of Facebook and Twitter Account Information, Finding that the Request is a "Digital Fishing Expedition"

April 03, 2011

March 2011 Quick Links, Part 1 (Special Copyright Edition)

April 01, 2011

Trademark Owner Gets Injunction Against Keyword Ad Campaign That Generated No Sales for the Advertiser

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty