Technology & Marketing Law Blog: May 2011 Archives

Technology & Marketing Law Blog

« April 2011 | Main | June 2011 »

May 31, 2011

April-May 2011 Quick Links, Part 2 (Copyright Edition)

By Eric Goldman

* COICA is dead, but S. 968, the PROTECT IP Act, has arisen from its ashes. Criticisms from technologists and the EFF.

* The Department of Homeland Security's domain name seizures are probably the single worst US government abuse of the Internet ever. Further confirmation of that: Techdirt: “Why We Haven't Seen Any Lawsuits Filed Against The Government Over Domain Seizures: Justice Department Stalling."

* CA SB 550: Latest ridiculous proposal from the RIAA, especially in light of the DHS f-ups: “The bill would authorize law enforcement officers to perform inspections, as specified, at commercial optical disc manufacturing facilities during regular business hours without a warrant for the purpose of verifying compliance with these provisions and would authorize law enforcement officers, in performing these investigations, to seize any optical disc or production part manufactured in violation of these provisions.” Wired's coverage: “RIAA Legislation: No Warrant Required to Search, Seize Optical-Disc Plants.”

* S. 978: proposal to amend criminal copyright infringement laws to create a felony for streaming. In my work on criminal copyright infringement, I explained that criminal copyright infringement was an inexorable path to become meaner.

* There were a lot of interesting developments in the LimeWire case leading up to the damages trial.

- statutory damages are computed on a per-song basis so long as the songs were commercially available individually. Contrast the Bryant case.

- the labels had already collected damages from the direct infringers in 104 recordings. Nevertheless, the court says the labels can collect statutory damages from LimeWire for these recordings as well, but the judge can adjust the award to reflect this. [Arista Records LLC v. Lime Group LLC, No. 06-5936 (S.D.N.Y. April 6, 2011)].

- LimeWire could not introduce evidence that it had a good faith belief that they were not operating an unlawful business [Arista Records LLC v. Lime Group LLC, No. 06-5936 (S.D.N.Y. April 20, 2011)].

- The parties ultimately settled for $105M.

- In a partially related development, CNET was sued for facilitating copyright infringement by distributing LimeWire. Tertiary infringement anyone?

* Another copyright owner gets a Pyhrric victory on damages. In Gaylord v. US, the Postal Service reused a photo for one of its stamps and the court found copyright infringement. The photographer asked for $3M; instead, the court awarded damages of only $5,000.

* ACEMLA v. ASCAP (1st Cir. April 21, 2011). Copyright fee shift (17 USC 505) available for the defendant even if the plaintiff didn't make a timely registration of the copyright.

* There were many lowlights in the Righthaven train wreck over the past two months. Two of the lowest:

- Righthaven's Strategic Alliance Agreement with Stephens Media was released (starting on page 6). Joe Mullin's recap. In response to the agreement, the court in Righthaven v. Pahrump Life ordered Righthaven to show cause why case should not be dismissed for a sham copyright assignment, and Judge Kane has stayed all of the Denver Post-related Righthaven litigation in Colorado pending an analysis of Righthaven’s standing under its agreement with MediaNews.

- Righthaven dropped the Brian Hill lawsuit after the judge had some impliedly critical remarks about the case. The dismissal. In the dismissal, Righthaven griped that "Righthaven was unaware of the Defendant’s alleged medical condition prior to filing suit." Well, that's why respectable copyright owners send takedown notices before running to court without all of the facts. It's hard to be sympathetic to Righthaven when it fails to do even basic pre-suit research and then bitches about being surprised. Pathetic. Righthaven continues: "Defendant’s incessant use of the Internet as a means to post inflammatory statements about Righthaven and about these legal proceedings say more about his cognitive ability than one would otherwise surmise from the press statements made by his counsel." Classy... The court didn't appreciate Righthaven's saber-rattling and struck that part of the pleading. As Joe Mullin indicates, Righthaven's antics have annoyed the judge, and Righthaven may want to rethink its entire Colorado litigation strategy. Righthaven struck back with an incredible F-U to the judge. Meanwhile, was Righthaven pressuring Hill to agree to a false press release as part of the proposed settlement?

* AdAge: When It Comes to Ad Avoidance, the DVR Is Not the Problem

* Google lost its Belgian appeal in the Copiepresse case.

* Eros v. Linden settled.

* Angst over Lady Gaga's requirement that photographers assign over the copyrights to the photos they take at her concerts.

* Perfect 10 v Giganews complaint.

* Flowserve Corp. v. Hallmark Pump Co., 2011 WL 1527951 (S.D. Tex.). A company copied-and-pasted its competitor’s product shots as depictions of its own products, which you can’t do. Rebecca is on the case.

* Venkat and I participated (with Evan Brown and Jonathan Bailey) on TWiL 111, mostly discussing copyrights. Listen in.

Posted by Eric at 08:48 AM | Copyright , Derivative Liability | TrackBack

May 30, 2011

April-May 2011 Quick Links, Part 1 (Trademarks and Advertising Edition)

By Eric Goldman

Trademark

* Facebook has quite an active trademark docket.

- Facebook, Inc. v. Teachbook.com, LLC, 2011 WL 1672464 (N.D.Cal. May 3, 2011). Facebook’s trademark suit against Teachbook was dismissed for lack of personal jurisdiction. Facebook promptly refiled in Illinois.

- Facebook sues Various over a "Face Book of Sex" site.

- Facebook v. Bearbook. Facebook forced a name change at a site for "bears."

* What are people bringing trademark lawsuits over? Sears is suing over DieHard sex spray, whiskey manufacturers are suing over “Give ‘Em the Bird,” and the Huey P. Newton Foundation is suing CafePress over "All Power to the People" (one of the rare times when "Power to the People" and trademark enforcement will be in the same sentence). And don't forget the laughable claim that the NYSE has trademark protection in its trading floor.

* Newport News Holding Co v. Virtual City Vision (4th Cir. April 18, 2011). Newportnews.com is the subject of an ACPA loss 10 years after it survived a UDRP. What went wrong? "[I]n making changes to its website in 2007, VCV shifted its focus away from the legitimate service of providing information related to the city of Newport News and became instead a website devoted primarily to women’s fashion....VCV cannot escape the consequences of its deliberate metamorphosis....newportnews.com went from being a website about a city that happened to have some apparel advertisements to a website about women’s apparel that happened to include minimal references to the city of Newport News." Result of the ACPA loss: $80k in damages, $10k in sanctions and attorneys' fees.

* It was a bad two months for plaintiffs suing keyword advertising defendants:

- Starsurgical, Inc. v. Aperta, LLC, 2011 WL 2037554 (E.D. Wis. May 24, 2011): “Star also claims that defendants infringe its mark by using it as a “keyword” on internet search engine advertising such that whenever a customer performs a search for the phrase “Wittmann Patch” defendants' website appears as a sponsored search result. Star, however, makes no effort to explain how this activity confuses consumers. Cent. States, SE & SW Areas Pension Fund v. Midwest Motor Express, 181 F.3d 799, 808 (7th Cir.1999) (arguments not developed in any meaningful way are waived); see also Network Automation, Inc. v. Advanced Sys. Concepts, No. 10–55840, 2011 U.S.App. LEXIS 4488, at *37–39 (9th Cir. Mar. 8, 2011) (using a trademark in keyword advertising does not violate Lanham Act absent showing of likelihood of confusion).”

- World Entertainment, Inc. v. Brown, 2011 WL 2036686 (E.D. Pa. May 20, 2011): “Plaintiffs showed Brown's use of their protected trademarks in advertising and diverting internet traffic to Grand Entertainment's website through search engine phrase matching using Google Adwords and meta tags, but they did not offer any evidence suggesting the percentage of their business downturn caused by such infringement.” Accord InternetShopsInc.com v. Six C Consulting, Inc.

- The Scooter Store v. SpinLife.com, 2011 WL 1460438 (S.D. Ohio amended opinion April 18, 2011). The Scooter Store sued SpinLife for buying its trademarks in Google AdWords. This ruling preserves SpinLife’s antitrust counterclaims.

- Traveler's Joy, Inc. v. Haycco LLC, 2011 WL 1587132 (S.D. Ind. April 26, 2011): "In an attempt to stave off dismissal, Joy points to numerous screenshots of Google's search results and pages generally discussing how Google's “AdWords” keyword-based advertising program operates. Based on this “evidence,” Joy jumps to the conclusion that Haycco's advertisements are specifically targeted to users in Indianapolis. However, this evidence is in no way sufficient to establish that Haycco engaged in any such intentional targeting of Indiana. Instead, the credible evidence establishes that Haycco only engages in general web advertising."

* Architectural Mailboxes, LLC v. Epoch Design, LLC, 2011 WL 1630809 (S.D. Cal. April 28, 2011). In a case involving critical comparative advertising, the court grants the advertiser’s nominative use defense on a motion to dismiss. Rebecca’s coverage.

* Koch v. Does. A hoax press release survives a trademark challenge. Coverage from EFF and Bill McGeveran.

* Eva Bridal Ltd. v. Halanick Enterprises Inc. (7th Cir. May 10, 2011). A botched franchising attempt leads to a finding that the purported franchisor abandoned the mark.

* be2 LLC v. Ivanov, 2011 WL 1565490 (7th Cir. April 27, 2011). An alleged knockoff website didn't have jurisdiction when it had only 20 registered users in the plaintiff's home court.

Advertising

* The plaintiffs voluntarily dropped the Taco Bell beef lawsuit. But Taco Bell may not be done with the plaintiffs.

* NYT: A study suggests that 3 credit card merchant account providers support the vast majority of spammers. The paper. Unfortunately, this will almost certainly encourage politicians to deputize credit card providers as the Internet police.

* In a crackdown on fake "news" sites promoting acai berries, the FTC takes another broad view about affiliate liability (1, 2).

* Similarly, “The FTC has consistently maintained that sellers are responsible for their marketers’ telephone calls to solicit purchases of the seller’s goods or services.”

* NYT: angst about advergames oriented towards kids. Evidence that kids don't understand ad labeling.

* The vegan-oriented magazine VegNews used stock photos of items containing meat to accompany the vegan recipes it publishes (and didn't disclose this fact). The vegan community erupted in anger. VegNews initially stood its ground but finally relented and apologized.

* NYT on functional foods.

* Patton Boggs: "FTC Enforcement Against Individuals: Legal Standards Impacting Individual Liability for Alleged Violations Enforced by the FTC’s Bureau of Consumer Protection."

Posted by Eric at 08:24 AM | Derivative Liability , Marketing , Trademark | TrackBack

May 27, 2011

Review Website Should Get 47 USC 230 Dismissal But Judge Keeps Case Open in "Abundance of Caution"--Frontier Van Lines v. MoverReviews.com

By Eric Goldman

Frontier Van Line Moving & Storage, Inc. v. Valley Solutions, Inc., 2011 WL 2110825 (W.D. Pa. May 24, 2011)

MoverReviews.com is a review website for moving companies. Frontier Van Lines alleges that a MoverReviews user, Schmidt, made 2 defamatory posts and that MoverReviews "published, authored, created, or acted in concert with Schmidt in authoring, creating, and posting and in failing to remove the alleged defamatory statements."

Pled this way, it should be an easy 47 USC 230 dismissal. Calling MoverReviews the "publisher" seals the deal; and the rest of the verbs are the kind of bald-faced factually unsupported assertions that a plaintiff proffers to get around the obvious 47 USC 230 problem. To bolster this plead-around, Frontier Van Lines makes the typical move of invoking the Roommates.com decision.

The court does a few savvy things in response. First, the court recognizes that MoverReviews is more like the "free text" area in Roommates.com, which the Roommates.com case said qualified for 47 USC 230, because Frontier Van Lines didn't allege that MoverReviews "shaped" the allegedly defamatory reviews. Second, because of Frontier Van Lines' unsupported conclusory allegations, the court says that "Frontier has failed to 'nudge' its claims 'across the line from conceivable to plausible.'" (citing Iqbal).

Yet, like some other courts faced with an obvious 47 USC 230 immunity recently (see, e.g., Smith v. TRUSTe, Kruska v. Perverted Justice Foundation and Robins v. Spokeo), the court just couldn't bring itself to grant a 12(b)(6) motion to dismiss. Instead, the court says:

out of an abundance of caution, the Court will provide Frontier an opportunity to develop the record with respect to this issue; and therefore, will deny the motion to dismiss without prejudice for Valley Solutions to file a prompt motion for summary judgment after the exchange of the Rule 26(a)(1) disclosures, and limited discovery

If the court thinks Frontier Van Lines could replead a plausible claim, it should have dismissed the complaint with a leave to amend. That's what I think Iqbal requires. Instead, the court put the financial burden on the defendant to engage in discovery and file a summary judgment motion. Even if the discovery is "limited," MoverReviews shouldn't have to bear that costs if Frontier Van Line can't make the threshold showing. If the court was going to impose these costs on the defendant, I think it should have said that Frontier Van Lines has a choice: it can tuck its tail between its legs and go away now at no cost, or it can pay for the costs that MoverReviews incurs to fulfill these obligations if MoverReviews wins its summary judgment motion (which seems highly likely).

Notice that this case probably comes out very differently in California under its generous anti-SLAPP protections. So long as the reviews addressed, even tangentially, a matter of public interest, then a CA court almost certainly would have granted MoverReviews' anti-SLAPP motion and made Frontier Van Lines pay MoverReviews' attorneys' fees. So even though this case is mostly a strong defense-side win, it's also a great case study of why we need federal anti-SLAPP legislation.

Posted by Eric at 10:00 AM | Content Regulation , Derivative Liability | TrackBack

May 26, 2011

Online Insurance Application Constitutes “Writing” for Purposes of Waiving Insurance Coverage for Medical Benefits--Barwick v. GEICO

By John Ottaviani

Barwick v. Government Employee Insurance Co., Inc., 2011 Ark. 128 (March 31, 2011) [link]

Although 47 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted the Uniform Electronic Transaction Act (UETA), we have had very few cases discussing or interpreting UETA. Here, we have a case where the court is asked whether a waiver in an online insurance application is a “writing” for purposes of a state insurance law that requires coverage waivers to be in writing.

The facts are fairly simple. In 2009, a woman (who subsequently married the plaintiff) purchased automobile insurance coverage online at GEICO’s website. In the online application, the woman rejected coverage for medical benefits as permitted under Arkansas law. The online form bore the woman’s electronic signature. In a discovery deposition, the woman also acknowledged that she completed the form on the website, that she did not select the coverage for medical benefits, and that she signed the application electronically.

The lower state court granted summary judgment to GEICO and dismissed the husband’s claim for medical benefits. On appeal, the husband argued that the electronic application containing his wife’s electronic signature did not meet the requirement that a rejection of coverage be “in writing” under the terms of Arkansas Code Annotated Section 23-89-203 (Repl. 2004). The husband argued that because a general statute does not apply when a specific one governs the subject matter, the insurance statute requirement that the waiver of coverage be “in writing”, takes precedence over the more general provisions in the UETA. He also argued that pressing a computer button did not constitute a “writing” for purposes of waiving coverage.

The Arkansas Supreme Court reviewed the history of UETA and noted that Arkansas had adopted UETA in 2001 to facilitate electronic transactions. The court found that the online application was an “electronic record” under UETA. The Court also found that there was no conflict between the insurance statute and UETA, and that the two provisions can be read “harmoniously” to mean that an electronic record can fulfill the requirement of written rejection for coverage. As a result, the Arkansas Supreme Court affirmed the lower court’s grant of summary judgment to GEICO.

A few thoughts:

• The court’s analysis is straightforward and correct. One would think that the legal issue is obvious, but there have been very few cases interpreting UETA to date (perhaps because the statute is so simple?). UETA was drafted so that the state legislators did not have to amend the numerous statutory requirements for “writings” in each statute. Instead, UETA provides a global approach that a record or signature may not be denied legal effect or enforceability solely because it is in electronic form, and a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation. But it’s nice to now have a case to point to when a client questions the validity of online agreements.

• GEICO also argued that the plaintiff should be estopped from questioning the validity of the electronic waiver of coverage, because he is also seeking to benefit from the insurance policy obtained throughout the online application. Because the court dismissed the appeal on the UETA grounds, it did not need to address the estoppel argument.

• There do not seem to be any evidence issues in this case. The woman in question did not deny that she completed the online application and affixed an electronic signature. She also gave a deposition testimony that she completed the form on the website, that she and did not select coverage for medical benefits, and that she signed the application electronically. Query whether or not the court would have denied summary judgment if any of these facts had been in dispute.

• Unlike the court in Colorado last year, the Arkansas Supreme court correctly determined that EUTA, and not the federal Electronics Signatures In Global and National Commerce Act (commonly known as “E-Sign”), applies to this case. E-Sign has a peculiar “reverse preemption”. E-Sign governs in the absence of a state law or in states that made modifications to UETA that are inconsistent with E-Sign. In effect, Congress forces a state to adopt UETA in a uniform manner, by providing that the state version of UETA controls over E-Sign if UETA is adopted without modification. Here, Arkansas appears to have adopted UETA without any significant modifications, so UETA’s provisions should govern questions of contract formation and enforceability in Arkansas.

See also this brief post on a Federal Circuit UETA case.

Posted by John Ottaviani at 07:00 PM | E-Commerce , Licensing/Contracts | TrackBack

Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia

[Post by Venkat Balasubramani]

Simonoff v. Expedia, No. 10-35595 (9th Cir.; May 24, 2011)

FACTA is a statute which requires merchants to truncate the customer's credit card information on receipts that are "electronically printed." Plaintiffs have brought claims against online retailers for including credit card information on emailed receipts. Courts have not been receptive to these claims, and in Simonoff v. Expedia, the Ninth Circuit joins other circuit courts in holding that FACTA does not apply to email receipts.

Venue Selection

Before getting to the substantive issue, the court addressed the parties' arguments regarding the applicability of the forum selection clause. Expedia's online agreement provides that users

consent to the exclusive jurisdiction and venue of courts in King County, Washington.

Simonoff argued that "courts in King County" referred only to state courts, and therefore jurisdiction was not proper in federal court. The court disagrees, noting that if the online agreement used the words "courts of King County," this would have mandated a different result, because:

the phrase "the courts of" a state refers to courts that derive their power from the state—i.e., only state courts—and [a] forum selection clause, which vested exclusive jurisdiction in the courts "of" [a particular state, would limit jurisdiction to courts of that state.]

[It appears Expedia heeded the Ninth Circuit's advice from Doe 1 v AOL. Note to self! I think saying "federal or state courts" works, if you are open to jurisdiction in federal or state courts, but if you used this language you would say "federal or state courts in King County."]

FACTA and Electronic Receipts

On the issue of whether FACTA applies to emailed receipts, the court followed the approach taken by other circuits, including Shlahtichman v. 1-800 Contacts, Inc., discussed in this blog post: "Electronically Printed" Does not Include Automated Merchant Email." The court notes that although the technologies around the dissemination of information have changed over the years, "print" still means to imprint onto something tangible—no one ever says "print this to your iPad":

'Print' refers to many different technologies—from Mesopotamian cuneiform writing on clay cylinders to the Gutenberg press in the fifteenth century, Xerography in the early twentieth century, and modern digital printing—but all of those technologies involve the making of a tangible impression on paper or other tangible medium. Although computer technology has significantly advanced in recent years, we commonly still speak of printing to paper and not to, say, iPad screens. Nobody says,"Turn on your Droid (or iPhone or iPad or Blackberry) and print a map of downtown San Francisco on your screen." We conclude that under FACTA, a receipt that is transmitted to the consumer via email and then digitally displayed on the consumer’s screen is not an "electronically printed" receipt.

Congress's use of the term "electronically printed" isn't particularly precise, but the court finds that if Congress intended the statute to cover email receipts it could have easily said so:

in enacting FACTA, Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts. For example, Congress could have applied FACTA to 'electronically printed or transmitted receipts,' to 'electronically printable' receipts, or to 'electronically displayed' receipts. Congress, however, chose not to do so, even though it has referred to digital methods of communication and commerce in numerous other statutes. We can’t fill in the blanks with words that Congress didn’t supply. [emphasis in original]

The court also notes that the structure and staggered implementation of FACTA supports its interpretation that "electronically printed" does not cover emailed receipts. The statute is intended to cover the printing of receipts to the extent this is within the merchant's control, and not a situation where the printing or display happens at the consumer's end:

if computer screens were deemed to 'print' receipts within the meaning of the statute, merchants' liability would hinge on the date the customer purchased and began using a computer screen—an unintended, nonsensical, and unpredictable result.

The statute was intended to protect against identity theft, and it is difficult to see where the risk of identity theft is when the customer is emailed a receipt. To the extent the risk exists, it is something the customer, and not the retailer, is better situated to protect against. In any event, as the court in Shlahtichman noted, there are other statutes directed at protecting against identity theft when the information is stored or transmitted in electronic form (e.g., the Computer Fraud and Abuse Act).

At the end of the day, this was another attempt by plaintiffs' lawyers to push the envelope and sue under a statute which created a civil cause of action without any showing of harm. The court smacks down the plaintiff's attempt.

Other coverage: "Ninth Circuit: FACTA does not apply to credit card receipts sent via email" (Evan Brown)

Posted by Venkat at 02:11 PM | E-Commerce

Cyberbullying and Restorative Justice [a Long-Delayed Post on DC v. RR]

By Eric Goldman

[I've mentioned before that some posts get stuck in my blogging queue. This one got stuck for an incredible FOURTEEN months. Although its discussion about the specific case ruling is almost farcically untimely, I've decided that the post is still worth sharing. I hope you agree.]

DC v. RR, 2010 WL 892204 (Cal. App. Ct. March 15, 2010)

This case has been gnawing at me for some time. The case involves an alleged 2005 cyberbullying incident among students at the tony Harvard-Westlake private high school in the Hollywood Hills. I previously blogged about this case in 2009 when I learned about DC's lawsuit against Harvard-Westlake, which an arbitrator dismissed per 47 USC 230 in 2007 and awarded a half-million in attorneys' fees to the school. While that disposed of DC's lawsuit against the school, DC's lawsuit against the alleged cyberbullies kept going. The March 2010 ruling affirmed a rejection of the alleged cyberbullies' anti-SLAPP motion to strike. The details of why the court rejected the anti-SLAPP motion are interesting but not really the point of this post.

Instead, the March 2010 ruling marked the 5 year anniversary of DC's litigation, and the lawsuit had only reached the anti-SLAPP stage. I emailed Rex Julian Beaber, RR's counsel, for the latest status of the lawsuit, and earlier this week he sent me the following (which I've edited a bit, but not substantively):

After the Supreme Court denied review, the remittur was issued and the case was returned to the Los Angeles Superior Court. Not long after the case was returned, the parent defendants (i.e. the parents of [RR]) and the plaintiff parents (i.e., the parents of the "victim" DC) were dismissed from the case. The dismissals took place for reason unrelated to the first amendment issues.... The net result of this ruling was that it was left as a child versus child case.... After the dismissal, the lone defendant, RR, filed his answer. Accordingly, the case is presently in the pre-trial discovery stage.

Given that the case has basically just finished the pleading stage, it could take another few years to reach a resolution in the trial court. Further appeals could delay a final resolution for years more. Ultimately, this case--involving actions by 15 year old boys--could potentially last until they are into their 30s.

No matter who "wins" in the courtroom, a protracted court battle like this seems like a loss for everyone--including the taxpayers. Let's start with consequences of decade-long litigation for the alleged cyberbullies. Let's assume they did it--that they published harmful content with the intent to bully a classmate. I cannot apologize for this behavior in the least. However, I also can't ignore that they were 15 years old and thus not fully mature in the law's eyes, and their punishment through a decade of litigation might be disproportionate to the crime. The financial drain of litigation is overwhelming, and the time spent fighting in courtrooms is irreplaceable time diverted away from cultivating professional skills and transitioning from teenager to adult.

To weigh the punishment of protracted litigation against the alleged crime, it's helpful to look more closely at the posts at issue. DC was an aspiring entertainer who set up a self-promotional website with a guestbook. The complaint alleges that Harvard-Westlake students flooded the guestbook with hate-filled homophobic and threatening posts, such as:

One post read, "Faggot, I'm going to kill you." Another read, "[You need] a quick and painless death." One student wrote, "Fuck you in your fucking fuck hole." Another commented, "Fucking ass clown. Nigga what?" One post announced, "You are now officially wanted dead or alive." Another threatened, "I will personally unleash my manseed in those golden brown eyes."

May 25, 2011

Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan

[Post by Venkat Balasubramani]

Eysoldt v. GoDaddy, et al., C-100528 (Ohio Ct. App.; May 18, 2011)

Actions against registrars for allowing domain names to be wrongly transferred have been relatively rare. Members of the Eysoldt family brought claims against GoDaddy alleging these types of claims. A jury ruled in their favor and the Ohio Court of Appeals declined to set aside the verdict.

Jeff Eysoldt registered Eysoldt.com through GoDaddy. He used this account for personal purposes--he stored photos and used it for email, and he allowed other family members to do so. He also registered and managed a domain name for his sister's business through this account. Separately, he entered into a business arrangement with ProScan, and the parties sought to build out a website which would promote cosmetic surgery centers. As part of this project with ProScan, he registered Myrejuvenate.com and placed this domain name in the same GoDaddy account as his personal domain name and his sister's domain name.

The relationship between Eysoldt and ProScan soured, and ProScan sought control of the domain name and the website. One of the ProScan executives called GoDaddy directly. GoDaddy's customer service representative saw that the domain name was registered under Eysoldt's name but "verified" the account information with the ProScan executive by confirming the method of payment and account number used to pay.

GoDaddy gave ProScan control over the Myrejuvenate.com domain name. Unfortunately, it also gave ProScan control over the other domain names and associated email accounts in Eysoldt's GoDaddy account. Eysoldt contacted GoDaddy to fix the problem, but he was told he had to fill out a verification form and fax this along with his drivers license. He did this, but GoDaddy responded to him that his face was not legible in the copy of the drivers license. The ProScan executive also contacted GoDaddy and asked that the domain names other than Myrejuvenate.com be transferred back to Eysoldt, but this too was unsuccessful.

Ultimately, Eysoldt sued GoDaddy. He sued ProScan as well but settled with them. The jury ruled in favor of the Eysoldt and awarded him $50,000 ($20,000 for invasion of privacy and $30,000 for conversion). Two other Eysoldt family members were awarded $10,000 each ($7,000 for invasion of privacy and $3,000 for conversion). (Here is a link to the verdict form.)

GoDaddy made several technical arguments on appeal and the court rejects them all.

Economic Loss doctrine: GoDaddy argued that Eysoldt's claims were barred by the economic loss rule, but the court says that this rule only applies to negligence claims and not to intentional torts.

Conversion: GoDaddy argued that a domain name cannot form the basis for a conversion action because it is intangible property. The court says (citing to CRS Recovery, Inc. v. Claxton) that times have changed. A domain name is readily identifiable and can be converted. GoDaddy also argued that the family members could not assert conversion claims because they testified that they lacked any ownership interest in the accounts. On this point, the court ruled that there was sufficient evidence from which a jury could conclude that GoDaddy converted the "conditional email and private communications [of the family members] that were contained in the GoDaddy account."

Invasion of Privacy: Finally, GoDaddy argued that there was insufficient evidence to support an invasion of privacy claim because there was no evidence that GoDaddy accessed the email accounts. The court rejects this argument also, noting that Eysoldt testified that someone had accessed the emails. According to the court, the harm flowed from the disclosure and not the misuse of the emails. In any event, the court cites to the fact that GoDaddy took control of personal emails, websites, and communications and just handed them over to a third party.

---

GoDaddy had a pretty tough argument here given the facts. To treat a domain name as anything other than valuable third party property would be a mistake by registrars. There was some confusion early on as to whether domain names are contract rights (which do not support conversion claims) instead of property, but courts have long moved on from this question. (See Kremen v. Cohen, CRS v. Claxton, Office Depot v. Zuccarini, Bosh v. Zavala, etc.) I'm surprised GoDaddy didn't raise an argument based on waivers or limitations of liability contained in its end user agreement, but the opinion does not discuss them.

The court's conclusion regarding the invasion of privacy claim is worth noting because the court did not take the approach numerous courts have taken in data breach cases and require any showing of out-of-pocket loss. The likely explanation for this is that the plaintiff here asserted claims under the "intrusion" theory, where the harm flows from the mere disclosure, rather than the misuse, of data, but this should require a showing that the accounts contained information that was of an intimate nature. The court alludes to this in describing what type of information was contained in these email accounts, but does not come out and explicitly state this or cite to any specific information which would support a claim of intrusion.

The court's conclusion that the other family members could recover for conversion also glosses over a few nuances. The sister had a domain name registered through GoDaddy, but the court does not connect the dots on how giving Proscan control over the GoDaddy account translates into a conversion claim for the other family members. The court instead focuses on the email accounts and notes:

[w]hile Jill and Mark [the other family members] acknowledged that the account was registered to Jeff, the evidence showed that each of them had email accounts set up within Jeff's account. Additionally, Jeff and Jill had created content for Jill's website for her business, Good Karma Cookies. When Go Daddy gave control of the account to Wallace and ProScan, Jill could not access her website. Likewise, Jill and Mark could not access their email accounts. Thus, as the trial court stated, 'there was sufficient evidence produced at trial that would support the jury finding that GoDaddy converted the conditional and private email communications of Mark and Jill Eysoldt that were contained in the GoDaddy account.'

The court's focus on control over email accounts and content does not square well with the cases which say that domain names can be converted because they are freely transferable and can be bought and sold. Under the court's approach, a registrar could be found liable for terminating access to an email or hosting account, and this sounds problematic.

[Eric's comment: indeed, I read this opinion as hinting that any cloud service provider could "convert" a user account's to the extent that service provider "wrongfully" "cuts off" the user's access to his/her own intangible files. I don't think the court means to go there, but holding that GoDaddy converted the emails (as opposed to the domain names) naturally leads to a very dark place.]

It's clear that courts are not reluctant to impose some sort of obligation on the part of registrars to guard against identity theft. Registrars may need to adopt authentication procedures as rigorous as the procedures that banks use to authenticate bank accounts. Of course, even this approach is not infallible, and not easy to implement, given that much of the customer service interaction between a registrar takes place over the phone. Another suggestion is for registrars to respond promptly to any claims by customers of domain name theft. Sending a canned response from customer service when a customer frantically emails saying that his or her domain name has been stolen is not going to look good in the eyes of the fact-finder.

I'm struck at how often people register business and personal domain names in the same account, and how often the web-person ends up registering the domain name for a project in his or her account, rather than in the name of the entity, or a separate account which both joint ventures have control over. The domain name as a bank account analogy is useful here, and if you are part of a joint venture, think about whether you would want to give your co-venturers sole control over the bank account.

Posted by Venkat at 09:20 AM | Domain Names , Internet History , Licensing/Contracts , Publicity/Privacy Rights

May 24, 2011

Keyword Advertising and Domain Name Law Slides

By Eric Goldman

Today, I spoke to an audience of Chinese IP judges about keyword advertising and domain names in the United States. I put together some slides and written materials. These materials aren't especially profound, especially for regular readers, but you might find them a useful recap nonetheless. I learned a number of things from the talk:

1) It's very hard and unnatural for me to slow down my presentation enough for translators to keep up!

2) One judge believed that all of Baidu's search results are pay-for-play, i.e., rank-ordered based on the amounts that advertisers pay Baidu. Is this true? (It feels like something I should know, but the information I'm finding online is surprisingly scrappy). If Baidu is pure pay-for-play, this would reinforce why it was so detrimental for Google to pull out of China. I made the point last year that Google's departure could be a long-term drag on the Chinese economy because the Chinese economy will have less effective search engines than other economies.

3) Although there was a significant language barrier that might have obscured their intent, it seemed like the Chinese judges were having a hard time wrapping their heads around the idea that Google's trademark liability for selling keyword advertising wasn't notice-and-takedown. In fact, we don't know that notice-and-takedown for Google's keyword sales won't ultimately prevail in the United States; but it hasn't yet.

Posted by Eric at 05:54 PM | Domain Names , Search Engines , Trademark | TrackBack

Copyright and Tattoos: Hangover II Injunction Denied, But the Copyright Owner Got Some Good News Too--Whitmill v. Warner Bros. (Guest Blog Post)

by Yvette Joy Liebesman

[Eric's note: Yvette is a law professor at Saint Louis University specializing in copyrights and trademarks. She attended the hearing and sent in this first-hand field report!]

Whitmill v. Warner Bros. Entertainment Inc., 4:11-cv-00752 (E.D. Mo.). The complaint.

This morning, at the US District Court for the Eastern District of Missouri, Chief Judge Catherine D. Perry denied local tattoo artist S. Victor Whitmill's motion for a preliminary injunction, thus ensuring that The Hangover Part II will be released as scheduled Thursday evening. While that's good news for Warner Bros., the ruling also gives Whitmill some reason to believe he'll be compensated for his troubles.

This is a copyright infringement case involving the use of a tattoo that was created by Whitmill and tattooed onto Mike Tyson's face, which Warner Brothers has inked on one of the characters in the movie "The Hangover Part II." Mike Tyson is not a party to the suit as either a plaintiff or defendant. He, in fact, appears in the movie, though he has an agreement with Whitmill which apparently allows Tyson to make such appearances while denying Tyson the right to reproduce the art in other forms. Tyson has no right to license use of the tattoo design to others, and Warner Brothers did not obtain a license by either Tyson or Whitmill. Whitmill registered the copyright in the work, but after the statutory period which would allow him to claim statutory damages.

Chief Judge Perry based her decision on four factors. The first two -- the likelihood of Whitmill succeeding on the merits, and whether Whitmill would suffer irreparable harm -- were both weighed in favor of the Whitmill. The court made it clear that Warner Brother's defenses to infringement were "silly," and soundly rejected the defendant's novel argument that tattoos are not protected by copyright, even if they had first been expressed on paper or another tangible medium of expression. Judge Perry briefly discussed the defense's claim of Fair Use, opining that there was no parody or transformative use, the entire tattoo in its original form was used (not in any parody form), the tattoo was not necessary to the basic plot of the movie, and that Warner Brothers used the tattoo substantially in its marketing of the movie. The court was concerned with the Plaintiff's loss of control over his design as irreparable harm, and that while there was no presumption of harm, this was a low bar to reach, and was met by the Plaintiff.

The remaining two -- the balancing of the equities an the harm to the public if the injunction was granted -- were weighted in favor of Warner Brothers. The balancing of the moneys that Warner Brothers would lose versus the irreparable harm suffered by Whitmill over the loss of control of his work weighed slightly in favor of Warner Brothers. It seemed, however, that the factor weighed most heavily in deciding to deny the injunction appeared to be the harm to the public -- namely, the economic harm that would be suffered by movie theaters, concession vendors and others who were not Warner Brothers and not party to the suit.

In denying the preliminary injunction, Judge Perry got it right. Her ruling was sound and it seemed to give the plaintiff ample reason to be optimistic in winning on the merits and a permanent injunction (scheduled to be heard in about a month, after the economic harm to third parties would be greatly diminished).

Since the plaintiff is seeking actual damages, and Warner Brothers expects to take in hundreds of millions of dollars in profits in the first few weeks of release, the combination of denying the preliminary injunction, the threat of a permanent injunction, and losing millions of profits to the damages awards puts the plaintiff in a good position to get a nice settlement, should he choose that route.
______

Eric's update: The NYT article quotes the judge as saying “This use of the tattoo did not comment on the artist’s work or have any critical bearing on the original composition. There was no change to this tattoo or any parody of the tattoo itself. Any other facial tattoo would have worked as well to serve the plot device.” From my perspective, this latter sentence seems plainly wrong. Any other tattoo would not be a Mike Tyson face tattoo, with all of the associated meaning in the context of the movie's storyline. If the judge maintains a hardline on this point, I could see Warner Bros. needing to appeal the district judge's liability ruling, and I would expect a more sympathetic ear from the appellate panel.

Eric's Update #2: Prof. Nimmer's declaration in the case, taking the very odd position that a human body cannot constitute a tangible medium of expression. As Ann Bartow highlights, this is a very convenient shift in opinion for Prof. Nimmer.

Posted by Eric at 11:41 AM | Copyright | TrackBack

May 23, 2011

College Course Description Aggregator Loses First Round in Fight Against Competitor in Scraping Case -- CollegeSource v. AcademyOne

[Post by Venkat Balasubramani with comments by Eric]

CollegeSource, Inc. v. AcademyOne, Inc., 10-3542 (E.D. Pa.; Apr. 22, 2011)

This is a scraping case between CollegeSource and its competitor AcademyOne. It looks like it's part of a long running dispute between the parties. AcademyOne previously brought cybersquatting and false advertising claims against CollegeSource and lost. CollegeSource separately sued AcademyOne for a violation of its terms of use in California. The court dismissed on the basis of lack of personal jurisdiction and CollegeSource appealed the dismissal to the Ninth Circuit. CollegeSource then re-filed the same lawsuit in Pennsylvania, and a ruling from that court is the subject of this blog post. That's a lot of litigation over pdf copies of college course catalogs!

Background: CollegeSource digitizes course catalogs and descriptions and makes them available online in pdf form. It also slaps a splash page, logo, and its terms of service on the pdfs which it creates. AcademyOne is also in the business of providing information regarding college course descriptions. The parties also both offer services which "evaluate the transferability" of college courses, but those particular services were not directly at issue in this dispute.

AcademyOne tried to license the pdf versions of CollegeSource's catalogs, and CollegeSource refused. AcademyOne then crawled the web to obtain this information from other sources, including the colleges directly, but in the process, ended up copying and posting on its own site course catalogs which bore CollegeSource's logos and terms of use. CollegeSource in turn sent AcademyOne a cease and desist letter, which AcademyOne largely complied with. AcademyOne received the letter in 2007 and removed the CollegeSource catalogs by mid-2007. AcademyOne also put in place safeguards to make sure CollegeSource's pdfs did not end up on AcademyOne's site again.

Despite these safeguards, two of the CollegeSource course catalog pdfs ended up on AcademyOne's site. In response, in July 2010, CollegeSource sued. It moved for a TRO which was denied. Around the time the lawsuit was filed, AcademyOne's CEO sent Freedom of Information Act (FOIA) requests to various colleges, seeking the details of agreements between the colleges and CollegeSource, to the extent those agreements existed. The letter said that the information was sought in the context of a pending copyright dispute.

In December 2010, CollegeSource moved for a preliminary injunction. It asserted that it was entitled to an injunction based on its breach of contract and unjust enrichment claims, and based on false advertising premised on statements in the letters sent to colleges by AcademyOne.

Breach of contract and unjust enrichment: Although CollegeSource asserted copyright claims in its cease and desist letter, in the lawsuit, it relies on AcademyOne's alleged breaches of its terms of use. It would not have been able to claim copyrights in the course descriptions since these are likely factual in nature, and it did not create the course descriptions in the first place. With respect to CollegeSource's breach of contract claims, the court finds that CollegeSource is not likely to be able to show irreparable harm for breaches of its terms of use and thus isn't entitled to an injunction. The court notes that AcademyOne took steps to comply with any takedown requests and instituted safeguards to make sure no CollegeSource course catalogs ended up on AcademyOne's website again.

False advertising: The crux of CollegeSource's false advertising claim at this stage was centered around a letter sent by Academysource to various colleges. The letter sought copies of any agreements in place between the college and CollegeSource:

[that would] grant [] CollegeSource . . . the authorization to create and claim a derivative copyright of [the academic institution's] printed or digital catalog for [2006-2010]; limit the rights of distribution of the electronic version located on their website; archive the file; add their logo and Terms of Use to the front of each catalog and charge for access to the catalog.

CollegeSource claimed that the letter is false because it stated that it was sent in connection with copyright claims asserted in the lawsuit. The court says that there is nothing literally false about referencing copyright claims since that's the subtext of CollegeSource's claims. Ultimately CollegeSource sought control of the catalogs. The court also addressed CollegeSource's argument that the letter had the tendency to deceive and resulted in at least one institution requesting that CollegeSource remove its catalogs from CollegeSource's website. The court notes that there's no evidence as to the precise reason for the college's request.

This is a dangerous dispute for CollegeSource. The idea that it should be able to somehow claim exclusive rights in college course descriptions is crazy. Once the institutions realize that this is what CollegeSource is doing with the course catalogs and descriptions they provide to CollegeSource, there is a high likelihood that many of them will tell CollegeSource to stop this practice. There's not much room to claim copyright in course descriptions, and in any event, CollegeSource's attempt to slap its logo and terms of use on the pdf copies of the descriptions looks like a naked rights grab which the colleges are not going to be happy with. This is almost similar to a city claiming copyright in its ordinance. It's worse. It's as if a public citizen or a corporation does this after slapping a logo and terms of use on a pdf version of it. Using a breach of contract claim to get around an ineffectual copyright claim can work in some circumstances, but courts will rightly be skeptical. (The court does not address the copyright preemption argument but I think there's one lurking in the background, since the conduct CollegeSource is complaining of is the copying its materials by AcademyOne.)

The false advertising claim was extremely tenuous. It was sent in the context of a public records request in the middle of a dispute. I'm surprised there's not a claim of privilege (or a SLAPP exception) that would have protected AcademyOne's statements. Maybe it's a jurisdictional quirk but I imagine in some jurisdictions, CollegeSource's false advertising claims would have been slapped out of court.

More on this case from Rebecca.
__________

Eric's comments

I've hinted at the issue before, but let me put my philosophy on the table explicitly: it is extremely dangerous for aggregators to bring IP enforcement actions. The enforcement lawsuits can directly backfire (see, e.g., the Barclay's v. theflyonthewall lawsuit) because the plaintiff ends up talking out of both sides of its mouth: it says X isn't permissible when we're the rightsholders, but X is permissible when we're the aggregator. At best, that kind of duplicity never impresses judges. Further, even if the enforcement lawsuit doesn't lead to a direct form of collateral estoppel, it has the potential to create adverse legal precedent. For these reasons, plus the risk Venkat identified about educational institutions cutting off CollegeSource, it seems like an unnecessarily high-risk move for CollegeSource to bring this iteration of the lawsuits.

Having said that, AcademyOne's experience reiterates the potential problems with scraping. Inevitably, scraping will gather up legally risky content; and as this case shows, that's true even if the scraper institutes procedures designed to screen out that content. This particular ruling is good news for AcademyOne, but scraping remains a legally ambiguous proposition.

Posted by Venkat at 09:10 AM | Copyright , Licensing/Contracts , Marketing

May 22, 2011

Dentist Pays Sizable Penalty for Not Knowing 47 USC 230--Wong v. Jing

By Eric Goldman

Wong v. Jing, 1-08-CV-12997I (Cal. Superior Ct. May 13, 2011). Wendy Davis' story on this ruling, plus coverage in DrBicuspid.com.

At DoctoredReviews.com, we discussed that doctors upset with patients' reviews can always bring a lawsuit. However, as we note, doctor-vs.-patients lawsuits should be an extraordinary step for extraordinary circumstances. Otherwise, suing patients can become a big--and costly--mistake.

This lawsuit involves a Yelp review of a dentist. In my previous blog post on this case, I explained how the court issued a split ruling in the case. Several of the dentist's claims were tossed on anti-SLAPP grounds, while the defamation claim against the author survived the anti-SLAPP motion and remains a possible risk to the patient. Because the court granted the anti-SLAPP motion, the defendants were entitled to their attorneys' fees and costs for the anti-SLAPPed claim. In this ruling, the court awards those fees and costs to the tune of $80,000.

The dentist foolishly sued Yelp in the lawsuit but voluntarily dismissed Yelp after the plaintiff's lawyer decided that 47 USC 230 immunized Yelp. The prior ruling was vague about whether Yelp's attorneys' fees were awardable, but this ruling awards those fees as part of the $80k. The court doesn't break out the portion of the attorneys' fees attributable to Yelp as opposed to the other defendants. I contacted the defense attorney, Mark Goldowitz of the California Anti-SLAPP Project, and it appears that at least $8k of the fees could be attributable to Yelp's portion of the defense. Accordingly, the dentist (or almost certainly her attorney) will be writing a decent-sized check to the defense for the attorney's 47 USC 230 error. Another cautionary tale for plaintiff's counsel.

Posted by Eric at 09:39 AM | Content Regulation , Derivative Liability | TrackBack

May 21, 2011

Another Unhappy Facebook User's Lawsuit Tossed--Kamango v. Facebook

By Eric Goldman

Kamango v. Facebook, 2011 WL 1899561 (N.D.N.Y. April 19, 2011). The judge approved the magistrate order on May 19, 2011. See Kamango v. Facebook, 2011 WL 1899277 (N.D.N.Y. May 19, 2011). The initial complaint.

Kamango claims that Facebook blocked (terminated?) his account for spamming friend requests. He claims the account block violated his right to express himself and be free from bias. The magistrate tossed the case as frivolous (using the standard applicable to pro per cases), and the judge upheld the dismissal even after Kamango objected. Because both opinions are appropriately efficient, there isn't much detail to explore, but the judge does note "Plaintiff’s claim under the First Amendment is futile because the First Amendment applies only to governmental action (and he has alleged no facts plausibly suggesting such governmental action)."

No matter how much we might question Facebook's policies, the lesson from Young v. Facebook plus this one is clear: stop suing Facebook for account terminations!

Posted by Eric at 11:12 AM | Content Regulation , Licensing/Contracts | TrackBack

Massachusetts Supreme Court Finds Email Sufficiently Authenticated Based on Surrounding Evidence -- Commonwealth v. Purdy

[Post by Venkat Balasubramani]

Commonwealth v. Purdy, 2011 WL 1421367 (Mass.; Apr. 15, 2011)

Defendant was prosecuted and convicted for maintaining a house of prostitution and deriving support from the earnings of a prostitute. The trial judge admitted various emails allegedly authored by the defendant. The emails related to the massage service offered by the defendant. Predictably, one of the emails had the cliched "personal assistant with benefits?" subject line.

Defendant objected to admission of the emails on the basis that the emails were not properly authenticated as having been authored by him. Defendant did not contest that the emails came from the computer which was seized from the premises in question following defendant's arrest. Defendant pointed out that he shared his computers with others at the salon and denied authoring the emails. The prosecution had put forth evidence that the emails originated from an email address that bore defendant's name, and that defendant was able to recite (from memory) the passwords necessary to access the computer and its programs. The emails had additional characteristics that indicated that they were likely to have been authored by the defendant. For example, one of the emails had the defendant's picture attached to it.

The court rules that admission of the emails was not improper and there was sufficient evidence to let the jury determine if the emails were authored by the defendant. The court cites to other cases dealing with circumstantial authentication such as phone calls and letters, and notes that the principles remain the same with respect to email or social networking evidence:

While emails and other forms of electronic communication present their own opportunities for false claims of authorship, the basic principles of authentication are the same. Evidence that the defendant's name is written as the author of an email or that the electronic communication originates from an email or a social networking website such as Facebook or MySpace that bears the defendant's name is not sufficient alone to authenticate the electronic communication as having been authored or sent by the defendant. There must be some "confirming circumstances" sufficient for a reasonable jury to find by a preponderance of the evidence that the defendant authored the emails.

The court concludes that those additional "confirming circumstances" were present here. The emails originated from an account bearing defendant's name and acknowledged to be used by the defendant. The emails were found on the hard drive of a computer the defendant acknowledged he owned. In addition, at least one email contained a photograph of the defendant.

The court contrasts this case with Commonwealth v. Williams, where the court held that MySpace messages were not property authenticated as having been authored by the defendant's brother. (Here's a previous blog post discussing Commonwealth v. Williams: "MySpace Evidence: Maryland Appeals Court Allows Circumstantial Authentication.") In that case, there was no testimony "regarding how secure a MySpace Web page is, who can access it, or whether codes are needed for such access." In addition, the author of the messages in Williams did not identify himself in the messages.
__

Social networking communications are subject to a different standard than other communications such as instant message conversations, text messages, and emails. It's unclear as to whether this is based on the view that anyone can create a social network profile in someone else's name, or whether a factfinder can more easily determine if the person who is alleged to have authored the communication actually did so, because emails and other communications often provide greater context. Courts have also alluded to the fact that it's often unclear who can post messages on a social networking site and therefore difficult to tell whether a particular message should be attributed to the person who owns the site or someone else.

In the context of email, it should be sufficient to show that the person "owned" the email account in question or that the emails were sent from a computer which the author owned. Here, it's conceivable that one of the defendant's co-workers (or underlings) may have sent the email, but the court's decision leaves it up to the defendant to explain this in order to rebut the claim of authorship.

Previous posts and related posts:

"Maryland Supreme Court Rejects "Circumstantial Authentication" Standard for MySpace Evidence -- Griffin v. Maryland"
"MySpace Evidence: Maryland Appeals Court Allows Circumstantial Authentication -- Griffin v. Maryland"

Posted by Venkat at 07:11 AM | Evidence/Discovery | TrackBack

May 20, 2011

Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward -- Robins v. Spokeo

[Post by Venkat Balasubramani with comments from Eric]

Robins v. Spokeo, No. CV10 05306 ODW (AGRx) (C.D. Cal.; May 11, 2011)

I previously blogged about Spokeo, which is being sued for disseminating reports which allegedly contain inaccurate information about plaintiff. The court initially dismissed the lawsuit without prejudice due to plaintiff's failure to allege actual harm.

Plaintiff refiled its lawsuit and alleges harm sufficient to satisfy the court:

the court finds that plaintiff has alleged sufficient facts to confer Article III standing. Specifically, Plaintiff has alleged an injury in fact - the "marketing of inaccurate consumer reporting information about plaintiff" - that is fairly traceable to defendant's conduct - alleged FCRA violations - and that is likely to be redressed by a favorable decision from this court.

This just sounds like a formulaic recitation of harm, but it's good enough for the court. To allege standing under certain statutes you, just have to allege a violation of the statute. In other cases, you have to allege actual harm.

Apart from lack of standing, Spokeo argued that it is not a "consumer reporting agency" under the Fair Credit Reporting Act. Spokeo pointed its disclaimers which stated that the reports furnished by Spokeo "cannot be used for FCRA purposes." The court is not swayed by this argument and points to plaintiff's allegations that Spokeo marketed its reports to "HR professionals and potential employers." Plaintiff presented the court with some typical gotcha website copy that easily made the case at the pleading stage that regardless of what the disclaimers said, Spokeo intended the reports to be used for employment and credit verification purposes.

Spokeo also argued that it was entitled to protection under Section 230. The court punts on the Section 230 issue. The court's discussion of this issue is somewhat disappointing in that it gives the parties very little to work with as far as how the court will ultimately deal with the issue. The details around how the collection and dissemination of information occur could end up being important to the Section 230 analysis. (Prof. Goldman's post on Accusearch discusses this: "Roommates.com Infects the Tenth Circuit--FTC v. Accusearch.") Spokeo should be able to take in information from various agencies, aggregate it, and redistribute it without losing Section 230 protection. (See, e.g., AOL v. Drudge.) To the extent Spokeo is just taking in reports that third parties already create, it should be difficult for plaintiff to argue that Spokeo falls under the Ninth Circuit's Roommates decision and somehow plays a role in the creation of the content. It's also worth separating the "score" assigned by Spokeo, with respect to which Spokeo will likely be able to argue some First Amendment protection (see Brown v. Avvo), from the information that is taken in from third parties and disseminated. Maybe the pleadings and the briefing didn't highlight what exactly whether plaintiff was complaining about the information that came from third parties or the "score" assigned by Spokeo, but these seem like issues the court could have delved into in order to provide some clarity to the parties.

The court also dismisses plaintiff's claims under California's unfair competition statute on the basis that the plaintiff did not allege that he "lost money or property" as a result of the unfair competition. Here the court finds that the plaintiff's conclusory allegations of lost income from continued unemployment are insufficient.

Previous post: "Court Dismisses Class Action Against Spokeo for Lack of Standing"
____________

Eric's comments

The court's 47 USC 230 discussion is terse. The entire substantive discussion:

Defendant asserts that it is immune under the CDA because it is an “interactive computer service” that “passively displays content that is created entirely by third parties.” Plaintiff, however, alleges that CDA immunity does not apply to Defendant because unlike information content providers that simply reorganize information obtained from other content providers, “Defendant develops original content based on information obtained from a variety of sources and posts it online[.]” Accordingly, application of the immunity is not clear at this time and the Court declines to dismiss the Complaint on this basis.

This could be another example of a judge being too cautious to use 230 on a motion to dismiss. The court appears to have allowed the bald assertion that Spokeo "develops" content to survive the dismissal motion. As Venkat says, what the judge should have done is require the plaintiff to be more specific about exactly what Spokeo did to develop the content.

We've seen a couple other recent examples where courts have let bald assertions like this survive a 230 dismissal, only to come to its senses at the summary judgment stage and decide 230 applied after all. (See the Kruska and Smith cases). My guess is that something similar will happen here too, with the twist that anything Spokeo actually develops will be its protected opinion (much like the Avvo case, as Venkat notes). A late 230 defense is better than no 230 defense, but it still incurs a lot of needless costs and wasted motion. It's unfortunate this judge wasn't more aggressive at policing the obvious 230 issue at the pleading stage.

Posted by Venkat at 08:08 AM | Derivative Liability , Publicity/Privacy Rights

Another Ruling that the Americans with Disabilities Act Doesn't Apply to Websites--Ouellette v. Viacom

By Eric Goldman

Ouellette v. Viacom: The magistrate report: 2011 WL 1882780 (D. Mont. March 31, 2011). The judge's approval of the magistrate's report: 2011 WL 1883190 (D. Mont. May 17, 2011). The original complaint (he filed an amended complaint that served as the basis of these rulings).

[Note: this lawsuit is gossip-worthy because the plaintiff named YouTube and Viacom as co-defendants, leading to the possibility that they might work together on a joint defense despite their bitter feud in Viacom v. YouTube.]

Just yesterday, I blogged about Young v. Facebook, in which Judge Fogel held that Facebook wasn't covered by the Americans with Disabilities Act because it wasn't a physical place. In this unrelated ruling (there were no cross-citations between the opinion), YouTube and MySpace get a virtually identical ruling. Perhaps we will see enough precedent develop that websites aren't covered by the ADA to suppress further plaintiffs forays. Today's rulings also have some interesting discussion about the application of 17 USC 512's safe harbors to a user whose content is removed.

Plaintiff filed this lawsuit pro se and in pro per. Trying to summarize, it appears his main allegations are that YouTube and MySpace wrongfully removed his videos in response to allegedly bogus takedown notices from Viacom and other content owners. Because of his pro per status, the court does an initial screen to determine if the claims are frivolous. In February, the court determined that Claim I, the "DMCA" claim, wasn't frivolous--presumably, a 512(f) claim against the content owners for a bogus copyright takedown notice.

The two rulings prompting this post--the magistrate report and judge's approval--dismiss the other claims as frivolous, including the rejection of:

* a claim that the defendants violated his fair use rights. The court says that fair use is a defense, not a cause of action.
* a 512(f) claim against the defendants other than the content owners. Even though 512(f) could apply generally, the plaintiff never alleged any actual misrepresentations made by the specified defendants.
* claims that YouTube's contract had an improper venue clause (even if true, Google let the case proceed in Missoula, so the clause wasn't used) and that the contract let third parties harass him, to which the magistrate says "Under the facts alleged by Ouellette, however, Google and YouTube cannot be liable for the conduct of any third party."

After breezing through those claims, the magistrate takes a little more time with the ADA claim. The plaintiff is dyslexic. The magistrate summarizes his contention: "he alleges those Defendants discriminated against him based on his reading disability, and deprived him of access to their internet services and their “online theater”—a “place of public accommodation” governed by the ADA." Citing the AccessNow v. Southwest Airlines case, the magistrate says "an internet website, by itself, is not an actual place, or a physical, concrete structure that would qualify as a place of public accommodation under the ADA." Similar to the discussion in yesterday's Young v. Facebook ruling, the magistrate responded:

His allegations fail to identify any actual, physical place where Defendants' services are made available, and fail to assert any connection between the internet websites he sought to access, and any actual, physical structure or facility through which Defendants' services could be accessed or provided. To the contrary, Ouellette alleges only that Defendants' conduct has impeded his access to certain internet websites

In approving the magistrate report, the judge rejects the plaintiff's objection that a website's servers are the requisite physical place:

Neither a website nor its servers are “actual, physical places where goods or services are open to the public,” putting them within the ambit of the ADA. Weyer v. Twentieth Cent. Fox Film Corp., 198 F.3d 1104, 1114 (9th Cir.2000). The public access production facility might amount to such a place, but there is no nexus between the websites and Ouellette's inability to access that physical place.

The magistrate also rejects the plaintiff's attempts to turn 17 USC 512 into an affirmative cause of action. As I read it, the plaintiff argued that the defendants' failure to follow the notice-and-takedown and counter-notice/putback provisions of 512 creates an affirmative cause of action for a user who posted the affected content. This claim is putatively separate from the 512(f) claim, which I believe is the only affirmative cause of action in 512; in my opinion, the remainder of 512 is all a safe harbor. The magistrate (approved by the judge without substantive comment) rejects the plaintiff's argument:

Ouellette's reliance on the takedown and counter notice safe-harbor procedures in the DMCA is misplaced. The Defendants' alleged compliance, or non-compliance with the procedures does not provide a basis for liability. Defendants' liability to Ouellette, if any, could only be imposed under existing principles of law independent of the DMCA's procedural requirements. Ouellette's allegations, however, do not invoke any independent theory of liability. Therefore, his claims founded upon the DMCA should be dismissed.

I'd be more excited about these rulings if it didn't involve a pro per plaintiff, because then they might be more persuasive to other judges. Nevertheless, these rulings are a useful warning to future plaintiffs that it's frivolous to argue that websites are governed by the ADA and that failure to follow the notice-takedown-counternotice-putback procedures in 512 creates a cause of action.

Posted by Eric at 07:35 AM | Content Regulation , Copyright , Derivative Liability , Licensing/Contracts | TrackBack

May 19, 2011

Facebook User Loses Lawsuit Over Account Termination--Young v. Facebook

By Eric Goldman

Young v. Facebook, Inc., 2011 U.S. Dist. LEXIS 52711 (N.D. Cal. May 17, 2011). My post on Judge Fogel's Nov. 2010 dismissal of this case with leave to amend. Karen's lawsuit-related website.

I respect people of conviction, especially when they persevere in the face of long odds. Karen Young is such a person. After Facebook terminated her account, she drove across the country to try to get answers from Facebook in person--and after a very brief return home, stayed in the Bay Area to get results from Facebook (via litigation or otherwise) over her terminated account. Indeed, she dropped by my office a few months ago (unscheduled) to talk about her case. I told her in person that she should go back home because it didn't make sense to put her life on hold fighting Facebook. A woman of conviction, she has held fast. Nevertheless, after this ruling, perhaps she will decide to end her vigil.

Young has bipolar disorder. She sued Facebook for ADA violations for failing to provide adequate customer support to individuals with mental disabilities. The court rules that the ADA is inapplicable to Facebook because it's a website, not a physical place. The court says:

Despite its frequent use of terms such as "posts" and "walls," Facebook operates only in cyberspace, and is thus is not a "place of public accommodation" as construed by the Ninth Circuit. While Facebook's physical headquarters obviously is a physical space, it is not a place where the online services to which Young claims she was denied access are offered to the public.

To get around this, Young argued that some other circuits have directly or impliedly extended the ADA to virtual places. Judge Fogel rejects this as inapplicable in the Ninth Circuit. Young also invoked Judge Patel's troubling opinion in NFB v. Target, arguing that (like Target) Facebook had the requisite "nexus" to a physical place because it sells gift cards in physical retail stores. This argument fails because Facebook doesn't own or control those physical outlets.

The related state claims also fail. The Disabled Persons' Act claim fails for the same reasons as the ADA claim. The Unruh Act claim fails because Young was griping that Facebook's customer support was too hard for someone in her condition to navigate, but she didn't show that Facebook treated bipolar individuals discimrinatorily or that Facebook's policies targets disabled individuals.

Young's breach of contract claim fails because Young never specifically identified a breach, and her negligence claim fails because he didn't allege any source of a duty. Judge Fogel also shuts down the implied good faith obligation bypass. In his prior ruling, he left open the door, saying "[i]t is at least conceivable that arbitrary or bad faith termination of user accounts, or even termination of user accounts with no explanation at all, could implicate the implied covenant of good faith and fair dealing." Young doesn't clear this threshold because the only evidence she cited--Facebook's termination email--expressly explained Facebook's reasons for the termination. (The opinion doesn't tie this knot, but it seems that those expressed reasons didn't show bad faith). Although this isn't expressly connected to the Smith v. TRUSTe ruling, it's interesting that this is the second judge in a few months interested in whether the website told users why they are getting ousted. This is in conspicuous contrast to the pressures coming from Barnes v. Yahoo for websites to tell users less, not more, to avoid promissory estoppel arguments.

The opinion concludes with a little advice for Facebook:

The Court is not without sympathy for Young's plight. Young was understandably frustrated that she could not discuss the termination of her account with a live person, and both this frustration and the loss of her access to Facebook's social network had a particularly acute impact on Young because of her bipolar condition. As customer service functions increasingly are handed over to automated systems, it is important that service providers, such as Facebook, understand the implications that such practices can have for the less sophisticated and more vulnerable. However, because Young's amended complaint does not state a cognizable legal basis upon which relief may be granted, it must be dismissed. Because the amended complaint fails to address many of the issues identified by the Court in its previous order, and because it appears that there is no realistic possibility that further amendment could cure the deficiencies in Young's pleadings, leave to amend will be denied.

A few observations about this result:

* the opinion doesn't mention 47 USC 230(c)(2), although I think the immunity might very well apply to some or all of Young's claims. I will have more to say about that in an upcoming UC Irvine Law Review article.

* whether or not 47 USC 230(c)(2) applies, it almost never makes sense for a user to sue a website over account termination. Those lawsuits are almost always a huge waste of time and money.

* Even though the ADA and related state statutes do not apply to websites, websites often can and should voluntarily do more to accommodate users with various physical and mental challenges. Not only is that often a smart business decision, it's often the right thing to do.

UPDATE: Facebook emailed me the following statement: "We want Facebook to be available to everyone, including people with unique needs, and have worked hard to create tools and resources to educate people about our service and its rules. While we're pleased with the court's decision, we'll continue to invest in this area."

Posted by Eric at 01:29 PM | Content Regulation , Licensing/Contracts | TrackBack

Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson

[Post by Venkat Balasubramani]

Piccolo v. Paterson, No. 2009-04979 (Pa. Ct of Common Pleas; May 5, 2011) [.pdf]

In addition to cases dealing with whether Facebook posts are discoverable in civil cases, courts and litigants continue to grapple with the logistical issues of how a party seeking such evidence can get access to it, or make arguments about whether or not they are entitled to access certain information contained in the profile.

Piccolo v. Paterson was a personal injury case where the plaintiff claimed she suffered lacerations to her face from the impact of an air bag. In her deposition, she was asked whether she posted pictures to Facebook and she said yes. Defense counsel asked if Piccolo would accept a "neutral" friend request from defense counsel so defense counsel could view the pictures. Piccolo later demurred, stating that the "materiality and importance of the evidence ... is outweighed by the annoyance, embarrassment, oppression and burden ...." Defense counsel brought a motion to compel. Defendant cited to McMillen v. Hummingbird Speedway, where the court ordered the plaintiff to provide his Facebook password to defense counsel.

The court rejected defendant's arguments, noting that defendant had already been provided an accurate photographic representation of the relevant evidence. As the Legal Intelligencer notes:

Piccolo [the plaintiff] allowed the insurer to come to her home in 2008 and take photographs of her face. She also gave the defense 20 photos of her face from the week following the accident as well as five photos from the months just before the accident. She allowed the defense to take more pictures at the September 2010 deposition.

Plaintiff's counsel argued that there was no showing from the defendant that plaintiff had posted photos which were inconsistent with what she alleged in the lawsuit, or that any of the other material in plaintiff's Facebook profile was in any way relevant to the case. The court granted plaintiff's motion in a brief one paragraph order which did not contain any reasoning, so it's tough to tell the precise basis for the court's decision.

It looks like litigants (or their lawyers) are overreaching when they seek social media evidence, and at least some courts are pushing back. (Plaintiff's lawyers are also starting to advise their clients as to the dangers of using social networking sites, at least during the pendency of ligitation. See "Social Networking Warning Letter Form for Clients.") In this case, there was little justification to force plaintiff to "friend" defense counsel and give defense counsel access to personal details that only plaintiff's Facebook friends would be privy to. There was some confusion as to whether plaintiff's profile was "public," so it's unclear as to whether defense counsel truly would be privy to information that only a select group of individuals would have access to. Regardless, given that defense counsel had access to ample photos of plaintiff's face from shortly after the incident, and was provided photos later, and could evaluate plaintiff's injuries contemporaneously, defendant didn't have a credible argument for rooting around in plaintiff's Facebook profile. As a Facebook friend, defense counsel would be exposed to information, including personal details about the plaintiff's life, that would not be relevant to the case.

I blogged about McMillen v. Hummingbird Speedway and had some qualms with the court's approach of forcing a litigant to turn over their Facebook password. Among other things, there is no way that all of the information in a profile could be relevant:

for starters, the court totally glosses over the relevance analysis. There is no way that all of the information in the plaintiff's social networking site can be relevant to the dispute, and the court's decision grants defendant access to both relevant and irrelevant information.

It looks like the court took the correct approach here.

In another decision addressing a similar issue, the court ordered the litigants to both friend the judge so the court could review the materials and address the question of relevance. ("Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute.") That was a wacky approach to say the least, but it looked like the court did not even need to consider it in this case, given the lack of relevance of the materials which defense counsel was seeking.

Social networking evidence is generally viewed as an evidentiary treasure trove for lawyers, but as is becoming increasingly clear, it's easier said than done to get access to it. Statutes such as the Stored Communications Act restrict the networks' ability to disclose private communications, which may or may not include wall posts, in response a civil subpoena. An alternative is to get the information directly from the party in question, but if the party seeking the information doesn't know exactly what is in the profile, they will have a tough time articulating relevance.

As a final note, I wonder if there are any ethical issues lurking in the background for a lawyer who "friends" a party in order to gain access to evidence (even when there is no deception involved in the friending process).

Other coverage:
Legal Intelligencer: "Facebook Postings Barred From Discovery in Accident Case"
The Employer Handbook: "Court bars Facebook "friending" in discovery"

Previous posts:
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"

Posted by Venkat at 08:30 AM | Evidence/Discovery , Publicity/Privacy Rights

May 18, 2011

No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI

[Post by Venkat Balasubramani]

Lee v. PMSI, 8:10 cv 2904 T 23TBM (M.D. Fla; May 6, 2011)

I blogged last week about US v. Nosal, a Ninth Circuit case where the Ninth Circuit held that access of a computer in violation of an employer's acceptable use policy can support a criminal indictment under the Computer Fraud and Abuse Act. ("9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal.") One judge dissented in Nosal, noting the absurd claims that could flow from this ruling, including that an employee's access of a website such as espn.com for personal purposes could now be rendered criminal if it violates the employer's policy. The case from Florida involved an analogous scenario.

Lee sued PMSI, her employer, for pregnancy discrimination. PMSI counterclaimed, alleging that she violated the Computer Fraud and Abuse Act by engaging in "excessive internet usage" and "visiting personal websites such as Facebook." PMSI also alleged that she violated the statute by "sending personal email through her Verizon web mail account."

The court rejects the employer's claims in a ruling that I'm surprised did not include stronger language directed at defense counsel. The court notes that the CFAA was designed to prevent hacking. According to the court, "[b]oth the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working." [As a side note, if any such statute were enacted, we'd all be in trouble. I would be violating the statute as I write this blog post!]

The court notes that PMSI failed to allege that it suffered the requisite amount of damage as a result of Lee's alleged violation. PMSI argued that the loss in productivity from Lee accessing her personal account satisfied this jurisdictional requirement, but the court rejects this argument, noting that "loss" must related to damage to the "system or data, rather than lack of productivity." The court also notes that there was no allegation by PMSI that Lee "obtained or alter[ed] information in the computer" which she accessed - she merely accessed third party websites. (Although the legal theories are different, this case is reminiscent of Intel v. Hamidi, where the California Supreme Court held that a departing employee could not be held liable under a trespass to chattels theory for sending mass emails to Intel because there was no showing of damage to Intel's servers.)

The court dismisses the claims with prejudice. The court does not cite to Nosal, which represents a sharp departure from Brekka. I guess you can say that the jurisdictional threshold places some sort of limitation on the far reaching implications of Nosal, but given the ease with with parties can allege the jurisdictional threshold, I'm not sure this limitation is very meaningful. Nosal is still a disturbing ruling for the reasons stated in the dissenting judge's opinion.

Other coverage:

Evan Brown: "Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work"
Info. Law Group: "District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA"

Posted by Venkat at 02:24 PM | Privacy/Security , Trespass to Chattels

Thoughts on the Lawsuit Over the @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

[Post by Venkat Balasubramani]

Deck v. Spartz, Inc., 2:11-cv-01123-JAM-DAD (E.D. Ca.; Apr. 26, 2011) (Complaint) (Agreement)

An Associated Press story reports on the lawsuit over the @OMGFacts Twitter account. (Here's a link to the story with comments from Professor Goldman.)

Background: @OMGFacts is a Twitter account which was created by Adorian Deck. It rose to prominence in 2010. As alleged in the complaint:

In September 2009, [Deck] created a Twitter feed [@OMGFacts]. The feed retrieved and republished titillating, sometimes trivial, factual tidbits about such subjects as celebrities, pop culture, world history and commerce. The feed quickly amassed more than 300,000 followers, including many celebrities. It became the 18th most active Twitter trend in 2009, and remained among the top ten trending terms until January 2010.

Most interesting about this dispute is that Deck was a high school student and a minor when he created the account.

Deck was allegedly approached by Emerson Spartz, who ostensibly agreed to help Deck capitalize on this success. The two entered into an agreement which provided that Deck, who was labeled as a "contractor" in the agreement, would be entitled to 30% of the revenues from the OMGFacts YouTube channel and 100% of the revenues from the sales any "OMG Facts" t-shirts. Under the agreement, Spartz agreed to promote the sale of these t-shirts and deal with the OMG Facts YouTube channel. The agreement also provided that any "documents or records or creations . . . which are made by [Deck]" would be owned by Spartz's company. The agreement also had copyright assignment provisions which purported to assign to Spartz's company "any copyright in any existing or future works . . ." that are created by Deck. The duration of the agreement was one year. Deck had limited termination rights under the agreement, but Spartz's company could extend the term for 10 additional one-year periods.

Complaint: The complaint says that Spartz breached. It alleges:

[Deck has] received less than $100 in compensation from Spartz, and has received no account or other disclosure of the revenues associated with the YouTube channel.

The complaint also alleges false designation of origin and false advertising claims, and it asks for recission of the agreement.
__

Some initial observations about the lawsuit and agreement.

First, with respect to ownership, the agreement focuses on the content. The blogosphere has tackled ad nasuem the issue of whether or not you can copyright a Tweet and who owns the content in a Twitter feed. The complaint contains a small concession or two that could end up being harmful to Deck's copyright claims - it says that the feed consists of "factual tidbits" which are "retrieved and republished" by Deck through the Twitter feed. Small bits of content are not easily the subjects of copyright protection, and if they are factual in nature that raises the bar for copyrightability. If Deck did not come up with the content himself and merely republished content found elsewhere, this also poses a barrier. Still, maybe Deck can argue that the compilation as a whole should be protected. (The agreement also speaks to the Twitter account itself and states that Deck has to keep Spartz apprised of the passwords for the @OMGFacts Twitter account.)

However, as the Associated Press article points out, this lawsuit is not about the content of the Twitter account at all or even over the ownership of it. The core of the dispute is over the @OMGFacts (or OMG Facts) brand, even though the complaint does not expressly alleged a claim for trademark infringement. Unfortunately, the agreement says very little about trademark rights. (Here is a link to the .pdf version of the agreement.) Spartz will argue that he was the one who commercialized the brand in the first place and therefore should own any trademark rights. On the other hand, the agreement provided that Deck will deal with all aspects of the shirt sales and retain 100% of the revenues from it, so Deck may still argue that he was the one who truly commercialized it. Deck can also argue that the hundreds of thousands of followers which he amassed prior to Spartz coming into the picture demonstrate that he already had a brand and had built up common law rights in @OMGFacts and "OMG Facts."

This of course raises the issue of whether someone can establish trademark rights by putting out a Twitter feed. In recent trademark disputes, companies have argued about whether their use on Facebook or Twitter is sufficient to establish trademark rights. Those cases have presented situations where companies have included stray references to products or services on their Twitter feeds, and none of the cases to date approach a situation where someone has amassed a substantial following on Twitter. (The Boathouse v. Tigerlogic dispute over the "POST POST" mark for "social search services" touches on this: "Social Search Services Duel Over "Post Post" Mark -- Boathouse Group v. TigerLogic.")

The equities obviously favor Deck. The agreement is very one-sided and contains an Indiana forum selection clause. When you take into consideration Deck's minority status, I can see a factfinder poking the agreement so full of holes that it becomes the contractual equivalent of swiss cheese. The agreement acknowledges Deck's minority status and includes Deck's mother as a signatory, but given the novelty of the subject matter of the agreement, you can't fault Deck's mother for not negotiating for a clearer and less one-sided agreement--to the extent she even took the agreement seriously. Deck also asks for recission of the contract, citing to a California Code section 6710 which looks like it allows minors to disaffirm contracts they enter into, except as provided by other statutes. I'm not familiar with any statutory exceptions to this rule that restrict the ability of minors to disaffirm contracts, but there must be some limitations on a minor's ability to disaffirm an agreement which the parent or guardian reviews and signs. Either way, even if the court does not end up rescinding the agreement, the agreement does not offer Spartz a definitive win. Nothing in the agreement says that Spartz owns the trademark rights, or even that he or his company have a license to use the marks.

A final comment on the agreement. It's easy to second-guess an agreement after the fact, but joint venture agreements should always deal with trademark rights, and should also provide for some sort of procedure for ownership of the trademark rights when the agreement falls apart. Some sort of formal wind-down procedure is optimal. This is discussed in Professor Goldman's article on Co-Blogging Law, which specifically talks about trademark rights.

Additional coverage:
Hollywood, Esq. (Eriq Gardner): "Teen Who Created OMGFacts Twitter Feed Sues, Claiming Swindle"
Ben Kerschberg (Forbes): "Twitter Brands, @OMGFacts, and an Allegedly “Predatory” Contract"
Emerson Spartz (the defendant): "OMG Fact: There are two sides to every story"

Posted by Venkat at 09:34 AM | Copyright , Licensing/Contracts , Trademark

May 15, 2011

Quityerbitchin: Relative Search Results Placement Doesn't Support Trademark Injunction--Bitchen Kitchen v. Bitchin' Kitchen

By Eric Goldman

Martha Elizabeth, Inc. v. Scripps Networks Interactive, LLC, 2011 WL 1750711 (W.D. Mich. May 9, 2011)

It seems inconceivable to me that people would litigate over the term "Bitchin" almost 30 years after the Valley Girl song popularized the term. Didn't the term become passe DECADES ago? For a similar observation, see my post on the trademark battles over the term "Rad." (Partially related: saying "awesome" was worth $1.2M).

This is a sophisticated and interesting dispute over the trademark "Bitchen Kitchen"/"Bitchin Kitchen" as used by a kitchen supply retailer (the alleged senior user), a Canadian food podcaster who morphed into the eponymous star of a food-oriented cable TV show, and show producers (the alleged junior users). Rebecca runs down the complete details. This post focuses on just one small piece about the intersection between search engine placement and the trademark analysis.

The retailer argues that the emergence of the TV show pushed it down in the search engine rankings. The TV show contests that assessment and submits more recent search results from Google, Bing, Yahoo and Ask.com. The defendants also note that the retailer didn't show its search engine placement before the TV show's emergence, so without a baseline, we don't know for sure that the retailer has actually gone down. Either way, the court rightly says this inquiry isn't that useful:

In any event, whether or not the mark “The Bitchen Kitchen” has become less prominent on search-engine results because of Bitchin' Kitchen, and whether or not MEI/Rapp's underlying business has correspondingly suffered vis-a-vis what it would have been without the existence of Bitchin' Kitchen, the record does not support the plaintiffs' rather extreme allegations that The Bitchen Kitchen has “all but disappeared” from search-engine results on the Internet. The court therefore accords little weight to the plaintiffs' evidence and assertions regarding search-engine rankings.

This argument reminded me of Chad Doellinger's uncited article from a decade ago (Chad J. Doellinger, Trademarks, Metatags and Initial Interest Confusion: A Look into the Past to Reconceptualize the Future, 41 IDEA 173) where he argued that trademark infringement should be based on relative search engine placement--i.e., if a junior user got better placement than the senior user, that should support a trademark infringement claim.

It was a wacky argument at the time, and history has not been kind to it. First, search engines don't agree with each other--so what happens if one search engine ranks plaintiff first and another ranks defendant first? Second, search engines don't agree with themselves over time. In fact, a search engine's result placements can change from moment-to-moment for reasons completely outside of any individual website's control. As a result, basing legal analysis on relative placement could easily mean that the legal outcome could vacillate from day to day. Finally, search engines deliver different results to the same keyword searches at the same time based on who is asking. Search engines personalize results and deliver geographic-specific results. So often person A's search results aren't replicable by person B. Given that there is a potential infinite variety of search results ordering for the same keywords at the same search engine conducted at the same time, how do we decide which ordering dictates the legal conclusion?

For more on these arguments, see my 2005 Deregulating Relevancy article and James Grimmelmann's more recent search neutrality article. Rebecca gets at some of the same issues in her comment on this case:

The search results are complicated by various forms of personalization/geolocation, and it seems to me a reliable foundation would have to be provided to show that any of these are the types of results a reasonable consumer is likely to get. For example, my own search for bitchen kitchen (I did not use quote marks) produced a first page with links only to defendants’ sites, which may be because Google autocorrected to bitchin kitchen (no apostrophe), and then offered me the opportunity to search instead for bitchen kitchen, which search did indeed provide top results for plaintiffs' site. Also, it seems like it’s about time to start including Facebook in these evaluations, especially here since (a) some of the confusion evidence here is about Facebook and (b) both parties encourage potential customers/viewers to use Facebook.

Back to the Bitchen Kitchen case. The court says it is more "significant and helpful" to the plaintiff that the TV show apparently bought its trademark as a keyword and used the misspelled phrase "bitchen" in the ad copy. Later, the court says that this misspelling could support a bad faith inference.

Nevertheless, the court declined to issue a preliminary injunction against the TV show based on First Amendment considerations. The way I read the opinion, the court did not enjoin even the TV show's misspelled keyword ad copy. However, the court did enjoin the podcaster's individual behavior.

Posted by Eric at 10:27 AM | Search Engines , Trademark | TrackBack

May 13, 2011

Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation

[Post by Venkat Balasubramani]

In re Facebook Privacy Litigation, 2011 WL 2039995 (N.D. Cal.; May 12, 2011)

There are so many recent privacy class actions out there, it's become tough to keep track of them all. One of the early lawsuits against Facebook was consolidated in the Northern District of California, in front of Judge Ware. In an order issued yesterday, Judge Ware granted Facebook's motion to dismiss the complaint. Although he granted leave to amend on certain counts, he certainly expressed some skepticism about the overall merits of the case.

As the court summarizes them, the facts boil down to Facebook's transmission to third-party advertisers of the user ID or "username" of Facebook users who clicked on advertisements. This started "no later than February 2010 and ... continued until May 21, 2010." The transmission of this information forms the basis of putative class action claims for violations of the Stored Communications Act and the Electronic Communications Privacy Act, California's anti-hacking law, and a slew of state law claims.

Standing: The court first tackles Facebook's argument that plaintiffs lack Article III standing because they have not suffered "injury in fact." Because plaintiffs have alleged violations under a statute which "can be understood as granting persons in the plaintiff's position a right to judicial relief," the court finds that plaintiffs have standing to sue.

Wiretap Act/Stored Communications Act: With respect to plaintiffs' claims under the Wiretap Act and the Stored Communications Act, court says that:

there are two possible ways to understand Plaintiffs' allegations. On the first view, Plaintiffs alleged that when a user of Defendant's website clicks on an advertisement banner displayed on that website, that click constitutes an electronic communication from the user to Defendant. Under this interpretation, the content of the user's communication with Defendant is a request that Defendant "send [a further] electronic communication to [an] advertiser." On the second view, Plaintiffs allege that when a user of Defendant's website clicks on an advertisement banner, that click constitutes an electronic communication from the user to the advertiser. Under this interpretation, Plaintiffs are merely "asking [Facebook]" to pass the communication along to its intended recipient, who is the advertiser.

The court finds that neither approach states a claim under the Wiretap Act. Citing to the language of the statute, the court notes that it restricts entities who provide electronic communication services from divulging the contents of any communication, other than a communication "to such person or entity or an agent thereof." Similarly, the statute restricts a provider from divulging the content of a communication to any person or entity "other than an addressee or intended recipient of such communication."

The court arrives at a similar conclusion under the Stored Communications Act, which contains an exception for disclosure where the "addressee or intended recipient" consents to the disclosure.

Unfair Competition Claim: The unfair competition claim requires plaintiffs to have "lost money or other property as a result of the unfair competition." The court finds that "personal information" does not constitute "property" for purposes of California's unfair competition law. Plaintiffs cited to the AOL data search case (Does v. AOL, LLC) for the proposition that "personal information" can be property for this purpose, but the court points to a significant difference between the two cases: plaintiffs in the AOL case paid fees for the service. In contrast, plaintiffs in this case used Facebook's service for free. The court footnotes plaintiffs' argument that personal information "constitutes currency" as not being supported by any case law. The unfair competition law claims are dismissed with prejudice.

California Penal Code sec. 502: Plaintiffs brought claims under California anti-hacking statute. This was most recently construed in Facebook v. Power.com, where the same judge said that the words "without permission" should be interpreted to require circumvention of some technological measure and not just access in violation of a website or service terms of use. The court finds that plaintiffs failed to allege that Facebook bypassed any technical barriers in transmitting plaintiffs' personal information. The court dismisses these claims with prejudice, but gives plaintiffs leave to re-allege the claim under subsection (c)(8) of the statute, which covers the introduction of "any computer contaminant into any computer."

Consumer Legal Remedies Act: The court finds that this only applies to individuals who "purchase or lease" goods or services for personal or household use. Plaintiffs have not paid any money to use Facebook. Plaintiffs relied on their "personal information is currency" argument, but the court doesn't give it the slightest credit. This claim is dismissed with prejudice.

Contract Claim: The contract claims fail for lack of any allegation of "actual damages." The court will allow plaintiffs to amend to "allege specific facts showing appreciable and actual damages in support of their claim."

Fraud: No luck on the fraud claim either. Plaintiffs fail to allege reliance on any alleged fraudulent misrepresentations. The court grants leave to allege reliance.

Unjust Enrichment: The court says plaintiffs cannot simultaneously pursue an unjust enrichment claim while simultaneously pursuing a contract claim. This claim is also dismissed with prejudice.

Plaintiffs have one more chance with respect to several of these claims, but the court is pretty unimpressed with the lawsuit overall. In the last paragraph of the court's recitation of the facts, it notes plaintiffs "suffered injury." This looks like the judicial version of using air quotes.

I'm somewhat surprised at how easy the court's conclusions seemed on the ECPA and SCA claims. The court's conclusion on these issues is similar to the conclusion from the Doubleclick lawsuit over cookies from 2001 (In re Doubleclick). With respect to California penal code section 502, I don't see how the transmission of information states a claim under this statute. There have not been many rulings construing this statute, but it looks like the Power.com ruling will certainly be a meaningful hurdle for claims under this statute.

The interesting part of the lawsuit is the treatment of personal information as "property." The court is extremely skeptical of this theory. There was speculation as to whether acceptance of the classification of personal information as property for standing purposes would empower privacy plaintiffs when it came to the merits. Only a few results are in, but so far this does not seem to be the case. (See the discussion of Claridge v. RockYou, where this theory seems to have first been given credit for standing purposes: "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") A lawsuit over flash cookies was recently dismissed for lack of actual harm, and the court in that case also expressed skepticism over the "personal information as valuable property" theory. (See Professor Goldman's post on that case: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media.") I don't know if there was a hearing on this particular motion, but if there was, I can see the judge taking off his glasses, looking down at plaintiffs' counsel and giving the "you can't be serious here" look. At least, that's the tone of the order. It's also worth noting that plaintiffs who are subscribers of free services will have challenges bringing claims under some of the state statutes because they are not paying customers. Whatever the viability of the "personal information as valuable property" theory for other causes of action, courts do not appear very willing to treat personal information as the equivalent of money, in order to turn an otherwise free service into a paid service.

I'm with Professor Goldman on these lawsuits. I have a really tough time seeing the harm here. Maybe there's an example out there of a company finding out the identity of someone on Facebook who clicked on their banner ads, and all sorts of real-life negative consequences that flow from this. This sounds implausible enough that plaintiffs should have made some sort of attempt to explain why this is the case or provide an example or two. Judging from the court's order, plaintiffs didn't bother doing this, or did not do so effectively. I haven't even read any newspaper articles which points to any compelling examples of real world harm that resulted from this disclosure of information by Facebook.

Plaintiffs get another chance for some of the claims, but it looks like they have a judge who is going to take a serious look at their claims. It's going to be a long road for these plaintiffs.

Posted by Venkat at 10:09 AM | Licensing/Contracts , Privacy/Security , Trespass to Chattels

May 12, 2011

Judge Refuses to Block Seattle's Yellow Pages Opt-out Law -- Dex Media v. Seattle

[Post by Venkat Balasubramani]

Dex Media West, Inc. v. City of Seattle, C10-1857JLR (W.D. Wash.; May 8, 2011)

I blogged a ways back about Seattle's yellow pages opt-out law and a First Amendment challenge brought by yellow pages companies. I thought the law violated the First Amendment in several respects. ("Yellow Pages Companies Challenge Seattle Opt-out Ordinance on First Amendment Grounds.") As of the first round at least, I'll have to eat crow. Judge Robart rejected plaintiffs' First Amendment arguments and denied a request brought by several yellow pages companies to enjoin application of the statute.

First, the court concludes that yellow pages are commercial speech, which is not entitled to "the highest level of First Amendment protection." Plaintiffs argued that even if the directories constitute commercial speech, they are still deserving of a high degree of protection because the commercial and non-commercial speech in the yellow pages are 'intextricably intertwined'. The court rejects this argument.

Using an intermediate level of scrutiny applicable to commercial speech, the court finds that plaintiffs are unlikely to succeed on the merits of their First Amendment claims. The court credits the city's significant interests in reducing waste, protecting the privacy of its residents, and cost recovery. The court notes that the opt-in nature of the system means that the residents (and not the city) make their privacy choices vis-a-vis the yellow pages.

The court finds that the means chosen by the city to regulate the evils in question bear a "reasonable fit" to the ends. The opt-out registry provides "more than ineffective or remote support" for the city's stated interests. [You know when the court holds the government to a "more than ineffective" standard, the First Amendment plaintiff will be out of luck.] The court also rejects plaintiffs' argument that inclusion of the city's required message is compelled speech because it's more of a labeling requirement, which requires disclosure of "purely factual and uncontroversial information."

The court didn't discuss in detail what I thought were the two most problematic aspects of the statute: the fact that the statutory scheme singles out yellow pages and creates exceptions to satisfy local business interests and creates a licensing scheme for yellow pages.

I'm not a fan of yellow pages and promptly recycle any yellow pages that are delivered to me. I suspect many people are in the same boat. But our distaste for particular pieces of content shouldn't necessarily result in tolerance for ill-structured attempts at regulation. Interestingly, the court finds that the city had a valid basis for singling out yellow pages, because it did so "in response to concerns raised by Seattle residents regarding the unwanted delivery of yellow pages directories." If all that is required to single out particular categories of speech is complaints from a few citizens - as opposed to legislative findings - the government will end up having leeway to block all sorts of unpopular speech.

We'll see what the Ninth Circuit says if the yellow pages plaintiffs appeal (no word yet if they plan to do so). Of course, at a certain point, given the travails of the paper phone book industry, this will become a moot issue.

Other coverage:

"Judge's ruling lets Seattle residents opt out of receiving yellow pages" (Seattle Times)

Posted by Venkat at 08:59 AM | Content Regulation , Marketing

May 11, 2011

47 USC 230 and Message Board Cases

By Eric Goldman

[I've been sitting on this blog post since March, so this post is slightly out of date. For example, I believe the recent Kruska ruling would be a new addition to the list. Putting aside any recent developments, I think this post tells a strong story about 47 USC 230's sweet spot.]

In March, I had the opportunity to research cases where 47 USC 230 applied to message board postings. Here's a report on what I learned:

In general, 47 U.S.C. § 230 means that websites are not liable for third party content except for federal criminal prosecutions, intellectual property claims, or claims under the Electronic Communications Privacy Act or state law equivalents. All other claims predicated on third party content are preempted.

As a specific application of the general rule, the statute immunizes websites from defamation claims based on user-submitted content. When websites allow users to post comments and those comments are defamatory, 47 U.S.C. § 230 eliminates the website’s liability for the comments.

The 47 U.S.C. § 230 immunity applies to media publishers who publish their articles online and let readers respond to those articles via defamatory comments. Two recent cases illustrate this point.

In Miles v. Raycom Media, Inc., 2010 WL 3419438 (S.D. Miss. Aug. 26, 2010), the WLOX television station in Southern Mississippi posted an allegedly defamatory article about the plaintiff to its website and allowed reader comments. She sued the television station for defamation based on both the article and reader comments submitted in response to the article. The court dismissed her defamation claim based on reader comments per 47 U.S.C. § 230.

In Collins v. Purdue University, 703 F. Supp. 2d 862 (N.D. Ind. March 24, 2010), the Journal & Courier newspaper in Lafayette, Indiana, published an article allegedly defaming the plaintiff in both the newspaper’s print and online editions. The online edition allowed reader comments. The plaintiff sued the newspaper for defamation based on both the article and reader comments submitted in response to the article. The court dismissed his defamation claim based on reader comments per 47 U.S.C. § 230.

A larger number of cases address a website’s liability for operating online “message boards” or similar functionality that allows third parties to post allegedly defamatory messages. 47 U.S.C. § 230 immunizes the website for the third party defamatory messages. I found over a dozen examples where 47 U.S.C. § 230 applied to such defamation claims since 2005 [current as of March 2011]:

Two Plus Two Publishing LLC v. Jacknames.com, 2010 WL 4281791 (D. Nev. Sept. 30, 2010)
Milo v. Martin, 311 S.W.3d 210 (Tex. App. Ct. April 29, 2010) (note: posts were to “guestbook”)
Shiamili v. Real Estate Group of New York, Inc., 892 N.Y.S.2d 52 (N.Y. App. Div. Dec. 17, 2009)
Finkel v. Facebook, Inc., 2009 N.Y. Slip Op. 32248 (N.Y. Sup. Ct. Sept. 15, 2009) (note: posts were to private user group)
Joyner v. Lazzareschi, 2009 WL 695539 (Cal. App. Ct. March 18, 2009)
Raggi v. Las Vegas Metropolitan Police Dept., 2009 WL 653000 (D. Nev. March 10, 2009)
Higher Balance, LLC v. Quantum Future Group, Inc., 2008 WL 5281487 (D. Or. Dec. 18, 2008)
Best Western International, Inc. v. Furber, 2008 WL 4182827 (D. Ariz. Sept. 5, 2008)
DiMeo v. Max, 248 Fed. Appx. 280 (4th Cir. Sept. 19, 2007)
Universal Communication Systems, Inc. v. Lycos, Inc., 478 F.3d 413 (1st Cir. Feb. 23, 2007)
Eckert v. Microsoft Corp., 2007 WL 496692 (E.D. Mich. Feb. 13, 2007)
Faegre & Benson v. Purdy, 367 F. Supp. 2d 1238 (D. Minn. Apr. 27, 2005)
Donato v. Moldow, 865 A.2d 711 (N.J. App. Div. Jan. 31, 2005)

Many other 47 U.S.C. § 230 cases involve methods of online user-to-user communication beyond article comments or message board posts, such as online classified advertising, consumer review websites, social networking site user profiles and chatrooms. Those cases are equally clear that the website operator is not liable for user-posted defamatory content per 47 U.S.C. § 230.

Posted by Eric at 08:46 AM | Content Regulation , Derivative Liability | TrackBack

May 10, 2011

Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic

[Post by Venkat Balasubramani]

I posted about the dispute between a photographer and Agence France-Presse over images AFP allegedly downloaded via Twitpic and used without permission. AFP argued that the license terms of Twitter or Twitpic authorized its use of the photos in question. A court rejected that argument. Twitpic has now modified its user agreement to address some of the issues raised by the dispute. The revised terms which were modified on May 4, 2011 would not alter the result between AFP and Morel, but they contain some interesting tidbits. However, the terms are fairly confusing and do not offer much certainty for users or for Twitpic.

Twitpic purports to be the sole point of distribution for photos uploaded to Twitpic: The revised Twitpic terms state that users who upload content:

may not grant permission to photographic agencies, photographic libraries, media organizations, news organizations, entertainment organizations, media libraries, or media agencies to retrieve from Twitpic for distribution, license, or any other use, content you have uploaded to Twitpic.

So this means that if you upload content to Twitpic, you can't license it to third parties?

Use of content within the ecosystem: If you "publish" content uploaded to Twitpic for personal and noncommercial purposes, "you are required to link back to the original content page on Twitpic and attribute credit to Twitpic as the source where you have taken the content." In order to publish content for any commercial purpose or for distribution:

beyond the acceptable Twitter 'retweet' which links back to the original content page on Twitpic . . . you are required to obtain permission from Twitpic in advance of said usage and attribute credit to Twitpic as the source where you have obtained the content.

The terms also provide that "[n]o user may grant a third party permission to copy or save content that has been uploaded to Twitpic." [Does this include the user who originally uploaded the content?]

Retention of ownership: After saying that you will not be able to control the distribution of content uploaded to Twitpic, the terms say that "[y]ou retain all ownership rights to Content uploaded to Twitpic," but grant Twitpic a broad, non-exclusive [??] license to exploit the content "in connection with the [Twitpic] service and Twitpic's (and its successors' and affiliates') business . . . "

I'm confused by these terms. On the one hand, Twitpic looks like it wants to be the exclusive point of distribution for content uploaded to Twitpic. On the other hand, it is telling users that they retain "all ownership rights" in photos they upload to Twitpic. To top it all off, the terms state that if you delete any content you upload to Twitpic, the licenses granted to Twitpic terminate.

People have often raised the alarm over ownership of content posted to networks and services. Much of this seemed like paranoia, based on the broad license any intermediary or service would want granted to it. In this instance, it looks like Twitpic is making a power grab, albeit a potentially ineffectual one.

This terms were confusing enough to make me think twice about uploading anything other than throwaway photos to the service, at least until it cleans up it terms.

Update: After initially revising the terms on the May 4, 2011, Twitpic revised its terms again on May 10, 2011, and removed the paragraph which said users could not grant permission "to retrieve from Twitpic" photos from distribution. (See "Your content, your copyrights" (TwitPic Blog); "Twitpic changes its terms of service".) It’s clunky to say the least, but this language arguably applied only to distribution of photos that are "retrieved" from Twitpic. Also, Twitpic looks like it’s distributing photos uploaded to its service. World Entertainment News Network recently announced (after the second round of changes to Twitpic's terms) that WENN entered into a deal with Twitpic which "will give WENN exclusive rights to sell images posted on the TwitPic service." (See British Journal of Photography (May 11, 2011): "TwitPic signs controversial deal with celebrity photo agency.")

Related: "Stars Gain Control of Online Images" (NYT):

While most people on Twitter use a service like TwitPic, Yfrog or Plixi to share photos with their friends and followers, for celebrities, these services can come with strings attached, as they gain ownership rights to uploaded photos and can sell ads alongside them. A company called WhoSay — a little-known start-up with a clientele that is anything but little known — offers similar services, but grants ownership of the images to the stars themselves.

Previous posts:

Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service
Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic

(h/t) Oliver Platz

Posted by Venkat at 12:38 PM | Copyright , Licensing/Contracts

The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches

[Post by Venkat Balasubramani with additional comments from Eric]

[Eric's note: This topic festered in my blogging queue for far too long, so we are finally posting this after the FTC's comment window closed. Nevertheless, this is such an interesting and important settlement that it's worth reviewing at this late date.]

In the matter of Google Inc., FTC File No. 102-3136 (Consent Order [pdf]) (FTC Press Release)

The FTC proposed a tentative settlement with Google over Google's ill-fated rollout of Google Buzz. The settlement includes the following terms:

No misrepresentations: The proposed agreement prohibits Google from making any misrepresentation regarding its information collection and use, and "the extent to which consumes may exercise control over the collection, use, or disclosure of covered information."

Opt-in for new sharing: To the extent Google shares previously collected information in a way that is different from what is stated in its policy at the time it collected the information (or any sharing occurs as a result of a new product feature), Google must (1) give notice separate from any terms of use or privacy policy, (2) disclose the identity or specific category of the third party recipients of the information (and the purpose), and (3) obtain "express affirmative consent."

Develop a privacy program: Google is mandated to develop a "comprehensive privacy program", and appoint a privacy czar who must, among other things conduct ongoing risk assessments, implement reasonable controls and procedures, and evaluate and adjust its privacy program in light of the results of any monitoring or any material changes.

Ongoing assessments: Google must obtain biennial assessments from third party experts regarding Google's "privacy controls," and how the controls are appropriate, and are implemented to meet the requirements of the settlement.

Record keeping requirements: Google has to comply with ongoing record keeping requirements, including of its own privacy pronouncements, consumer complaints, any documents that question its compliance with the settlement, and underlying data used to prepare any assessments.

___

This looks similar to the settlement Twitter and the FTC entered into over Twitter's privacy (and security) practices. ("The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?") Both agreements impose a variety of fairly onerous obligations on the companies for a fairly long period of time. The FTC's proposed agreement with Google imposes significantly more obligations on Google than its settlement did with Twitter and it applies across the board to all of Google's various initiatives. (This includes YouTube, Google street view, Android etc.) I did not pick up on this at first, but Commissioner Rosch concurred but issued a separate statement speculating about Google's own anti-competitive motivations in agreeing to restrictions that would make it harder for potential entrants into the field. ("Concurring Statement of Commissioner J. Thomas Rosch" [pdf].) Professor Goldman comments on this below, but maybe Google wanted this consent decree to be extraordinarily broad in its application?

I don't have a sense of the inner workings of an agency and what sorts of considerations go into bringing an enforcement action, but this seems over the top. Google acknowledged that its rollout of Buzz was fumbled - I don't think anyone thinks this was some nefarious plot to get everyone to share their email addresses and contacts and then exploit this information sharing. Apart from the outcry from privacy advocates, the service received a tepid response and was pretty much a flop. Google took reasonably prompt action in response to user outcry. I doubt this type of a botched rollout will happen to Google again. If there was ever a situation where a slap on the wrist would have been appropriate, this is it. Instead, Google is subjected to potentially onerous ongoing compliance obligations, and the failure to follow any one of these will result in a potential call from the FTC.

It's also odd that Twitter and Google who are viewed to be on the more privacy-friendly end of the spectrum are both under FTC jurisdiction for twenty or so years when the FTC hasn't taken action against Facebook. If anyone should be jumping through hoops and filing periodic reports with the FTC about privacy, it should be Facebook! [I'm sure Apple is viewing this with interest, in light of the ongoing commotion over its location tracking. (See "Apple Blames Bug For Extensive Location Tracking.")] As Professor Goldman points out, maybe this is part of an FTC strategy to bypass Congress when dealing with online privacy in general. When and if this settlement is approved, the FTC will have two of the biggest companies in the space under its thumb. It only has a few more to go before all of the major players are accounted for.

Two specific observations about the language of the agreement.

The definition of "covered information" includes:

(a) first and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above. [emphasis added]

This language is slightly different from the language in the privacy bill recently proposed by Senators McCain and Kerry. The proposed bill does not treat an IP address as personally identifying information but instead uses the term "unique identifier information that alone can be used to identify a specific individual." This may indicate a slight but potentially significant difference in the way that Congress and the FTC view an IP address as being "personally identifiable information".

The language also references "information [Google] collects from or about an individual." Initially, I assumed that the parties intended to refer to information Google collected while an end user is using one of its products or sites or information that is provided to Google by an end user, and not include the information Google "collects" about an individual. This latter category includes a whole lot more than information individuals provide to Google while using any of its products or services (e.g., information Google collects when it crawls the web). An FTC chat on Twitter regarding the proposed settlement makes clear that the FTC intends that any information Google collects about an individual is covered. (See FTC's "March 30 Twitter Chat regarding the proposed settlement with Google" [pdf], A5.)

Finally, the agreement requires disclosure of any new or additional uses of "covered information" clearly and conspicuously, and requires this disclosure to take place "separate and apart" from any end user agreement or privacy policy. Ouch. The requirement that disclosure take place separate and apart from an end user agreement strikes me as new. I'm sure there are ways this can be implemented without killing user adoption, but it speaks to the FTC's views on the efficacy of disclosures in terms of use and privacy policies.

There's also the issue of the class action over Buzz which Google settled which is awaiting final approval from the trial court. ("Google Settles Buzz User Privacy Litigation.") The lawyers are entitled to up to $2.5 million from the settlement, but the settlement did not extract from Google 1/10th of the provisions as the ones in the FTC's proposed settlement. If there was ever a situation that highlights the need for scrutiny of lawyers' fees in privacy class action, this is it. (As a sidenote, EPIC whose complaint prompted the FTC inquiry is objecting to the proposed settlement in the class action.)
____________

Eric's Comments

To me, one fact about the FTC-Google settlement stands out above all others: Google isn't paying a dime to the FTC. Given that Google already paid $8.5M to settle the civil lawsuits and the fact that very few (if any) consumers were actually harmed by the botched Buzz launch, a no-cash settlement with the FTC is logical. But it still leaves me pondering: if it wasn't looking for cash, why did the FTC initiate an enforcement action in the first place?

One possible answer is that the FTC is using this settlement to establish de facto legislation without having to deal with Congress, and it found a pliable target who thinks de facto legislation could help increase barriers to entry for its competition. After all, Google is already doing some of the things required by the settlement; but maybe Google's competitors aren't, in which case agreeing to the settlement has the backdoor benefit for Google of raising its competitors' costs. Commissioner Rosch hints at this possibility in his concurring statement.

Like Venkat, I see the similarities between this settlement and the Twitter settlement. Both involved Silicon Valley companies, both were no-cash deals and both involved lengthy behavioral restrictions. Another hypothesis to explain the enforcement action is that the FTC has had it with the Silicon Valley "cowboys," so it is going to lock down the leading Silicon Valley companies, one-by-one if it has to, into settlement agreements that give the FTC greater control over their activities. If this hypothesis is correct, then this settlement apparently has plenty of implications for Facebook and Apple and other leading Silicon Valley Internet companies--the FTC *will* be calling at some point based on some "technical" breach of the FTC Act, looking to put you under their thumb too.

I would also link this settlement with the DOJ's conditions on the Google-ITA merger, which also imposed substantial reporting requirements on Google. Maybe the DC powers-that-be are craving deeper looks into key Silicon Valley companies, and the reporting requirements give these regulators lots of extra information to improve the future ability to bust Google whenever they want.

The "fencing-in" part of the settlement is also particularly interesting. The actual commitment by Google--get express opt-ins for secondary data uses--isn't earth-shattering; it's always been my position that such permission was legally required anyway. However, the requirement in the settlement agreement has two implications.

First, the restriction applies across Google's entire organization for the next 20 years. If any part of Google violates the restriction, even accidentally, then the FTC comes a-callin' for a violation of the settlement agreement rather than an enforcement of the FTC Act from scratch. Procedurally, this puts the FTC in a more advantageous position to turn the screws on Google if there's a slip-up; or stated differently, Google has less room for minor errors than its competitors.

Second, Internet technologists widely believe that it's OK to launch half-baked web services on a beta basis and quickly iterate to fix any issues identified by the beta test. This approach doesn't work from a legal standpoint. If a beta version of an Internet service has a privacy problems, the privacy plaintiffs' bar will swarm all over the company like flies to honey; the "but it was only a beta test" defense is legally irrelevant. This settlement, and the de facto legislation binding Google, is an indication that the FTC won't give anyone a free pass for botched beta launches either. Ultimately, this standard may be a good thing; companies should resolve issues before they put their users at risk. On the other hand, making new services error-proof before they go live is hard, and doing that level of fit-and-finish makes the innovation cycles harder. Unquestionably, the innovation process at Google will get gummier due to this settlement.

Admittedly, it's hard to feel sorry for Google in this situation. After all, I could comfortably live the rest of my days on only 0.1% of their 2010 profits, and their Buzz offering was misarchitected and too addled by Facebook envy. But given Google's large cash settlement of the civil lawsuit and the seemingly complete failure of Buzz in the marketplace, I don't see how the FTC's appearance at this party was either necessary or desirable. Thus, I still have this queasy feeling that the FTC settlement isn't designed to advance the public interest.

Posted by Venkat at 09:03 AM | Privacy/Security

May 06, 2011

Two Recent Social Media Defendants Avoid Personal Jurisdiction

By Eric Goldman

As I've said repeatedly, I try to stay away from blogging Internet personal jurisdiction cases. It's hard to get excited about any civil procedure topic (no offense to the litigators and Civ Pro profs reading the blog!), and it's rare that a new case represents a major change in the Internet jurisdiction jurisprudence. Instead, most cases are very much bound up in their specific facts. Nevertheless, I accumulated two more-interesting-than-average personal jurisdiction cases to share with you now.

Lifestyle Lift Holding, Inc. v. Prendiville, 2011 WL 830280 (E.D. Mich. March 9, 2011)

Pugnacious plaintiff Lifestyle Lift is at it again. The background from the opinion:

In February of 2009, Prendiville posted the following message on a question and answer message board at Realself.com: "Lifestyle Lift: Its just a marketing entity. Lifestyle Lift can be equated to an 'Ask Gary' in legal terms or a "1-800 Dentist." In January of 2010, Prendiville posted more messages on the same website: "Many of the results shown appear to have been multi-hour procedures and are not the results that your average Lifestyle Lift journeyman will be able to achieve in 'about an hour.'" "[C]hoose the Surgeon, not some hyped-up quickie procedure performed by journeymen surgeons ." In April of 2010, Prendiville posted on the site again: "Why would any surgeon work for Lifestyle Lift? There are two reasons, because a successful surgeon is very unlikely to choose this career path: a) just out of training and need the business, b) have been in practice for years and never attained any degree of success."

Lifestyle Lift sued Prendiville for a Lanham Act violation and related claims. The court dismissed the suit for lack of personal jurisdiction:

LLH has failed to demonstrate that Prendiville's page on RealSelf is sufficiently interactive to establish purposeful availment in Michigan. LLH has also failed to show that Prendiville purposefully availed itself of acting or producing consequences in Michigan because his actions are not sufficient focused on the state nor would the state feel the brunt of any alleged injury.

Selected prior blog posts on Lifestyle Lift:
- Lifestyle Lift Settles NYAG Claim Over Fake Consumer Reviews
- Lifestyle Lift Tries to Use TM Law to Shut Down User Discussions; Website Countersues for Shilling--Lifestyle Lift v. RealSelf. As you can see, having failed to shut down RealSelf’s discussion of Lifestyle Lift generally, Lifestyle Lift may be going after individual RealSelf contributors.

Shymatta v. Papillon, 2011 WL 1542145 (D. Idaho April 21, 2011)

Shymatta is a retailer operating at celljunkie.com. He brought a trademark infringement suit against Papillion for running a blog that reviews cellphones at cellphonejunkie.com. The court dismissed the lawsuit for lack of personal jurisdiction. The court’s relevant discussion:

Mr. Shymatta's argument that Mr. Papillon maintains a commercially interactive website available to Idaho users that falls at the extreme end of the Zippo sliding scale is unavailing. Mr. Papillon does not manufacture, design, stock, sell, or ship any cell phone related product; when he reviews a cell phone or related product, he provides a link to a retailer that sells the product for the ease of the reader. No profit is received by Mr. Papillon for these links….The fact that Mr. Papillon sells a small number of premium podcast subscriptions advertised on his website does not render it commercially active. To subscribe, an interested party must e-mail Mr. Papillon separately; the transaction is not conducted on the website….The podcasts are also available for free listening on the website. At most, Mr. Papillon's website falls into the middle ground of the Zippo sliding scale because there is some minimal user interactivity. Visitors to the website may post their own personal comments at the end of Mr. Papillon's blog posts. Such minimal interactivity, coupled with the lack of commercial activity, is insufficient to convey general personal jurisdiction subjecting Mr. Papillon to being "haled into court in the forum state to answer for any of its activities anywhere in the world."

This discussion is garbled, of course, because the Zippo test applied to specific jurisdiction, not general jurisdiction, although "high" level of interactivity in the Zippo test is the de facto equivalent of general jurisdiction. This ruling is nice because it denies jurisdiction not only for normal blogging activities but also "enhanced" blogging activities like putting podcasts behind a paywall.

Selected related posts

* Creation of False Blog and LinkedIn Account Targeting Utah Resident Supports Personal Jurisdiction in Utah -- Buckles v. Brides Club, Inc. (August 2010)
* Three Gripers Get Disadvantageous Jurisdictional Appellate Rulings in Defamation Cases (June 2010)
* Ripoff Report Sues Blogger, Loses on Jurisdictional Grounds--Xcentric Ventures v. Bird (February 2010)
* Defamation Lawsuit Against Blogger Dismissed on Jurisdictional Grounds--Fahmy v. Hogge (October 2008)
* Connecticut Blogger Not Subject to Texas Jurisdiction--Healix Infusion v. Helix Health (May 2008)
* Blog Defamation Lawsuit Lacks Jurisdiction--TrafficPower.com v. Seobook.com (February 2006)

Posted by Eric at 09:40 AM | Content Regulation | TrackBack

May 05, 2011

Court Finds Webloyalty Rewards Program Disclaimers Sufficient to Defeat Misrepresentation Claims -- Berry v. Webloyalty

[Post by Venkat Balasubramani]

Berry v. Webloyalty.com, Inc., et al., 10-CV-1358-H (CAB) (S.D. Cal.; Apr. 11, 2011)

This is another online membership program case. Plaintiff purchased tickets from movietickets.com using his debit card. He alleges that he was offered a $10.00 discount and, when he took advantage of this discount, he unwittingly signed up for a rewards program operated by a third party that resulted in monthly recurring charges. Plaintiff asserted a variety of claims, including for unfair business practices against defendants. Based on the disclosures at the time of the transaction, the court rejects the claims and dismisses the case.

The court cites to and reproduces the disclosures in its order, and finds that:

the explicit and repeated disclosures that Defendants made in their enrollment page suffices to defeat the . . . claims.

Plaintiff cited to Keithly v. Intelius, where the court found that disclaimers did not defeat a plaintiff's claim of being misled into signing up for a rewards program. ("Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout.") The court notes that in contrast to Keithly, in this case, the customer was not taken through a byzantine transaction process. Here, the plaintiff took a "voluntary step to click on the coupon offer" that looks like it was presented in the page before the checkout page. As the court notes, in all, the plaintiff "took three affirmative steps to accept the terms of the club membership," and had an opportunity to decline. The court held that the disclaimers around the offer were "sufficient to place reasonable consumers on notice that they are entering into the Shopper Discounts & Rewards club and that they are accepting the offer by clicking on the 'YES' button."

The Defendants used the same strategy used by defendants in similar cases to focus on the screenshots of the signup process and thereby limit discovery. Defendants initially presented the screenshots. Plaintiff challenged the authenticity of the screenshots. The court allows limited discovery into the issue of authenticity, and plaintiff is unable to come up with anything to adequately challenge the authenticity of the screenshots. As a result, the court takes judicial notice of the screenshots and adjudicates the issue on the basis of the pleadings and the screenshots of the signup process. The court also takes judicial notice of the acknowledgment page, confirmation email, and account history as well. This is a good strategy on the defendants' part to narrow the case and take a case that may have otherwise resulted in a potential discovery quagmire and focus it on the individual signup process for the plaintiff in question.

This case is distinguishable from Keithly on the basis that in Keithly, the checkout process was much more convoluted. On the other hand, in Keithly, the court expressly cites to the "least sophisticated consumer" standard, and there's no such reference by the court in this case. The implication is that any consumer who is duped into signing up for the rewards program in this case is per se unreasonable. In addition, although it did not apply to the conduct in question since it had not been enacted at the time of the transaction, the recently passed "Restore Online Shoppers' Confidence Act" speaks directly to the issue of post-transaction offers that result in recurring charges for the consumer. The statute prohibits the passage of credit card or billing information from one online merchant to another, finding that:

[t]he use of a 'data pass' process defied consumers' expectations that they could only be charged for a good or a service if they submitted their billing information, including their complete credit or debit card numbers.

Plaintiff tried to rely on this and requested that the court take judicial notice of this Congressional finding, but the court says that the Congressional statements issued in the statute "are subject to dispute." Ordinarily, it does not make sense for a court to take judicial notice of a particular industry practice since the experience in a particular case may vary, but I wonder if the court should have given greater weight to the findings, at least with reference to the question of whether a particular online practice was reasonable. As to the point quoted above which relates to billing information being transmitted to a third party, there is no dispute that Webloyalty engaged in this practice and that Congress thinks it's sufficiently out of touch with consumers' expectations that it should be prohibited. Either way, it's worth mentioning what the statute covers:

- before obtaining billing information, the third party seller has to clearly and conspicuously disclose the material terms of the transaction;
- the fact that the third party seller is not affiliated with the initial merchant has to be disclosed to the consumer;
- the third party seller has to obtain (directly from the consumer) the consumer's billing information, name and address and contact information, along with the consumer's affirmative consent.

The statute imposes a blanket ban on the practice referred to as "data-pass" - i.e., disclosure of the consumer's credit or debit card or other account information by the initial merchant to the third party merchant. The statute also prevents "negative option marketing," where a merchant interprets the consumer's failure to take action as assent for future charges.

Previous posts:
Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process -- Bott v. Vistaprint USA Inc.
Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards
Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout -- Keithly v. Intelius
Intelius Dodges a Bullet Over Allegedly Deceptive Online Marketing Practices -- Hook v. Intelius

h/t: "Screenshotapalooza:Webloyalty disclosure sufficient as a matter of law" (Professor Tushnet) ("The court, however, found that the disclosures were prominent enough that no reasonable consumer could have been fooled by them (essentially deeming all the people who feel cheated by programs of this type unreasonable).")

Posted by Venkat at 04:36 PM | E-Commerce

Student Loses First Amendment Fight To Call School Officials “Douchebags” After Four Years Of Litigation--Doninger v. Niehoff (Guest Blog Post)

By John E. Ottaviani*

*John Ottaviani is a partner in the firm of Edwards Angell Palmer & Dodge, LLP, and is an occasional guest blogger. The opinions expressed are his own, and are not attributable to his Firm, to Eric Goldman or to any other organization.

Doninger v. Niehoff, No.09-1452-cv (L) (2d Cir. Apr. 25, 2011)

Maybe it’s just a sign of the times. Why would anyone spend four years and who knows how much money making a federal case over a high school’s refusal to permit a girl to run for Senior Class Secretary in response to her off-campus blog post in which she called school officials “douchebags”? If the Internet had been around when we were in high school and I did something like that, my parents would have ensured that my consequences would have been swift and immediate, and most likely physically painful.

Background

The basic facts are not too complicated, although there are differing accounts as to some of the facts. In the Spring of 2007, Ms. Doninger (then a junior at Lewis S. Mills High School in Burlington, Connecticut) and other Student Council members were planning an annual battle-of-the-bands concert called “Jamfest.” Several days before the event, the students were told that the concert would either have to be moved to the smaller cafeteria or rescheduled, due to the unavailability of the teacher responsible for operating the school’s sound and lighting equipment in the auditorium.

Acting like typical teenagers with no impulse control, the students (including Ms. Doninger) accessed a personal e-mail account from the school’s computer lab (in violation of a written school policy) and sent a mass e-mail alerting parents, students and others that the concert could not be held in the school auditorium and urging them to contact the administration and ask that the students be allowed to use the auditorium.

Some facts are in dispute about what happened later that day when the school’s principal met with Ms. Doninger. The principal claimed that she told Ms. Doninger that the e-mail was inaccurate, that the student’s could hold the concert in the auditorium at a later date if they did not want to use the smaller cafeteria, and that Ms. Doninger’s conduct was unbecoming of a class officer. Ms. Doninger’s version is that the principal cancelled the concert, with the possibility of rescheduling later “if [the students] play [their] cards right,” and that the principal said nothing about her responsibilities as a class officer.

What is undisputed is that Ms. Doninger went home that night and posted an entry on her LiveJournal blog in which she advised that “jamfest is cancelled due to douchebags in central office …” and urged parents and students to contact the superintendent and principal “to piss her off more.”

A few weeks later, when Ms. Doninger met with her principal to accept her nomination for Senior Class Secretary, the principal asked her to withdraw her candidacy because her behavior violated the principles governing student officers set out in the school’s student handbook. The principal refused to let Ms. Doninger’s name appear on the ballot, to let her speak at a school assembly regarding the election, or to let students wear T-shirts promoting Ms. Doninger’s candidacy. Apparently, Ms. Doninger still won the election with a plurality of the votes cast, but she was not allowed to serve. Ms. Doninger was not otherwise disciplined or suspended from school at any time.

Ms. Doninger’s mother filed a complaint in 2007 in Connecticut state court, alleging violations of Ms. Doninger’s Constitutional rights and state law. The school officials removed the case to federal court. Ms. Doninger then filed a motion for a preliminary injunction asking the court to void the election for Senior Class Secretary and to require a new election. The request for the injunction was denied (514 F. Supp. 2d 199 (D. Conn. 2007)), and the denial was affirmed on appeal (527 F.3d 41). After Ms. Doninger graduated from high school, the request for the injunction was moot, but she amended the complaint to seek damages for the alleged violation of her Constitutional rights. In January 2009, the district court denied Ms. Doninger’s motion for summary judgment and granted the school’s motion in part. (594 F. Supp. 2d 211 (D. Conn. 2009)). [See Eric’s note of the case]. After motions for reconsideration were denied, both parties appealed to the Second Circuit again.

Decision

The Second Circuit decision exonerated the school officials on all counts. In particular, the Second Circuit: (1) affirmed the District Court’s holding that the school officials had qualified immunity for the claim that Ms. Doninger’s First Amendment rights were violated when the principal prohibited her from running for Senior Class Secretary; (2) reversed the District Court’s holding that the school officials were not entitled to qualified immunity for the claim that Ms. Doninger’s First Amendment rights were violated when they prohibited her from displaying a “Team Avery” t-shirt in the election assembly: (3) affirmed the District Court’s dismissal of Ms. Doninger’s Equal Protection claim that other student officers were not similarly punished; and (4) affirmed the District Court’s dismissal of Ms. Doninger’s claims based on the Connecticut Constitution.

The Second Circuit spent a good part of the decision discussing the First Amendment issues and the Tinker-Fraser-Hazelwood trilogy of U.S. Supreme Court cases governing student expression. The Second Circuit expressly refused to adopt a rule (urged by Ms. Doninger) that students are completely insulated from discipline for speech-related activity occurring away from school property, no matter its relation to school affairs or its likelihood of having effects in school. But then the Second Circuit avoided deciding whether Ms. Doninger’s First Amendment rights were violated when she was prevented from running for Senior Class Secretary, by finding that the school officials were entitled to “qualified immunity” from the claims.

Under a qualified immunity analysis, a court conducts a two-part inquiry: (1) whether the facts, when viewed in the light most favorable to the plaintiff, show that the official’s conduct violated a Constitutional right; and (2) whether the right at issue was clearly established at the time of the official’s alleged misconduct. If it is objectively reasonable for an official to believe that his or her conduct did not violate such a right, then the official is protected by qualified immunity. The Second Circuit did not reach a conclusion as to whether the school officials violated Ms. Doninger’s Constitutional rights. Rather, the court concluded that any First Amendment right Ms. Doninger may have had “was not clearly established” given the uncertainty in the legal decisions in this area to date, and that the school officials acted reasonably in the circumstances and were thus entitled to qualified immunity from the claims.

Discussion

Overall, the Second Circuit appears to have reached the proper conclusion here. The court emphasized that the discipline was relatively minor, and that Ms. Doninger’s conduct violated several written school policies to which she had agreed. Ms. Doninger did not simply make the comments orally, on in text messages sent to her friends with some expectation that the school officails would not see them. Rather, she posted her comments on a public website and then made sure school officals would see them by inciting readers to contact the school officials. Unlike some other school discipline cases involving off campus postings or communications (see here and here), the principal here did not overreact. Ms. Doninger was not suspended, and the students were given the choice as to whether to hold the concert on the original date but in the cafeteria, or on a new date in the auditorium. Ms. Doninger was sanctioned because her conduct was viewed as inappropriate for a class officer in that school.

Unfortunately, by avoiding any conclusions on the Constitutional issues, the Second Circuit’s decision did not provide any new practical guidance for the difficult issue as to when a student’s off-campus speech so affects or disrupts school activities that the student can be disciplined in school for the speech. (For example, see Eric’s post from last year where Third Circuit panels reached opposite conclusions on similar facts). Hopefully, the court’s emphatic beatdown of Ms. Doninger’s claims will end this particular dispute, although her attorney has stated that he would take an appeal to the U.S. Supreme Court.

I’m a big defender of the First Amendment, but this case appears to be another example of what we were taught in law school that “bad facts make bad law.” There is no significant freedom of speech issue here, just a refusal by a student and her parent to accept consequences for the student’s bad behavior. Ms. Doninger graduated in 2008, and is now attending college. It’s time to move on.

For additional information and other points of view, some other links:

* Citizen’s Media Law Project
* Student Press Law Center press release

Posted by John Ottaviani at 09:19 AM | Content Regulation | TrackBack

May 04, 2011

9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal

[Post by Venkat Balasubramani]

US v. Nosal, 10-10038 (9th Cir.; Apr. 28, 2011)

The Ninth Circuit reversed the district court's dismissal of an indictment under the Computer Fraud and Abuse Act, holding that an employee's access of an employer's protected computer in violation of the employer's "use policy" violates 18 U.S.C. 1030(a)(4).

Background: Nosal, the defendant, worked for Korn/Ferry International, an executive search firm. He left the firm in October 2004 and signed a separation agreement under which he agreed to help Korn/Ferry as a consultant. After leaving employment with Korn/Ferry, Nosal allegedly engaged three Korn/Ferry employees to help him start a competing business:

[t]he indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the 'Searcher' database - 'a highly confidential and proprietary database of executives and companies' - which was considered by Korn/Ferry 'to be one of the most comprehensive databases of executive candidates in the world.'

The indictment indicates that Korn/Ferry took certain steps to secure its "highly confidential' database, and among other things, required its employees to enter into agreements which "restricted the use and disclosure of all [confidential] information, except for legitimate Korn/Ferry business."

LVRC Holdings v. Brekka: The district court, relying on LVRC Holdings LLC v. Brekka, dismissed, on the basis that the cooperating Korn/Ferry employees had authorization to access the confidential database for legitimate Korn/Ferry business, and therefore, their access of the database was not "without authorization." In Brekka, an LVRC sued an ex-employee under the Computer Fraud and Abuse Act, alleging that the ex-employee accessed LVRC's computer's without access when the employee emailed himself documents. The employee was authorized to access the documents in question, but accessed them for his own purposes, rather than in furtherance of LVRC's goals. The court rejected LVRC's claims, holding that "access without authorization" means access of a computer that was never authorized, or where access was expressly revoked - i.e., access of information that the employee is authorized to access, but accesses for a purpose contrary to the employer's purpose does not constitute access "without authorization." In a footnote, the court also rejected LVRC's "implicit" argument that Brekka "exceeded the scope of authorization" on the basis that the statute defines "exceeding the scope of authorized access" as the access of a computer that the person has permission to access, but where the person accesses information that the person is not entitled to access.

The Ninth Circuit's Opinion in Nosal: The Ninth Circuit does a 180 from Brekka and holds that an employee who accesses a protected computer in violation of the employer's use restrictions "exceeds authorized access" for purposes of the CFAA:

as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.

The court distinguishes Brekka and states that while in Brekka there was no express policy in place (and the employer relied on state law duties of loyalty), in Nosal, the Korn/Ferry employees "were subject to a computer use policy that placed clear and conspicuous restrictions on the employees' access both to the system in general and to the . . . database in particular."

Judge Campbell dissented, arguing that the majority's interpretation would:

make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email or to check the latest basketball scores.

Judge Campbell points out that this case is analogous to US v. Drew case, where the court rejected the government's interpretation that a violation of a website terms of service could support a criminal violation of the CFAA. Judge Campbell also points out that although section 1030(a)(4) requires an intent to defraud, section 1030(a)(2)(C) also contains identical "exceeds authorized access" language but does not contain an intent requirement.
___

Nosal bolsters employer claims based on the Computer Fraud and Abuse Act, but it raises the same issues that the Lori Drew prosecution raised. The legal theory behind both prosecutions will render criminal harmless activity that many engage in on a daily basis. Under the prosecution's theory in Drew, a website terms of service would turn everyday web surfing which is in technical violation of a terms of service into a federal crime. People violate terms of service of websites they access every day. Similarly, employees access their employer's computers in technical violation of acceptable use policies all the time. If an employer's policy says that you can only use the computer for work purposes, and you access espn.com, this is a technical violation of the policy, and under the court's interpretation of the statute, a federal crime.

What's surprising in all of this is that this looks like it should be a run of the mill trade secrets case brought by an employer, who has ample tools available other than the Computer Fraud and Abuse Act to deal with this situation. Instead, it's a federal criminal indictment which drastically expands the scope of Computer Fraud and Abuse Act liability.

[It's worth adding that other federal appeals courts have taken the same approach that the Ninth Circuit took in this case.]

Other coverage:

Threat Level: "Appeals Court: No Hacking Required to Be Prosecuted as a Hacker"
Orin Kerr: "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime)"
PrawfsBlawg: "When the Right Interpretation of the Law is a Scary One (CFAA Edition)"

Posts on US v. Drew:

"Lori Drew Criminal Case Ends With a Whimper"
"Lori Drew Guilty of 3 Misdemeanor Violations of the Computer Fraud & Abuse Act"

Posted by Venkat at 02:21 PM | Privacy/Security

Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media

By Eric Goldman

La Court v. Specific Media, Inc., 8:10-cv-01256-GW-JCG (C.D. Cal. April 28, 2011)

Lawsuits over cookies seem so Y2K to me. I thought we'd pretty much concluded that placing cookies wasn't actionable a decade ago (see, e.g., In re Doubleclick from 2001). But two things have changed in the interim. First, we're no longer dealing with garden variety cookies. Now we're dealing with FLASH cookies or SUPER cookies or LORD VOLDEMORT cookies or whatever. Surely, if you add a scary adjective before the word "cookies," they become much, much more pernicious than the plain ol' cookies of 2000. See more on my mocking of cookie angst.

Second, and perhaps more importantly, the Internet privacy plaintiffs' bar is much more organized than it was a decade ago. They have built litigation machines that are ready to rock-and-roll at any privacy provocation, no matter how slight. But just because the privacy plaintiff's bar is a well-oiled machine doesn't mean it is doing quality legal work, as this judge notes pointedly--and repeatedly.

Even though the world might be a better place if they did, most judges are too polite and diligent to dismiss a lawsuit with a simple but honest opinion: "Motion to dismiss granted because the lawsuit is asinine." Instead, this opinion takes 9 single-spaced pages to reach that conclusion and grant the dismissal motion, although the judge does give the plaintiffs the chance to amend (an option they should decline, although they won't).

The Article III standing issue in privacy cases has gotten murky in the past 6 months in light of the 9th Circuit's Krottner v. Starbucks opinion and the more recent and much broader (but surprisingly uncited) Claridge v. RockYou opinion, both of which found privacy harms where I would not have. I still think Article III standing is the best way to get rid of the junk privacy lawsuits, so I am happy when courts embrace the doctrine to end unmeritorious cases early. This court says the plaintiffs might have been able to allege some harms sufficient to show Article III standing, but their advocacy sucked.

On the key question of economic harm from placing flash cookies, the court says:

the Complaint does not identify a single individual who was foreclosed from entering into a "value-for-value" exchange as a result of Specific Media's alleged conduct. Furthermore, there are no facts in the FACC that indicate that the Plaintiffs themselves ascribed an economic value to their unspecified personal information. Finally, even assuming an opportunity to engage in a "value-for-value exchange," Plaintiffs do not explain how they were "deprived" of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.

In response to the amended complaint, I hope the court will use Rule 11 to police any deliberate overclaims by the plaintiffs trying to respond with new evidence.

The court also rejects the plaintiffs' conclusory claim that the cookies degraded their computers' performance. This allegation shows up in a lot of privacy complaints, and good for the judge for rejecting the generic assertion and requiring the plaintiffs to show something more tangible before they survive a motion to dismiss.

The court's conclusion at the end of the Article III standing discussion isn't exactly a compliment to the plaintiffs:

It is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and factually supported theory of what that injury might be.

Ugh. Then again, in a footnote, the court shows the whip to defense counsel in response to the assertion that the lawsuit was brought in bad faith:

Defendant's counsel would be instructed that lawyers should not, just as a matter of basic professionalism, accuse other lawyers of operating a "shakedown" operation unless they can completely support such accusations.

Clearly, not a judge to be trifled with!

Although the judge dismisses the lawsuit on Article III grounds, it provides some early guidance on some of the substantive claims:

* the judge expresses skepticism that the plaintiffs can meet the $5k of damage requirement for a CFAA claim. In a footnote, the judge wonders if the plaintiffs' harm can be aggregated together to reach the $5k threshold. (I thought it could, so I'm intrigued what prompted the footnote).
* the judge wonders if the ECPA preempts the CA Penal Code 631 claim
* the judge is skeptical of the common law trespass to chattels claim because the plaintiffs didn't allege any meaningful impairment to their computers
* as usual, the unjust enrichment claim isn't a standalone claim. The plaintiff also drops its CLRA claim.

Wendy Davis' coverage of this ruling.

Posted by Eric at 09:30 AM | Privacy/Security , Trespass to Chattels | TrackBack

May 03, 2011

Another Defense-Favorable Righthaven Ruling--Righthaven v. Choudhry

By Eric Goldman

Righthaven v. Choudhry, 2011 WL 1743839 (D. Nev. May 3, 2011)

This lawsuit involves the "Vdara Death-Ray" image published in the Las Vegas Review-Journal, which has been the basis of numerous Righthaven lawsuits. In this case, Choudhry may be a particularly poor defendant. He argues that the image appeared on his site as an in-line link (permissible under Perfect 10 v. Amazon) and via an automated process that lacked volition. The court rejects Choudhry's motions for judgment on the pleadings and summary judgment on those points, saying that the judge wants to understand the technology better before ruling on it.

On fair use, recycling some of his own recent ruling in the CIO case, the court says:

1) The defendant's use is transformative but it's not clear if the use was commercial or not
2) The nature of the work could go either way
3) Republishing the image at 30% size could go either way
4) As a matter of law, the defendant's use doesn't harm Righthaven's market

The latter point is a biggie. The fourth fair use factor is often considered the most important, and the court is treating it as presumptively weighing against Righthaven in all cases. The court is basically doing the same with the transformative nature of the works. If those two considerations automatically weigh against Righthaven in every case, Righthaven will have a tough time defeating any fair use defense.

The court rejects Righthaven's demand for the defendant's domain name. This follows from Righthaven v. DiBiase, 2011 WL 1458778 (D Nev April 15, 2011), issued by a different Nevada judge, which said: "Congress has never expressly granted plaintiffs in copyright infringement cases the right to seize control over the defendant’s website domain. Therefore, the Court finds that Righthaven’s request for such relief fails as a matter of law and is dismissed."

Finally, the judge preserves Choudhry's counterclaim, which allows Choudhry to keep the lawsuit going even if Righthaven dismisses it and sets up Choudhry to potentially go on the offensive.

All told, although this ruling doesn't break much new ground, it consolidates defendants' gains on three fronts:

* the fair use factors weighing in favor of defendants as a matter of law
* the lawlessness of Righthaven's domain name demand
* the preservation of defendant's counterclaims

Ruminations on the Likelihood of Consumer Confusion Standard in Trademark Law

By Eric Goldman

Last month, I attended the Third Trademark Scholars’ Roundtable in Bloomington, Indiana. See my prior blog posts about the first and second roundtables. See a photo of the participants. As usual, Rebecca acted as event chronicler. See her comprehensive blog posts (1, 2 (with artwork by Bill McGeveran!), 3, 4).

The roundtable’s theme was the likelihood of consumer confusion (LOCC) test and its deficiencies. Overall, the roundtable participants generally agreed that the test has obvious doctrinal deficiencies, but unfortunately we did not reach a consensus either on the underlying harms that trademark law should ameliorate or any fixes to the existing LOCC multi-factor test. I called on the group to come up with a consensus proposal, figuring that if our group of knowledgeable and largely like-minded academics could not come up with a consensus proposal, no one could. Sadly, we didn’t rise to that challenge.

I introduced one of the panels. The three main points I made in my introductory remarks:

1) Trademark law protects both producer and consumer interests. To the extent trademark law is protecting consumer interests, the LOCC test attempts to measure what’s going on in consumers’ heads (i.e., how the senior and junior users’ activities affect the consumers’ psychological processes). That inquiry is ultimately doomed. Consumer psychological processes are too complicated and heterogeneous for a legal test to accurately measure these effects.

2) The individual factors in the standard LOCC test are a weird mix of producer- and consumer-oriented factors. This mix of factors doesn’t make sense, which is why courts sometimes pull them apart and put them back together in interesting ways. (See the Network Automation case for a good example of remixed factors). Structurally, the LOCC test implicitly assumes that all consumers use the same search processes, but this assumption isn’t defensible. Different products have different search processes; and even for a single product, different consumer subcommunities will use different search processes.

3) Courts have developed a number of bypasses to the standard multi-factor LOCC test, especially to deal with cases involving non-competing trademark uses. Examples include initial interest confusion and post-sale confusion. However, these tests rarely improve the judge’s analysis; and as an empirical matter, I believe most courts reject the bypass tests and just go back to the standard LOCC test. For example, over the past few years, initial interest confusion gets mentioned fairly rarely in court opinions, and it has been dispositive in those cases even less frequently. I am planning to take a closer empirical look at citations to the initial interest confusion doctrine over the summer.

Having said all that, it’s my own ad hoc empirical observation that most courts reach the right result when using the LOCC test, even if the test (or the judge’s application) is flawed. The errors can be conspicuous, but most cases get to equitable results most of the time. The bigger issue are the errors in decision-making that never reach a court case, such as companies that steer away from grey areas in socially suboptimal ways or potential defendants who cave in response to a trademark owner’s C&D. (With respect to the latter, I still think a threats action may be useful).

Even so, I wonder if we could do simple things that would reduce the errors, reduce the adjudication costs, or empower potential defendants to make decisions with less uncertainty. It seemed like the LOCC test has been stretched to too many different types of TM owner-vs.-defendant factual positions. It is also conspicuous that the LOCC test is completely common law; Congress has never expressly adopted the test. Thus, I wonder if we might find it useful to statutorily adopt the test but then give explicit statutory guidance on how to apply the factors (just like the fair use test gives some explicit guidance to courts about applying the test, although we might view fair use as a cautionary tale rather than a model).

For example, we could statutorily introduce some “buckets” which give judges guidance about when to use the LOCC test or do something different. For example, I offered up the following four different buckets: (1) direct competitive uses, (2) TM uses in adjacent products, (3) merchandising/licensing, (4) everything else. In some sense, courts have already implicitly developed some different tests reflecting these different categories. For example, we have special rules for counterfeiting as a specific case under bucket #1; the courts do different things in merchandising cases; and the LOCC test works particularly poorly in bucket #4 (which is where I think the LOCC test errors are the greatest and most pernicious).

One other interesting takeaway I’ll mention here. At one point we talked about our frustration with the marketing literature that discusses trademark issues and how those papers often do not reflect a nuanced understanding of trademark law. At the same time, when we talk with marketing professors, they are baffled by how trademark law doesn’t reflect well-accepted insights in the marketing community. It seems that there could be some benefit to getting the trademark law professor and marketing professor community together to discuss how we can work together better. If you’re a marketing professor and might be interested in such an endeavor, please contact me.

Posted by Eric at 09:58 AM | Trademark | TrackBack

May 02, 2011

California's Reader Privacy Act: A First Step in a New Direction (Guest Blog Post)

By Sonya Ziaja (with comments at the end from Eric)

[Eric's note: this guest post is from Sonya Ziaja, J.D., a California attorney and co-owner of Ziaja Consulting LLC. She writes regularly for LegalMatch's Law Blog and Ziaja Consulting's blog, Shark. Laser. Blawg. I have added some of my own comments at the end.]

California's Reader Privacy Act, SB 602, recently passed through the Senate Judiciary Committee and will move to the next step in the legislative process. The bill, sponsored by Senator Yee, the ACLU, and EFF, aims to protect readers' right to privacy against unwarranted disclosure to state governments and third parties. It represents an important first step towards protecting readers' rights in the digital age; but it alone cannot achieve reader privacy.

Background

The impetus for this bill stems in part from behavioral and technological shifts in how people read. The availability and variety of data about people's reading habits is far greater when they read digital materials than with traditional printed media. The ACLU's 2010 report on digital books provides a nice summary of what information can be collected:

Digital book providers can easily track what books an individual considers, how often a given book is read, how long a given page is viewed, and even what notes are written in the "margins." As reading has moved online, it also has become much easier to link books that are browsed or read with a reader's other online activities, such as Internet searches, emails, cloud computing documents, and social networking. With all of this information, companies can create profiles about individuals, their interests and concerns, and even those of their family and friends.

Despite the dramatic increase in metadata about people’s online reading activities, current reader privacy law in California only protects personal information recorded at libraries. Earlier attempts to protect readers of digital materials from unwarranted government searches focused on self-regulation. For example, in 2009 EFF, concerned about Google's reader privacy policy, requested that Google adopt a “come back with a warrant” policy. Google refused. Self-regulation has so far has been insufficient to protect reader privacy.

Key Provisions

The Reader Privacy Act defines book providers and books inclusively. “Book providers” means any commercial entity that offers a “service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books.” A “book” is defined as

. . . paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes.

Under this definition, news articles, blogs, magazines, and potentially some websites could all be considered “books.” This would mean that “book providers” could include LexisNexis, Google Reader, Amazon and your local bookstore. (More on the expansive definition of “book provider” in a moment).

The Act would limit a book provider’s release of information it collects about readers to a third party. Essentially, the bill places stones in the river; it won’t dam it completely, but it would subtly redirect the flow.

The Act is strongest against government entities. Generally, if a request comes from a government entity, a book provider could not “knowingly disclose” personal information without a valid warrant except in cases of “imminent danger.” In addition to requiring a warrant, the Act gives guidelines for when such a warrant is legitimate. The guidelines are very similar to Colorado's Tattered Cover balancing test (Tattered Cover v. City of Thornton, 44 P. 3d 1044 (2002)), which requires that (1) the requester have a compelling need for the information sought, (2) there are no alternative means for collecting the information, and (3) the court balance the law enforcement's need for information against the constitutional rights of the user. Similarly, California's bill requires there be a compelling interest in obtaining the information, and that there be no less intrusive way to obtain the information, before a warrant can be issued. In addition, under the California bill, before a warrant can be issued, the provider must be given reasonable notice and have a chance to contest disclosure before a warrant is issued.

While government entities would need a warrant before a book provider can release personal information to them, book providers can, on their own initiative, still sell and trade personal information to data brokers and other third parties. The Act, however, does place a few hurdles in the way of third parties who seek to compel book providers to disclose information. Litigants—both government entities and private third parties—cannot compel discovery of personal information about users from book providers without a court order. The court order would be subject to similar restrictions to warrants: compelling interest, no less intrusive means, notice to the book provider, and notice to the user.

The Act requires the book provider communicate specific discovery requests it receives to users.

Book providers must also publish aggregate statistics on a publicly accessible website. Those stats must include the number of disclosure requests the book provider received and whether they complied with or contested those requests.

These are new obligations; the ACLU notes that Amazon's privacy policy as of 2010 specifically states that the company will not tell users if they have shared personal information in many circumstances. By mandating disclosure, the Act would make companies more publicly accountable for their privacy policies and compliance with the law.

Remedies & Scope

There are few penalties for violating the Act. Evidence obtained in violation of the bill would not be admissible in criminal or civil proceedings (except of course to demonstrate a violation of the Act). And book providers would be civilly liable for violating the Act, but only if they knowingly give information to a government entity.

In those cases, the user whose information was distributed can sue the book provider for up to $500 per violation. In addition, if a book provider violates the Act more than two times in six months—again, by knowingly giving personal information to a government entity—then the Attorney's General, district attorney, or city attorney can sue the provider for $500 per violation.

It is not clear from the statute what constitutes a “single” violation. As the Act is currently written, a single violation could be a data transfer of compiled information, or it could be the transfer of each individual piece of personal information in that compilation. Depending on the interpretation of the statute, transferring just 100 distinct pieces of user information in one transfer could make a book provider liable for either $500 or $50,000. If and when a case is brought under the Reader Privacy Act, this interpretation is likely to be an issue in litigation.

Interpreting what exactly a “book” is will also likely be an issue. Part of the statutory definition is that a book is “paginated or similarly organized content.” The “pagination” requirement might limit the statutory scope; but, if “similarly organized” means “information appearing in a sequential order,” then the scope of the Act is greatly increased. Given the references to “audio” books, some Internet radio stations and even services like NetFlix could be within the statute’s scope. Films, for example, are frequently organized by chapters or segments in “audio, electronic, or other format.” Similarly, some unexpected websites could hypothetically be “books.” Ted.com, for example, is a website that presents short lectures on a myriad of topics. Once a viewer has finished one lecture, links appear for what to watch next or for other lectures from the same series. In other words, there is a sequence to the lectures presented. Since the information is presented sequentially—and could be paginated if it the same lectures were transcribed into a codex form—perhaps the website is also a “book.” The effort to define “books” as separate from other types of content (for purposes of heightened protection) could trigger lots of litigation, some of it unproductive.

Websites that primarily feature written content, e.g. blogs, are more likely candidates to be covered by the Act. Blogs after all are published sequentially (by date) and some are paginated; so they very likely fulfill the first part of the statutory definition. The content in blogs is presented in electronic format, which fulfills the second part of the definition. In short, bloggers, watch out—even though the statute probably wasn’t meant to cover you, you inadvertently might be a “book provider” too.

The geographic scope of the Act of course covers websites based in California, and will include some out-of-state sites as well. A plaintiff's ability to sue an out-of-state “book provider” under the Act depends on whether the site is “active” or “passive.” Without going too deep into the rabbit hole of internet jurisdiction, generally speaking a site is “active” if it has an interactive component (including marketing). A website that sells books, for example, is likely “active.” Whereas a blog is more likely to be “passive.” If a website is “active” and establishes minimum contacts in California, it could be subject to liability under the Reader Privacy Act.

Shortcomings & Potential

The most significant limitation of the Reader Privacy Act is that the warrant requirement only applies to California state and local government entities. It does not (by its own terms) and cannot (under Article VI of the Constitution) restrict the information-gathering efforts of federal government entities. And so, for example, warrantless searches for reader information conducted by FBI cannot be covered by the Reader Privacy Act. This seriously undermines the Act’s efficacy.

In addition, the Act would not prevent book providers from compiling and using data about readers for their own benefit. It also does not prohibit providers from selling or giving personal information away to non-government entities.

This allowance could create a significant loophole in preventing government intrusion. One legal scholar describes this as the fourth-party aggregator problem,

[Fourth-party data aggregators, like Choice Point and LexisNexis] are in the business of acquiring information, not from the information's originator (first-party), nor from the information's anticipated recipient (second-party), but from the unavoidable digital intermediaries that transmit and store the information (third-parties). These fourth-party companies act with impunity as they gather information that the government wants but would be unable to collect on its own due to Fourth Amendment or statutory prohibitions.

(Joshua L. Simmons, Note: Buying You: The Government's Use of Fourth-Parties to Launder Data About “The People,” Columbia Business Law Review, Vol. 2009, No. 3, p. 950.)

In its current form, the Reader Privacy Act would not stop “fourth-party” information collectors from giving or selling the same information that the original book provider collected to government entities—but only the book provider sells or transfers the information to a fourth-party collector in the first place

If the bill remains in its current form, there may be external ways to close that loophole, though admittedly, they are scrappy. One possibility is to wait for a judicial ruling in California holding that fourth-party aggregators who turn over data to government entities are acting as agents of the government and therefore are held by the same laws that constrains government intrusion. Of course, such a decision would require a judiciable case to be brought first, and even then, the court’s decision is unpredictable.

Alternatively, one could piece together additional state or federal legislation that protects readers from companies collecting data in the first instance. For example, if the Kerry-McCain privacy bill is passed, users could opt out of data collection by the book providers. But, it would still only protect readers of digital materials who are savvy enough to know about the law and opt out.

Perhaps a more elegant way to handle the fourth-party problem, though, is to simply include fourth-party aggregators who sell or give data to government entities in the Reader Privacy Act's statutory definition of “government entity.”

How the California legislature chooses to deal with this loophole will determine the efficacy of the Reader Privacy Act. Even so, the transparency requirements of the Act, and the increased scrutiny it provides for discovery requests, makes the Act a positive step towards reader privacy protection.
___________

Eric's comments

This bill is animated by laudable concerns but ultimately flawed in its execution. Personally, I hope it doesn't pass in its current form.

The bill starts with the right premise. I find it odd when I see freak outs about "Little Brother's" use and disclosure of personal data. To me, Big Brother is far scarier, yet we rarely see new legislative initiatives to curb government surveillance powers--even though the digital age has expanded the reasons why we need additional limits on the government's power to snoop on its citizens

Reading data is an example of relatively new digital data that is overwhelmingly attractive honeypot to government snoopers. I got into this issue a bit in my Coasean Analysis of Marketing article, where I argued that we needed a new evidentiary privilege to protect our reading/browsing data (in that case, as captured in an automated technological agent trying to effectuate our consumer interests). On that basis, I enthusiastically support efforts to restrict the government's ability to learn more about my private interests.

However, this particular law has two major structural defects. First, it tries to limit its applicability to "books" as a subset of all of the information we consume. Unfortunately, books aren't easily defined, and as Sonya points out, the definition in this statute creates many ambiguous border cases. Further, in the modern era when consumers have shorter attention spans than ever, it seems archaically quaint to think that our interactions with books are more sensitive than our interactions with other types of content. The more logical move would be to treat all reading data equally rather than privileging books over the other information classes. I suspect such a broad legislative sweep would fail, but the definition of "books" doesn't work either.

Ordinarily, I would be OK with the definitional ambiguity with a statute like this. After all, the law is designed to limit the government's snooping power; if that restriction bleeds beyond books and into other content classes, that sounds like a feature, not a bug. However, this leads to my second structural problem: the private cause of action. The combination of an ambiguous scope + private enforcement = plaintiff lawyer fiesta. Let's be clear how big of a problem this is: as a blogger, I'm not sure if this statute covers me or not. However, if I were to respond to a subpoena without complying with the technical requirements, I may be betting my house. Meanwhile, if I *don't* comply with the subpoena, I might also be betting my house. Uh, trouble in either direction. NO THANK YOU.

I think the law would be much more appealing if it lacked the private cause of action. But if the drafters thought they really needed a private cause of action, they should put the liability on the real wrongdoers--the people asking for information they are not entitled to have. For example, it would be more appropriate to put the onus on the government to actually comply with its own laws when it's snooping on its citizens, rather than on the intermediaries to figure out if they are governed by this law or not.

I do want to mention one other structural issue. As a categorical matter, I oppose any state law to regulate the Internet. We have seen absolutely nothing good come from those efforts. At best, the state laws have been inconsequential; at worst, they have threatened to destabilize the Internet. (Utah's repeated screw-ups come to mind). With this particular law, the state effort might be OK if it only restricts the California government and California litigants--but that is also of limited benefit, and as usual, the drafting doesn't make its geographic restrictions clear. Separately, I have supported the Digital Due Process effort, which addresses cloud privacy (a similar issue). The DDP effort is federal and therefore would standardize practice across the nation. For that reason alone, the DDP would be more helpful than this law.

I don't feel great bashing this legislative proposal. We need more legislative efforts to protect readers' rights, and those efforts are all too rare. Nevertheless, I hope we will continue to think about better ways to accomplish this act's goals.

Posted by Eric at 01:54 PM | Privacy/Security | TrackBack

Maryland Supreme Court Rejects "Circumstantial Authentication" Standard for MySpace Evidence -- Griffin v. Maryland

[Post by Venkat Balasubramani]

Griffin v. Maryland, No. 74 (Maryland; Apr. 28, 2011)

I blogged last year about a case in Maryland where the court allowed prosecutors to authenticate a witness's MySpace page merely by accessing it from the internet, printing it out, by testifying that the page contained a photo of the witness and bore the witness's birthdate. ("MySpace Evidence: Maryland Appeals Court Allows Circumstantial Authentication.") The trial court admitted the evidence and the intermediate appeals court held that the profile could be "circumstantially authenticated," and that it was up to the jury to determine whether or not the printout depicted the MySpace page of the witness. The State's highest court* disagreed, and held that the MySpace printout was not properly authenticated, and remanded for a new trial.

Background: The defendant was convicted of murder. His first trial ended in a mistrial. At the second trial, one of the witnesses changed his testimony, and in order to explain the discrepancy in the testimony, the prosecutor argued that the defendant's girlfriend Jessica Barber "had threatened [the witness] before the first trial." In connection with this argument, the prosecution offered Ms. Barber's MySpace profile page which contained the following blurb:

FREE BOOOZY!!! JUST REMEMBER SNITCHES GET STITCHES!! U KNOW WHO YOU ARE!!

Ms. Barber was not called to authenticate the MySpace page. The prosecution instead called a police officer who testified that he visited the website on December 5, 2006, the date on the printout of the page.

The Court's Opinion: The court noted that "[a]nyone can create a MySpace profile at no cost, as long as that person has an email address and claims to be over the age of fourteen." The court also noted that there is no guarantee that the person who creates the account is actually the person who is depicted as the account-holder:

The identity of who generated the profile may be confounding, because 'a person observing the online profile of a user with whom the observer is acquainted has no idea whether the profile is legitimate.' The concern arises because anyone can create a fictitious account and masquerade under another person's name or can gain access to another's account by obtaining the user's account name and password . . . .

The possibility for user abuse also exists on MySpace, as illustrated by United States v. Drew, 259 F.R.D. 449 (D. C.D. Cal. 2009), in which Lori Drew, a mother, was prosecuted under the Computer Fraud and Abuse Act . . . for creating a MySpace profile for a fictitious 16-year old male named 'Josh Evans.' . . . .

The potential for fabricating or tampering with electronically stored information on a social networking site, thus poses significant challenges from the standpoint of authentication of printouts of the site, as in the present case.

The court states that regardless of the possibilities for abuse, authentication is still governed by general evidence principles and the applicable rules. The state argued that the photograph, personal information, and the references to the defendant "were sufficient to enable the finder of fact to believe that the pages printed from MySpace were indeed [the witness's]." The court disagrees, noting that the lower court: "failed to acknowledge the possibility or likelihood that another user could have created the profile in issue or authored the 'snitches get stitches' posting." The court held that the purportedly 'distinctive' elements put forth by the state were not sufficiently distinctive:

The potential for abuse and manipulation of a social networking site by someone other than its purported creator and/or user leads to our conclusion that a printout of an image from such a site requires a greater degree of authentication than merely identifying the date of birth of the creator and her visage in a photograph on the site in order to reflect that [the witness] was its creator and the author of the 'snitches get stitches' language.

The court looks to other cases which similarly hold that the potential for abuse with respect to social network-based evidence requires a higher standard of scrutiny for authentication. For example, in Commonwealth v. Williams, the court ruled that the admission of MySpace messages was improper because there was no evidence regarding "who had access to the MySpace page and whether another author . . . could have virtually-penned the messages . . . ."

Guidance for Authentication: The court lays out possible ways in which a party seeking to admit profile evidence could go about authenticating it. One option would be "to ask the purported creator if she indeed created the profile and also if she added the posting in question." As I noted in my earlier post about this case, the state inexplicably failed to do this in this case. A second option is to "search the computer of the person who allegedly created the profile . . . to determine whether that computer was used to originate the social networking profile and posting in question." This is fairly invasive, particularly if the profile or message in question is from a witness rather than from the party. The third method is to obtain information "directly from the social networking website that links the establishment of the profile to the person who allegedly created it and also links the posting sought to be introduced to the person who initiated it."

The Dissent: Two dissenting judges accuse the majority of having a case of the "technological heebie-jeebies," and note that the key question is whether a "reasonable juror" could conclude that the evidence in question was authentic. In other cases where the authenticity of a piece of evidence is disputed, the typical practice is to let the jury make the call, unless the court concludes that "no reasonable juror" could find the evidence authentic. The dissenting judges fault the majority for not following the same practice in this case.
__

The court's conclusion highlights two interesting points. First, there is little guarantee that a particular profile may turn out to be authentic. It is frighteningly easy for someone to create a profile in another person's name. People litter the internet with their "distinctive attributes," and it's equally easy for someone to create a profile in another person's name which contains purported "unique attributes" of that other person.

Another point which the court touches on but does not delve into is the fact that even if there is some assurance that the particular profile belongs to the witness in question, there is not always a guarantee that the statement on the site was made by the witness. The statement on a person's social networking profile could be made by a third party, and it would be difficult to discern this from a printout. Whether a third party could post a statement to a person's social networking profile would depend on the network in question, and the person's own privacy settings. As we all know, the average person is not necessarily tuned in to the nuances of the privacy settings of various social networking sites. Given all of this, it makes sense to set a fairly high bar for admission of this type of evidence. (Interestingly, the court distinguishes between authentication of social networking evidence and authentication of "e-mails, instant messaging correspondence, and text messages." According to the court, this type of evidence differs significantly because it is "sent directly from one party to an intended recipient or recipients, rather than published for all to see.")

Previous post: "MySpace Evidence: Maryland Appeals Court Allows Circumstantial Authentication"

* The state's highest court is called "Court of Appeals of Maryland" for some reason.

Posted by Venkat at 07:15 AM | Evidence/Discovery

Search

Categories

Archives

Recent Entries

May 31, 2011

April-May 2011 Quick Links, Part 2 (Copyright Edition)

May 30, 2011

April-May 2011 Quick Links, Part 1 (Trademarks and Advertising Edition)

May 27, 2011

Review Website Should Get 47 USC 230 Dismissal But Judge Keeps Case Open in "Abundance of Caution"--Frontier Van Lines v. MoverReviews.com

May 26, 2011

Online Insurance Application Constitutes “Writing” for Purposes of Waiving Insurance Coverage for Medical Benefits--Barwick v. GEICO

Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia

Cyberbullying and Restorative Justice [a Long-Delayed Post on DC v. RR]

May 25, 2011

Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan

May 24, 2011

Keyword Advertising and Domain Name Law Slides

Copyright and Tattoos: Hangover II Injunction Denied, But the Copyright Owner Got Some Good News Too--Whitmill v. Warner Bros. (Guest Blog Post)

May 23, 2011

College Course Description Aggregator Loses First Round in Fight Against Competitor in Scraping Case -- CollegeSource v. AcademyOne

May 22, 2011

Dentist Pays Sizable Penalty for Not Knowing 47 USC 230--Wong v. Jing

May 21, 2011

Another Unhappy Facebook User's Lawsuit Tossed--Kamango v. Facebook

Massachusetts Supreme Court Finds Email Sufficiently Authenticated Based on Surrounding Evidence -- Commonwealth v. Purdy

May 20, 2011

Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward -- Robins v. Spokeo

Another Ruling that the Americans with Disabilities Act Doesn't Apply to Websites--Ouellette v. Viacom

May 19, 2011

Facebook User Loses Lawsuit Over Account Termination--Young v. Facebook

Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson

May 18, 2011

No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI

Thoughts on the Lawsuit Over the @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

May 15, 2011

Quityerbitchin: Relative Search Results Placement Doesn't Support Trademark Injunction--Bitchen Kitchen v. Bitchin' Kitchen

May 13, 2011

Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation

May 12, 2011

Judge Refuses to Block Seattle's Yellow Pages Opt-out Law -- Dex Media v. Seattle

May 11, 2011

47 USC 230 and Message Board Cases

May 10, 2011

Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic

The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches

May 06, 2011

Two Recent Social Media Defendants Avoid Personal Jurisdiction

May 05, 2011

Court Finds Webloyalty Rewards Program Disclaimers Sufficient to Defeat Misrepresentation Claims -- Berry v. Webloyalty

Student Loses First Amendment Fight To Call School Officials “Douchebags” After Four Years Of Litigation--Doninger v. Niehoff (Guest Blog Post)

May 04, 2011

9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal

Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media

May 03, 2011

Another Defense-Favorable Righthaven Ruling--Righthaven v. Choudhry

Ruminations on the Likelihood of Consumer Confusion Standard in Trademark Law

May 02, 2011

California's Reader Privacy Act: A First Step in a New Direction (Guest Blog Post)

Maryland Supreme Court Rejects "Circumstantial Authentication" Standard for MySpace Evidence -- Griffin v. Maryland