Home

Biography

Tech & Marketing Blog

Goldman's Observations Blog

Writings

Presentations          

Classes

Resources

Contact


 

 
Technology & Marketing Law Blog

« November 2011 | Main | January 2012 »

December 29, 2011

Ripoff Report May Be "Appalling," But It Still Gets 47 USC 230 Immunity--Giordano v. Romeo

By Eric Goldman

Giordano v. Romeo, 2011 WL 6782933 (Fla. App. Ct. Dec. 28, 2011). [Disclosure note: I joined an amicus brief in support of Ripoff Report's position, written by Paul Levy of Public Citizen]

One sign of a good judge--a judge who can set aside his/her personal feelings to uphold the law when it conflicts. We got one of those rulings in this case. The judge condemns Ripoff Report using some of the harshest language I've seen in a judicial opinion in a while:

The business practices of Xcentric, as presented by the evidence before this Court, are appalling. Xcentric appears to pride itself on having created a forum for defamation. No checks are in place to ensure that only reliable information is publicized. Xcentric retains no general counsel to determine whether its users are availing themselves of its services for the purpose of tortious or illegal conduct. Even when, as here, a user regrets what she has posted and takes every effort to retract it, Xcentric refuses to allow it. Moreover, Xcentric insists in its brief that its policy is never to remove a post. It will not entertain any scenario in which, despite the clear damage that a defamatory or illegal post would continue to cause so long as it remains on the website, Xcentric would remove an offending post. [footnote omitted]

I needed asbestos glasses just to read that.

[As a factual note, Ripoff Report has hedged its "we never remove posts" stance, and it does offer its Corporate Advocacy Program which the court acknowledges in a footnote and a separate arbitration system that the court doesn't note.]

Despite the stinging rebuke of Ripoff Report's basic enterprise, the judge concludes: "However much as this Court may disapprove of business practices like those embraced by Xcentric, the law on this issue is clear. Xcentric enjoys complete immunity from any action brought against it as a result of the postings of third party users of its website."

So true.

Some quick background. In the wake of the Seventh Circuit's Blockowicz ruling, which said that Ripoff Report couldn't be forced to remove a third party post under FRCP 65, a Florida state court judge went off the rails in a similar case. That judge held that 47 USC 230 did not prevent the judge from ordering Ripoff Report to remove the user post. This was a rogue ruling by a judge who clearly wasn't interested in what the law actually said. In an interesting turn, that judge wasn't reelected (the voters apparently got it right on that one!) and the case transferred to a new trial judge, who promptly reversed the ruling and upheld Ripoff Report's 230 immunity.

On appeal, the intermediate appellate court upheld the second trial judge's ruling in a short (and, as you can see, sharp) ruling. In 2001, the Florida Supreme Court, in Doe v. AOL, adopted a broad reading of 230 as Florida law, and this court sees that ruling as dispositive: "Consequently, under Florida law, section 230 of the CDA 'creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service.'"

I continue to be skeptical of Ripoff Report's business model (I'll explain more in my forthcoming post on Ascentive v. PissedConsumer), and I continue to have reservations that inaccurate information can remain on the Internet even if judges say it's inaccurate. However, I am even more troubled by judges who simply choose to ignore 47 USC 230, so I'm glad to see the appellate court got to the right result.

UPDATE: Paul Levy comments on the ruling.

Posted by Eric at 09:02 AM | Derivative Liability | TrackBack

December 28, 2011

Why Are Korean Copyright Owners Suing an Australian Infringer in San Jose, California?

By Eric Goldman

DFSB Kollective Co., Ltd. v. Tran, 2011 WL 6730678 (N.D. Cal. Dec. 21, 2011)

In light of SOPA, I am paying closer attention to transborder copyright and trademark enforcement actions. After all, SOPA is designed to redress foreign rogue websites, so the results being obtained in court today are highly relevant to the policy debates. As we've previously shown, a lot of SOPA remedies are already being awarded by judges--for better or worse (mostly the latter)--and some of those rulings are raising some of the same due process concerns we have about SOPA.

Today's ruling baffles me, and I'm hoping you'll help me understand the case and the issues. The plaintiffs own copyrights in Korean pop music and are based in Seoul. The defendant is Kenny Tran, who runs ihoneyjoo.com and ihoneydew.com (both offline--more on that later) and is peripatetic on social media. Tran allegedly posted infringing music files and album covers to cyberlockers and other sites and then linked to the uploads from his social media accounts. The plaintiffs claim Tran is "one of the biggest illegal uploaders (and free download link providers) of Korean music in the world" and his site generated more traffic than the top 3 legitimate Korean music sites combined. (If true, this crucial information about consumer behavior made me think of this meme). Tran allegedly profited from his actions by showing ads and soliciting PayPal donations.

The plaintiffs claim they repeatedly sent takedown notices to Tran's service providers, but Tran allegedly evaded enforcement by opening new accounts or switching vendors. So they sued Tran in San Jose, California, where they happened to draw Judge Koh, the only federal district court judge of Korean descent. They claim to have served him in Australia, but Tran hasn't responded to the lawsuit at all.

As usual in default judgments, the judge basically rubber-stamps the plaintiffs' arguments. She finds personal jurisdiction over Tran, a result that's become almost pro forma in copyright infringement cases (see the multiple Righthaven jurisdictional wins). As for Tran's ties to California, Judge Koh says:

it appears as though Defendant has specifically used several California companies to further his scheme of perpetrating illegal downloads. Tran uses California companies Facebook, Twitter, and YouTube to promote the websites he operates, and to allow users access to the pirated copies of the copyrighted music and artwork. Additionally, it appears as though Defendant uses a privacy service located in California to shield his identity....In light of the nature of the websites run by Defendant, it appears that Defendant's activities are expressly aimed at California.

Similarly, with respect to how Tran caused harm in California, the opinion says:

Tran relied on several California companies to further his scheme of providing copyrighted music to a world-wide audience of users. Additionally, given the evidence provided by Plaintiffs of the reach of Defendant's activities, Tran likely knew that harm—in the form of distribution and download of copyright protected material—would be suffered in the forum state.

Completely missing from this discussion is how the plaintiffs suffered any harm in California or, for that matter, had any ties themselves to California. The opinion offers nothing on that point, leaving open the possibility that the plaintiffs are engaged in strategic forum-shopping. The opinion also does some serious arm-waving about the other factors in the personal jurisdiction tests that evaluate the forum's appropriateness--because the plaintiffs apparently didn't provide anything to show their interest in California, the opinion just says a lot of factors are "neutral" when in fact she's working with no information at all. This is typical of default judgments; we usually wouldn't see such corner-cutting in an adversarial proceeding. Similarly, the conclusion that using Twitter or Facebook makes defendants subject to California jurisdiction would not survive properly adversarial proceedings.

The opinion finds direct copyright infringement of 11 albums/129 songs. It also finds contributory copyright infringement, although it never says who the direct infringer is given that Tran allegedly uploaded the files himself (the failure to identify a direct infringer in a contributory copyright infringement analysis is a common error on my Internet Law exam, a mistake that my students usually regret when they get their grade). The opinion punts on the inducement question, saying "there is some doubt as to whether [inducement] is a separate cause of action or more properly considered a species of contributory infringement."

Based on the copyright infringement, Judge Koh approves $5k statutory damages per infringement, for a total of $645k. She also grants the following injunction:

Defendant Kenny Tran, and his officers, agents, servants, employees, and attorneys, are permanently enjoined from copying, displaying, or distributing Plaintiffs' works without permission, and from providing internet links or instructions enabling others to access infringing copies of Plaintiffs' works.

In light of recent injunctions involving foreign rogue websites, this injunction is quite restrained.

This ruling leaves open the big unanswered question: why the plaintiffs didn't sue Tran in Australia? If they really wanted to shut him down, they are more likely to get the desired enforceability from an Australian court.

One possibility is that the plaintiffs knew Tran would default in a US action but feared he would fight in Australia, so suing in San Jose was a quick way to get a default judgment. But is the default judgment actually worth more than the paper it's printed on? I assume they will have some difficulty enforcing their damages award and even more difficulty enforcing the injunction given Tran is in Australia. If Tran breaches the injunction and is held in contempt by a US court, then what? Getting a quick but unenforceable win seems like an odd move.

Another possibility is that the plaintiffs will use the ruling to cut off Tran from US service providers, like kicking Tran off Facebook, Twitter, etc. Interestingly, the injunction doesn't specifically reference any remedies against these third-party service providers, unlike some of the other troubling rogue website enforcements we've blogged about recently. Furthermore, many of those service providers already are willing to kick Tran off as a repeat infringer, but they won't set up the screens required to proactively prevent Tran from setting up new accounts, so I don't see how this injunction helps.

Nevertheless, Tran's two domain names are already down. Did the domain hosts cut off the domain names only because of this ruling? Or would they have done the same with an Australian ruling of infringement? Or, especially in the case of GoDaddy, merely at the copyright owner's request without any judicial adjudication at all?

A third possibility is that the plaintiffs had copyright registrations in the United States but didn't have the requisite copyright standing in Australia. I haven't researched this, but it seems doubtful.

As you can see, I have a lot of questions about this case and not a lot of answers. I'd welcome your thoughts about what's going on here and what it might mean. (As usual, let me know if it's OK to post your email to the blog).

One thing I do know: our judicial system depends on adversarial proceedings, and it frequently breaks down quickly when judges are asked to make rulings based on hearing only one side of the story. In this case, Judge Koh--a shining light in our federal judiciary who normally issues rock-solid opinions--totally sidestepped a deeper inquiry into the plaintiffs' interests in California. I can't imagine she missed this glaring hole in the plaintiffs' case (the opinion unmistakably arm-waves on the factors that would prompt that inquiry), so perhaps she just wanted to quickly move this uncontentious case off her docket. However we get there, it's clear that judges won't aggressively protect defendants in default judgments on their own accord without any help from defendants. Any legislative solution that relies on ex parte or non-adversarial proceedings before a judge superficially appears to bake in due process but instead will suffer the same defect, even when we have great federal judges who try to do the right thing. This has a lot of implications for SOPA, but it's also relevant to OPEN.

For more on the case, see Mike Masnick's post.

UPDATE: Leanne O'Donnell, an Australian IP lawyer, emailed me some comments:

1) Australian federal court will not enforce the California judgment (see Sec. 5(1) of the Foreign Judgments Act; the United States doesn't get reciprocity).

[Further update: Leanne subsequently qualified that the copyright owners could seek common law enforcement of the California judgment even if they can't take advantage of the Foreign Judgments Act, but it's more expensive and complicated. See, e.g., Stern v National Australia Bank at 133. It's also subject to public policy limits.]

2) She speculated on the reasons why the copyright owners didn't sue in Australia, including the lack of statutory damages in Australian copyright law and potential issues with the injunction. She pointed to Cooper v Universal Music [2006] FCAFC 187 as a case that discusses relevant topics. The Roadshow v. iiNet case, currently on appeal, is also possibly relevant.

3) I asked her about any potential issues with extraterritorial downloads, as we saw in the Shropshire case. She replied: "If the claim for infringement against Tran was for both primary infringement and authorisation he could be found to have infringed copyright in Australia if the plaintiffs could establish that Australians (primary infringers) downloaded songs from his site." If Tran was really running the largest Korean music site on the Web, proving Australian downloads seems plausible.

Posted by Eric at 12:34 PM | Copyright | TrackBack

Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh

[Post by Venkat Balasubramani]

Eagle v. Morgan, 11-4303 (E.D. Pa.; Dec. 22, 2011)

Background: Dr. Linda Eagle, who holds a Ph.D. in communication and psychology, teamed up with Clifford Brody and founded Edcomm. They were later joined by Davi Shapp. Eagle maintains a reputation in the field of “banking training,” and has “cultivated relationships with thousands of individuals and organizations.” In October 2010, Sawabeh Information Services entered into an agreement with Eagle, Brody, and Shapp to purchase Edcomm. Sawabeh proposed to retain the three as executives, but abruptly terminated them in June 2011. This prompted a flurry of litigation.

The Lawsuits: Eagle sued the principal of Sawabeh and others working in concert with them (in Pennsylvania), alleging that defendants improperly accessed and continued to use Eagle’s LinkedIn account. Defendants turned around and asserted counterclaims, alleging that Eagle misappropriated a telephone number that had been assigned to Edcomm and improperly caused AT&T to transfer this number to Eagle personally. Defendants also asserted that Eagle misappropriated a laptop, as well as the LinkedIn “connections” associated with Eagle’s LinkedIn account (which defendants allege was maintained by Edcomm for the Edcomm's benefit).

In a separate lawsuit (in the Southern District of New York), Sawabeh asserted securities fraud and breach of contract claims against Eagle, Brody, and Shapp, alleging that the principals failed to disclose Edcomm’s obligation to make a substantial severance payment to Brody, and further failed to disclose that Edcomm transferred all of its IP to Brody in an earlier transaction. In this lawsuit, the court recently denied a motion to dismiss brought by defendants. (Sawabeh v. Brody, et al., 11-civ-4164 (S.D.N.Y.; Dec. 16, 2011).) [For some unknown reason, the courts don't seem to have a problem with the maintenance of two separate lawsuits arising out of the same transaction. I would have thought that consolidation was a no-brainer here.]

The parties have widely divergent views on the background facts, so it's hard to assess the viability of the claims. For example, Edcomm alleges that it created and maintained LinkedIn accounts for its employees, and as a matter of policy, employees were expected to turn over their LinkedIn accounts when they left Edcomm. Eagle disagrees, but also has to contend with a very unhelpful fact: Eagle committed the ultimate no-no and provided her LinkedIn password to someone at Edcomm.

(For what it’s worth, this looks like the account in question. The court entered a TRO prohibiting defendants from accessing the LinkedIn account. The order expired of its own accord, and none of the filings in the docket reflect any additional action by the parties with respect to this issue. Although it’s hard to tell, judging from the account, it looks like Eagle continues to use the account and defendants likely agreed to not interfere with this usage.)

Motion for Judgment on the Pleadings as to the Counterclaims:

Computer Fraud and Abuse Act: The CFAA claim was premised on Eagle’s alleged improper access of Edcomm’s AT&T account and misappropriation of Edcomm’s number. The claim is somewhat strange in that it doesn’t really identify what computer Eagle gained “unauthorized access” to. The court seizes on this and says that, in simpler terms, the counterclaims allege Eagle walked into an AT&T store and convinced AT&T to transfer Edcomm’s number to her--this does not involve the "access" of any computers. Along the way, the court also tackles the issue of whether Edcomm sufficiently alleges damages, and whether Eagle’s access was truly “without authorization” because she was once an employee of Edcomm and ostensibly had authorization to access the account. As to damages, the court says that Edcomm’s allegation that it suffered loss of business relationships as a result of Eagle’s transfer of the number does not count towards the jurisdictional threshold (“Nothing in these allegations avers any loss related to the impairment or damage to a computer or computer system, any remedial costs of investigating or repairing computer damage, or costs incurred while the computers were inoperable.").

Trade Secrets: The trade secret claim had a fatal weakness in that it was premised on information that obviously was not a trade secret: (1) the AT&T account information, and (2) the identities of clients and instructors. Eagle persuasively argued that Edcomm’s website disclosed the identity of more than 1,000 clients and the instructor identities were publicly available on their LinkedIn profiles. The court also says that the AT&T account information could not be a trade secret because it doesn’t have any “independent economic value” that would be of use to competitors. The arguably valuable asset in question is the telephone number, and there’s nothing secret about this.

Conversion: The conversion claim was premised on Eagle’s retention of a laptop allegedly belonging to Edcomm. The court allows this claim to proceed.

Misappropriation: The misappropriation claim can either be misappropriation of a trade secret or misappropriation of an “idea.” The court says that the misappropriation based on trade secrets must fail based on the court’s conclusion that Edcomm failed to specify any protectable trade secrets. The court however declines to dismiss the “misappropriation of an idea” claim. The parties had conflicting allegations as to whose investment generated the content on the LinkedIn account. Given these conflicting allegations, the court declines to grant judgment on the pleadings on the misappropriation claim.

Tortious Interference: The court dismisses the remaining claims. Edcomm asserted that Eagle interfered with the contract between AT&T and Edcomm, but the court says that Edcomm failed to adequately allege specific intent and damages. Eagle cared about the number, and the contractual relationship between AT&T and Edcomm was incidental to the number (it's unclear this was terminated anyway). Edcomm also argued that Eagle interfered with relationships with prospective clients, but the court dismisses this claim on the basis that Edcomm’s allegations were speculative. Edcomm failed to point to “one potential contract that would . . . have materialized” absent Eagle’s alleged interference. (The court declines to dismiss an unfair competition claim but this claim piggybacks on the misappropriation claim.)
__

The dispute raises interesting issues, and as with PhoneDog, OMGFacts, and Maremont cases, illustrate the difficulty of neatly categorizing social networking accounts and the goodwill in those accounts. The obvious question is whether the parties had an agreement addressing Eagle’s competitive efforts and use of her contacts. Judging by the fact that the parties did not mention any contractual terms, it’s fair to say that there was no written agreement dealing with Eagle’s competitive activities. This is somewhat surprising, given that Edcomm was acquired, and to the extent the the key assets in the acquisition were human resources, the parties should have had an agreement in place addressing Eagle's post-acquisition competitive activities.

It looks like the vagaries of Pennsylvania law may have made it harder to bring a conversion claim based on the phone number (the court footnotes that conversion claims are limited to tangible personal property), but at least one court has held that phone numbers can be subject to conversion claims. (Can a Telephone Number Be the Subject of a Conversion Claim?, discussing Staton Holdings, Inc. v. First Data Corp, 2010 U.S. Dist. LEXIS 48688 (N.D. Tex. May 11, 2010).) Given the current rules on phone number portability, to the extent they are freely transferable, it seems like phone numbers are increasingly similar to domain names, which can form the basis of conversion claims.

The fight over the LinkedIn account was probably the most interesting, but there is little discussion about the fact that LinkedIn terms restrict usage of log-in credentials to the person who created the account. (Eagle's sharing, and Edcomm's access likley violated LinkedIn's terms, as a technical matter.) Also, LinkedIn distinguishes between “company accounts” and “personal accounts.” Personal accounts seem by design to be akin to resumes, and while it makes sense for someone to be restricted from exploiting their contacts for competitive purposes, the personal accounts don’t lend themselves to use by the company. Neither the court nor the parties focuses on this. As an afterthought, my instinct is that parties are often misdirecting their energies with fights over “who owns contacts.” Contacts are personal, and particularly in the social networking context, I would think it would be difficult for one person to take advantage of another person’s contacts. I could see Edcomm sending out a spam message to Eagle’s LinkedIn contacts, announcing that Eagle is no longer with the company and prospective customers should contact Edcomm directly, but apart from this, is it really realistic for Edcomm to continue to exploit Eagle’s contacts?

Although it's tough to say since the case is at the initial stages, the lawsuit in Pennsylvania seems like a small part of the overall dispute, which includes the litigation in the Southern District of New York. In the Southern District case, Sawbeh alleges fraud on the part of Eagle and her cohorts; if the fraud and misrepresentation claims are successful, they will likely dwarf the effect of the battle over the LinkedIn contacts and phone number. Any victory that is achieved in the Pennsylvania litigation may turn out to be pyrrhic, depending on how the New York litigation pans out.

Posted by Venkat at 10:52 AM | Licensing/Contracts , Trade Secrets , Trespass to Chattels

December 27, 2011

UMG v. Shelter Capital: A Cautionary Tale of Rightsowner Overzealousness

By Eric Goldman

UMG Recordings, Inc. v. Shelter Capital Partners LLC, 2011 WL 6357788 (9th Cir. Dec. 20, 2011). My prior blog posts on district court rulings on Veoh’s 512(c) safe harbor and attorneys’ fees/Rule 68.

Make no mistake, web hosts and their investors got a major 512(c) victory in this ruling. The Ninth Circuit, building on its favorable but convoluted ruling in Perfect 10 v. ccBill, wrote a decisive and clear (well, as clear as the 9th Circuit gets...) opinion interpreting the crucial 512(c) safe harbor. This opinion is so comparatively lucid that I plan to substitute it into my Internet Law reader next Fall as a replacement for the Io v. Veoh and Viacom v. YouTube district court rulings.

But also make no mistake: this case reminds us why we need to strike a fair balance between rightsowners and technology providers, or else our system will break down. This case's real result is that Veoh is legal, but Veoh is dead—killed by rightsowner lawfare that bled it dry. Meanwhile, rightsowners wrongly assessed the legality of Veoh, but the worst consequence they suffered was overpaying their lawyers. Indeed, UMG isn’t liable under 17 USC 512(f) for sending bogus takedown notices because they never sent any notices at all., nor is UMG liable for Veoh's attorneys’ fees. UMG’s decision-makers walk away from this car crash, muttering under their breath that the Ninth Circuit misunderstood their brilliant legal arguments, but they still get to go to their cushy jobs tomorrow. The same can’t be said for Veoh, even though it "won." Veoh’s employees? On the street. Veoh’s investors? SOL. Veoh’s community? Kicked to the curb.

This case outcome—Veoh is legal, but Veoh is dead—highlights one of the many reasons why so many people are so opposed to SOPA/PROTECT-IP. Those proposals don’t make rightsowners fully internalize the cost of their actions, such as the economic losses suffered by erroneously accused targets. Of course rightsowners will overclaim when there's no real downside to doing so; that’s just human nature. (And please, I don’t want to hear any BS that rightsowners will never get it wrong. See, e.g., Viacom v. YouTube). Without proper calibration, rightsowner overclaiming threatens to wreck the entire Internet ecosystem.

A partial fix to SOPA/PROTECT-IP would make rightsowners bear the cost of their overclaiming. Make them put up a $1 billion bond for the privilege of sending cutoff notices; and pay liberally out of that bond if the rightsowners get the law or facts wrong. Write checks to the investors and employees whose economic expectations are disrupted when rightsowners get it wrong. Write checks to the payment service providers and ad networks who turn down money from legally legit businesses based solely on rightsowner accusations. Heck, write checks to the users of those legit services who are treated as inconsequential pawns in this chess match. Sure, a $1B bond obligation with liberal payouts would turn cutoff notices into a sport of kings that only the richest rightsowners could afford, but perhaps that’s the way it should be. A rightsowner's decision to send a cutoff notice should be a Big Deal, the equivalent of going to Defcon 5, and not like sending holiday cards to distant relatives you last saw at Ethan's bar mitzvah.

Unless (until?) Congress wrecks the Internet with SOPA/PROTECT-IP, 17 USC 512(c) still matters a lot to the Internet ecosystem, and this ruling has a lot of good news for web hosts. It’s a long opinion, as 512 opinions usually are. Some highlights:

* Since its passage, 512(c) has had a crucial ambiguity: did it provide a safe harbor for all three flavors of infringement (direct, contributory, vicarious) or just direct infringement? The legislative history was clear that the safe harbor applied to all three flavors, but the literal text of the statute seemed, by its very terms, to exclude contributory and vicarious infringement. Remarkably, most 512(c) cases sidestepped this fundamental interpretive issue. In contrast, this case confronts it head-on and, perhaps for the first time in an appellate ruling, indicates that 512(c) applies to all three flavors of infringement. For example, the court says:

Given Congress’ explicit intention to protect qualifying service providers who would otherwise be subject to vicarious liability, it would be puzzling for Congress to make § 512(c) entirely coextensive with the vicarious liability requirements, which would effectively exclude all vicarious liability claims from the § 512(c) safe harbor….Although in some cases service providers subject to vicarious liability will be excluded from the § 512(c) safe harbor, in others they will not.

To achieve this outcome, the Ninth Circuit says that “right and ability to control”—language that appears in both the standard test for vicarious copyright infringement and as an exclusion to 512(c)’s availability—means different things in those contexts. I presume the same applies to “direct financial interest,” though that didn’t come up here. Notice this is a result only lawyers could love: the exact same words have different meanings depending on whether they are in the plaintiff’s prima facie case or in the defendant’s affirmative defense.

The good news is that the opinion reads “right and ability to control” as dependent on knowing of specific problems that need to be remediated, like the Viacom v. YouTube opinion did:

a service provider must be aware of specific infringing material to have the ability to control that infringing activity within the meaning of § 512(c)(1)(B). Only then would its failure to exercise its ability to control deny it a safe harbor….A service provider’s general right and ability to remove materials from its services is, alone, insufficient. Of course, a service provider cannot willfully bury its head in the sand to avoid obtaining such specific knowledge.

Unfortunately, the last sentence reminds me a little of the gratuitous dicta in Tiffany v. eBay about "willful blindness," which trademark plaintiffs have already started to mine. Trying to scrounge for any angle, I'm sure copyright plaintiffs will start digging around for evidence that service providers buried their head in the sand, making the most tendentious interpretations of fact that aren't damning in the least.

* UMG argued that 512(c) only provided a safe harbor for personal cloud storage. Under this reading, the moment a file stored in the cloud was available to third parties, 512(c) dropped away. The court brushed away UMG’s argument, and I can’t believe UMG thought it was worth pressing. The argument made no sense historically (no one was offering personal cloud storage lockers when the DMCA was passed), it contravened numerous provisions in the statute that clearly suggested otherwise, it would have conflicted with a long list of precedent cases that applied 512(c) to public hosting, and it’s almost impossible to construct a fact pattern where a user uploading to a personal cloud locker commits copyright infringement (or that a copyright owner would learn about this storage sufficient to send a 512(c)(3) notice specifying the file’s location).

As a corollary, 512(c) applies even if the service provider slices-and-dices the user-submitted file, such as transcoding the file and extracting metadata. This is consistent with earlier 512(c) cases, but now it’s Ninth Circuit law.

* The court rejects UMG’s many arguments that Veoh had impermissible scienter. UMG’s hubris was insane. For example, UMG argued that Veoh hosted music videos, and that because it didn’t have licenses to the music, its general knowledge categorically disqualifies Veoh from 512(c). The court shreds UMG’s argument, noting that Veoh did have direct arrangements with music video producers, and UMG’s argument (if you host music, you must know you’re infringing) would negate the entire 512(c) safe harbor. Instead, the court emphasizes the importance of the notice-and-takedown scheme in 512(c) because “Copyright holders know precisely what materials they own, and are thus better able to efficiently identify infringing copies than service providers like Veoh, who cannot readily ascertain what material is copyrighted and what is not.” Thus, the court “hold[s] that merely hosting a category of copyrightable content, such as music videos, with the general knowledge that one’s services could be used to share infringing material, is insufficient to meet the actual knowledge requirement.” Nor can such knowledge count as a “red flag.”

The court isn’t any more impressed with UMG’s argument that Veoh bought Google Adwords keyed to the names of UMG artists like 50 Cent, Avril Lavigne and Britney Spears. The court responds:

50 Cent, Avril Lavigne and Britney Spears are also affiliated with Sony-BMG, which gave Veoh permission to stream its videos by these artists. Furthermore, even if Veoh had not had such permission, we recognize that companies sometimes purchase search terms they believe will lead potential customers to their websites even if the terms do not describe goods or services the company actually provides. For example, a sunglass company might buy the search terms “sunscreen” or “vacation” because it believed that people interested in such searches would often also be interested in sunglasses. Accordingly, Veoh’s search term purchases do little to demonstrate that it knew it hosted infringing material.

I wouldn't rely on the Ninth Circuit for SEM advice, but did the court really say that a site can buy the keyword “Britney Spears” to reach teeny-boppers, even if the site doesn’t offer any Britney Spears music? Hmm...

The court also rejects UMG’s argument that takedown notices from the RIAA should have prompted Veoh to go find additional videos from the same artists mentioned in the takedown notices. As ccBill said, service providers don’t have that affirmative investigatory duty; it remains solely on copyright owners’ shoulders.

Finally, the court rejects UMG’s efforts to dig up old newspaper quotes from Veoh executives acknowledging that their site contained infringing material. The court appropriately notes that 512(c) assumes UGC sites will contain some infringing items. That’s why copyright owners should send takedown notices, and why they shouldn't bitch if they don’t.

One sour note: The court says that a user-submitted complaint that he’d seen infringing content on the site, and fingering a specific other user, could constitute a "red flag of infringement" even if the user complaint didn’t constitute a 512(c)(3) notice. UMG didn't make any progress here based on the specific facts, but unfortunately the Ninth Circuit opened up the door for copyright owners looking for notifications from non-copyright owners that the copyright owners can turn into red flags. Of course they are going to find such notices; what UGC site hasn’t gotten dragged into intra-user disputes? Unfortunately, 512(c) discovery is already ridiculously expensive, and hunts for needles in the haystack like this only add to everyone’s costs—with almost no payoff because sites should be free to ignore user gripes (non-512(c)(3) notices) in their considered judgments. Until the Ninth Circuit fixes this in a future opinion, this sloppy discussion means UGC sites must address non-512(c)(3) gripes about potential copyright infringement at peril of being accused of having red flags of infringement. This isn’t what Congress intended, so it’s a bummer the otherwise-solid opinion went off the rails here.

* The ruling absolved Veoh’s investors of liability. In a footnote, the court recognizes the importance of keeping investors free of liability, especially when the site actually qualifies for the 512(c) safe harbor:

Congress was no doubt well aware that service providers can make the desired investment only if they receive funding from investors like the Investor Defendants. Although we do not decide the matter today, were we to hold that Veoh was protected, but its investors were not, investors might hesitate to provide the necessary funding to companies like Veoh, and Congress’ purpose in passing the DMCA would be undermined.

The court says that UMG isn’t arguing that funding a venture is enough to create liability; the investors must be involved with the business operations. The court tries not to overrule one of the Napster district court rulings regarding investor liability by saying that, in the Napster case, only one investor (Bertlesmann) was involved with Napster. So long as there are more than 1 investor—and frankly, when won’t that be the case?—each individual investor can’t have sufficient control to trigger liability. In response, UMG tried to argue that Veoh had three outside board members from investors and they collectively controlled the board, but the court said UMG didn’t adequately allege that they were in cahoots with each other.

It would have been so much better if the court had just rejected investor liability outright rather than nose-counting board seats and agreements among board members. Expect copyright owners to impose discovery heck on investors, looking for any evidence that smacks of coordinated efforts among them, and expect rightsowners to make mountains out of molehills like stockholders’ agreements. Nevertheless, the Ninth Circuit opinion has enough language to raise the bar on investor lawsuits that district courts should toss these efforts on summary judgment (the needle-in-haystack discovery hunts are going to make motions to dismiss hard). Let’s hope the district courts set the bar high enough that copyright owners eventually get discouraged in pursuing investors.

* The ruling basically eliminates FRCP 68 for copyright cases (and presumably any other statutes that have express fee-shifting provisions). Rule 68 says that if a defendants offers a jdugment, is refused, but then achieves final results better than the settlement offer, the plaintiff must pay all attorneys’ fees after the offer. The idea is to motivate plaintiffs to accept fair settlement proposals—they have to be so confident they’ll do better the settlement offer because they have to pay off the defendant if they are wrong. Rule 68 provides a useful tool from a game theory standpoint, but the court eviscerates it for copyright cases. The court says that Rule 68 offers can pay off only if the judge chooses to award attorneys’ fees under 17 USC 505. No 505 fee shift, no Rule 68 fee shift. But, why is Rule 68 needed if the judge has to make a 505 fee award anyway? This makes no sense. Rebecca discusses this issue in more detail.

I know a lot of folks are interested in how this case affects Viacom v. YouTube. The news is all good for Google. First, until the Second Circuit issues its opinion, this opinion is the new high water mark for 512(c) cases; and it is the governing law of the Ninth Circuit. Second, I imagine the Second Circuit panel will take a look at this opinion, and they may choose to defer to it. The opinion isn’t airtight analytically, but it’s persuasive enough. Third, in the unlikely situation that Google loses in the Second Circuit, this opinion sets up the possibility of a bona fide circuit split that might open the door for a Supreme Court appeal.

Other coverage of the case:

* Techdirt
* Rebecca (focusing on Rule 68)
* EFF
* Michael Barclay

Posted by Eric at 08:19 AM | Copyright , Derivative Liability | TrackBack

December 26, 2011

Infringing Download Without Further Infringement Only Supports Lost License Fee--Real View v. 20-20

By Eric Goldman

Real View LLC v. 20-20 Technologies, Inc., 1:07-cv-12157-PBS(D. Mass. Sept. 21, 2011). The jury verdict form. A June 2011 ruling with more background.

Copyright damages may not seem like the sexiest topic, but the reality is that damages issues are producing some of the most interesting recent copyright jurisprudence. The record-breaking Oracle v. SAP damages award stands out, but other interesting case include Oracle v. Google, Bryant v. Media Right, UMG v. Veoh (more to say about that case soon) and of course the P2P file-sharing cases (including the Tenenbaum case).

This case involves an apparently growing phenomenon where competitor A illegitimately downloads competitor B's copyright material and then uses the material for non-infringing purposes. In this case, Real View downloaded 20-20's software (something having to do with kitchen design) without permission via eDonkey and then used it to refine its competing software so that it was more like 20-20's. Real View then aggressively competed with 20-20, including using an alternative business model that substantially undercut the incumbent's business model. After 20-20 sued, a jury concluded that Real View's software didn't infringe 20-20's software. All that left to adjudicate, then, was the initial unauthorized download, which Real View admitted was infringing (Real View brought a declaratory judgment).

20-20 argued that Real View should pay $38M, which is the amount 20-20 spent to buy a competitor company. Failing that, 20-20 argued that Real View should pay $2M due to "price erosion." Real View said it should pay 20-20's standard license fee of $4,200--although apparently 20-20 wouldn't have licensed the software at all to Real View, making the license fee calculation somewhat hypothetical. Real View also admitted to about making three-quarter million dollars in profits from its own licenses.

The jury came back with an award of $1.37M. In this ruling, the judge issued a remittitur down to $4,200, holding that Real View only was liable for the license fee for the unauthorized download--everything else wasn't proved or was irrelevant. For example, the court rejects all of 20-20's arguments about Real View's "saved development" costs as speculative. Perhaps more importantly, 20-20's claims of price erosion were irrelevant; any price erosion occurred due to Real View's non-infringing competitive software, not the infringing software download itself, and 20-20 didn't prove the causal link between the two well enough. Similarly, the court says 20-20 can't get any of Real View's profits from the non-infringing competitive software simply because it was facilitated by the illegal download.

Not surprisingly, 20-20 rejected the remitittur and instead opted for a new trial. After all, what do they have to lose? They will likely get at least $4,200 again (and if they didn't, it's not a big loss), so they might as well shoot for the upside. But if the damages award goes sour a second time, it would be another example where overaggressive copyright enforcement snatches defeat from the jaws of victory.

This case is interesting because it highlight how copyright owners can easily overclaim damages. Even if one step in the defendants' process involving infringing activity, that doesn't mean that the copyright owner gets to disgorge the defendant of all of its profits. For example, if a defendant impermissibly scrapes a plaintiff's website--making unauthorized copies into RAM while doing so--but the defendant's resulting publication doesn't infringe the plaintiff's copyright, arguably this case would take the defendant's profits off the table, leaving only the potentially meager and overly speculative damages from the illegal download.

Posted by Eric at 08:16 AM | Copyright | TrackBack

December 23, 2011

Academic Literature Recap, Q4 2011

By Eric Goldman

I'm mired in grading heck, slogging my way through 146 exams. As a result, blogging has taken a back seat. I have several key items to blog, including the UMG v. Shelter Capital and Ascentive v. Opinion Corp. rulings. I'll get to these and other topics soon.

In the interim, just in time for the holidays, let me call your attention to some recent academic articles that caught my eye this quarter. They may be worth checking out during your holidays. Happy reading!
____________

Bevin Ashenmiller and Catherine Shelley Norman, Measuring the Impact of Anti-SLAPP Legislation on Monitoring and Enforcement, The B.E. Journal of Economic Analysis & Policy: Vol. 11: Iss. 1 (Topics), Article 67 (2011). The abstract:

We examine changes in environmental monitoring and enforcement activity in the presence of state legislation prohibiting Strategic Lawsuits Against Public Participation (anti-SLAPP laws). Using data on the Clean Air Act from the Environmental Protection Agency’s ECHO database, we find evidence that state inspections increase by almost 50% after a state passes anti-SLAPP legislation. In addition, we find strong evidence that the ratio of findings of noncompliance to inspections more than doubles in the presence of anti-SLAPP legislation.
____________

danah boyd, Eszter Hargittai, Jason Schultz & John Palfrey, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’, First Monday, Volume 16, Number 11 - 7 November 2011. The abstract:

Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws.

This article stirred up a fair amount of discussion. See, e.g., the CNET coverage.

Some notes about this article:

* no one looks good here: not the kids, parents, Facebook or Congress.
- Parents teach children how to lie to get what they want online
- Gilmore’s law that the Internet interprets censorship as damage and routes around it. COPPA has been a success at getting websites to shun kids 12 and under, but it’s been a complete failure at protecting kids online.
- all of the lying kids are presumptively engaged in criminal activity

* when kids are asked to represent themselves as older than they actually are, do they inadvertently put themselves in more adult situations than they can handle? See my post on mistake of age defenses.

* the policy implications of this report cut in both directions. Pro-regulation: the only way to keep kids off Facebook is to do mandatory age authentication that parents can’t game; or do comprehensive privacy regulation. Anti-regulation: COPPA was a bust, so we should repeal it or structurally modify it.
____________

Felix T. Wu, Collateral Censorship and the Limits of Intermediary Immunity, 87 Notre Dame L. Rev. 101 (2011). We don't have too many law professor papers really grokking 47 USC 230, which makes this paper instantly noteworthy. Felix presented this paper at our 47 USC 230 fiesta earlier this year. His conclusion:

Intermediary immunity can and should play an important role in protecting speech on the Internet. Immunity prevents the application of laws targeted at original speakers to intermediaries that lack the incentives of original speakers to speak. Immunity can thus be used to avoid the collateral censorship of lawful, socially desirable speech that poses a real or perceived risk of liability to intermediaries. At the same time, immunity can and should be limited. When intermediaries are actually original speakers, and have the incentives of original speakers, immunity is no longer appropriate. Similarly, immunity as to causes of action that are specifically targeted at intermediaries inappropriately prejudges the reasonableness of such liability.
Even ardent supporters of intermediary immunity would be well-served to recognize its limits. When immunity becomes unbounded, it begins to seem increasingly unfair, stimulating calls to cut back on the immunity, or even eliminate it entirely. The framework developed here demonstrates how, without any need to amend current law, we can limit the immunity, while still serving its core purposes.

James Grimmelmann's comments about the paper.
____________

Sandra L. Rierson, The Myth and Reality of Dilution, 2012 Duke Law & Tech. Rev. ___ (forthcoming 2012). From the introduction:

This Article advances three claims. First, statutory dilution erroneously assumes that the source-identifying function of a trademark is a rivalrous good and one that is dissipated by use. This assumption lacks empirical support, and is assuredly not categorically true despite the contrary principle that underlies the federal dilution statute. If marks are nonrivalrous, as they often are, no cause of action for dilution should exist.
Second, even were particular marks indeed rivalrous, the social and transaction costs imposed by the federal dilution statute would still outweigh the supposed harm to trademark holders. Dilution claims inflict profound anticompetitive burdens, preclude beneficial comparative advertising, and entrench dominant (often oligopolist) firms at the expense of market entrants. Dilution has serious non-economic costs as well and prohibits protected First Amendment speech without justification. For these reasons and others, the federal dilution statute imposes substantially more harm than it (allegedly) prevents.
Finally, the true foundation for the federal dilution statute lies not in alleged economic harms, but rather results from an entirely misplaced fiction of corporate personality. We do not require trademark holders to prove actual economic injury in the context of a dilution claim because, in truth, there is none. Instead, we have granted the holders of famous trademarks the equivalent of a “moral” right to these marks: an extension of the rights granted to a creator of an expressive work in the copyright context. Trademark owners feel vested in their brands, many of which are deliberately anthropomorphized, and the dilution statute reifies and protects these rights as a matter of federal law.

Stacey Dogan's cogent critique of the article. You may recall that in 2007, SCU convened a major academic conference on trademark dilution.
____________

Lydia Pallas Loren, Deterring Abuse of the Copyright Takedown Regime by Taking Misrepresentation Claims Seriously, 46 Wake Forest L. Rev. ___ (forthcoming 2011). A nice in-depth look into one of my favorite topics, 17 USC 512(f), by one of my favorite authors. The conclusion:

The takedown provisions of the Copyright Act are a powerful tool that copyright owners may use to obtain prompt removal of infringing material from the Internet without judicial assessment of the assertion of infringement. Congress provided a mechanism to deter abuse of this extrajudicial enforcement mechanism in the form of a new cause of action for material misrepresentation. Courts should interpret the requirements for prevailing on a claim of misrepresentation with an eye toward fulfilling Congressional intent. This means using a standard that would hold copyright owners liable not only when they had actual knowledge that the material targeted for takedown was not infringing, but also when the copyright owner should have known if it acted with reasonable care or diligence that the material was lawful. It also means interpreting the injury requirement broadly and awarding attorney’s fees to prevailing plaintiffs. Taking the claims of misrepresentation seriously will shape the behavior of copyright owners who seek removal of material through takedown notices.

Posted by Eric at 07:55 AM | Content Regulation , Copyright , Derivative Liability , Privacy/Security , Trademark | TrackBack

Old School Spam Plaintiff Rebuffed in the Ninth Circuit

[Post by Venkat Balasubramani]

Gordon v. BMG Columbia House, 10-35180 (9th Cir. Nov. 28, 2011)
Gordon v. Inviva, 10-35283 (9th Cir. Nov. 28, 2011)
Gordon v. Commonwealth Mktg. Group, 10-35030 (9th Cir. Nov. 28, 2011)

James Gordon has generated more than a few blog posts as a result of his quixotic quest to hold bulk emailers liable under CAN-SPAM, despite not fitting within the categories of persons or individuals who have standing under that statute to bring private causes of action. He was the plaintiff in the Virtumundo case, in which the Ninth Circuit rejected his claims and effectively put an end to the budding spam litigation cottage industry. ("An End to Spam Litigation Factories?--Gordon v. Virtumundo"; "CAN-SPAM Defendant Awarded $111k in Fees/Costs--Gordon v. Virtumundo.") Following Virtumundo, Gordon was the subject of some collections efforts, where he may have lost his home and belongings. (DirectMag: "Anti-Spammer Loses More than His Lawsuit.")

It turns out, despite his stunning string of failures in court, Gordon is still at it! But he doesn’t seem to be making much progress. The Ninth Circuit recently rejected his appeal in three pending cases. Proceeding pro se, Gordon appealed three district court grants of summary judgment against him. In all three cases, the court affirmed the district court judgments on the basis that Gordon lacked standing to sue under CAN-SPAM and his claims under Washington’s spam statute were preempted. He brought a few additional state law claims (consumer protection act, breach of contract) but the court doesn't give those more than a cursory sentence.

Virtumundo, along with Mummagraphics, the two leading appellate cases construing CAN-SPAM preemption, left a small window available to spam plaintiffs. There has been some attempts by plaintiffs to advance state law claims in California ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM"; "Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute"), but for the most part, plaintiffs suing under state anti-spam laws have been shut down elsewhere.

Posted by Venkat at 04:42 AM | Spam

December 20, 2011

Hyundai Gets a Pass from the FTC on Endorsement Issues, in Part Due to Its Social Media Policy

[Post by Venkat Balasubramani with updated comments from Eric]

In re Hyundai Motor America, FTC File No. 112-3110 (Nov. 16, 2011) [.pdf]

We've posted on the FTC endorsement guidelines, which broadly require disclosure of relationships, and incentives provided to those who endorse products or companies. ("FTC Dings PR Firm for Fake Reviews -- In re Reverb Communications"; "FTC Drops Investigation of Advertiser Who Gave Gifts to Bloggers"; "FTC Online Endorsement Guidelines Strike Again - FTC Dings Legacy Learning Over Allegedly Misleading Affiliate Reviews.") The FTC recently closed an investigation on Hyundai, whose marketing agency gave bloggers gift certificates as an incentive to "include links to Hyundai videos in their posts and/or to comment on . . . forthcoming Super Bowl ads." You can access a copy of the FTC's closing letter here [.pdf].

The FTC provided two reasons for why it closed the investigation into Hyundai's promotions:

- Hyundai did not know in advance about the incentives, which were offered by an employee of Hyundai's marketing agency.
- offering an incentive to post about or endorse a Hyundai product was contrary to the social media policies of both Hyundai and its marketing agency.

It was challenging to me to make sense of the FTC's decisions under its endorsement guidelines. Thus far, the FTC has taken action against entities who directly violate the rules (Reverb), or those who have an active role in encouraging reviews or endorsements which violate the endorsement guidelines (Legacy Learning). It seems that entities that haplessly dole out gifts with the unarticulated expectation of reciprocation in the form of an endorsement have yet to come under the FTC's knife (see this investigation and Ann Taylor). Meanwhile, the FTC seems to have given celebrities--who reportedly shill for products and companies on a regular basis without accompanying disclosures--a free pass.

The FTC's reliance on the social media policies of Hyundai and its marketing agency is interesting and yet another data point in favor of adopting a social media policy. Query as to whether the FTC's reliance on these policies is inconsistent? The FTC doesn't seem to accept affiliate agreements at face value for the proposition that companies are policing their affiliates. It's odd for the FTC to accept a social media policy for the same purpose.

Update: The FTC's Business Center blog has a nice explanation for the FTC's rationale in this matter. ("Using social media in your marketing? Staff closing letter is worth a read.") The FTC recommends following the M.M.M. approach:

1) Mandate a disclosure policy that complies with the law;
2) Make sure people who work for you or with you know what the rules are; and
3) Monitor what they're doing on your behalf.

Other coverage:

FTC Closes an Investigation Into a Blogging Promotion

Related posts:

"FTC Dings PR Firm for Fake Reviews -- In re Reverb Communications"
"FTC Drops Investigation of Advertiser Who Gave Gifts to Bloggers"
"FTC Online Endorsement Guidelines Strike Again - FTC Dings Legacy Learning Over Allegedly Misleading Affiliate Reviews"
____________

Eric's Updated Comments

1) The FTC Endorsement and Testimonial Guidelines are confusing to everyone, even the FTC. Recall the public discord they had over whether Ashton Kutcher broke the rules. I remain skeptical that the FTC understands what it said in its own rules.

2) Regardless of what they said, the FTC's goals are clear: they hate inauthentic content online, and that includes content that might be financially motivated without sufficient disclosure to the reader/viewer. If they could wave their magic wand and eliminate all that content from the Internet deus ex machina, they would.

3) Unfortunately for the FTC, they can't wave their magic wand, so they have to bring enforcement actions. But they have made it 100% clear that they really do not want to go after individual bloggers--even though the bloggers are the ones who the FTC thinks are actually violating the Endorsement and Testimonial Guidelines. It makes sense that the FTC doesn't want to chase individual bloggers, who are multitudinous and often legally unsophisticated, but it means the FTC refuses to go after the most responsible individuals.

4) Because the FTC won't go after the direct violators, they are casting a net for other folks to hold responsible. I've previously raised the concern that such trawling for secondary violators is impermissible under 47 USC 230, a statute the FTC wishes didn't exist. Because they are going after the secondary players with a weak theoretical justification for holding the secondary players responsible while not simultaneously enforcing the rules against the principal players, the FTC is effectively developing its rules on the fly. Not surprisingly, such an ad hoc development of rules can be hard to keep consistent.

5) Because the FTC doesn't want to unfairly impose liability on secondary players for actions they can't necessarily control, the FTC has made it quite clear that it expects advertisers playing in the financially-motivated online content space to do the following:

* tell bloggers not to break the law
* tell their agents not to break the law
* double-check after-the-fact to see if anyone has broken the law and undertake efforts to remediate those violations

This may seem a little silly and formalistic as a way of complying with the Endorsement and Testimonial Guidelines, but it appears like it's enough to satisfy the FTC.

6) As Venkat points out, the FTC's position here may be harder to reconcile with the FTC's position about other forms of liability based on affiliate actions, where the FTC may not be OK with simply including "comply with the law" provisions in the contracts and doing after-the-fact spot checking. If the FTC is going to hold advertisers liable for third party actions--a paradigm I think they should categorically abandon, especially in light of 47 USC 230--then it would be great if the FTC would publicly reconcile these different attitudes towards third party liability. Given the FTC's steadfast refusal to provide bright-line rules that might limit its future discretion, I wouldn't hold my breath waiting for such clarification.

Posted by Venkat at 07:44 PM | Derivative Liability , Marketing

Twelve Comments Filed in Response to Copyright Office Proposal to Amend 512 Designation Requirements

By Eric Goldman

With all of the focus on SOPA/PIPA/OPEN, it's easy to lose sight that a Copyright Office proposal seriously jeopardizes the 17 USC 512 online safe harbors for many service providers. Specifically, the Copyright Office proposes to expire existing agent designations and then require periodic maintenance of designations or they too will be expired. In both situations, a service provider without a designated agent instantly loses all 512(c)/512(d) eligibility--even if the failure was an administrative accident or mistake, and even if the service provider properly filed a valid designation initially. Worse yet, the Copyright Office hasn't shown how the existing database causes problems for copyright owners, so the Copyright Office is proposing to jeopardize these essential safe harbors for no apparent gain to anyone else.

In response to the Copyright Office's proposal, twelve comments were submitted, including the comment that I submitted with the EFF and Jason Schultz. Regarding the proposal to expire existing designations and require periodic maintenance of future designations, the comments broke out as follows:

AGAINST: EFF/Schultz/Goldman, Public Knowledge, Microsoft, CCIA, Matthew Neco
FOR: RIAA, Verizon/Internet Commerce Coalition (I treat these as identical because Verizon is a member of ICC, and their points were similar)
AMBIGUOUS: MPAA (seemingly leaning against the proposal but equivocal)

The CCIA’s opposition on this issue was well-stated: "it would be unsound and inconsistent with Section 512 to attempt to revoke the safe harbor and impose liability on services who do not resubmit contact information to the Office which the Office already has…Proposed § 201.38 is itself a formality which -- at least as described in the NOPR -- may also impose harsh penalties for failing to prepare redundant paperwork at the proper time."

Some of the “AGAINST” comments wondered if the Copyright Office has the power to terminate a validly filed designation, because doing so creates a forfeiture and apparently exceeds the authority that Congress provided to the Copyright Office. I do hope the Copyright Office will consider the administrative law issues carefully before doing something that leads to an expensive lawsuit over its authority.

Some other interesting points raised in the filings:

* the RIAA made several aggressive proposals, including (1) a requirement that "the service provider...disclose any shareholders or related groups of shareholders (such as a family) with a majority ownership of the service provider; and any persons or entities with a controlling interest in or decision making power over the service provider," and (2) "the Copyright Office require proof of the business address of the service provider, perhaps by requiring the entity to scan a piece of business correspondence and attach it to the designation as a PDF." I don’t see it as the Copyright Office’s responsibility to validate service providers’ self-reported information, and I thought the requirement to disclose related entities was overreaching and creates traps for the unwary.

* Microsoft proposed "that the Office consider issuing OSPs a unique identification number corresponding to their submission of a designation of agent, and requiring the OSP to post this number where it also posts information about its DMCA agent and its process for submitting notices of claimed infringement. This requirement would enable users of the OSP directory to easily link a particular website with the DMCA agent designation (and related records) maintained by the Copyright Office." While this proposal would solve one set of problems, I don’t think the Copyright Office has the authority to require the publication of this unique ID as a condition of the online safe harbor.

* Google believes only written takedown notices should satisfy the 512 requirements:

We urge the Office, however, to also note that takedown notices sent to designated agents must be in the form of a written communication. We are concerned that the clarifications and the availability of a phone number do not lead to a requirement that service providers designate a specific person to be contacted for voice communication or that leaving of takedown notices be authorized via phone calls or voice mail. Accepting takedown requests via phone or voicemail would present a multitude of problems: for example, lack of documentation to send on to the alleged infringer, lack of signature, problems with verifying identity, detecting abuse, lack of accurate metrics, scalability, and potential differences of opinion about what was identified.

While I completely agree about the problems of non-written takedown notifications, I’m pretty sure 512 doesn’t give the Copyright Office the power to effectuate this request.

* The Verizon/ICC filings encouraged the Copyright Office to warn rightsowners not to misuse takedown notices. For example, the ICC filing says "we urge the Copyright Office to post a prominent notice at the entry point to the database warning entities submitting DMCA notices that knowing material misrepresentations in 512(c) notices may trigger monetary liability."

* The ICC filing also gave a specific example of the privacy issues raised by the designated agent database:

One woman who works as a designated agent for one of our member companies has received harassing “stalking-type” messages from people who are not copyright owners, but found her name through an agent designation. For precisely this sort of reason, it is important to allow email addresses of designated agents to reflect their function, rather than their name, and to allow designated agents to list P.O. Boxes as their address, wherever their address is a home address.

I frequently use the designated agent database to find contact information for a company when other resources fail me.

* The MiMTiD filing was a piece of work. It appears to misunderstand the existing 512 safe harbors, and most of it is just a rant against Google.

If you want to comment on the Copyright Office proposals, do so quickly. Reply comments are due December 27.

Posted by Eric at 08:00 AM | Copyright , Derivative Liability | TrackBack

December 19, 2011

Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook

By Eric Goldman

Fraley v. Facebook, Inc., 2011 WL 6303898 (N.D. Cal. Dec. 16, 2012)

Because Facebook does so many things that aren't in users' interests, their "Sponsored Stories" program barely registers. Nevertheless, Sponsored Stories demonstrates why many people are burned out on Facebook. Facebook collects user preferences through its semantically ambiguous "like" button and then uses that data to show ads to the users' friends with a seeming endorsement. Using my preferences does little to advance my relationship with my friends, but the implicit endorsement is designed to get my friends to investigate the ads, increasing the advertiser's credibility and Facebook's profits. So Sponsored Stories creates a zero-sum game: I as a user probably don't get any value from the public presentation of my implicit endorsement (if anything, it might hurt my position with my friends), but Facebook and its advertisers benefit from it.

My response to Facebook's rollout of Sponsored Stories was swift and decisive: I don't "like" any businesses on Facebook or do any other activities on Facebook that I believe can trigger a Sponsored Story. (I would also categorically opt-out of being a part of Sponsored Stories if Facebook actually let me decide what I want to share with my friends, but Facebook doesn't). Instead, if I want to make a commercial recommendation to my friends--something I do occasionally--I just share it directly in my status report. That way, I control the message I deliver to my friends, instead of letting Facebook or advertisers control how they communicate my interest to my friends. And the zero-sum nature of Facebook's offering drives a deeper wedge into my relationship with Facebook, making me less willing to use Facebook generally and more receptive to alternatives.

To me, this marketplace response is adequate. To plaintiffs' lawyers, however, Sponsored Stories gives another reason for a litigation fiesta. Remarkably, unlike so many other "privacy" lawsuits against Internet companies, this lawsuit survives the motion to dismiss--dramatically increasing the odds that Facebook will be writing a check for this so-called "feature."

This is a rich and interesting opinion by Judge Koh that has something for everyone to "like" (or dislike). Some of the highlights:

Article III Standing

In a ruling that bucks a mini-trend, Judge Koh upholds the case from an Article III standing challenge. She says that violation of a statutory right (in this case, California's publicity rights statute) automatically satisfies the actual harm requirement of Article III standing. The plaintiffs also satisfied the "particularized" and "concrete" requirements of Article III by explaining how the Sponsored Stories feature used their information.

She explicitly distinguishes numerous defense-side Article III wins (including her own recent iPhone application litigation and Low v. LinkedIn decisions) by noting the particular nature of the plaintiffs' publicity rights claim. In this case, unlike the others, the plaintiffs are claiming that their endorsement had commercial value to help sell goods to others, compared to the situation in the prior cases where the commercial value of a user's data came from theoretically improved marketing to the user him/herself. She says:

Plaintiffs here do not allege that their personal browsing histories have economic value to advertisers wishing to target advertisements at Plaintiffs themselves, nor that their demographic information has economic value for general marketing and analytics purposes. Rather, they allege that their individual, personalized endorsement of products, services, and brands to their friends and acquaintances has concrete, provable value in the economy at large, which can be measured by the additional profit Facebook earns from selling Sponsored Stories compared to its sale of regular advertisements.

She says later:

Plaintiffs assert that they have a tangible property interest in their personal endorsement of Facebook advertisers’ products to their Facebook Friends, and that Facebook has been unlawfully profiting from the nonconsensual exploitation of Plaintiffs’ statutory right of publicity. Thus, in the same way that celebrities suffer economic harm when their likeness is misappropriated for another’s commercial gain without compensation, Plaintiffs allege that they have been injured by Facebook’s failure to compensate them for the use of their personal endorsements because “[i]n essence, Plaintiffs are celebrities—to their friends.”

Clearly, Judge Koh is making a tricky intellectual move, and I bet it's going to make some privacy advocates unhappy. There is unquestionably a street value to data about a person to improve the marketing to that person, just as there is unquestionably commercial value in gaining an endorsement from a consumer. It's awkward to recognize one value and not the other. (Of course, in many of the precedent cases, there was only the possibility of data leakage; there wasn't actually a showing that any marketer had bought the leaked data for commercial reuse).

However, Judge Koh's fancy footwork rips open only a very small hole in the Article III jurisprudence. Her exception only applies where there's a statutory publicity rights claim, and only when the defendant made a commercially-motivated endorsement. I'm sure we'll see plaintiffs advance claims to take advantage of this ruling, but few plaintiffs will be able to style their claims accordingly.

In another tricky intellectual move, Judge Koh distinguishes Cohen v. Facebook, which dismissed a publicity rights claim based on Facebook's "Friend Finder" service, because this case showed a more direct connection between the friend's endorsement and the commercial value derived by Facebook. She also implies the lawyers did a better job here than in Cohen. I didn't fully understand this distinction other than Judge Koh's desire to reach a different result without disturbing the Cohen precedent.

47 USC 230

Facebook's 230 defense is tricky. First, it seeks to invoke the defense against a publicity rights claim, which the 9th Circuit said was possible in Perfect 10 v. ccBill in a controversial statutory reading that has been rejected by every other court outside the Ninth Circuit. Judge Koh doesn't touch that issue.

Second, Facebook seeks 230 protection for the ad copy it created automatically. The ad is based on a user action, the "Like," plus various pieces of user content, but Facebook assembles it all into a package that the user never sees, blesses or necessarily even wants. We've had some other cases upholding 230 when a service provider is so intimately involved with creating the final content, such as the Carafano case, but Facebook is clearly playing at the edge of the statutory immunity.

Judge Koh rules that Facebook is over that line and doesn't get the immunity. Unfortunately, she does so by saying that Facebook is partially the information content provider of the ads in question. She references the dispositive allegations:

Plaintiffs allege that Facebook creates content by deceptively mistranslating members’ actions, such as clicking on a ‘Like’ button on a company’s page, into the words “Plaintiff likes [Brand],” and further combining that text with Plaintiff’s photograph, the company’s logo, and the label “Sponsored Story.” ... Plaintiffs allege that they themselves have no control over whether to post a particular company’s name or logo, and that Facebook maintains sole control over whether to display a Sponsored Story at all.

Personally, I'd be much more sympathetic to Facebook's position if users had the specific ability to "like" a business page without simultaneously authorizing the Sponsored Story. Because Facebook's controls are insufficiently granular, Facebook automatically interprets a "like" as both a statement of user attitudes and as a green light to create the Sponsored Story. In contrast, imagine that when a user "liked" a business page, Facebook prepared the ad copy for the Sponsored Story, presented it to the user, and asked the user if the user wanted to publish the ad copy to his/her friends. At this point, I would feel much more strongly that the ad copy really was the user's words. Naturally, Facebook doesn't give users this level of control over the words being put into their mouths.

On the other hand, consider an alternative example where a website both publishes UGC on its site and then syndicates the content to third party sites. It's my position that the website gets 230 for both acts of publication, even if the user never expressly green-lighted the syndication (so long as the user-to-website license permitted the syndication). See, e.g., Prickett v. infoUSA. Based on Judge Koh's explication, I'm not exactly sure why Facebook crossed the 230 line while some of these other situations probably don't.

Facebook responded that its activities didn't make it a content provider but just represented traditional editorial functions. The court rejects the argument, citing this allegation:

Plaintiffs allege not only that Facebook rearranged text and images provided by members, but moreover that by grouping such content in a particular way with third-party logos, Facebook transformed the character of Plaintiffs’ words, photographs, and actions into a commercial endorsement to which they did not consent.

In the context of this case, I see her point. Sadly, the opinion's wording will give false hope to a slew of plaintiffs who will argue that the website's presentation of third party content constituted some type of unauthorized endorsement. It will take a few cases to burst the plaintiffs' bubbles about a new exception to 230.

The Statutory Publicity Rights Claim (CA Civil Code 3344)

Facebook took a few cracks at the claim, all of which were unsuccessful:

Newsworthiness. The publicity rights statute does not restrict using someone's personality "in connection with any news." This is a backdoor First Amendment defense, as what constitutes news tracks First Amendment jurisprudence on "matters of public interest." This defense seemed like a hail-mary for Facebook--a user "liking" a page is clearly "new" information to the marketplace, but it's not "news" in either the traditional or First Amendment sense. The court seems unimpressed, saying that even if a user "liking" a commercial product is news to that user's social network, using that information commercially drops out of the exception. I wasn't persuaded by the judge's distinction here, but then again Facebook's argument about what constituted "news" was obviously tendentious.

I was a little disappointed that Judge Koh sidestepped some interesting lurking issues about what is "news" in the modern environment, where all of us are publishers to our local communities and we as publishers can have significant clout in a small community. Some academic literature in the 1990s discussed these issues in the Internet context, but it might be worth revisiting as a paper topic. Judge Koh also sidestepped the intellectually interesting issue of whether opinions about marketplace goods are "newsworthy," something that I strongly believe to be the case in the context of anti-SLAPP laws.

Consent. Facebook argued that users consented to Sponsored Stories as part of its terms of use. The plaintiffs retorted that Sponsored Stories didn't exist when they signed up, so they couldn't have consented to it. The court says there's a factual dispute which prevents a motion to dismiss.

Injury. Facebook argued that non-celebrities have to show economic injury as part of their 3344 prima facie case. The court rejects this distinction, saying "[i]n a society dominated by reality television shows, YouTube, Twitter, and online social networking sites, the distinction between a “celebrity” and a “non-celebrity” seems to be an increasingly arbitrary one." Furthermore, the plaintiffs did allege injury by showing that their endorsements were valuable to Facebook, which helps distinguish this case from the Cohen "Friend Finder" precedent. I liked this quote:

While traditionally, advertisers had little incentive to exploit a non-celebrity’s likeness because such endorsement would carry little weight in the economy at large, Plaintiffs’ allegations suggest that advertisers’ ability to conduct targeted marketing has now made friend endorsements “a valuable marketing tool,” just as celebrity endorsements have always been so considered.

For more on this point, see my Online Word of Mouth paper.

Unfair Competition Law (UCL)

Normally, we'd expect the UCL claim to be tossed because the plaintiffs can't make the required showing that they lost "money or property." Numerous Internet privacy cases have reached that conclusion. Judge Koh makes the same intellectual move she did with Article III standing, saying that publicity rights are different than other privacy torts. She says: "[t]o the extent Plaintiffs allege they can prove that their endorsement of commercial products to their Facebook Friends has concrete, quantifiable value for which they are entitled to compensation, the Court finds that Plaintiffs have properly alleged loss of money or property for purposes of establishing standing under the UCL." I wonder if plaintiffs can make that showing because there's no existing market for consumer-to-consumer endorsements, but it's enough to survive the motion to dismiss. In particular, she says California's statutory damages for publicity rights violations aren't enough to demonstrate the value of the endorsements.

Judge Koh also concludes that plaintiffs properly alleged that Facebook's activities were unlawful, unfair and fraudulent (in the latter case, because Facebook allegedly overclaimed users' abilities to opt-out of Sponsored Stories).

Unjust Enrichment

Recent caselaw makes it even clearer that there's no separate cause of action for unjust enrichment; instead, it's just a synonym for restitution. As a result, the court tosses this claim.

Conclusion

This is not a good ruling for Facebook, but I can't really feel too sorry for it. Facebook has been playing fast-and-loose with the law in many different contexts (see, e.g., its FTC bust), and Sponsored Stories is no different. Before rolling it out, Facebook surely knew that the Sponsored Stories offering was on murky legal ground. It can't be surprised that it didn't get an easy dismissal.

Even so, if it gets that far, Facebook may yet win this case. Judge Koh has made it clear that she's a tough customer, but Facebook has plenty of power to its remaining arguments. Nevertheless, I'm reasonably confident it won't get that far. Given the importance of maximizing ad revenues and its desire to clean up legal issues in advance of an IPO, it seems more likely that Facebook will cut a deal with plaintiffs' counsel. I imagine Facebook might try to do a settlement like the Facebook Beacon settlement that results in minimal restrictive covenants, a chunk of money into the lawyers' hands, and a chunk of money that doesn't get into users' hands but instead goes into something like Facebook's privacy foundation.

UPDATE: Facebook is blazing ahead with its Sponsored Stories offering, moving the Sponsored Stories module into the newsfeed instead of on the side. (And with almost-invisible disclosure that it's an ad). Surely this means Facebook plans to win this lawsuit or to settle up. I'm voting the latter.

Posted by Eric at 09:10 AM | Licensing/Contracts , Marketing , Publicity/Privacy Rights | TrackBack

December 18, 2011

More on Ex Parte Cutoffs of Foreign "Rogue" Domain Names

By Eric Goldman

I got the following email regarding our prior three posts on ex parte cutoffs of foreign "rogue" websites in the Chanel, True Religion and Philip Morris cases (I'm republishing the email with permission):
__________

All of the court papers in the Chanel case were been posted to http://servingnotice.com/sdv/. Similarly, the court papers in the Philip Morris case are at http://servingnotice.com/jiang/index.html.

A little exploration of the site reveals that a Fort Lauderdale lawyer named Stephen Gaffigan (who seems to be a sole practitioner) has brought a bunch of these cases. In the Chanel case, "service" on the vast majority of the defendants was achieved by posting the complaint at http://servingnotice.com/sdv/ and getting a TRO ordering the registrar of defendants' domains to redirect the accused domain names to http://servingnotice.com/sdv/. Reading the court papers, it turns out that the purported authority cited by Mr Gaffigan in his memorandum supporting Chanel's motion is a collection of orders and default judgments in other uncontested cases brought by the same lawyer, according to the same template. (See http://www.servingnotice.com/ofn/index.html; http://servingnotice.com/pan/index.html; http://servingnotice.com/off/index.html; http://servingnotice.com/oft/index.html; http://servingnotice.com/li2/index.html; http://servingnotice.com/qi/index.html; http://servingnotice.com/wu/index.html; http://servingnotice.com/ling/index.html).

Gaffigan's method seems to be to rely on default judgments. Nobody has showed up in any of these cases to contest his motions in court. (The docket sheet in the Chanel case shows the voluntary dismissal of a couple of defendants, so I assume those individuals showed up and either settled out of court or got off without settling to avoid an in-court contest.) So, there has been nobody to make the argument to district courts that no US statute authorizes the remedies Gaffigan seeks, and nobody to appeal the judgments to a court of appeals, and no opportunity for a court to assess the appropriateness of the remedy in a contested proceeding.
__________

Eric's comments: This email helps to answer some of my prior questions, such as how many similar cases are out there (many) and whether these cases will multiply (it appears the True Religion case was brought by an unrelated law firm, Greenberg Traurig). Yet, it leaves open my most basic question, which is what can be done proactively to educate judges about the potential abuses of the ex parte process, joinder, notice to defendants and orders purportedly binding non-litigant third parties. It also leaves open the implicit question of whether attorneys who seek overreaching ex parte requests will be subject to discipline or sanction for any possible abuses of the process.

Prior coverage:

* Does the House Judiciary Committee Debating SOPA Know What's Going On In the Courts?--Philip Morris v. Jiang
* If You Dislike SOPA, You'll Dislike This Case Too--True Religion v. Xiaokang Lei
* The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP
* I Don't Heart SOPA or PROTECT-IP: A Linkwrap
* Ad Network Avoids Contributory Copyright Infringement for Serving Ads to a Rogue Website--Elsevier v. Chitika
* Court OKs Private Seizure of Domain Names Which Allegedly Sold Counterfeit Goods--Chanel, Inc. v. Does
* Why I Oppose the Stop Online Piracy Act (SOPA)/E-PARASITES Act

Posted by Eric at 11:17 AM | Domain Names , Trademark | TrackBack

December 16, 2011

Does the House Judiciary Committee Debating SOPA Know What's Going On In the Courts?--Philip Morris v. Jiang

[Post by Venkat Balasubramani, with comments from Eric]

Philip Morris USA, Inc. v. Jiang, 11-cv-24049 (S.D. Fla.) (TRO entered on Nov. 16, 2011) (Prelim. Injunction Entered on Dec. 12, 2011)

This is yet another case where a court orders broad remedies to a rightsowner who alleged that various foreign domain names were selling infringing products. See our recent blog posts on the Chanel and True Religion cases.

The plaintiff in this case is Philip Morris, who alleges that an investigator purchased products from various websites. The investigator forwarded the products to a Philip Morris representative, who alleged that "what appeared to be Marlboro cigarettes were in fact counterfeit." Additionally, the representative

reviewed and visually inspected the internet websites operating under each of the subject domain names, as well as pictures of items bearing the Philip Morris USA Marks offered for sale on the internet websites, and determined that the products were not genuine and/or authorized Philip Morris USA products.

The court issues a TRO that is similar in scope to the Chanel TRO. (The same lawyer was involved in both cases on the plaintiff's side, so this is probably more of a function of the fact that Chanel and Philip Morris sought similar relief.) The TRO contains the following:

- Defendants are enjoined from using any Philip Morris marks, in websites, domain name extensions, links to other websites, search engine databases.
- The domain name registrars are directed to transfer the domain name certificates to plaintiff (for deposit with the court).
- The registrars are directed to transfer the domain names to GoDaddy, who will "hold the registrations for the . . . domain names in trust . . . during the pendency of [the] action."
- GoDaddy shall also update the DNS data so it points to a copy of the complaint, summons, and court documents (<http://servingnotice.com/jiang/index.html>).
- Finally, Western Union is directed to "divert" transfers made by US consumers to three named individuals

The court later extends the TRO and enters a preliminary injunction with substantially similar terms. The orders in this case don't order any sites de-listed, but are still pretty extraordinary in scope. The fact that the court orders the complete disabling of websites and orders registrars to transfer domain names to GoDaddy based solely on the strength of the declarations Philip Morris's investigator and representative is really surprising. Of course, ordering (on an ex parte basis) the diversion of funds transmitted through Western Union is extreme.

As with the Chanel and True Religion cases, the same questions remain. Is there a relationship between the various defendants and the domain names? What type of notice of the lawsuit did defendants actually receive? Was there actually infringement or counterfeiting? The plaintiffs in these cases end up convincing the court of a key fact: immediate, ex parte relief is necessary because defendants will hide assets and shift operations. Courts seem to take this allegation at face value. (The court does authorize service via alternate means and Philip Morris filed affidavits of service in accordance with the court's directive, but this seemed like an afterthought.)

Yesterday's SOPA hearings caused many observers to cringe (see, e.g., Mike Masnick's horrifying recap). I think it's worth revisiting the question of how courts appear already open to remedies people think are objectionable in legislative proposals that are being considered.

Related posts:

If You Dislike SOPA, You'll Dislike This Case Too--True Religion v. Xiaokang Lei
Court OKs Private Seizure of Domain Names Which Allegedly Sold Counterfeit Goods--Chanel, Inc. v. Does
Why I Oppose the Stop Online Piracy Act (SOPA)/E-PARASITES Act
____________

Eric's Comments

In our True Religion post, I asked just how many similar cases are in the system. Unfortunately, there's not an easy way to quantify the litigation activity. For example. in the True Religion case, the entire action was sealed for a couple of weeks. Even without the seal, I don't know how to find these ex parte rightsowner enforcement cases against foreign rogue websites other than laboriously reviewing every federal filing, having readers tip us off or serendipity.

However, with today's case representing the third foreign rogue website enforcement case we've found in the past month, I'm going to guess that more enforcement actions are out there today or are coming imminently. This seems to suggest that rightsowners have figured out a way to work with the current system without any additional legislation.

The fact that rightsowners are making progress on their own without help seems quite relevant to the debates about SOPA taking place right now in the House Judiciary Committee. Unfortunately, those debates are so ungrounded from reliable fact-based deliberation that the unpersuadable committee members wouldn't care if we found a million of these cases. In contrast, if they were willing to consider the facts on the ground, the possibility that courts are giving rightsowners what they want is a strong indication that SOPA doesn't need to be slammed home on the fast track without proper deliberation.

From my perspective, the three cases demonstrate the problems with ex parte judicial oversight. Only hearing one side of the story isn't enough to trigger the kind of draconian remedies the courts are granting. In particular, in this case, interdicting money being sent via Western Union is quite troubling. Basically, the court says that money being sent by customers who may have done nothing wrong goes into a holding tank--the customers don't get their money back now (and maybe never?) even if the transaction didn't consummate. It seems like rejecting the money transfers, rather than interdicting the money, would have a lot fairer to the buyers caught in the middle. But they aren't in court to defend their interests, and no one else is speaking up on their behalf, so the rightsowner can make a pure cash grab from potentially innocent buyers. That kind of result wouldn't happen with real due process.

Instead of insulting each other on Twitter or reading the sports pages, what the House Judiciary Committee should be doing is putting the existing legislative proposal to the side, taking a close look at what's going on in these cases, figuring out how much relief rightsowners are getting today from the courts, and then deciding if any incremental legislation is necessary to fill any gaps or--equally importantly--curb any rightsowners' abuses of the ex parte process. Instead, sadly, the House Judiciary Committee will continue its bizarre form of political theater until the rightsowners get what they paid for.

Meanwhile, I would be interested in trying to curb the ex parte abuses in court, but I don't know how. We are finding out about these orders after-the-fact, and I don't know how to get ahead of the curve. If the affected domain name owners aren't complaining after-the-fact, perhaps that's a sign that the rightsowners are truly hitting only the bad guys. On the other hand, if the process remains ex parte, inevitably rightsowners will make some serious mistakes that will have terrible consequences for legitimate players. I wish I could figure out a way to sensitize the judges about those risks before they rotely accede to the rightsowners' requests.

Posted by Venkat at 09:46 AM | Domain Names , E-Commerce , Trademark

December 14, 2011

If You Dislike SOPA, You'll Dislike This Case Too--True Religion v. Xiaokang Lei

[Post by Venkat Balasubramani, with comments from Eric]

True Religion v. Xiaokang Lei (S.D.N.Y.) (TRO; Nov. 18, 2011) (Prelim. Injunction; Dec. 2, 2011). The initial complaint.

We recently blogged about a case where Chanel obtained surprisingly broad remedies against domain names associated with foreign "rogue" websites which allegedly sold counterfeit Chanel items. Much of the relief Chanel sought and obtained in that case overlapped with relief that the proposed SOPA law would provide to rightsowners.

True Religion, a company which manufactures jeans, brought a similar enforcement action against foreign "rogue" websites in the Southern District of New York. It first obtained a temporary restraining order, which the court converted into a preliminary injunction. The relief obtained by True Religion is similarly broad as, and presents the same due process concerns raised by, the Chanel case.

True Religion filed a lawsuit in the Southern District of New York. As in the Chanel case, it went after numerous domain names in a single lawsuit, and it presented declarations from its investigators that they bought counterfeit goods from those domain names. True Religion also presented evidence that defendants undertook efforts to conceal their true identities (primarily by supplying 'purposely-deceptive contact information' to registrars), and that if defendants were provided notice, they would "likely destroy, move, hide or otherwise make [the domain names, products in question, accounts, and records] inaccessible to the Court." True Religion filed its lawsuit on November 15, and the court issued an ex parte TRO three days later. The TRO broadly enjoined the conducts of defendants and third parties, authorized service via email, and set a hearing for November 30, 2011. Defendants were required to show cause on or before the hearing date as to why the court should not issue a preliminary injunction. True Religion filed two sealed declarations and an unsealed declaration. No defendant appeared or filed any pleadings. On December 2, 2011, the court issued the preliminary injunction.

The TRO: The TRO finds that True Religion established a likelihood of succeeding on the merits of its claims that defendants sold products which infringed on True Religion's trademarks and copyrights and that defendants' conduct will cause irreparable injury to True Religion. The TRO also finds that defendants undertook efforts to conceal their identity and that if "True Religion were to proceed on notice to defendants," defendants would shift their operations. Pending the court's ruling on True Religion's request for an injunction, the court issues the TRO, which contains the following provisions:

- defendants and any third parties acting in concert with them, including ISPs, registrars or third party selling platforms are restrained from selling allegedly infringing items;
- True Religion is entitled to broad financial discovery and discovery from various service providers (MasterCard, Visa, PayPal, back-end service providers, web designers, third-party selling platforms, registrars, registries, ad-word providers, etc.);
- third party payment processors and financial institutions are ordered to freeze any of defendants' funds;
- domain name registries (VeriSign, Neustar, Public Interest Registry) and registrars are orderd to "temporarily disable" the domain names referenced in the TRO, "through a registry hold or otherwise";
- third party service providers are ordered to cease providing service to defendants.

The Preliminary Injunction:

The order largely tracks the TRO, but adds a approximately 24 new domain names. As with the TRO, the preliminary injunction broadly enjoins defendants from exploiting True Religion's copyrights and trademarks. In addition, it contains the following provisions:

- third party service providers who are provided notice are enjoined from providing services to defendants in conjunction with any of the acts which defendants are enjoined from doing;
- a broad asset freeze, directed at banks, payment processors, PayPal and other payment services providers;
- continuing right to conduct discovery for True Religion;
- domain name registries and registrars are directed to continue disabling and lock the domain names, including the new domain names;
- third party service providers, including ISPs, back-end service providers, affiliate program providers, web designers, sponsored search engine or ad-word providers are ordered to "disable service" to the defendant websites; and
- an authorization to serve process via "registered electronic mail" pursuant to rule 4.

__

This is a slightly different flavor from the Chanel orders, but it raises similar due process concerns. The initial order (the TRO) is issued on an ex parte basis without notice, and it contains extraordinary relief--it's essentially a kill switch for the websites in question. There are a variety of reasons why this has the potential to run roughshod over the rights of defendants or third parties; among other things, there could be some mistake as to the underlying domain name or website. There's no assurance that the site as a whole (as opposed to one or two products) is infringing. Also, after bona fide adversarial proceedings, True Religion's copyrights or trademarks may not turn out to be as enforceable as they seem at first blush. But on the strength of True Religion's unchallenged assertions, the court orders various third parties, including registrars, registries, payment processors, ad-word providers and others, to cut off the defendants. (The court did require True Religion to post a bond of $10,000--a laughably nominal amount.)

Regardless of whether the court has the authority to issue an injunction binding third parties who are not before the court, and who may not even be subject to the court's jurisdiction, many service providers will just follow the court order anyway. They may have no interest in expending resources to fight for a third party's due process rights. Indeed, in its declaration filed after the TRO was issued, True Religion indicated that the registries (VeriSign, Affilias, Public Interest Registry, Nominet UK) disabled many of the domain names in question upon receiving notice of the court order. PayPal also froze the funds in 84 different PayPal accounts.

It's unclear how much business defendants conducted in the United States. If their business activities in the US were nominal, this looks like an extraterritorial enforcement by a US rightsowner in a US court. It's tough to tell, given that the process hasn't been adversarial or even designed to facilitate bona fide participation by the defendants.

I know there are some tweaks in pending SOPA/PIPA legislation that surely would be even more helpful to plaintiffs, but courts today seem willing to grant broad remedies to rightsholders without any legislative change at all. It seems that today, rightsowners are able to go to court and, quickly and at low cost, take down domain names and get an order directing third parties, including service providers, ad networks, and payment processors, not to provide services to various websites. That's a pretty good deal if you are a rightsholder. They may even prefer that to the ITC proceedings proposed in OPEN.

_______

Eric's Comments

This case raises so many unanswered questions for me:

1) Just how many rightsowner vs foreign rogue website lawsuits are already in the court system? Are the Chanel and True Religion cases unique, or are dozens or hundreds of similar cases percolating through the system?

2) Did so much of this case really need to be done under the cloak of secrecy, and even if the answer is yes, why is so much of the case history still sealed?

3) Just how far can rightsowners go in suing dozens or hundreds of unrelated defendants in a single lawsuit? We've seen some pushback against copyright trolls. Are trademark owners similarly overreaching?

4) Just how far can rightsowners go in forcing third party service providers, like domain name registrars, ad networks, payment service providers and others, to honor rulings where the service providers aren't litigants? We dealt with this issue a bit in the 47 USC 230 context in the Blockowicz case. In that case, the Seventh Circuit set some important limits on the reach of Rule 65. Without an adversarial process, were the Chanel and True Religion courts perhaps a little lax in their reading of Rule 65?

5) If rightsowners can already get in court so much of the remedies that SOPA would provide, then why are they pushing so hard for SOPA?

6) Then again, if rightsowners can already get SOPA-like remedies in court, why are we fighting so hard against SOPA? This reminds me a little of the public outcry against UCITA a decade ago--much of the angst was about the parts where UCITA merely restated then-current contract law. Similarly, perhaps SOPA is more of a mirror on present reality than a bona fide change in the law. At minimum, it suggests SOPA may be distracting us from other real problems. If we object to the remedies in SOPA, not only do we need to kill SOPA, but we need to proactively seek new statutes that prevent the outcomes Chanel and True Religion are getting in court.

I plan to continue my personal efforts against SOPA, but it's clear that killing SOPA isn't enough to end the fight. Perhaps OPEN would help by giving rightsowners an easier path to attacking illegitimate foreign websites and thereby alleviate the pressure that rightsowners are putting on doctrines not specifically designed to deal with that problem. That would be a good reason to support OPEN, but it's now 100% clear to me that OPEN also needs more immunities, safe harbors and other limitations on rightsowner powers. If rightsowners get a shiny new enforcement toy via OPEN, they should have to give up some of their overreaching elsewhere.

Posted by Venkat at 11:54 AM | Copyright , Domain Names , Trademark

December 12, 2011

Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank

[Post by Venkat Balasubramani]

Ryabyshchuk v. Citibank, 11-cv-1236 - IEG (S.D. Cal.; Nov. 28, 2011)

Plaintiff alleged that he contacted Citibank and inquired about a credit card. Later that day, he alleged he received the following unsolicited text from Citibank:

Free Text Msg: Citi Cards needs to talk with you regarding your recent application. Please call 866-365-8962. To Opt-Out reply STOP.

Plaintiff replied "STOP" and alleged that he received the following from Citibank:

Free Text Msg: Per your request you will no longer receive text alerts from Citi Cards Credit Dept. If you have any questions call 866-365-8962.

Plaintiff sued for violations of the Telephone Consumer Protection Act, seeking statutory damages ($500 per text) and treble damages. Citibank moved to dismiss.

The court says that text messages are "calls" within the meaning of the TCPA, and any text sent with equipment which has the capacity to store or produce telephone numbers using a random or sequential number generator falls within the TCPA. (See Satterfield v. Simon & Schuster.)

Citibank argued that plaintiff "consented" to the text and first relied on plaintiff's initial complaint where he alleged that he "provided his cell phone number" to Citibank in connection with the credit card application. Plaintiff amended his complaint to avoid any implication that he provided his number, instead alleging the second time around that he "contacted Citibank ... by telephone" in connection with a possible credit card. The court says that plaintiff should be allowed to revise his pleadings and there is nothing in the rules which prohibit plaintiffs from making inconsistent or even contradictory allegations in successive pleadings.

Citibank also relied on two FCC pronouncements to argue that plaintiff consented. The FCC stated in 1992 that people who "knowingly release their phone numbers have . . . given their invitation to . . . be called . . . absent instructions to the contrary." The FCC also stated in a 2008 ruling that calls to wireless numbers "in connection with an existing debt" fall under the 'prior express consent' exception to the TCPA. Specifically, the FCC stated:

the provision of a cell phone number to a creditor, e.g., as part of a credit application, reasonably evidences prior express consent by the cell phone subscriber to be contacted that that number regarding the debt.

The court says that it's unclear at the pleading stage whether plaintiff released his number "knowingly," and what limitations he attached to the release of his number. The court also says that the FCC has recognized the burden consumers may face in proving that they did not provide consent, and thus senders should bear the evidentiary burden of showing that consent was provided. Given the state of the pleadings, the court says the consent issue is better suited for adjudication at the summary judgment stage, rather than the pleadings stage.
__

Ouch. Not only does the initial text violate the TCPA (in the absence of consent), even the text which confirms Ryabyshchuk would not receive any further text messages can violate the statute.

The rules governing unsolicited text messaging leave little room for those who send unsolicited texts. Despite the texts relating to a proposed transaction which plaintiff admitted he contacted Citibank about, and despite Citibank apparently honoring plaintiff's opt-out request, Citibank may still be on the hook! Relying on a check-the-box opt-in that says "please send me text messages regarding various topics to XXX-XXX-XXXX" would seem to be the prudent choice. The defense that the recipient provided a phone number in the course of a proposed transaction does not insulate Citibank here. Although Citibank may ultimately prove consent, the fact that it was unable to get rid of the lawsuit at the pleading stage means that it has to deal with the expense of discovery and summary judgment.

The odd thing about this case is that Ryabyschuck obviously anticipated or implicitly requested additional contact with Citibank. He filled out a credit card application and included his phone number. Citibank would have to comply with certain restrictions, but it could have avoided the prospect of liability by calling Ryabyshuck on the phone. Because it chose to text him--which some would say is less intrusive--Citibank got tagged with a lawsuit.

Related posts:

"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp"
"Debt Collection Text May Result in Liability under the Telephone Consumer Protection Act -- Gutierrez v. Barclays Group"

Posted by Venkat at 12:58 PM | Spam

“Economics of Privacy” Conference Recap

By Eric Goldman

Earlier this month, I attended an event at University of Colorado Boulder called “The Economics of Privacy,” sponsored by the Silicon Flatirons center. A couple photos from the event: 1, 2. As usual, these notes reflect my impressions of the discussion. They aren’t verbatim transcriptions, so please double-check before attributing anything to anyone.

Paul Ohm was the principal event organizer. He offered a thesis: the legal academy has ignored economics and markets in its privacy scholarship. This is because a decade ago, privacy scholarship got rooted in consumer autonomy. As a result, we are letting waves of new economics discussions go past without incorporating into the privacy scholarship. He thinks this is a missed opportunity. This conference was intended to fix that.

Keynote: Alessandro Acquisti

Can market forces adequately “protect” information privacy? Answer: a resounding “it depends.”

Notifying consumers isn’t good enough. Less than 3% read privacy policies; people don’t understand them; people assume “privacy policy” implies privacy protection; if people actually read the policies, we lose significant social resources in the opportunity costs of their time; and outright deceptive bypassing of policies can go unpunished.

Consumer control is illusory. In fact, by making people feel more in control, consumers may take greater privacy risks.

Can self-regulation protect privacy? Alessandro thinks probably not. Hyperbolic discounting means consumers will take the immediate benefits and ignore future costs/risks. Further, technology keeps changing. Consumers who try to optimize for current technology are required to learn the newer technology. It’s overwhelming for consumers. Thus, the empirics of privacy shows that hurdles in decision-making render self-regulatory solutions untenable.

Where do we go from here? Currently, unless there’s a quantifiable economic harm, there’s no legally recognizable harm. However, by focusing on tradeoffs, we’ve lost the non-economic benefits of privacy, like personal autonomy. The lack of adequate consumer protection also leads to socially wasteful investments, ex post damages, shrinking share of consumer surplus, others. We can do better than telling consumers that they need “quantify the privacy costs incurred or be quiet.” Privacy enhancing technologies allow both data sharing and data protection. We should put burden of proof on data holders: prove you can’t provide same services with less data, or be quiet. Finally, he rejects the privacy fatalism that “data is price for content.” In fact, consumers pay when advertisers use the data to develop manipulative marketing.

First Panel

Lior Strahilevitz. Information asymmetries led to19th century English workhouses (like homeless shelters). The government wouldn’t provide welfare payments because recipients knew better than the government if they were worthy, so workhouses were an alternative to providing wasted welfare. The consequence of this information asymmetry was the growth of government services and poor living conditions.

India is experiencing something similar. To address this, India is collecting biometric information on its poor (the “AADHAAR”). Some Indians feel this data collection is empowering—it gives them an identity.

Homogeneity enables mass-market products, but precludes catering to idiosyncratic needs. On the other hand, we should favor serendipitous exchanges between disparate people, and that’s essential for us to function as a society.

Lior is concerned that people will buy products for signaling purposes, not because they want the goods. For example, it turns out that people who buy felt pads for their furniture are good credit risks. Knowing this, people might buy felt pads to send false signals. Peppet’s comment: signaling is exhausting. We’re always communicating through our actions, and that’s tiring. It’s rational for consumers to respond by just deleting their Facebook accounts entirely.

Alessandro’s comment: matching systems will never be perfect; they will always make errors. But if decision-makers overly rely on the technologies, we may not be able to protect ourselves from these errors.

Lorrie Cranor. In 1996, there was a lot of talk about notice-and-choice and that privacy policies were unreadable, but the thought was that privacy seals and P3P could save privacy policies. We're at that exact same place today, but the technology hasn’t changed much. In fact, the current Do-Not-Track technology is lower-tech than P3P was.

What went wrong with P3P? 5 years of haggling led to a computer-readable language for privacy policies. It’s still incorporated into Microsoft Internet Explorer, but it only focuses on cookie-blocking decisions. To avoid Microsoft’s cookie blocking, sites enacted P3P policies. At least a third of P3P policies had errors, including major sites (Amazon, Facebook), so P3P may be counterproductive (i.e., consumers relying on P3P will not have their preferences effectuated). She hopes regulators will investigate.

Based on our experiences with P3P, online behavioral advertising tools aren’t promising. Companies aren’t providing clear policies to consumers or working opt-outs; consumers don’t recognize the icon; and consumers won’t click on it because they expect to get more ads, not to opt-out. She has a feeling of déjà vu: privacy tools empower consumers, but when people inevitably lose interest in developing the tools, privacy issues will become moribund again.

In contrast, incorporating automated privacy information into search results made consumers more aware of privacy concerns, and consumers showed they were willing to pay extra for additional privacy benefits.

Julie Cohen. The term “information privacy market” is weird. The market doesn’t produce information privacy; it produces information that’s used for market segmentation and risk management. There are social costs of information privacy markets—do we need less of the outputs from this markets?

Deeply-held ideological considerations drives privacy norms. Many of us are socialized to believe that more information is better. This skews the discussion as privacy advocates try to get around this norm.

We should be skeptical of information collection practices. Social benefits don’t necessarily grow as information becomes more precise. Gaps in knowledge lead to serendipitous matches that benefit society.

Innovation is used as an excuse to stiff-arm regulators because it’s too complicated for regulators. We’re bad at valuing systemic risks.

Scott Peppet. He sees parallels between Occupy Wall Street and the concerns about privacy. We don’t know how companies are tracking us, and that lack of knowledge makes us uncomfortable. Our economy is built on data, but we don’t understand how that system works. Data collectors are getting big, and we don’t know what they are doing. Perhaps some data collectors get too big to fail—we couldn’t let Facebook’s database go through bankruptcy.

Q from Berin Szoka: why isn’t the common law system adequate to deal with exigencies? For example, the FTC can enforce P3P misrepresentations even if the private lawsuit fails in court? Why do we need additional regulation?

Q&A on self-regulation

Lorrie: self-regulatory model requires enforcement. We have some leaders in the industry doing a great job, but they aren’t getting the requisite enforcement backup.

Alessandro: self-regulation doesn’t work because it relies on notice-and-consent, and that doesn’t work. Instead, he would like to see self-regulation include broader deployment of PETs.

Peppet: he expected, but has failed, to find role-modeling privacy intermediaries such as infomediaries (see my 2005 blog post on the absence of infomediaries). Even companies that are leaders on privacy have unreadable privacy policies. His hypothesis: it’s more profitable to disrespect privacy.

Strahilevitz: self-regulation is best for handling data that’s been recently collected, not on historical data. No one has a good response to deal with new data uses enabled by evolving technologies. Data retention may be an appropriate place for government regulation.

Keynote: Joe Farrell (speaking for himself, not the FTC)

Economics assumes consumer sovereignty. Consumers have wants; the marketplace supplies them. His starting point: consumers value privacy. It’s hard to measure how much. We shouldn’t ask why or how much. We should ensure the market doesn’t thwart their desires.

If we focus on consumer sovereignty, notice-and-choice should work. This minimizes the need to figure out how much consumers value privacy and why; it enables competition on privacy; and the market can cater to consumers’ preference heterogeneity. Notice-and-choice is difficult, but we should try to fix it. However, even experts can’t tell what will happen to privacy in the future; and consumers can’t tell how their information disclosures are affected by information disclosures of other consumers.

Taxonomy of consumer data uses:

• order fulfillment (responding to consumer request). For consumers’ mail orders, it’s not surprising that retailer will tell shipper your address. This directly serves the transaction the consumer wanted, and it’s unthreatening. Leave this out of the regulation.
• Profitable re-uses that consumer may not directly like. Need to distinguish between deals consumer would be willing to strike (data-for-content) and unacceptable deals.

When marketers deceives consumers, it trains them not to trust anyone. This is a harm to society. Ad hoc case-based enforcement doesn’t fix this harm.

Teaching consumers is hard, even if both parties are motivated. This is the basic problem with “disclosures.” But when advertisers don’t have full incentive to be forthcoming, consumers are even less likely to learn.

When the market price is zero, it’s hard for consumers to discount the price further to reflect the costs of privacy risks. Micro-payments actually solve this problem (we saw some of these advantages with the move from broadcast TV to cable TV) but micro-payment service providers create their own privacy paradox.

We should be open to private law solutions, such as trustworthy intermediaries or the adoption of liability-type commitments.

Panel 2

Ryan Calo moderated this discussion, which didn’t have presentations. Because I was part of the panel, my notes are a little sketchy.

Aleecia McDonald: Definition of behavioral advertising = advertising that’s based on data collected about individuals about the websites they visited and their search terms and used to create a profile to trigger ads. Behavioral advertising can be done on a third-party or first-party (e.g., Amazon) basis. Some folks believe that online behavioral advertising only means third party behavior.

Laura Kornish: Can self-regulation work? The Behavioral Advertising icon has been around a year. The icon and linked information doesn’t answer the Qs very well of why the ads are appearing. It’s not working so well, and she’s not sure why. It depends on whether educating consumers about behavioral advertising is a technical challenge. If it is, the icon probably isn’t salvageable. In contrast, it would work if consumers get clear information about why they are getting the ads.

Eric Goldman: the point of advertising is a conversation between marketers who want to sell and consumers who want to buy. If behavioral advertising improves the conversation, there’s no problem that regulation needs to fix.

Seth Levine: He doesn’t favor regulation. As an investor, we don’t see companies trying to create containers for consumer data to give marketers. He does see entrepreneurs trying to fix the fact that publishers let a lot of data leak out to advertisers.

Eric: publishers need to manage the trust relationship on behalf of readers. It’s weird to me how few publishers take this responsibility seriously.

Aleecia: There's currently a schism between EU and US about holding first party data controllers responsible for third party actions.

Catherine Tucker discussed her paper. The punchline: EU advertising effectiveness decreased by 65% compared to the US due to privacy regulations. Small unobtrusive ads were particularly affected because these are more informational and need to be more relevant. Blaring intrusive ads weren’t affected. Most adversely affected websites: general news sites, not niche-y sites (probably because contextual targeting on niche sites was a passable substitute for behavioral advertising).

Seth: an ad impression based on data about the consumer is 3x-10x more valuable than an ad impression without consumer data. Online brand advertising isn’t very effective, so the Internet relies on direct response advertising. If brand advertising worked online, there would be less motivation for behavioral advertising.

Aleecia: Q to Catherine. What legislation caused the difference in ad performance, especially because the EU directive isn’t being enforced?

Catherine: She focused on the 2002 EU directive but the rules were rolled in over time, and advertisers were uncertain about its implementation. Some advertisers pulled away from using cookies due to the uncertainty. Health ads, in particularly, were much less effective.

Aleecia: Catherine’s study is good news for privacy advocates. It shows regulation can work.

Eric: it “worked” how? Some of the adverse consequences from privacy regulation: more intrusive ads, and some matches were foreclosed in the marketplace.

Aleecia: if regulation results in fewer beacons and tracking, this is a good result for healthcare data.

Seth: the advertising marketplace is big enough to incent investment in innovation.

Eric: the best way to spur innovation: give immunities and safe harbors. [I have a more detailed blog post in process making this point in greater detail.] The privacy plaintiffs’ bar is imposing a huge tax on advertising privacy innovation today.

Seth: existing technologies allow private/anonymous browsing. Less than 5% turn it on, and usually turn it on in the middle of the day, perhaps to hide information from their employers.

Aleecia: some consumers want to block ads, but the dominant reason for blocking ads is privacy concerns. Many of the tools are flat-out unusable. 6% of browsers have adopted DNT. On mobile, 17% have adopted DNT (and this is hard for them to do). Definition of DNT = allows users to put up their hand and request privacy. It’s not a technical mechanism; it’s just an HTTP header. What should websites do when the header is present? That's still being discussed.

Eric: the devil of DNT is in the details. We’ll know how important/useful DNT is when we see what websites do when they know consumers have raised their hand.

Catherine: consumers don’t understand online behavioral advertising, so they need protection, but maybe consumers are ahead of regulation and thus regulation would be redundant.

Seth: Solutions to privacy issues should be technology-based. If you’re 18 and don’t have a Facebook account, you’re dead. But Facebook does a terrible job with monetization: they have a huge audience and but get only a small percentage of online ad dollars.

Peter Swire Q: getting consumers adopt PETs is hard, so 5%-17% adoption is huge. Also, Julie Cohen’s right to read anonymously.

Seth: we would all agree that we should have user-driven right to read anonymously.

Panel 3

Scott Peppet. Ways to connect digital identity to physical identity:
• facial recognition. We can now do searches using a face as the search query.
• iris recognition. The technology can read irises on the run. If the technology became widely installed, it can do highly accurate individual identification.
• Car chips measure usage of cars. Insurance companies will find this information useful.
• Biometric. Your scale can broadcast your weight; it can even post to Twitter. It may be entertaining to measure oneself; but that data has substantial commercial value, and marketers may be willing to pay to get it.
• Smart goods. A sweater has been chipped to provide interested consumers background information about the exact sheep whose wool was used.

Ways to tie Digital Space to Physical Space
• Augmented reality. Smartphone can provide this functionality. Car can display information on the windshield.
• Pranav Mistry’s Sixth Sense.

Berin Szoka. Lessig outlined a dystopian view that code will become a perfect form of control. In contrast, the Supreme Court has said that technology expands consumers’ capacity to choose. So, does technology empower or enslave?

First Amendment is baseline for the (lack of) regulation of information. Government can and should punish fraud and deception. Government can validly compel disclosure of objective factual statements (Cass Sunstein’s “smart disclosure”). With proper narrow tailoring, government can intervene in other situations—user empowerment tools, limiting government, educating consumers.

Chris Hoofnagle. He favors competition-enhancing enforcement. Problem: privacy policies that are internally inconsistent; they say “we don’t share” and then say they work with third-party marketers. He also favors an enforcement action that says companies can’t force tracking onto consumers. If consumer manifested their intent not to be tracked, companies can’t undo that. Also, companies are resistant to working with privacy agents where consumers pay someone to help them opt-out; they want to confirm this intent. Companies can’t imagine that consumers don’t want their advertising.

Peter Swire. He worries about security. There’s no way to fix theft of biometrics. Iris scans can be defeated by high-quality print of a third party’s iris.

What if data = speech? (IMS v. Sorrell). He reads Sorrell to say that many privacy laws are subject to heightened scrutiny. Ex: the FCRA says CRAs can’t report credit data more than 7 years old. This limits speech by limiting data. Thus, arguably it’s both a speaker- and content-based restriction.

Berin: he hopes Sorrell will bring more rigor to legislative drafting. The Vermont statute didn’t have any showing of harm. He doesn’t think all privacy statutes are dead, but he hopes the ruling will encourage an emphasis on less restrictive measures.

Chris: Sorrell involved a dumb law, but most privacy laws are dumb because corporate lobbyists muck up well-meaning legislative proposals. He thinks libertarians should hate the Sorrell ruling—the government forced the collection of information and then it was shared with the private sector.

Berin: He doesn’t mind the government data collection in Sorrell because he believes the private sector would have generated the information anyway. Sorrell has no bearing on government-compelled disclosure.

Fernando Laguarda. The Sorrell decision was a reaction to a poorly drafted statute. Information dissemination is speech.

Paul Ohm Conversation with Julie Brill

Paul: it’s the 1 year anniversary of the FTC’s privacy report. What’s happened since then?

Julie: the FTC has spoken loud and clear on social networks (Facebook, Google Buzz). It’s brought some good cases on behavioral advertising and COPPA. The report didn’t preview the FTC’s directions; instead, it describes the problems the FTC has been running into when it brings enforcement actions, especially with notice-and-choice and consumer harm. It sums up where the FTC has been.

The report’s basic principles:
• Companies should build privacy into their foundation
• Simplify notice-and-choice. For example, on mobile devices, privacy policies are too long and not readable. Give more layered notices. Companies are burying the most important disclosures in the policy.
• Transparency. Give consumers more information about the company’s practices, but also show the data that the company has collected about the consumer and give them the right to correct. Analogy: FCRA. Data brokers that don’t come under FCRA should still give access to consumers.

What’s happened since the report? A majority of commissioners have embraced “Do Not Track.” A lot of technological development has occurred in a year—DNT technology, browser-based restrictions, BA icon.

Paul: What does Do Not Track mean, and who enforces any violations?

Julie: there isn’t consensus of what “do not track” means. A header-based solution is one way for consumers to express their preferences. But will websites honor the header? Another solution: the blacklist/whitelist built into Microsoft browser. Advertisers feel that is more draconian. The icon-based system is another solution.

She believes Do Not Track efforts have to cover data collection and retention in addition to tracking. When issue final report (maybe by end of 2011), she hopes it will include data collection.

Who decides—self-regulatory groups or browser companies? Once promises are made to consumers, FTC and state AGs need to enforce.

Paul: academics like Alessandro and Lorrie expressed a lot of skepticism about notice-and-choice. Should the FTC still be pushing it?

Julie: FTC commissioners typically agree about the FTC’s specific enforcement actions. Most opinions are unanimous, especially on privacy and consumer enforcements. When commissioners are debating theory, as opposed to a specific enforcement action involving a particular company, the commissioners disagree more. She thinks the commissioners disagree about notice-and-choice. We shouldn’t throw out notice-and-choice, nor should we throw out PII, but Julie is a skeptic on notice-and-choice. Consumers aren’t the least cost avoiders. The safety analogy is useful—just like we don’t want consumers policing aircraft, consumers shouldn’t be policing privacy. She would like more dashboards for consumers.

Paul: how do we resolve any specific privacy problem—self-regulation, FTC, Congress—who?

Julie: this is a big question, and there’s no single answer. She likes the bully pulpit; she raises her eyebrows a lot! This can lead with a lot of dialogue between industry and the FTC. The FTC has to account for the political environment. Legislative discussions look different now than a year ago; Congressional-enacted regulation isn’t realistic right now because Congress doesn’t have the bandwidth. The industry is a little emboldened because it knows the FTC can’t get Congress to act.

Eric’s Q: there have been lots of Internet privacy lawsuits, but they are routinely getting tossed. How does this affect the FTC’s calculation about whether or not to intervene?

Julie: privacy lawsuits based on deception still require the plaintiffs to show consumer damages. FTC/state AGs aren’t bound by this restriction. The FTC also has authority under unfair acts. Unfairness requires balancing of economic interests. Harm is essential to the balancing. But what about embarrassment, such as an unwanted outing or unwanted Facebook photo posting? The FTC report argues that they should expand the harms. About a decade ago, Eli Lilly had a website for Prozac users. When it decided to shut down the website, it included everyone’s email address in their announcement. This was a huge breach. FTC said it was either a deceptive or unfair act. She thinks it was really an unfairness case; it was wedged into the deception prong.

Posted by Eric at 09:17 AM | Privacy/Security | TrackBack

December 11, 2011

Facebook Evidence Suppressed in Skater Brawl Prosecution--People v. Bignone

People v. Bignone, 2011 WL 6091756 (Cal. App. Ct. Dec. 8, 2011). Some background on the case.

In my house, it's not a party until someone spills, but my parties apparently are comparatively tame. This case involves a wild house party in tony Palos Verdes Estates which went downhill after a group of skaters arrived, apparently unwanted. During/after a "melee", where [t]here was just a bunch of fists flying" and one of the skater buddies allegedly yelled "Fuck [Defendant]", the defendant threw a beer bottle at the victim Smith, hitting Smith in the face and sending him to the hospital to get 34 stitches.

The jury convicted the defendant of assault with a deadly weapon (the beer bottle). The defendant claimed self-defense and appealed claiming the court improperly excluded Facebook evidence that the victim and one bro like to yell "Fuck you" to random people and a third bro self-acknowledged that he likes to be an asshole. The appeals court agreed that the evidence was properly excluded:

That evidence, at best, showed that the three young men in question may generally have been offensive, rude, and obnoxious, but it did little to show defendant's specific intent toward Smith on the night in question. Indeed, there was no showing that defendant ever witnessed any of the conduct in issue or that he was otherwise aware of it. None of that conduct constituted specific threats of violence, much less threats of violence toward defendant. Similarly, that conduct did not suggest or imply that the three men in question had reputations for violence in the community. Moreover, defendant did not offer the Facebook evidence to support his state of mind, but rather as credibility and demeanor evidence. Thus, it was reasonable for the trial court to conclude that the evidence merely suggested that the three men were "jerks" and that the evidence was therefore more prejudicial than probative.

If there were actually a defense that a victim's Facebook page demonstrated the defendant's jerkiness, California prisons would be a lot less crowded.

Posted by Eric at 10:19 PM | Evidence/Discovery | TrackBack

December 10, 2011

The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP

By Eric Goldman

Sen. Wyden and Rep. Issa have released a draft of OPEN: Online Protection & ENforcement of Digital Trade Act, intended as an alternative to SOPA/PROTECT-IP. See my prior posts opposing SOPA and linkwrapping the discussion. Unlike SOPA's disgustingly blatant rent-seeking, which was such an over-the-top abuse of the legislative process that it did not (and could not) support a principled or even intelligent conversations about it, OPEN provides a useful starting point for a sensible conversation that could actually lead to acceptable compromises. For that reason alone, I think Congress should immediately stop all work on SOPA/PROTECT-IP and redirect that energy towards vetting this proposal. Having said that, for reasons I'll explain in a moment, I continue to believe the assumptions underlying SOPA/PROTECT-IP and OPEN are misguided, meaning that forging a compromise from OPEN’s more sensible proposal may be tricky.

Before I get further into substance, two process notes:

First, SOPA was the product of rent-seekers who were talking only amongst themselves and legislators tethered to their campaign contributions. The drafting process was disturbingly closed-door and exclusionary, exactly the kind we wish didn't take place in our representative democracy. In contrast, the OPEN sponsors want to have a dialogue about their ideas. In support of that, they have posted the draft to a website that allows comments and discussion. This is the way our democracy SHOULD work. Why is such an open process the exception instead of the rule?

Second, OPEN is a comparatively svelte 18 pages focused mostly on one core concept, compared to SOPA's 78 page monstrosity that advanced about a dozen different substantive proposals. I can't tell you the number of times I've seen very smart people stymied to keep all of SOPA's moving parts separate, and the failure to do so meant that they were conflating different parts of the statute in ways that prevented productive discussion. (Just two examples: the Colbert Report, where Zittrain mostly focused on SOPA's felony streaming provision while his counterpart was mostly talking about the cutoff provisions; and Business Insider's infographic where the felony streaming sanction was presented as a remedy to the cutoff provisions). By reducing the number of topics at issue, OPEN substantially reduces the chance that policy discussants will simply talk past each other.

An Overview

The law contemplates that rightsowners can file a petition against rogue websites at the ITC, an independent federal agency best known for its adjudication of certain patent disputes. In response to the rightsowners’ petition, the ITC will conduct an administrative adjudication. If the ITC determines that the website is a rogue website, then (1) the website is required to cease its conduct (not sure how enforceable that is), (2) the site also will be subject to any other unspecified consequences following from its determination as a rogue actor, and (3) most importantly, the rightsowner can take the ITC determination to payment service providers (PSPs) and ad networks and have them cut off the flow of money to the rogue website. The PSPs and ad networks would be protected by several immunities for trying to comply with the orders or their other efforts to protect the public.

This makes OPEN similar to SOPA in that it seeks to cut off funds flowing to rogue actors. However, among other key differences, PSPs and ad networks have no legal obligations until the ITC makes a ruling. In contrast, SOPA imposed cutoff obligations on PSPs and ad networks based merely on rightsowners’ unsubstantiated assertions.

What's Good

Substantively, some of the things I liked about OPEN:

* it situates the discussion about "rogue websites" in foreign trade policy. This fixes SOPA's overinclusive application to both domestic and foreign actors. However, if we really think rogue websites are a transborder enforcement problem, there are many other trade policy solutions that might be better options to consider—the most obvious being transborder enforcement coordination like the FTC does with its foreign counterparts.

* OPEN doesn’t touch the domain name system or search engines. SOPA had the potential to destroy the DNS and to jeopardize search engine functioning. OPEN sidesteps both pitfalls.

* OPEN builds in some due process before any formal legal obligations attach. As we've recently seen, due process is actually quite important, and we suffer from its absence. I say “some” due process because I’m not sure how much due process will attach in practice. For example, I have some concerns about the notice provision--not every targeted website will receive notice of the ITC investigation. However, I did like that any website the ITC labels as rogue can correct any identified problems, reapproach the ITC and ask it to remove the “rogue” determination.

* the definition of rogue website is tightened up substantially. It requires three elements:
a) a "non-domestic domain name," which requires that the registry, registrar and registrant all have to be located outside the US (I'm not sure what "located" means in this context). Venkat asked me what happens to a .com registered with a foreign registrar; I believe OPEN does not apply to this domain name.
b) conducting business in the US; and
c) "has only limited purpose or use other than engaging in infringing activity and whose owner or operator primarily uses the site to willfully engage in infringing activity."

The last element, in particular, is quite restrictive by requiring willful infringement. The meaning of the word "willful" is notoriously murky (see, e.g., the multitudinous Supreme Court cases over the word), so the statute would be improved by using a more detailed synonym. No matter what, though, willful is a high scienter level that should easily exclude most legitimate players. The statute further expressly excludes any sites that:

- follow good notice-and-takedown procedures
- qualify for 17 USC 512 (the DMCA online safe harbors) [this means that the statute sits next to 512 instead of rendering 512 moot like SOPA threatened to do], or
- distribute "copies that were made without infringing a copyright or trademark." I’m not 100% sure what this means. It apparently excludes websites reselling goods covered by the First Sale doctrine. I presume that the exclusion includes sites that sell legitimate knock-off goods, such as replicas of goods that aren’t protected by copyrights or trademarks.

* if a PSP or ad network fails to comply with an ITC order, the only consequence is that the DOJ can seek injunctive relief. Rightsowners do not have a private cause of action in those cases. As discussed below, this doesn't eliminate all PSP/ad network exposure to rightsowners, but rightsowners can't introduce evidence of ITC orders in any civil suits they bring against PSPs or ad networks.

* on the trademark side, it expressly limits its applicability to counterfeiting (although there is a erroneous cross-reference in the draft). Presumably, dilution or garden-variety trademark infringement disputes don't qualify under the statute.

What's Not Good

Substantively, some of the things I don't like about OPEN:

* OPEN still contemplates reestablishing a Fortress USA. Fortress USA marginally makes sense regarding the shipment of physical goods across geographic borders. It makes zero sense for digital bits zinging around the borderless network.

* in particular, because OPEN would burden only US-governed PSPs and ad networks, it may drive websites—including legitimate websites who want to reduce their risk of being mistargeted—to shift their business to foreign-based PSPs and ad networks. If lots of businesses make a switch based on these concerns, OPEN could counterproductively result in net financial losses for the US economy.

* similarly, foreign websites can opt-out entirely of the ITC process by consenting to US judicial jurisdiction. I like the idea of an opt-out, but imagine if other countries offered the same quid-pro-quo of allowing US websites to opt-out of some nasty foreign process so long as the websites consent to jurisdiction in their countries. I think we’d be outraged and insulted; which is how I would expect foreign countries to view this quid-pro-quo. Cf. Venkat's recent post on Facebook v. Faceporn. Then again, other countries might think it’s a pretty good idea, leading to a proliferation of transborder quid-pro-quo jurisdictional offers.

* designating the ITC to conduct the investigations is a little odd. First, the ITC is an administrative agency, not a federal court. I don't fully understand all of the implications of administrative vs. judicial review, but I believe there are substantial procedural differences that could lead to important substantive differences. Second, the ITC has been gamed in the patent world (see, e.g., my colleague Colleen Chien's research on the ITC explaining how the ITC hears many US company vs. US company disputes), so I fear similar gaming will emerge. For example, a rightsowner chasing a rogue website could simultaneously pursue a domestic court action, a foreign court action and an ITC proceeding. How would these types of parallel proceedings play out in practice? We’re still trying to resolve the parallel proceeding problems in patents.

* like SOPA, the bill covers copyright infringement, trademark infringement *and* 1201 circumvention. I don't understand why the circumvention issue is getting equal billing or how often transborder circumventions are a real problem. Seeing how 1201 circumvention lawsuits have devolved into anti-competitive enforcements, picking up the circumvention piece could increase the risk of competitive misuse of the statute.

* like SOPA, the definitions are vague. Consider, for example, the definition of Internet advertising service:

The term Internet advertising service means a service that serves an online advertisement in viewable form for any period of time on an Internet site.

Hmm...what does that mean? Notice that the definition doesn't directly distinguish between third-party ad networks and sites that sell their own ads. I think in practice sites that sell their own ads drop out of the statute, so one possible implication is that more sites will ramp up their own ad sales. (This is doubtful, but just throwing the possibility out there). I think the focus on "viewable" is interesting; are audio-only ads excluded? And what does it mean to "serve" content? This contemplates a specific technological interaction that I don't fully understand today and will almost certainly evolve over time.

Why I’m Not Enthusiastic About OPEN

Even though OPEN is worth discussing intelligently, unlike SOPA, I believe it's based on two underlying assumptions that aren’t fixable.

First, like SOPA, OPEN assumes there is a problem with foreign rogue websites that needs to be solved. I'm not saying there isn't, but the policy discussions have been startlingly devoid of reliable and credible facts demonstrating the nature and scope of the problem.

Instead, the evidence in support of a rogue website "problem" typically consists of two main threads: (a) people are dying from counterfeit drugs, and (b) bad guys are "stealing" our stuff. With respect to the former, I've never seen anything more than ad hoc assertion; but if there’s a real problem, counterfeit drugs can be fixed with a highly targeted solution. With respect to the latter, it's hard to give those arguments much credit. After all, all of rightsowners’ arguments are inherently self-interested: it's in their financial interest to say that they would like to make more money than they are making. It's also in their interest to bemoan broad sectoral changes in the economy as evidence that someone is capturing money they think they are entitled to (and to use rent-seeking to thwart those broad sectoral changes). More importantly, there is lots of evidence that a lot of rightsowners are making a lot of money today, both via the Internet and more generally. So it's hard to break out the quantity of actual economic losses that rightsowners are truly suffering when those claims are intermingled with rightsowners’ general rent-seeking efforts.

Therefore, until the rightsowners offer us more than the trumped-up BS already-discredited statistics, I'm still not clear on the problem, how bad it is, how any legislative solution would remediate that problem, and if the collateral consequences of the effort to remediate the problem are greater or less than the problem itself. OPEN does nothing to fill the void of supporting foundational evidence of the problem, so it's hard for me to be enthusiastic about its solution.

Second, and more importantly, attacking the money supply to supposed bad actors remains too blunt an instrument. I may be truly on my own on this point, as many people I respect--including, notably, Rep. Lofgren--are prepared to embrace the policy solution of cutting off money flows. However, by embracing an attack on the movement of money, OPEN replicates one of SOPA's sins. If a player is engaged in legitimate and illegitimate activity and its money supply is cut off, both activities go down the tubes. In contrast, one of the positive aspects of 17 USC 512(c) and (d) is that they require the copyright owner to identify infringing items and target only those items. Giving rightsowners a remedy that would affect an entire site for only some items on the site goes too far.

The OPEN bill tries hard to minimize overbreadth by narrowly defining the targeted websites. Perhaps this definition is narrow enough that there won't be much collateral damage. However, in practice, regulating money flows nevertheless could have pernicious effects in the field. A PSP or ad network drawn into an ITC proceeding frequently will “voluntarily” choose to toss the targeted website before the ITC proceeding reaches its conclusion—even if the ITC proceeding would have rejected the challenge. Furthermore, rightsowners still will send cutoff notices to PSPs/ad networks without filing any ITC petition, and the PSPs/ad networks will often honor them as a way of preempting an ITC proceeding.

What this teaches me (in combination with the Elsevier v. Chitika case) is that PSPs and ad networks need robust statutory immunities which are not based on a notice-and-takedown scheme. On the trademark side, the need for an immunity became clear after the sloppy language in Gucci v. Frontline. On the copyright side, 512 doesn’t cover PSPs and ad networks, probably because in a million years the safe harbor drafters never thought PSPs and ad networks would be liable for third party infringing activity in the first place. Now that we've seen copyright law and trademark law creep much further than we could have imagined in 1998, we should plug this liability hole completely. If OPEN proceeds, it should have a broad-based immunity for PSPs and ad networks with the idea that rightsowners are getting a specific remedy against them in the new law.

While OPEN can’t really be fixed to resolve my two structural concerns, my hope is that the discussion about OPEN will force rightsowners to provide *credible* evidence of harms that they or consumers are suffering (no more self-serving hype, please), and that such evidence will force us to think carefully about how "rifle shot" solutions (as opposed to shotgun solutions) can ameliorate those harms. If we have a discourse that even slightly resembles this ideal, then OPEN will be successful no matter what final outcome we reach.

Posted by Eric at 09:55 AM | Copyright , Derivative Liability , Search Engines , Trademark | TrackBack

December 08, 2011

Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group

[Post by Venkat Balasubramani]

Maremont v. Susan Fredman Design Group, Ltd., et al., 10 C 7811 (N.D. Ill.; Dec. 7, 2011)

I blogged about a case earlier this year where a plaintiff sued her former employer for improperly accessing the plaintiff's social media accounts. (Here's my earlier post on the case: "Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward.") I thought the case was dismissed due to plaintiff's inaction, but it looks like the case is still trudging along.

The basic facts: Susan Maremont worked for the Susan Fredman Design Group as the director of marketing. Maremont created a blog and Facebook account for SFGD. She also created Facebook and Twitter accounts that the court says are undisputedly her personal accounts. Maremont suffered an accident. While she was in the hospital, SFDG continued to access and post from Maremont's accounts. (The court is never 100% clear on which of the two Facebook accounts SFDG posted from.) Maremont returned to work briefly on a part-time basis, and during this time she thanked her temporary replacements "for their amazing posts on [the blog] in [her] absence." Subsequently, Maremont apparently changed her mind and sued for alleged misuse of her personal accounts. [The order says that Maremont stored her account access info on the SFDG server, although the folder in which she stored this info was ‘locked’ and she never gave authority to anyone to access it. This was Maremont’s version of the facts. The order does not say exactly how SFDG got access to the passwords (SFDG could have obtained the passwords through accessing the folder on the SFDG server, or it's possible that the computer Maremont used to create the accounts--which were SFDG computers--remembered them).]

SFDG brings a motion for summary judgment, which the court largely punts for lack of evidence on damages.

Lanham Act claim: Maremont's Lanham Act claim requires her to show that she had an intent to commercialize her identity. The court says that she satisfies this requirement, noting that "it is undisputed that Maremont created a personal following on Twitter and Facebook for her own economic benefit . . . " However, Maremont also must show that she was somehow damaged by her unauthorized affiliation with SFDG. The court gives Maremont additional time to marshal evidence as to how she was damaged. Maremont tells the court that she will bring an expert to testify as to the damages issue.

Stored Communications Act claim: As to the Stored Communications Act claim (which Maremont added later on in the lawsuit) there is no dispute that SFDG accessed Maremont's accounts:

there is undisputed evidence in the record that Defendants accessed Maremont's personal Facebook account and accepted friend requests at least five times from September 23, 2009 through November 24, 2009. Moreover, evidence in the record reveals that Defendants posted seventeen Tweets to Maremont's personal Twitter account during the relevant time period.

This probably amounts to unauthorized access of "a facility through which an electronic communication service is provided." However, the court says that in order to be entitled to statutory damages under the SCA, Maremont has to show that she suffered some "actual damages." (See Van Alstyne v. Electronic Scriptorium.) Because of the dearth of evidence on the damages issue, the court declines to grant summary judgment at this juncture. (Although the court's discussion of whether the SCA requires actual damages as a prerequisite to relief is not extensive--and as Van Alstyne acknowledges, there is mixed authority on the issue--the ruling is significant in this regard.)

Right of Publicity claim: The right of publicity claim fails because SFDG did not pass itself off as Maremont, even though it posted tweets through Maremont's Twitter account. The first of the objectionable tweets explained Maremont's absence and linked to a blog post by Susan Fredman. Additionally, upon returning to work on a part-time basis, Maremont "thanked" SFDG's guest editors for their efforts. Thus, the court concludes that SFDG did not misappropriate Maremont's likeness.

Common Law Privacy claim: Maremont also brought a common law privacy claim, which appeared to be based on the "intrusion of seclusion" tort. The court says that she has to show that defendants intruded into a matter that was private and which the plaintiff attempted to keep private. The court says that Maremont cannot satisfy these elements:

there is no dispute [that] . . . the matters discussed in Maremont's Facebook and Twitter posts were not private and that Maremont did not try to keep any such facts private. In short, Maremont fails to point to any private information upon which Defendants intruded.

Cf. Moreno v. Hanford Sentinel.
__

This is a messy dispute, and some of the facts don't seem clearly developed by either the court or the parties. For example, there were two Facebook accounts involved (one for SFDG and one which Maremont uses personally), but later in the discussion, the court doesn't specify which Facebook account it is talking about. Second, the court notes that "there is no evidence in the record concerning the actual Facebook postings and their content." This is a strange evidentiary omission by the plaintiff.

Then there's the issue of actual damages. Maremont has a Herculean task in proving that her affiliation with SFDG as a result of a smattering of social media posts somehow had a negative financial effect on her. How exactly was she damaged by this association? It's not as if SFDG said anything negative about her. Maremont's claim is that while she was in the hospital, SFDG continued to post and make it look (to the untrained eye) that Maremont continued to handle SFDG's social media efforts. Would a prospective client really refuse to hire Maremont because of these posts? Did this somehow diminish Maremont's earning capacity? I'm not sure what Maremont's expert is going to say, but he or she better come up with something good.

The court's analysis of the invasion of privacy issue also threw me for a loop. The court concludes that the information contained in the posts were public, so there's no violation by SFDG when it posted to Maremont's accounts, but this didn't seem to be the crux of Maremont's invasion of privacy claims. Maremont should be arguing that when SFDG accessed Maremont's accounts, SFDG could also have accessed private facts stored in the account, such as private messages, DMs, photos, and other information in the Twitter/Facebook accounts that were not public. The court's analysis makes me think that the court didn't understand that Twitter or Facebook accounts can contain other information than what's actually publicly "posted" through the account. (Of course, Maremont would have faced a challenge when it comes to damages. She may not have had a standing problem, but she would have to show that she suffered damage as a result of the intrusion, and it's fair to presume from the court's dismissal of her claim that she failed to put forth adequate evidence on this issue.)

This case, along with the PhoneDog case (and Ardis Health) highlight the inherent ambiguity in ownership over social media accounts. Property-wise, it's tough to slot the accounts in a particular box. There also seems to be differing expectations on the part of the employer and employee. The employee obviously wants to take the account with her when she leaves, but the employer would like to continue to take advantage of the goodwill built by the account. There is a solution, and that's to have a written policy in place! A policy is not a cure-all, and I think it's equally important to have a discussion up front about whose account this is and what happens when the relationship terminates. (This is a mini-version of the "blog ownership question" that Eric has harped on.)

As with the PhoneDog case, this is another dispute where the attorney's fees expended could eclipse the value of the case. If the facts as alleged are true, SFDG stepped way over the line in accessing Maremont's accounts, but Maremont's damages are probably minimal. (Ironically, I would think the invasion of privacy claim would be one of the strongest, but the court kicks this claim.)

As a final note, it's worth comparing the result in this case to In re Rolando S., the case where a California appeals court found that a juvenile violated California's identity theft statute when he took someone's Facebook account for a joyride. Here, SFDG gets dangerously close to this line, although it was not clear that the posts in question purported to be from Maremont. As I mentioned in my initial post on the case, depending on what jurisdiction you are in, meddling with someone's social media account in this context could result in e-personation liability.

Related posts:

Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward
Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell.
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

Posted by Venkat at 03:45 PM | Privacy/Security , Publicity/Privacy Rights , Trademark

December 07, 2011

I Don't Heart SOPA or PROTECT-IP: A Linkwrap

By Eric Goldman

Venkat and I have been covering SOPA and related topics. In case you missed our posts:

* Why I Oppose the Stop Online Piracy Act (SOPA)/E-PARASITES Act

* Court OKs Private Seizure of Domain Names Which Allegedly Sold Counterfeit Goods--Chanel, Inc. v. Does

* Ad Network Avoids Contributory Copyright Infringement for Serving Ads to a Rogue Website--Elsevier v. Chitika

Next week, SOPA is supposed to go to committee markup. In anticipation of that, some of the SOPA-related links from the past few weeks that have caught my attention:

* Bose v. Ejaz (D. Mass Nov. 7, 2011). Paypal cut off funds transfers to an International eBay merchant at the request of Bose, a rightsholder. The court rejects the merchant's tortious interference claim.

* Techdirt: The Definitive Post On Why SOPA And Protect IP Are Bad, Bad Ideas

* Politico: Shootout at the digital corral. The entertainment industry spent $91M this year on lobbying. Tech industry spent $15M. Guess who wins that battle?

* Op-eds against SOPA from NYT, LA Times and the Economist.

* EFF: What's On the Blacklist? Three Sites That SOPA Could Put at Risk

* Public Knowledge explains why PROTECT-IP isn’t an acceptable compromise to SOPA. Both "solutions" are off-the-charts extreme.

* Wired: Analysis: Internet Blacklist Bill Is Roadmap to ‘the End’ of the Internet.

* WaPo: SOPA opposition goes viral. Partially related: interesting stats about SOPA's lack of popularity.

* DHS/ICE seize another 150 domain names. Who needs SOPA? Reuters’ coverage.

* Hollywood Esq.: How Controversial Antipiracy Laws Could Be Enacted Even Without Congress.

* Nazerali v. Mitchell, 2011 BCSC 1581 (B.C. Sup. Ct. Oct. 19, 2011): A Canadian court ordered Google and other support providers to cut off the domain name of an allegedly defamatory website.

* EFF: Free Speech is Only as Strong as the Weakest Link. Check out their new resource, www.globalchokepoints.org.

* The RIAA wrote a letter to the editor headlined “RIAA largely succeeds in goal of bringing piracy under control.” Yet, they insist that SOPA is needed?

* Amusingly misguided: The $500,000,000 Cost of Google’s Five Million DMCA Notices. Partially related: Techdirt: As We Complain About SOPA & PIPA, Don't Forget The DMCA Already Has Significant Problems

Posted by Eric at 08:48 AM | Copyright , Derivative Liability , Trademark | TrackBack

December 06, 2011

Trademark Lawsuit Against Groupon Isn't Going Well--Groupion v. Groupon

By Eric Goldman

Groupion LLC v. Groupon, Inc., 2011 WL 5913992 (N.D. Cal. Nov. 28, 2011)

Groupion provides CRM software as a service (SaaS). Groupon distributes "deal of the day" offers that are typically unprofitable for advertisers and often have the extra "benefit" of causing the advertisers to get trashed on Yelp. Groupion sued Groupon for trademark infringement. I previously blogged on the complaint.

The court denies Groupion's various motions. The court runs through a typical multi-factor likelihood of consumer confusion analysis:

* mark similarity. Calling this factor "critical," the court concludes that consumers can keep the marks separate. The visual depictions of the logos are different, Groupion has one more syllable, and the words are portmaneaus from different inspirations ("coupon" + "group" vs. "groupware" + "companion").
* product similarity. "The parties' products are used for different functions and purposes, and are purchased by different classes of consumers."
* marketing channels. The Internet's commonality is discounted (cite to Network Automation), and the rest of the parties' channels are disparate as you would expect when one company is B2B and the other B2C.
* mark strength. The court says "Groupion" is weak because others are using similar marks in its field and Groupion didn't show evidence of the mark's commercial strength.
* intent. Groupion asserted that Groupon must have selected the mark knowing about it, but Groupion didn't provide any evidence to that effect. Groupon's failure to stop after Groupion's C&D was irrelevant.
* evidence of actual confusion. None of Groupion's evidence "demonstrates instances of actual confusion by its customers regarding the source of its products."
* likelihood of expansion. Groupon bought a mobile apps business, but the court says it will use that to distribute deals, not for intracompany groupware.
* purchaser care. B2B software buyers are careful, as are advertisers.

Thus, the factors point against Groupion's likelihood of success, so the court denies the preliminary injunction, Groupion's motion for summary judgment and motion to cancel Groupion's registered mark. I assume Groupon will view this as an invitation to bring its own summary judgment motion and kill this case. The judge's tone was unmistakable.

Posted by Eric at 08:49 AM | Trademark | TrackBack

December 05, 2011

Ad Network Avoids Contributory Copyright Infringement for Serving Ads to a Rogue Website--Elsevier v. Chitika

By Eric Goldman with comments from Venkat

Elsevier, Ltd. v. Chitika, Inc., 2011 WL 6008975 (D. Mass. Dec. 2, 2011). Chitika's brief supporting its motion for judgment on the pleadings. Elsevier's opposition. Chitika's proposed reply brief.

As Venkat recently indicated, while Congress generates massive amounts of hot air discussing SOPA, there's a common law battle quietly brewing with rightsowners seeking to obtain in court the same basic remedies that SOPA would provide statutorily. This judge nixes this rightsowner's request, but this is hardly a win for SOPA opponents or ad networks.

Elsevier publishes textbooks. This lawsuit involves pharmatext.org, a (now-defunct) site that provided links to allegedly infringing copies of Elsevier's books. We'd now characterize pharmatext.org as a possibly rogue website. I previously blogged about this case in January, when the judge issued a dense and troubling ruling that ordered ad networks Chitika and Clicksor to freeze the site's money and stop serving ads to the site. It also ordered the domain name privacy proxy to freeze the domain name and identify the owner. Basically, Elsevier got much of the relief that SOPA now seeks to enact as law.

But hold on a second. The court's January order was based on ex parte proceedings. Chitika subsequently showed up to contest the case, and surprise! The court reaches a different result after adversarial proceedings. Let's hear it for due process!!! YEAH!

[Note: you may recall Chitika separately had an unfortunate legal scrape with the FTC.]

Chitika first argued that Elsevier never proved any direct copyright infringement in the United States because Pharmatext.org's operator, Saggi, was based in India, and the site had no US presence. Elsevier argued that it had test downloads done by US investigators, so there was infringing activity in the US. The court nearly blows a gasket before punting this sticky jurisdictional issue:

While it appears that Chitika may eventually be entitled to judgment on this ground (that is, plaintiffs’ failure to allege any act of direct infringement occurring entirely within the United States), factual issues involving the structure of the Internet and the locus of the infringing activity remain (Where did the copying take place? Where are the third-party websites and servers, from which unauthorized copies of plaintiffs’ books were downloaded?). These issues preclude the granting of the motion on this ground.

For more on the jurisdictional question, see, e.g., the Shropshire case. This locus-of-infringement question is quite interesting, especially as applied to "foreign" rogue websites, but SOPA largely sidesteps all of the doctrinal complexity (and creates its own mess).

Without resolving whose the underlying direct infringer, the court instead considers Chitika's contributory copyright liability. The court concludes that Chitika doesn't have the requisite knowledge of infringement:

Plaintiffs do not allege facts showing that Chitika was familiar with the content of the Pharmatext website, or knew (or had reason to know) that such content was infringing. Thus, plaintiffs fail to support with plausible facts their conclusory allegations that Chitika “must have had knowledge” of the alleged infringement of plaintiffs’ books...and that Chitika “plac[ed] ads on the Pharmatext site because [it] believe[d] that Pharmatext users – in other words, people seeking to obtain pirated copies of copyrighted books – are a target audience for particular advertisers.”

Notice this leaves open what would have happened if Elsevier had sent a takedown/cutoff notice to Chitika. Presumably, such a notice would have conferred the requisite knowledge to Chitika.

Heavily relying on Perfect 10 v. Visa (even though it wasn't binding precedent in Massachusetts), the court also rejects Chitika's material contribution to the infringement. The court says:

while Chitika’s advertising payments might make it easier for Saggi’s infringement to be profitable, Chitika did not create, operate, advertise, or promote the infringing websites, and its advertisements were not the “site” of the infringement.

However, the court hedges at the end, saying it wasn't deciding the issue definitively because Chitika's lack of knowledge resolves this case.

In a footnote, the court explains why Judge Kozinski's dissent in Perfect 10 v. Visa is unhelpful to the plaintiffs:

in contrast to Visa, Chitika did not provide an “essential” service to Saggi that enabled infringement on a “massive scale.” Plaintiffs make no factual allegations that Chitika knew about any infringing activity, nor is there any evidence that Chitika was “intimately and causally involved in a vast number of infringing transactions.”

This is a little garbled (because it references the defendant's knowledge in the consideration of material contribution), but it seems like the court suggests that ad networks may be in a different position than payment service providers because ad networks don't have the same multi-iteration "transactions" with the rogue website.

Notice that this court totally sidestepped (or missed?) the tertiary liability aspect of this case--that Chitika was a support provider to a site that only provided links to allegedly infringing files. To me, it would be entirely appropriate for the court to say that any tertiary player categorically lacks the ability to materially contribute to infringing activity. Otherwise, once we start doing a dragnet for service providers to service providers to infringers, the universe of potential defendants grows to a ridiculous size.

In the end, the court grants Chitika's Rule 12(c) motion for judgment on the pleadings. Broadly construed, this ruling is a win for ad networks, indicating that they are not automatically liable for contributory copyright infringement simply because allegedly rogue websites participate in their networks. But I'd hardly call this a resounding win. Elsevier didn't send Chitika a cutoff notice, giving the court an easy escape valve on scienter, and the court waffled on the material contribution prong. I would expect this opinion to look very different if Elsevier sent a cutoff notice and Chitika didn't promptly drop Pharmatext. In so, rightsowners like Elsevier probably can get 90%+ of the benefit of SOPA Section 103 simply by sending cutoff notices to ad networks.

Notice also that in the face of a cutoff notice, Chitika would not stand up to defend the alleged rogue website publisher in its network. Chitika alleged that Saggi accrued about $500 in royalty payments over 29 months of service. Assuming Chitika does 50/50 splits with its publishers, Chitika will not expend an ounce of effort to preserve its $17/month revenue stream from Saggi. Thus, Elsevier's cutoff notice would be dispositive--even if Chitika could win a ruling like this (which would be more uncertain after Chitika gets a cutoff notice), it's not worth the fight. So after Elsevier's cutoff notice to Chitika, Chitika instantly tosses Pharmatext overboard like a piece of garbage, due process be damned. SOPA isn't required to get that result.
__

Comments from Venkat:

As Eric points out, Elsevier is trying to hold Chitika liable under a theory of tertiary liability. It's far from clear that Pharmatext is liable to Elsevier for merely linking to infringing downloads. Columbia Records v. Fung is currently pending in the Ninth Circuit, and it should shed some light on how extreme the facts need to be in order to hold a website liable for merely linking to allegedly infringing downloads. (Here's Eric's post on the district court opinion in that case: "Torrent Sites Induce Infringement and Lose DMCA Safe Harbor--Columbia v. Fung." I expect the Ninth Circuit's ruling on the appeal fairly soon.)

The question of infringement that occurs purely off-shore is interesting. As Eric mentions, the court questions whether a site that is totally off-shore can be held liable if there's no predicate act that occurs in the United States. I wonder if this is a legitimate argument for rightsowners as to something in the rules that should be 'fixed'? If Elsevier has no recourse in US courts against Pharmatext, should this automatically undermine any possibility of going after service providers of rogue sites?

Finally, as to the issue of whether Chitika has the requisite knowledge of the underlying infringements for Elsevier to be able to hold it liable, query as to whether any search terms that were used to target could be used to show the requisite knowledge on Chitika's part. The use of search terms as a proxy for intent has come up in the copyright context (e.g., it was used against Limewire as indicative of its intent to lure Napster users) but it would seem less probative in this context.

Posted by Eric at 09:20 AM | Copyright , Derivative Liability | TrackBack

December 03, 2011

Facebook's Trademark Enforcement Effort Against "Faceporn" Hits Jurisdictional Snag -- Facebook v. Pedersen

[Post by Venkat Balasubramani]

Facebook, Inc. v. Pedersen, et al., 10-cv-04673 (N.D. Cal.; Nov. 29, 2011)

Facebook sued Pedersen and Retro Invent, who are based in Norway and run the "Faceporn" site. "Faceporn" is a website which features pornographic content and "allows its users to create profiles, join groups, upload photos and video, and conduct live chats." Facebook served Retro Invent using the Hague Convention, and moved for default judgment.

The court, on its own motion, raises the issue of personal jurisdiction, and orders Facebook to show cause why the lawsuit should not be dismissed for lack of personal jurisdiction. Facebook argued in its filings that Faceporn targets a United States audience by using a ".com" address, and by virtue of the fact that Faceporn is an interactive website with 250 users in California and 1000 users in the United States. The court says that these allegations alone are not sufficient to satisfy the standard for personal jurisdiction:

not all material placed on the Internet is, solely by virtue of its universal accessibility, expressly aimed at every state in which it is accessed.

(citing Mavrix Photo, Inc. v. Brand Techs., Inc.).

Given the numerous foreign regulators who are taking aim at Facebook, it seems foolhardy for Facebook to argue that use of a TLD along with local registered users confers jurisdiction in a foreign country. Perhaps this argument won't directly tag Facebook because it is already subject to jurisdiction in every country where it uses the TLD, but it's not a great precedent for other internet companies. I'm somewhat surprised Facebook made this argument. Clearly, it's not an internet start-up any more.

Posted by Venkat at 10:32 AM | Domain Names , Trademark

December 02, 2011

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

[Post by Venkat Balasubramani]

Del Vecchio v. Amazon, C11-366-RSL (W.D. Wash.; Dec. 1, 2011)

Plaintiffs sued Amazon, alleging that Amazon’s use of “flash” cookies and certain browser “tokens” was misleading. In a putative class action, Del Vecchio asserted claims against Amazon under the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act, along with claims for trespass and unjust enrichment. The court dismisses the lawsuit, and although it grants leave to amend, it sends a pretty clear message to plaintiffs that they face a high (and likely insurmountable) hurdle.

CFAA Claim: The court identifies two problems with the CFAA claim. First, plaintiffs fail to satisfy the $5,000 damage threshold. Plaintiffs argued that Amazon’s use of cookies “devalued” their personal information but the court says that this allegation is entirely speculative. Did the plaintiffs really lose the ability to exchange their personal information with third parties as a result of Amazon’s use of cookies or was this ability somehow lessened? Negative, says the court. The second category of possible loss was diminished performance to the plaintiffs' computers. The court rejects this allegation as well, noting that “not one of the Plaintiffs alleges that he or she discerned any difference whatsoever in the performance of his or her computer while visiting [Amazon’s] site.”

Although the failure to meet the five thousand dollar threshold is sufficient to dismiss the CFAA claim, the court goes on to address the issue of authorization and says that Amazon’s terms of use and privacy notice disclosed to end users that Amazon uses “Flash cookies” and uses these cookies to track and serve advertisements. (Thus, the access by Amazon was not "without authorization".) Plaintiffs made the clever argument that their injury occurred at the very moment they accessed Amazon’s site (i.e., before they had the chance to read and agree to the policy) but the court rejects this, saying that any information collection only occurred as a result of plaintiffs’ use of Amazon’s site.

Consumer Protection Act: Plaintiffs’ CPA claim suffered from two similar flaws. The court says plaintiffs failed to allege any “non-speculative” injury. One of the plaintiffs claimed that after she purchased pet supplies through Amazon, she received advertisements and junk mail from companies selling pet products. The court says this allegation is too speculative. In a footnote the court notes that this type of tracking and marketing is disclosed in Amazon’s privacy policy. The court also says that Plaintiffs failed to satisfy the requirement that Amazon’s conduct be unfair or deceptive—plaintiffs did not allege any actions that were inconsistent with Amazon’s privacy policy. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm. I would assume the same is true of junk mail as well.]

Trespass to Chattels: The court dismisses the trespass argument on the basis that trespass to chattels requires an allegation that the defendant’s actions interfered with a plaintiff’s property interest in a way that affects the physical condition or plaintiff's use of the chattel, and plaintiffs failed to adequately make out this allegation.

Unjust Enrichment: Relying on the plaintiffs’ failure to allege any improprieties in Amazon’s use of cookies or collection of information, the court also dismisses the unjust enrichment claim. The court cites to In re DoubleClick case and says:

Although demographic information is valued highly . . . the value of its collection has never been considered an economic loss to the subject. Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers . . . we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors.

__

Yet another decision rejecting claims by plaintiffs who sued over the use of cookies. (See the Specific Media and Interclick cases for other recent examples.) Some courts dismiss on the basis of Article III standing, while others (as in this case) find that plaintiffs failed to allege the requisite elements of causes of action. Whichever route the courts end up taking, they have overwhelmingly rejected these lawsuits. The "personal information as property" argument ends up going nowhere--in the context of tracking, courts don't seem enthusiastic about claims where the damages are premised on loss of value to personal information.

There was an element of plaintiffs’ allegations which did not receive as much attention as I expected. Plaintiffs alleged that Amazon used a piece of code, or a “token” (a P3P "Compact Policy"), which told the user’s browser that no personal information is collected and thus allegedly “tricked” the browser into accepting Amazon’s cookies. (Here is a link to plaintiffs' complaint, which details these allegations.) The court does not get into the issue of whether even if Amazon did "trick" the user’s browser this translates into misleading the user, or whether there was some sort of implied contractual promise in the P3P Compact Policy in the first place, given that it is a string of code directed at a machine, rather than a human. The court instead relies on the fact that plaintiffs’ have not alleged any harm. In any event, the court cites to the broad disclosures in Amazon’s privacy policy, indicating that the disclosures in the policy will likely trump any claim based on Amazon's allegedly misleading use of the P3P Compact Policy.

Plaintiffs (and their lawyers) who have brought the latest wave of cookie lawsuits must be feeling pretty discouraged at this point. They’ve tried every conceivable variation of every possible argument and have gotten nowhere in the courts. We will see if they have better luck on appeal.

Related posts:
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn

Posted by Venkat at 07:00 AM | Privacy/Security

December 01, 2011

Spiritual Group's Attempt to Unmask Online Critics Goes South--Art of Living Foundation v. Does

[Post by Venkat Balasubramani]

Art of Living Foundation v. Does, 10-cv-05022-LHK (N.D. Ca.; Nov. 9, 2011)

Art of Living Foundation is an organization based in India that is dedicated to teaching the spiritual lessons of “His Holiness Ravi Shankar.” Defendants are disgruntled former “student-teachers and students” of plaintiff who want to bring to light their view that AOLF is a “manipulative and abusive cult.” Defendants posted blogs under the pseudonyms “Skywalker” and “Klim.”

AOLF sued, alleging various claims including defamation, misappropriation of trade secrets, copyright infringement and trade libel. AOLF also alleged that defendants published AOLF’s copyrighted “Breathe Sound Water Manual.” AOLF sought leave to conduct expedited discovery. This request was approved and AOLF issued subpoenas to Google and Automattic. Before Google and Auttomatic complied with the subpoenas, defendants appeared through counsel and moved to dismiss AOLF’s defamation claim, strike its trade secrets claim, and also moved to quash the discovery. Skywalker acknowledged that he published the manual, but said that he posted this solely as part of his larger campaign to bring awareness to his views about AOLF.

While the motion to quash was pending, the court granted defendants’ request to dismiss the defamation claim, and struck the trade secrets claim. AOLF filed an amended complaint limiting its claims to copyright infringement and misappropriation of trade secrets. Magistrate Judge Beller granted the motion to quash as to Klim but denied it as to Skywalker, relying largely on the fact that a prima facie claim of copyright infringement is sufficient to overcome the right to anonymity. Judge Koh, reviewing Magistrate Judge Beller’s order, finds that AOLF failed to overcome Skywalker’s right to remain anonymous and quashes the subpoena as to Skywalker.

In a characteristically excellent order, Judge Koh canvasses the various standards courts apply in resolving anonymity issues. Some courts have required plaintiffs to make a prima facie showing before ordering disclosure, while others have demanded admissible evidence establishing each element of a claim. The Ninth Circuit recently held that in resolving the disclosure issue, courts should keep in mind the nature of the speech (e.g., purely commercial versus purely political) as well as the potential chilling effect of ordering disclosure (In re Anynomous Online Speakers). Finally, and most troubling for the defendants, a widely cited 2004 decision from the Southern District of New York found that a prima facie allegation of copyright infringement entitles the plaintiff to identify doe defendants (Sony Music v. Does).

Defendant raised a fair use argument, but the court does not rely on the possibility of non-infringement in resolving the disclosure issue. The court notes that “evidence of copyright infringement does not automatically remove the speech at issue from the scope of the First Amendment.”

The court employs a balancing test where it weighs the harm to plaintiff and defendants. Disclosure of Skywalker’s identity would have a chilling effect on other bloggers, and this weighed heavily in favor of defendants. With respect to harm to the plaintiff from quashing the subpoena, the court finds that AOLF would not suffer a comparable harm. AOLF could proceed in the litigation without knowing Skywalker's identity—Skywalker had responded to written discovery, and if necessary, AOLF’s counsel could even conduct a deposition via telephone (or alternatively, Skywalker’s identity could be revealed on an attorneys’ eyes only basis). Ultimately, AOLF was unable to make a compelling argument that it needed to discover Skywalker’s identity at this point in the litigation. It raised a weak argument that it needed to find out the revenues generated from Skywalker’s blog but the court notes that this information could be gleaned through other sources, such as Google and Automattic.
__

This is a nuanced result. The court recognizes that the copyright claim is not particularly strong and there is a good chance, this is the end of the road for Art of Living Foundation. The earlier dismissal of its defamation claim (and accompanying liability for attorney's fees) is a serious blow, but the court's rejection of its request to unmask Skywalker deprives AOLF of what it was looking to get out of this lawsuit--early identification of a pseudonymous blogger. On the merits of his copyright claim, Skywalker may win on his claim for fair use or successfully argue that the damages are minimal at best. (See generally, the Righthaven debacle.)

The overall takeaway is that if you as a blogger face a claim for garden-variety copyright infringement, this type of a ruling shouldn't give you much hope. Courts will readily cite to Sony Music v. Does and order compliance with a subpoena seeking your identification. If, on the other hand, a plaintiff is using a weak copyright claim to get at you for bad-mouthing the plaintiff, a court may see it for what it is, and deny the requested discovery. Of course, this depends on your luck of the draw and requires you to be in front of a thoughtful judge and have good representation. (The ACLU, EFF, and Public Citizen weighed in as amici, which didn't hurt.) It also requires that service providers don't jump the gun when responding to subpoenas seeking identification. I'm sure on a daily basis, numerous posters and bloggers are unmasked because the circumstances are different from those in this case. Additionally, "garden-variety" copyright infringement unmaskings never get to court at all; service providers routinely make disclosures under section 512(h) without the alleged infringer even knowing it.

Added: Art of Living approached me and asked if I would add a link to an explanatory letter from them explaining their motivations in bringing the lawsuit. I've uploaded it to Scribd here.

Other coverage:
Public Citizen: Federal Judge Protects Anonymity of Blogger Despite the Allegedly Infringing Posting of a Copyrighted Teaching Manual
Techdirt: Courts Can't Ignore Free Speech Concerns Just Because Someone Claims Copyright Infringement
Wendy Davis: Court Rejects Bid To Unmask "Art of Living" Critic
RCFP: Federal judge preserves blogger's anonymity

Posted by Venkat at 04:45 PM | Copyright , Privacy/Security

Medical Justice Capitulates by "Retiring" Its Anti-Patient Review Contracts

By Eric Goldman

It's been a rough week for Medical Justice, the company that tries to help doctors suppress patient reviews. First, the Center for Democracy and Technology filed an FTC complaint alleging three main points: (1) Medical Justice deceives doctors by selling them contracts that don't work as promised, (2) the effort to suppress patient reviews is unfair under Sec. 5 of the FTC Act, and (3) Medical Justice violates the endorsement/testimonial guidelines through efforts that appear to create fake reviews for doctors. See the CDT announcement.

Second, Public Citizen filed a declaratory judgment action against a dentist who tried to use Medical Justice's contract to suppress a patient's review. The dentist didn't actually sue the patient, but she did send over a draft complaint. The DJ complaint touches on a number of interesting issues, including contract unconscionability and dentist ethics, but the copyright angles are perhaps the most interesting. See the Public Citizen announcement.

Both CDT and Public Citizen acknowledge the DoctoredReviews website, which Jason Schultz, two Berkeley students and I launched a half-year ago as a way of calling attention to the problems being created by Medical Justice's contracts. Although I'm delighted that the website was helpful to them, I'm even more grateful that they took the website's advocacy and turned it into action.

While the FTC complaint and lawsuit work their way through the system, they have already been effective: after going through multiple iterations of its review-suppression contracts, Medical Justice apparently threw in the towel and admitted it is dropping the contracts altogether. Timothy B. Lee at Ars Technica reports:

"While we believe these agreements are honest, ethical, and legal, we are going to use this situation as an opportunity to retire these written agreements used since 2007," MJ CEO Jeffrey Segal told Ars on Wednesday. He claims that MJ will recommend to doctors that they stop using the agreements, and that patients will not be asked to sign any such agreements in the future.

As usual from Medical Justice, there is enough lawyer-mumblespeak in those words to leave open the possibility that they are not completely exiting the contract-distribution business. On Twitter, Timothy reiterated:

They claimed they're retiring all versions of the agreement, and that patients won't be asked to sign anything.

We get stronger words from this MSNBC article:

“We retired the form,” said Dr. Jeffrey Segal, a neurosurgeon and founder of Medical Justice Services Inc., a North Carolina firm that claims to battle medical defamation for a fee. “We probably should have retired the agreement earlier, but today’s the day we did it.” He added that he’s telling his 3,500 members to stop using the contract in the future.

Hooray? This is exactly the outcome we sought with DoctoredReviews, but I don't exactly feel like celebrating. First, in my mind, this result was inevitable; it was only a matter of time until Medical Justice dropped the product line. Their legal position was incoherent and ultimately untenable. Second, given their track record, I'm nervous they are just cooking up something even more diabolical and anti-patient, which might make this victory hollow.

Third, and most importantly, knocking Medical Justice out of the market doesn't solve the underlying problem of vendors improperly using copyright law to control what's said about them publicly. Like moths drawn to light, inevitably other businesses will continue to explore copyright-as-a-reputation-control-mechanism. So we're going to have to keep fighting this issue until some structural change--a clear judicial precedent or legislation--makes it clear that efforts to suppress consumer reviews are unacceptable. Perhaps the results of an FTC investigation or the declaratory judgment action will provide us more certainty.

More on this topic:

* Request for Help: Doctor v. Patient Lawsuits Over Online Reviews
* Updates on DoctoredReviews.com and Medical Justice
* Dentist Pays Sizable Penalty for Not Knowing 47 USC 230--Wong v. Jing
* Announcing DoctoredReviews.com, a Website Against Doctors' Efforts to Squelch Online Patient Reviews
* "Consumer Reviews of Doctors and Copyright Law" Talk Notes
* The Regulation of Reputational Information

Posted by Eric at 08:50 AM | Content Regulation | TrackBack