Technology & Marketing Law Blog: Adware/Spyware Archives

Technology & Marketing Law Blog

March 14, 2013

Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang

Luis v. Zang, 12 cv 629 (S.D. Oh. Mar. 5, 2013)

Divorces have spawned some of the most interesting privacy disputes, such as the cases involving whether GPS surveillance of a vehicle violated one spouse’s privacy rights and whether accessing webmail using a shared computer constitutes a violation of privacy laws. This particular case involved the use of “WebWatcher” software that ostensibly allows people to monitor the computer-related activities of individuals. We blogged on a separate matter involving this divorce (see “Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute”), but this particular lawsuit is one of a three lawsuits spawned out of the divorce; two of which were filed by Javier Luis (against a variety of defendants) relating to the monitoring of his communications with Cathy Zang:

[a]lthough Plaintiff alleges that he has never met Cathy Zang in person, he alleges that he virtually met her, via a "Metaphysics" internet chat room, in January or February 2009 (Doc. 39, P 15). Shortly thereafter, Plaintiff alleges that he began to have "daily" communications, in the course of a "caring relationship" with Ms. Zang via the telephone and computer.

[Zang filed a separate lawsuit as well.] The key question before the court is whether Access Technologies, maker of WebWatcher, can be held liable for the monitoring activities conducted by its customer.

Whether WebWatcher ‘Intercepts” Communications: The court struggles with several semantic questions surrounding whether there has been an ‘interception’ as defined by the wiretap statute: (1) is information captured instantaneously; (2) is the information captured transmitted locally; and (3) is the information re-routed. The court rejects Access’ argument that there has been no interception, noting that the facts at this stage indicate a near-instantaneous capture and re-routing of information to a remote location.

Can Access be held liable for its customers’ conduct: Even assuming an interception occurred, the court says Luis’s claims fall short because remedies are only available against the individuals that “intercepted, disclosed, or intentionally used” communications in violation of the statute. The court says that the statute does not contemplate imposing civil liability “on software manufacturers and distributors for the activities of third parties.” While there is a provision of the statute that prohibits the "[m]anufacture, distribution, possession, and advertising [of devices” that can be used for interception]," (and imposes criminal liability for this activity) the court says that the civil remedies provision does not extend to this part of the statute.

The court also dismisses the litany of state law claims brought against Access (invasion of privacy, infliction of emotional distress, “bullying and harassment”) on the basis that Access did not have any knowledge of Mr. Zang’s use of the product and was not a party to any agreement that involved unlawful interception of communications. (The court does not mention Section 230, but that sounds like a fairly plausible basis for rejecting the state law claims as well.)
__

Although the two cases analyzed slightly different statutory provisions, this dispute is reminiscent of the SpectorSoft case, where a federal district court in Tennessee held that an ex-spouse could not assert federal or state law claims against the company that made monitoring software. In SpectorSoft, the court focused on whether the disclosure of communications was knowing or intentional. In this case, the court says there was an interception, but says that liability for the interception does not extend to third parties. Either way, the result is the same: in the garden-variety case, it's difficult to hold the software developer liable for interceptions effected by customers and clients. This decision reaffirms what is a fairly helpful result for developers of these types of software providers.

As far as derivative liability goes, both with respect to the Wiretap Act and the Computer Fraud and Abuse Act, plaintiffs have fared poorly in holding third parties liable for the actions of the people who actually did the monitoring, intercepting, or accessing. Courts have been reluctant to extend the reach of these statutes to third parties who did not directly participate in the allegedly wrongful activities themselves.

It's worth flagging that in addition to lawsuits from private parties, these software providers also have to worry about FTC actions. As noted in this 2008 Wired article, the FTC shut down the websites of a company that sold 'DIY spyware'.

[image credit -- kar/shutterstock: eyeball spy catcher]

Posted by Venkat at 10:25 PM | Adware/Spyware , E-Commerce , Privacy/Security , Publicity/Privacy Rights

September 06, 2012

Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute -- Zang v. Zang

[Post by Venkat Balasubramani]

Zang v. Zang, 11-cv-00884 (S.D. Ohio; Aug. 30, 2012)

This is another case involving surreptitious monitoring in the context of a divorce. I’ve half-jokingly mentioned that people who deploy monitoring or tracking software should seek the advice of counsel before doing so. Joseph Zang, who suspected his wife Catharine of infidelity, claims he did this. Unfortunately, for Mr. Zang (or for the lawyer he sought advice from), things did not work out as planned. In fact, things went about as far South as they could have possibly gone.

The court is resolving a motion to disqualify plaintiff’s counsel (Donald Roberts) brought by Joseph, and a host of others, who were all sued by Catharine for invasion of privacy and violations of the federal Wiretap Act. Apparently Joseph decided to install “monitoring software on the computer and a video camera with audio in the home” he shared with Catharine. He claims he sought counsel from Roberts, who happened to be his brother-in-law at the time. He also says he paid Roberts $1 for his legal services, and Roberts allegedly advised him that installing this stuff to monitor Catharine’s possible infidelity was kosher. Roberts allegedly said that he recommended the “Web Watcher” software to many of his domestic relations clients, and suggested a place where Joseph could purchase the software.

This all sounds potentially problematic to begin with, but here’s the bombshell: Roberts is now Catharine’s lawyer.

The court says that disqualification is required because, at a minimum, Roberts’s advice will go to Joseph’s state of mind and will affect the damages calculation. There’s also the issue that Roberts is a third-party defendant in a malpractice claim brought by Joseph.

There's an underlying he said/she said dispute over whether Roberts represented Joseph. Joseph claimed he was being given legal advice and he even paid the sum of $1 for this advice. Parties often exchange the symbolic amount of $1 with lawyers that they receive informal advice from (in order to cement the relationship and preserve the attorney/client privilege). Roberts for his part denies these allegations. I suppose the fact-finder will sort out whose version is more accurate.

There are many many other lessons to be learned from this dispute. The easy one (for lawyers) is to tread carefully when offering legal advice to your brother-in-law about possible marital issues with your sibling. If you break that rule, you should probably refrain from representing the other half of the marriage with respect to a claim that directly implicates your legal advice. If you’re going to offer up the advice, you should probably stay out of the ensuing legal dispute. (Again, it's unclear whether Roberts actually represented Joseph, but if he did, this could get ugly for him.)

Then there’s also the lesson to be learned from Joseph’s side. It’s wise to tread carefully when seeking legal advice from your brother-in-law, particularly when it relates to your marriage. If you do, you may want to make sure the brother-in-law will not flip and decide to represent your ex-spouse. Finally, and most importantly, if you do seek this type of advice, do not, under any circumstances, pay one dollar for it. I guess in the end, this goes to show that you get what you pay for in terms of legal advice.

As a final note, I'm not sure installing spyware or surveillance equipment to surreptitiously monitor someone else's communications is ever a good idea. I can see parents getting away with doing it to monitor their kids' online activities, but in any other context, if you don't have a document to point to (e.g., an employee manual) that provides at least implicit consent for this type of monitoring, you're going to have a long, uphill road to climb on the legal side.

Related posts:

Posted by Venkat at 07:48 AM | Adware/Spyware , Evidence/Discovery

June 12, 2012

State Privacy Claims not Preempted by ECPA -- Leong v. Carrier IQ

[Post by Venkat Balasubramani]

Leong v. Carrier IQ et al., CV 12-01562 GAF (NRWx) (C.D. Cal.; Apr. 27, 2012)

This case addresses the issue of whether claims under state privacy statutes are preempted by ECPA, the federal statute governing the interception, access, and disclosure or electronic communications. The lawsuit is one of the many filed against Carrier IQ, which allegedly “developed and maintain[ed] a software that is installed on cell phones and surreptitiously records the user’s keystrokes, text messages and passwords” (without the user’s consent). Plaintiffs sued on behalf of a California class, asserting state law claims against Carrier IQ. Carrier IQ moved to dismiss on the basis that the state law claims were preempted by ECPA.

Courts have come out differently on the preemption issue. Carrier IQ relied heavily on Judge Ware’s ruling in the Google Wi-Fi case for the proposition that ECPA represents a Congressional intent to comprehensively regulate the field of privacy in electronic communications. (Here’s is our previous post on Judge Ware’s ruling: “Google Not Entitled to "Readily Accessible to the General Public" Defense in Street View Class Action.”) The court disagrees with Judge Ware, noting that Judge Ware’s ruling embraces the minority position and there are several cases going the other way. The court also cites to the legislative history for the proposition that Congress actually intended to set a minimum floor for privacy in electronic communications (citing to Lane v. CBS and Valentine v. NebuAd [pdf]). The ECPA also contains a provision limiting remedies for the interception of communications where the interception does not comply with the statute, but the court says that this provision means that criminal defendants whose communications are obtained in violation of ECPA are only entitled to suppression as a remedy.

End result: the lawsuit is remanded to state court where the plaintiffs can pursue their state law claims against Carrier IQ.

The ECPA preemption argument is an important one, and will come up in a variety of contexts. While this case dealt with the interception of electronic communications, other scenarios where it may come into play is where someone accesses emails and other communications (e.g, social networking posts) or records conversations without consent authorization. The ECPA admittedly has some gaps when it comes to privacy protection for electronic communications (see, for example Anderson Consulting v. UOP and Charles Jones & Associates v. The H Group), and plaintiffs can be expected to use state law claims to fill the gaps.

It’s tough to be sympathetic with the argument from service providers or third parties who are making a preemption argument in this situation. Unlike laws regulating spam or that cover online content—where complying with a patchwork of regulation across 50 states would be untenable—complying with state laws governing the privacy of electronic communications sounds pretty doable. At least, the parties arguing preemption haven’t to date presented good examples of why this is not the case. On the other hand, it's easy to see that these types of rulings will pave the way for the class action machine to unleash state law claims, and have available yet another tool for extracting settlements.

Other coverage: Wendy Davis: “Carrier IQ Loses Preliminary Round in Privacy Lawsuit”

Inside Privacy: Carrier IQ Class Action Sent Back to State Court

Posted by Venkat at 03:05 PM | Adware/Spyware , Privacy/Security

October 14, 2011

Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore

[Post by Venkat Balasubramani with additional comments from Eric]

Dunstan v. comScore, Inc., 11-cv-05807 (N.D. Ill. Oct. 7, 2011)

Plaintiffs sued comScore, alleging that comScore improperly obtained and misused plaintiff's personal information, after plaintiffs downloaded and used comScore's software. comScore sought to have the lawsuit transferred to Virginia, which was the forum specified in a forum-selection clause in the software terms of use/EULA. The court denies comScore's motion.

A comScore Vice President testified that "before a user can install comScore software," a customer must "click the box acknowledging" that the customer read and agreed to the terms. Plaintiffs, on the other hand, alleged that the forum-selection clause was not "apparent" when they downloaded the software. They also alleged that the terms of service were "obscured" during the installation process. From the court's order, it seems like plaintiffs did not deny that they checked the box. The court resolves the apparent factual dispute as follows:

the court declines to infer that clicking a box acknowledging that a user has read an agreement indicates that the agreement was reasonably available to the user, particularly when the plaintiffs have alleged that the hyperlink to the agreement was obscured.

Whoa. Let's take another look at this sentence. The court is saying that just because a user checked a box acknowledging the user had read the agreement, this does not mean that the court can infer that the user was able to read the agreement. (???)

comScore cited to several cases where courts enforced "click-through" agreements, including Specht v. Netscape. The court says that none of the cases involved an allegation of an obscured hyperlink. According to the court, Specht acknowledged the possibility that "a click-through agreement is not enforceable if its terms are not reasonably apparent to the user." The court goes on to note:

it is not reasonable to expect a user casually downloading free software to search for such an agreement if it is not immediately available and obvious where to obtain it. As the Second Circuit noted, 'when products are 'free' and users are invited to download them in the absence of reasonably conspicuous notice that they are about to bind themselves to contract terms, the transactional circumstances cannot be fully analogized to those in the paper world of arm's-length bargaining.' [U]nder the circumstances alleged here, including that the location of the license agreement was not readily apparent, the court concludes that the forum-selection clause was not reasonably communicated to the plaintiffs . . . .

This is definitely a double-take-worthy decision. The court relies on Specht v. Netscape, but Specht is a browsewrap case, where the user did not have to indicate assent to the terms before downloading the software. Given the circumstances (free download) and the fact that the terms were not in an obvious location, the court in Specht declined to enforce the terms.

There's an easy way to solve the problem presented by Specht: have a mechanism to require the user to unequivocally indicate assent to the terms before downloading the software. Courts have upheld this type of contract formation because there is no ambiguity as to the user's assent to the terms, and this was the type of agreement comScore had in place here. The consumer cannot say that he or she did not read the terms because prior to downloading, the user has to indicate that they read the terms. (See for example Feldman v. Google, which Eric discusses in this blog post: "Google Adwords Contract Upheld (Again)".)

It's tough to understate the importance of certainty in online contracting and the predictability of online agreement enforceability. They're among the cornerstones of online commerce. Courts struggled with the enforceability of browsewrap terms, but check the box terms are widely acknowledged to be enforceable; at least there should be no bar as to mutual assent and basic contract formation. I'm not sure whether the formation process or the court went astray here (see Eric's comments below regarding the former--he makes good points regarding implementation). If there were no issues with the UI implementation or the browser, then the court's decision is off base.

[Interestingly, comScore did not argue that the dispute is subject to arbitration, which tends to indicate that the agreement did not have an arbitration clause.]

______

Eric's comments

I have a couple theories about what went wrong here. Theory #1 is that the judge was overly willing to accept a plaintiff's bald factual assertion that comScore didn't adequately present the contract. (The judge says, "At this stage, however, the court must take the plaintiffs’ word for it."). As Venkat indicates, judges have to do a little more gatekeeping than this, because plaintiffs will assert this defect in every lawsuit. If all it takes to survive a motion to dismiss is the plaintiff's bald assertion, the contracts are nearly worthless.

Theory #2 is that comScore didn't do its formation process properly. I think there is truth to this theory even if comScore went "by the book" and used what seemed like a mandatory non-leaky clickthrough agreement. It's the responsibility of software vendors/website vendors to present the contract in such an unambiguous/can't-miss-it process that NO ONE--plaintiffs' lawyers, judges, Grandma--could possibly fail to see it. The fact that the judge gave the plaintiffs the benefit of the doubt is prima facie evidence that comScore failed to do this well enough.

The case might remind us of two key lessons for lawyers advising companies implementing user agreements:

1) I don't care how brilliantly you draft your user agreement. It's also your job as a lawyer to advise your clients HOW to form the contract and to ensure they follow your advice. If your brilliant contract isn't properly formed, who cares what it says?

2) You need to look at the UI implementation across multiple browsers with a variety of settings. Even if your browser renders the agreement formation process just fine, another browser may chunk the display. This is even more crucial in the mobile environment, where UIs are even more constrained.

Posted by Venkat at 12:55 PM | Adware/Spyware , Licensing/Contracts , Privacy/Security

February 10, 2011

Comparative Domain Name and Keyword Regulation Talk Slides

By Eric Goldman

I have a busy semester of talks, so I will be rolling out some talk slides over the next few days. Today, I'm posting my talk slides from a talk I gave last month at the University of Houston as part of this event. I titled the talk "Domain Name and Keyword Regulation."

This is a newly updated version of a talk I gave in 2007 at McGeorge Law School. At the time, I was interested in how we codified various forms of domain name exceptionalism compared to other keyword navigation tools. (The impetus for that talk, in turn, comes from my Deregulating Relevancy article, where I make this point more fully). This time, I think I did a better job offering some reasons why domain names may truly differ from keywords, so perhaps the "exceptionalism" isn't as remarkable as I indicated in 2007 (or is justifiable in part).

Revisiting the talk after 4 years, what really caught my attention were the relative quantum of regulations targeted specifically at domain names and keywords, respectively. I did a search in Westlaw's federal and state statutory databases for "domain name," and I was overwhelmed with hundreds of search results. I'm amazed how many statutes call out domain names and, in some cases, subject domain names to exceptionalist regulation. I taxonomize these various types of domain name regulations in my slides.

In contrast, we still have virtually no keyword advertising-specific regulation. The only such law still on the books is the Alaska anti-adware law, a law that I believe everyone simply ignores (although perhaps it's been mooted by the demise of adware circa 2005). When I initially gave the talk in 2007, the Utah Spyware Control Act was still on the books, but Utah ultimately (and wisely IMO) repealed that law, and Utah's other flirtations with keyword regulations have fortunately petered out. Given how keyword advertising has eclipsed domain names in so many ways, I remain perplexed by this disparity in regulatory attention despite the distinguishing characteristics between the two.

Posted by Eric at 11:30 AM | Adware/Spyware , Domain Names , Internet History , Trademark | TrackBack

November 23, 2010

Wildcarding Subdomains Is OK; Reverse Domain Name Hijacking Isn't--Goforit v. Digimedia

By Eric Goldman

Goforit Entertainment LLC v. Digimedia.com LP, 2010 WL 4602549 (N.D. Tex. Oct. 25, 2010). See the related personal jurisdiction ruling from 2007 featuring a completely different but still ridiculously large and expensive cast of lawyers.

This is a super-interesting dispute involving two not-so-interesting litigants. The plaintiff Goforit runs a type of meta-search engine at goforit.com. After spending 5 minutes at the site, I couldn't identify a single reason why anyone would want to use it. Also inexplicably, Goforit appears to be quite pleased with its trademark rights in "Goforit," a term that seems more like an exhortation than a trademark.

The defendants own or operate many domain names, including "org.com," "com.org," "gov.org," and "org.net." All of these domain names have wildcarded subdomains, meaning that XYZ.com.org will lead to a working web page, no matter what "XYZ" is. (See my descriptive and normative discussion about wildcarding in my Deregulating Relevancy article). The resulting com.org web page presents a mostly useless directory of CPC links. I noticed that the pages now include a disclaimer at the top saying "xyz.com.org was not found on our servers. www.com.org is shown below" and a link at the bottom saying "Information on how you reached this site" which says:

Occasionally we receive inquiries from users who do not understand why they have accessed our site. Please be advised that you are not reaching our site as a result of spyware. We are not exactly sure why you have been directed here, however, we believe it is a result of the autosearch feature of Internet Explorer. If a site entered into the address bar cannot be accessed, Explorer apparently appends ".org" to the name and then tries to access that site. In the case of a search ending in .com, Explorer thus accesses our domain, "com.org."

Taking this statement at face value (which I recognize is questionable), this technical implementation seems like a goof by Microsoft and anyone else who automatically appends a TLD to an address bar entry. The court’s opinion doesn't mention either the disclaimer or the footer link, so they may post-date the lawsuit commencement. FWIW, the latest page in Archive.org from Aug. 2008 lacks the top disclaimer, although it does have the footer link.

Because the defendants are wildcarding their subdomains and various browsers or toolbars may be automatically adding ".com" or ".org" extensions, the net result is that users could enter "goforit" or "goforit.com" into their address bar and end up at the defendants' wildcarded com.org page, where they were presented CPC links. On the one hand, this wildcarding could have contributed to a type of consumer confusion--consumers putatively looking for goforit's navigational directory got the defendants’ navigational directory instead of, say, getting a 404. On the other hand, who cares? It's hard to believe many people were actually looking for goforit.com and yet had their browser redirect them to goforit.com.org, and those few brand-loyal users should have had no problem instantly spotting that they were in the wrong place.

So to boil the dispute down, a low-value no-name search engine is suing a low-value no-name domainer for a few allegedly misdirected users who quickly self-corrected. It's a little hard to work up a lot of sympathy in either direction. In this respect, the lawsuit vaguely reminded me of the unsympathetic marketers battling over dmv.org.

Two more oddities. First, making all favorable inferences for the plaintiff, how many users could possibly have been "diverted" from plaintiff to defendant? Second, after Goforit complained, the defendants "blocked" goforit as a wildcard, causing users who would have gotten to the defendants' site to get a 404 instead. So, adding it all up, exactly how much money could Goforit be legitimately seeking? I'm sure the defendants love the traffic they get from their scheme, but I can't imagine that the slice of their revenue attributable to "goforit" is greater than de minimis. And for this peppercorn, the plaintiff has been suing the defendants since 2006 through multiple courts--with no less than *TEN* lawyers from *THREE* different law firms listed as its counsel on this opinion. (FWIW, I count 4 lawyers from four different law firms working on the defense side, although there were multiple defendants who might have wanted their own lawyers). The entire litigation efforts seems like a nuclear flyswatter.

Fortunately, the parties' exorbitant expenditures do produce one good outcome: this opinion is one of the most conscientious and thoughtful ones I've seen this year. Huzzah for Chief District Judge Sidney A. Fitzwater!

Unfortunately for Goforit, the judge rules decisively in favor of the defendants. The court rejects Goforit’s claims over the wildcarding and sends defendants' counterclaims to the jury. I’m going to get into the minutiae of the opinion, so unless you are a hardcore domain name/trademark nerd, you should probably stop reading here.

ACPA Claim

The court rejects the cybersquatting claim because Goforit was complaining about third-level subdomains. The court says flatly: "as a matter of law, third level domain names are not covered by the ACPA." The court concludes:

Because third level domains--whether specifically designated or using Wildcard DNS--are not "registered with or assigned by any domain name registrar," a straightforward reading of the text shows that GEL cannot recover under the ACPA for defendants' use of Wildcard DNS in a third level domain.

Trademark Infringement

Goforit's trademark claim fails for lack of use in commerce. Goforit tried two arguments to establish use in commerce: "(1) defendants "used" the mark by registering a TLD website such as "com.org" and enabling Wildcard DNS, intending that third parties would enter addresses containing others' trademarks, such as "goforit.com.org"; and (2) defendants "displayed" the GOFORIT mark in the sale and advertising of their services by programming the address bar to display "goforit.com.org" after the Wildcard DNS directed the user to the "com.org" website."

On the first point, the court says that setting up a wildcarding scheme does not evidence the defendants' intent to use Goforit's trademarks. Citing the 2005 1-800 Contacts v. WhenU case, the court says:

Even if defendants could have foreseen that some third-party web users might type in a trademarked name to trigger the Wildcard DNS, the fact that the TLD websites' Wildcard function processes a trademarked input does not constitute a "use" in "sale or advertising" of services....the Wildcard function in the instant case does not handle the third-party user's trademark input as a trademark, but merely as a web address that internally redirects to the domain name's homepage....Defendants have never tried to leverage others' trademarks into profit by selling specific trademarked keywords to advertisers.

I note that the com.org website now shows the disclaimer--referencing the subdomain and possible trademark--on each page. I wonder if this would change the court's analysis.

On the second point, the court says:

A reasonable jury could only find that, in any instance when "goforit.com.org" appears in the address bar, this is because the user has somehow entered "goforit.com.org" into the address bar at some point, whether intentionally or by inadvertent misuse of shortcut keys, to trigger Wildcard DNS in the first place. It would be different if defendants had configured their website to display "GoForIt.com" on the user's address bar after redirecting users to the "com.org" site and displayed other indications of affiliation with GEL and its GOFORIT mark. But a reasonable jury could not find that there is anything deceptive in itself about calling a website what it actually is: when a user enters "goforit.com.org" into the address bar, the user may be redirected to "com.org," but that does not change the fact that the content the user is seeing is the actual content assigned to the "goforit.com.org" address.

False Designation of Origin

The court also rejects Goforit's claim that the defendants made a false designation of origin by retaining the goforit subdomain throughout a user's visit. The court says that Goforit did not produce any convincing evidence either of consumer confusion or any harm to it.

The court first does a traditional multi-factor trademark confusion test; a few comments about that:

Mark Strength: "Without any evidence of the GOFORIT mark's consumer recognition power, there is no proof that would enable a reasonable jury to find that any of the redirected users was even aware of GEL's GOFORIT mark."

Mark Similarity: the court says the relevant marks are "Goforit" compared with “com.org." The court effectively ignores the subdomain as irrelevant. Even if the Goforit trademark is compared with goforit.com.org, the court says a "reasonable jury could not find that a user would construe an address bar display, especially one that merely retains what was just inputted by the user, as a "mark" when nothing else in the page content indicates GOFORIT sponsorship or affiliation."

Product Similarity: "A reasonable jury could only find, however, that the similarity of product design is attributable to the fact that defendants' TLD Domain Name websites and GEL's GoForIt.com website are both web directories; the functional design choices are common to many web directory websites rather than distinctive to GEL, and GEL has not produced any evidence that defendants have copied any product feature that uniquely identifies GEL's services."

Actual Confusion: "According to Grant's testimony, users on message boards expressed confusion as to how they arrived at websites such as "com.org," but there is no summary judgment evidence that users mistook "com.org" to be affiliated with or approved by the websites they intended to reach. On the contrary, the fact that some users, after experiencing Wildcard DNS, suspected that they had been infected with spyware suggests that it was immediately apparent to users that defendants' websites, which lacked trademark and trade dress similarity with their target sites, were of a different origin." Perhaps this is one of the rare situations where being confused with spyware is a positive!

The court then turns to false advertising proper, saying "a reasonable jury could not find that the display of "goforit.com.org" is a literally false statement." The court considers implied falsity and rejects the elements of that:

GEL has failed to present any evidence that the redirected consumers would have found the display of "goforit" in the web address material in deciding whether to click on the advertisements on "com.org." Nor has GEL adduced evidence that would enable a reasonable jury to find that any of the affected users was even aware of "GoForIt.com" as a competing entity....because a reasonable jury could only find that "go for it" is a common expression in conversational English, and because myriad other websites unaffiliated with GEL incorporate "goforit" into their web addresses, a reasonable jury could not find that any of the users from the log files who typed "goforit" intended to go to GEL's website.

Reverse Domain Name Hijacking

After completely rejecting Goforit's claims, the court turns its attention to the defendants' counterclaims. Defendants sued for reverse domain name hijacking under 15 USC 1114(2)(D)(iv). As part of its scorched earth tactics, Goforit asked the defendants' registrar (Tucows) to impose a registration lock on all of defendants' domain names--including com.org and nearly 300 others.

Tucows did, in fact, impose the registration lock, which allegedly caused all kinds of problems for the defendants. I'm trying to figure out how Goforit convinced Tucows to lock all of the defendants' domain names. On the surface, Tucows isn't looking so great here either. [see update below]

The court says that even if Goforit had a plausible argument against com.org based on goforit.com.org (something the court left open), Goforit had no plausible argument that the other domain names violated its trademark rights. As a result, the court denied Goforit's summary judgment motion, putting the reverse domain name hijacking claim to a jury trial.

I did a little research on the ACPA reverse domain name hijacking provision. I found only 6 other cases in Westlaw citing to the damages provision in subsection (iv) (as opposed to the declaratory relief in subsection (v), which has been successfully invoked only a few times). As far as I can tell, no other (iv) case has resulted in a positive outcome for the domain name registrant. Therefore, I believe the defendants' success so far on the (iv) reverse domain name hijacking claim is the first of its kind.

Tortious Interference With Contract

The court also rejected Goforit's summary judgment on the defendants' claim for tortious interference with the defendants' contract with Tucows. There were some old cases that implied that the ACPA reverse domain name cybersquatting provisions preempted state law equivalents, so this ruling also appears to be novel.

UPDATE: I had an extended email discussion with Tucows about its role in this situation. My contact sent me the following statement:

"Tucows responded in this case as per our policy. When we receive notice of filed litigation, NOT simply a C&D or draft litigation, we lock the affected name(s). We also notify the registrant. Please remember that locking the name does not in any way disable the name, but simply ensures that the name stays in place while the rights are being sorted out. In these circumstances we are also happy to accommodate changes that a registrant may need to a setting such as DNS. Also, in the rare circumstance where this policy creates difficulties for a registrant, Tucows actively works with the registrant to find a solution that balances the registrant's rights with the need to see that an effective legal system sits behind all property rights, including domain names.

While we don't comment on specific matters, Digimedia is, and continues to be, a long time Tucows customer."

Posted by Eric at 10:04 AM | Adware/Spyware , Domain Names , Marketing , Trademark | TrackBack

April 06, 2010

Fourth Circuit: Email, ECF, and Domain Name Woes do not Excuse Failure to Respond to Summary Judgment Motion -- Robinson v. Wix Filtration

[Post by Venkat]

Robinson v. Wix Filtration Corp. LLC, 4th Cir. (Mar. 26, 2010) [scribd]

The Fourth Circuit recently held that the district court properly granted summary judgment in favor of a defendant, and rejected plaintiff's argument that counsel's failure to respond to a defense motion for summary judgment was excusable due to email, malware, and domain name issues.

As described by the court, plaintiff's counsel "was afflicted by a malware virus and . . . his counsel's firm's domain name had temporarily expired when the motion for summary judgment was filed." Counsel re-registered the domain name but the "e-mail accounts associated with the domain name were 'blacklisted' causing further e-mail problems."

The court found that plaintiff's failure to receive notice of the motion "resulted from counsel's conscious choice not to take any action with respect to his computer troubles." In the words of the court: "counsel made the affirmative decision to remain in the dark." Finding that a client must bear the consequences of his or her attorney's conduct, the court found that it was not an abuse of discretion for the trial court to refuse to set aside the judgment. The court found that plaintiff was not entitled to relief under either Rule 59(e) or 60(b).

One judge concurred, finding that the dismissal was a result of "counsel's unwise and misplaced strategic choice to litigate, ostrich-like, with his head in the sand." The concurring judge noted critically (in a footnote) that periodically checking the CM/ECF docketing system "simply was not a part of [counsel's] practice."

Judge King filed a spirited dissent, among other things, arguing that the Fourth Circuit's decision creates a "duty to monitor," and that the party should not in this case made to bear the consequences of counsel's actions. Interestingly, Judge King also argues that the exception to the rule (taken for granted as a matter of practice in many ECF jurisdictions) that ECF filing constitutes service should come into play. The dissenting opinion argues that once defense counsel became aware that plaintiff's counsel had email issues, defense counsel should have sent a paper copy of the motion in order to complete service. (The rules provide that ECF filing "is not effective if the serving party learns that [the Notice of Electronic Filing ] . . . did not reach the intended recipient," but by the time the defendant had notice of the other side's email problems, it was pretty much too late. And plaintiff's counsel should have probably checked the docket anyway, to see if a dispositive motion was filed when the deadline came and went.) Judge King also notes that imposing a "duty to monitor" will result in additional costs (in the form of PACER fees) which will fall on the shoulders of clients.

___

It's tough to not be sympathetic to plaintiff and to counsel for plaintiff. Everyone will have an email gaffe at some point in their career. (I'm not sure the failure to check the docket is as excusable.) That said, courts are not very tolerant of arguments that counsel did not respond to a motion or a deadline due to a failure to receive electronic notice. The "spam filter ate my CM/ECF notice" is often offered as an argument in these situations, but this argument typically does not get a lot of mileage. (See Shuey v. Schwab discussed in this post (court remands for consideration of the merits) and the other cases mentioned there.)

(h/t ABA Journal: "Lawyer’s Computer Virus Doesn’t Excuse Missed Dismissal Motion, 4th Circuit Says")

Posted by Venkat at 12:20 PM | Adware/Spyware , Spam

January 27, 2010

Utah May Repeal Its Spyware Control Act--SB 26

By Eric Goldman

It's that time of year again. The Utah legislature is back in session and cooking up new schemes to regulate the Internet. So far I only see one Internet-specific bill in queue, SB 26. Surprisingly, it does not directly attempt to regulate keyword advertising.

SB 26 is sponsored by Sen. Stephen H. Urquhart, who rocketed to national cyberlaw fame (infamy?) in 2004 when he sponsored Utah's Spyware Control Act. It was such a misguided law that it motivated me (in part) to write a 71 page magnum opus explaining its policy deficiencies. It was also hampered by its fairly obvious unconstitutionality, which was confirmed by a Utah court a few months after passage. (Note: I helped write an amicus brief in that court challenge, so you might interpret my assessment as an advocacy statement). Following the judicial thumping, then-Rep. Urquhart shepherded an amendment to the Spyware Control Act in 2005 that effectively neutered the law. Since then, I believe the law has sat largely dormant. The only court citation I know of was in the 2008 Overstock v. SmartBargains case, easily rejecting Overstock's mystifying attempt to make a claim under the superseded 2004 version of the law.

Among other items I'll discuss in a moment, SB 26 proposes to repeal the Spyware Control Act entirely. If passed, that would be a remarkable development because most legislators let their failed laws sit on the books unused. It takes some work to repeal a law, plus it can be a little embarrassing to repeal a law--especially after hyping up the law to get it passed initially (Urquhart had a lot of tough talk about spyware/adware in 2004-05, see, e.g., here). Kudos to Sen. Urquhart for having the fortitude to admit and fix his errors publicly.

While repealing the law would be a remarkable step on its own, it's even more remarkable in the context of the Utah legislature's track record of Internet regulation. By my count, repealing the Spyware Control Act would be at least the THIRD Utah Internet law that its legislature repealed in the past few years--the other two being Utah's 1995 digital signature act and its infamous Trademark Protection Act. For a legislature that meets only a couple of months a year, a trifecta of repealed Internet laws in the past couple of years is a stunning waste of scarce legislative resources. Wow.

As bad as that is, the three repealed laws don't even tell the full story of the Utah legislature's incompetence when it comes to Internet regulation. Recall Utah's failed attempt to line its coffers by taxing email (which turned into a big money-loser), and don't forget its repeated attempts to regulate Internet content that have spawned years of costly litigation (see, e.g., Free Speech Coalition v. Shurtleff). From my perspective, anyone looking objectively at the Utah legislature's track record of regulating the Internet would logically conclude that they should cut their losses and focus on other legislative priorities.

Unfortunately, SB 26 indicates that either hope springs eternal in the Utah legislature or they are doomed to forget the lessons of history. Despite doing some good by putting down the Spyware Control Act, the bill amazingly proposes more regulations of the Internet! To Sen. Urquhart's credit, the bill is largely clone-and-revise proposals from other places and not drafted from scratch, which may contribute less from a regulatory standpoint but at least they aren't quite as error prone. The proposed law has three main components:

1) anti-phishing/anti-pharming restrictions. I'm not sure where the original text came from. California has an anti-phishing law but I don't think this is a clone-and-revise of that law. Maybe it's cloned from another state's anti-phishing law. In any case, the anti-"phishing" proposal is noteworthy because the regulation doesn't restrict itself to email (presumably to avoid any risk of CAN-SPAM preemption). As a result, as currently drafted, it's an unlimited anti-pretexting law applicable to both online and offline conduct.

2) anti-spyware restrictions. After wiping out the Spyware Control Act, the new anti-spyware proposals are based on the California model of state anti-spyware laws, which have been followed by a couple dozen other states. The California model regulates various types of "intentionally deceptive" conduct regarding software activity. This is what Utah should have done in 2004-05 rather than trying to develop its own sui generis law. I generally don't have a problem with regulating intentionally deceptive software behavior, but it seems a little late to be enacting the laws now. Most of the regulations contemplate practices more common in 2003-06 and largely defunct now, so Utah is showing up late to a party that ended years ago.

3) a state version of the federal Anti-Cybersquatting Consumer Protection Act. I know some other states have enacted domain name protection laws (California comes to mind), but it's not clear what benefits these state laws have. As far as I know, California's law is almost never used. Tom O'Toole speculates that this bill will make it easier for Utah trademark owners to bring in rem lawsuits, but it's not clear to me how much this law will help given the rarity of ACPA in rem lawsuits (UDRPs are usually cheaper and faster for the same results) and already expansive jurisdictional principles under ACPA. Further, I wonder if this law is preempted either by the dormant commerce clause or via field preemption of the federal ACPA.

I should add that I’ve observed that Utah bills can change radically from draft to draft with little warning, even if the law is on the legislative floor for a final vote, so we'll have to see if this law transmogrifies through the process. And I am keeping a vigilant watch for any resurrected attempts to regulate keyword advertising.

Posted by Eric at 09:58 AM | Adware/Spyware , Domain Names , Internet History , Spam , Trademark | TrackBack

December 26, 2009

November-December 2009 Quick Links, Part 1

By Eric Goldman

Trademarks/Domain Names

* Yahoo and Mary Kay settled Mary Kay's trademark lawsuit over Yahoo's email shortcuts.

* uBID Inc. v. The GoDaddy Group Inc., No. 09-cv-2123 (N.D. Ill. Nov. 5, 2009). uBid’s anti-domain name parking lawsuit failed on jurisdictional grounds. Tom O'Toole explains why this is an unusual jurisdictional ruling.

* Trademark Blog: “Sellify, operator of ONEQUALITY.COM, sues Amazon over Amazon affiliates' alleged misuse of ONEQUALITY.COM as Google keywords.”

* In an unenlightening memo opinion, Second Circuit affirms the Cintas v. Unite Here opinion involving union activists’ web activities using a target company’s trademark. My initial blog post on the case.

* Bloomberg: Buyers of counterfeit luxury goods understand they are getting counterfeits, and many of them upgrade to the real thing eventually.

* Transamerica v. Moniker Online Services, 2009 WL 4715853 (S.D. Fla. Dec. 4, 2009). Domain name registrar does not qualify for ACPA's registrar safe harbor when: "Transamerica alleges that Oversee and the Moniker Defendants, together with the ostensible registrants-the John Doe Defendants-are the de facto registrants of the domain names in question. Transamerica claims that Moniker was not merely acting as a registrant in providing registration services to the John Doe Defendants for the infringing domain names, but instead was part of a scheme to profit from the use of the infringing names. As Transamerica points out, Moniker receives a fee each time an internet user clicks on one of the links attached to the infringing domain sites; such payment establishes at least partial ownership in the domain name." Troubling ruling.

* SafeWorks, LLC v. Spydercrane.com, LLC (W.D. Wash. Dec. 7, 2009). A trademark owner's preemptive registration of domain names containing typographical errors of the registrant's trademarks does not infringe a third party trademarks.

Marketing and Advertising

* In re Gemtronics (FTC ALJ decision Sept 16, 2009). A dietary supplement seller wasn't liable for comments on a website that it didn't own or control but (among other things) it had linked to. While this is great, I still believe the FTC needs to rethink its entire liability scheme of online content endorsement or adoption due to 47 USC 230. See 1, 2.

* Avvo settles Florida bar lawsuit and gets Florida to admit that client testimonials on Avvo aren't lawyer advertising. Rebecca explains why an analogous South Carolina regulation violates 47 USC 230.

* After the FDA spooked pharmaceutical companies to stop engaging in search advertising, the FDA held hearings on Internet pharmaceutical marketing. The Arnold & Porter recap. Ironically, BusinessWeek ran a story wondering if pharmaceutical ads reduce consumer demand.

* The FTC cracks down on online negative option/"continuity plan" offerings.

* In re Miva Inc. Securities Litigation, 2009 WL 3821146 (M.D. Fla. Nov. 16, 2009). The court dismissed a securities class action lawsuit over Miva's/FindWhat's investor disclosures relating to click fraud and spyware. My initial blog post on the case.

* NYT: False advertising litigation is a growth industry.

Search Engines

* A Milwaukee lawyer has alleged that another lawyer buying keyword advertising triggered by his name violates his publicity rights. I’ve posted the complaint to Scribd.

* Google is now personalizing search results for everyone, not just logged-in users. In 2006, I wrote about how universal personalization would affect SEO and concerns about search engine bias. Danny Sullivan believes Google’s change deserves "extraordinary attention."

* Google took out an ad from itself to explain why its image search results for Michelle Obama contained an offensive result. This is after it first tried to remove the image on the pretext that the website was hosting malware.

* Danny Sullivan asks some good questions about Google's integration of Twitter into its search database.

* BusinessWeek: Matt Cutts, Google’s search engine anti-spam superstar, talks about his job. He doesn't sound like the most fun person to travel with

* Rose Hagan, Google's chief trademark counsel, is retiring after 7 years at Google. She leaves behind big shoes to fill.

Posted by Eric at 02:59 PM | Adware/Spyware , Derivative Liability , Domain Names , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Trademark | TrackBack

August 06, 2009

State of the Net West Recap

By Eric Goldman

Yesterday, the High Tech Law Institute and the Advisory Committee to the Congressional Internet Caucus co-sponsored the Third Annual State of the Net West event at Santa Clara University. The featured participants were 3 members of Congress (Boucher, Goodlatte and Lofgren) and the White House CTO Aneesh Chopra, supplemented by 8 distinguished discussants. In a jam-packed morning, we covered a lot of interesting and important ground on broadband, privacy, antitrust, immigration and open government. This blog post recaps some highlights from the discussion.

Boucher on Broadband

Rep. Boucher emphasized the importance of broadband availability to economic activity and expressed concern that the US wasn't keeping up with broadband deployment (he said, "we can do better"). He offered three policy proposals for ways the federal government could help:

* revise the Universal Service Fund to allow dollars to be spent on broadband deployment; and require USF fund recipients 5 years from now to be offering broadband or be cut off from USF
* federally preempt state laws prohibiting municipal broadband offerings (which about 25 states have)
* get the FCC to develop a broadband deployment plan

He expressed disappointment with the guidelines that NTIA and the Department of Agriculture have adopted to give away the $7.2B broadband fund that was part of the stimulus package. It appears he will be encouraging both entities to rethink their guidelines.

My colleague Al Hammond was the broadband discussant. Al made a number of good points, including noting that broadband deployment is both a rural and low-income issue (Boucher appeared to be focusing more on the former) and raising concerns about municipalities not playing fair and the FCC overcounting actual broadband availability.

Boucher on Privacy

Rep. Boucher also gave a preview of the privacy bill he is planning to introduce next month. He started off by saying he likes ad targeting, especially first party targeting (he said he buys items based on customized recommendations). So he wants to encourage "appropriate" ad targeting, not eliminate it. His bill is expected to contain the following elements:

* websites collecting data will be required to post a prominent privacy policy
* users can opt-out of first party targeted ads. This also includes data sharing necessary to enable first party ads
* websites that want to share data with unaffiliated third parties will need opt-in. However, behavioral ad networks can proceed on an opt-out basis if they allow users to see and edit their behavioral profile, except for sensitive information categories that would always be opt-in
* both the FTC and state AGs would have enforcement authority

To the extent that the mandatory privacy policy and opt-out options codifies existing industry practices, this proposal generally seems benign but not worth the effort--the costs of the inevitably poor statutory drafting outweighs any benefit we might get from regulatory codification. Requiring opt-in would likely eliminate third party behavioral ad networks, which (as I've discussed before) is more likely to be a detriment than a win.

I was especially intrigued by the proposal that behavioral networks can flip from opt-in to opt-out by letting users access a user profile. I need to see more details about Boucher's thinking, but doesn't this superficially sound crazy? The most obvious problem is authentication of the user before seeing his or her profile. How would this be done? The networks usually don't know the identity of the specific individuals they are profiling, so they can't authenticate identity. And just tying profile access privileges to a cookie or machine sounds like a recipe for disaster for all shared computers. Plus, a web interface seems to increase the security risks that the bad guys can see profiles they shouldn't be able to see. On first blush, it sounds like this part of Boucher's proposal may need a complete rewrite, with unknown consequences for the entire structure of his proposal.

Mike Hintze of Microsoft was the privacy discussant. He espoused Microsoft's standard line that there should be a comprehensive privacy law.

In the Q&A, Boucher appeared willing to consider concurrent privacy enforcement authority by self-regulatory organizations, so long as they enforced the law's minimum requirements. But any self-regulatory effort wasn't a substitute for other aspects of his bill.

Lofgren on Antitrust

Rep. Lofgren said that if the Bush administration did too little on antitrust enforcement, the Judiciary committee is now concerned that Obama and Varney will do too much. Lofgren is particularly focused on the chilling effects of the mere threat of antitrust scrutiny, not just the actual successful prosecution in court of cases. Thus, an "informal" DOJ expression of interest can deter innovative activity by high tech companies.

She also expressed skepticism that antitrust laws remain effective at protecting technology markets, which are marked by fast innovation and low barriers to entry. (I believe her exact words were "traditional antitrust measures of marketplace behavior might no longer work.") At minimum, any technology-related antitrust enforcement actions should be focused on improving innovation rather than trying to manage current marketplace prices.

Finally, she said that copyright restrictions should be considered in antitrust inquiries. Mike Masnick has more to say on this.

Michael Katz of UC Berkeley was the most colorful respondent. He shared Lofgren's concern that antitrust law may be counterproductively squelching innovation, especially when companies try to capture antitrust enforcers to hassle competitors. He had especially harsh words for the FCC, calling it much less disciplined than the DOJ and observing how the FCC can blackmail companies using its leverage. He also complained that the FCC's review of mergers takes too long, and as an example of their lack of discipline, the FCC will impose merger conditions that have nothing to do with the merger.

Tim Bresnahan of Stanford and my colleague Cathy Sandoval were the other respondents.

At the end of her talk, Lofgren praised the Google Book Search settlement, saying that in some ways it lowers barriers to entry. She also said she was grateful that Google appears to have found a back-door way to liberate orphan works given that she wasn't able to pass an orphan works bill. I'm all in favor of orphan works reform, but a class action settlement seems like a weird way to get there.

Chopra on Open Government

Aneesh Chopra is the new White House CTO, a role that never existed before, which puts Chopra at Obama's elbow on all technology issues. This was Chopra's first Silicon Valley trip since he undertook his new role. His first talk was on Tuesday night at a Churchill Club event; we were his second. Lots of people were very interested in learning more about him. He was the big draw for the press, and we got an unprecedented number of walks-in based in part (we think) on his talk. He was also mobbed before and after his talk--everyone seemed to want a piece of his attention (then again, I'd love to have a chance to kick some stuff around with him one-on-one myself!).

It's easy to see why Chopra sparks such curiosity. My impressions were that he was genuinely affable, smooth without being slick, substantive without being bookish, a big fan of crowdsourcing and an even bigger fan of assessment and measurement of outcomes.

He started off by discussing the importance of technology and how the US's rate of technological performance is lagging against other countries. He then identified three ways to "turn the ship around":

1. invest in innovation building blocks, such as a smart/secure infrastructure, more R&D and improved workforce expertise
2. healthcare reform, especially improvements to the information technology side of healthcare delivery
3. an improved education system, including distance learning and more emphasis on lifelong learning

He then discussed open government issues and gave examples of ways technology can facilitate participatory governance.

Goodlatte and Discussants on Immigration

Rep. Goodlatte laid out the Republican's high tech agenda, which includes:
* skilled workforce, including immigration reform
* patent reform
* trade issues
* taxation, including efforts to define when activity in a state triggers tax obligations
* net neutrality (don't regulate but improve antitrust enforcement)
* privacy (opt-out except for sensitive information)

The panel then drilled down on immigration reform. I was really excited to have this panel because workforce issues are so central to the Silicon Valley's "secret sauce" and yet I couldn't recall a time that the HTLI had sponsored a discussion about them. Obviously immigration issues are age-old and are well-trodden, but I nevertheless found the discussion helpful--with the one caveat that everyone on the panel agreed with everyone else, so there was a lot of preaching to the choir. I learned an interesting factoid that both Reps. Goodlatte and Lofgren were formerly immigration attorneys, so they have some front-line domain expertise in this area.

First discussant was AnnaLee Saxenian of UC Berkeley. She talked about how skilled immigrants have fueled innovation in this country. She gave a number of stats in support of this, including that a majority of Silicon Valley engineers are foreign-born, and a high percentage of technology entrepreneurs and patent applicants are foreign-born individuals. She also noted that foreign-born skilled works create net new jobs and also help build better ties to their home country.

We benefit from the best and the brightest from around the world, who come to the US because of our higher education system and historically have chosen to stay. However, she is concerned about this retention because of bureaucratic barriers. She is also concerned that companies, frustrated by their lack of access to development talent, will offshore their R&D.

Finally, she pointed out that immigration discussions kludge together the issues of skilled and low-skilled workers, even though their issues are very different.

Keith Wolfe of Google reinforced many of AnnaLee's points from Google's specific experiences.

My colleague Deep Gulasekaram was the last discussant. He pointed out that free marketplaces may require free movement of labor, which isn't consistent with our current immigration policy. He raised concerns about state and local anti-immigration policies and the negative consequences of tying foreign workers to specific jobs (by linking their visa to the job).

Rep. Lofgren added a few remarks:
* Obama told her that it's time for comprehensive immigration reform. [This led to a polite back-and-forth between Lofgren, who favors comprehensive reform, and Goodlatte, who would settle for piecemeal immigration reform]
* Immigration reform is not a substitute for educating the US workforce
* We should give permanence to people we want to keep (i.e., not keep them on some treadmill with the possibility of a forced exit, which prevents their long-term life planning)
* We need to address the family of skilled immigrants, not just the immigrants themselves

More Coverage of the Event

* ABC 7 News
* KCBS radio
* Zusha Ellison of the Recorder
* Joyce Cutler of BNA (BNA subscription required)
* Mike Masnick
* Joel West
* Colette Vogele
* Warren's Washington Internet Daily also ran a story (not web-linkable) "Boucher Promises Online Privacy Bill Draft Soon"
* The extensive Twitter discussion at hashtag #sotnw. Twitterers included @ipolicy, @caminick, @persistance, @miss_eli, @techpolicygirl, @cathygellis, @mmasnick, @nextgenweb, @marianmerritt, @larrymagid, @christinela, @mblatkin, @seangarrettnow, @vogelelaw (who didn't always use the hashtag--we will try to publish a standardized hashtag at future events). Whew! Apologies if I missed anyone. I can't recall seeing more Twitterers in an audience--everyone seemed to have their Twitter page up constantly. As usual, I didn't turn on my computer at the conference (I take notes by hand and blog them later), so my comments seem woefully out-of-date already!

We plan to post the event audio soon so you can listen for yourself. I'll announce the audio posting at my Twitter account when it's live.

UPDATE: Audio now available: Download (item 27) or Stream

Posted by Eric at 10:54 AM | Adware/Spyware , Copyright , E-Commerce , General , Internet History , Marketing , Patents , Privacy/Security | TrackBack

July 06, 2009

June 2009 Quick Links, Part 1

By Eric Goldman

Just a reminder that I post some items to Twitter that don’t make it into these monthly recaps. If you want even more, you can track a superset of my online activities at Friendfeed.

Search Engines

* All Things Digital had an interesting 3 part series on the role of humans in configuring Google's algorithms: Scott Huffman; Matt Cutts; Amit Singhal. My initial 2005 blog post on the topic.

* More evidence of the deleterious consequences of latency on users' enjoyment of search results pages.

* Google is stumping in favor of its book search settlement deal and putting on the "charm offensive."

* Wired on niche search engines competing around the edges of Google.

* Google has dropped its feature that allowed quoted sources to reply in Google News.

* First, kosher phones. Now, kosher search engines.

Trademark

* Wendy Davis on a trademark lawsuit against Craigslist for allegedly infringing ad copy supplied by one of its users.

* Rookie mistake: Tony LaRussa publicly announced a settlement deal in his trademark lawsuit against Twitter before the papers were signed. Guess what....NO DEAL! UPDATE: A deal was struck subsequently.

* Speaking of which...the WSJ on Twittersquatting.

* WSJ: Europe's High Court Tries On a Bunny Suit Made of Chocolate. The EU struggles with trademarkability of chocolate bunnies.

* Productive People, LLC v. Ives Design (D. Ariz. May 29, 2009). TRO against a domainer.

* Oddee: 10 of the Worst Restaurant Names ever.

Copyright

* Supreme Court declined certiorari in the Cartoon Network v. CSC case.

* Arista Records LLC v. Usenet.com, Inc., 2009 WL 1873589 (S.D.N.Y. June 30, 2009). Usenet service provider committed (1) direct copyright infringement (because it “actively engaged in the process so as to satisfy the “volitional-conduct” requirement for direct infringement”) as well as contributory infringement, vicarious infringement and inducement of infringement. This case was colored by defendants’ evidence spoliation and the lack of a viable 512 defense; in situations like this, courts smack down defendants hard. The court’s analysis would be troubling for many online service providers if this case isn’t an outlier. Mike Masnick has more on the import (or lack thereof) of this case.

* Brave New Films 501(C)(4) v. Weiner, 2009 WL 1622385 (N.D. Cal. Jun 10, 2009). BNF was denied summary judgment on its declaratory judgment request because (a) Savage never threatened BNF directly, and (b) ORTN, which did threaten BNF directly, isn't the copyright owner. My previous coverage of this case.

User Agreements

* In the Matter of Sears Holdings Management Corporation. The FTC busted Sears for installing tracking software/spyware, even though Sears (1) asked all users to expressly opt-in, (2) paid users $10 to install the software, and (3) made full disclosure of the thorough tracking function of the spyware in the user agreement, albeit late in the installation process and in a buried fashion.

* Universal Grading Service v. eBay Inc., No. 08-CV-3557 (E.D.N.Y. June 10, 2009). eBay venue selection clause upheld.

* McMillan v. Wells Fargo, 2009 WL 1686431 (N.D. Cal. June 12, 2009). Wells Fargo asks some customers to agree to four different documents with differing governing law/venue selection clauses, leading to massive judicial confusion about how to determine governing law and venue.

* I’m using EFF's new "TOSBack" tool to track changes to major online services' user agreements. For my commentary on an article by Becher/Zarsky predicting the development of tools like this, see my writeup.

Posted by Eric at 04:54 PM | Adware/Spyware , Copyright , Derivative Liability , Domain Names , Licensing/Contracts , Marketing , Search Engines , Trademark | TrackBack

June 26, 2009

Anti-Spyware Company Protected by 47 USC 230(c)(2)--Zango v. Kaspersky

By Eric Goldman

Zango, Inc. v. Kaspersky Lab, Inc., 2009 WL 1796746 (9th Cir. June 25, 2009)

The case involves Kaspersky, an anti-spyware software vendor, and Zango, the former purveyor of adware (I say "former" because Zango shut down a few months ago). Kaspersky classified Zango's software as adware and did some other things that allegedly interfered with Kaspersky users' ability to download and enjoy Zango software. Zango sued Kaspersky, and Kaspersky defended on 230(c)(2) grounds.

Note: 47 USC 230(c)(2) is the underlitigated/under-discussed sibling of 230(c)(1), which provides nearly absolute immunity for third party online content and actions.

In my opinion, 230(c)(2) fairly clearly protects all types of online filtering decisions, and this panel confirms that it protects anti-spyware classifications. As the court concludes:

a provider of access tools that filter, screen, allow, or disallow content that the provider or user considers obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable is protected from liability by 47 U.S.C. § 230(c)(2)(B) for any action taken to make available to others the technical means to restrict access to that material.

While I think this is the right result, both normatively and descriptively, 230(c)(2) is not exactly the best-drafted statute, and this panel (being the first appellate court to work through the language) appeared to struggle with some of its frayed edges.

For example, to become eligible for 230 protection, the defendant must be a provider or user of a service that "provides or enables computer access by multiple users to a computer server." [In this case, Kaspersky didn’t claim it was a user.] How does this language apply to an anti-spyware software provider? Typically, anti-spyware software phones home for new spyware definitions, but if a phone-home capability qualifies for 230 protection, then many/most software vendors should qualify (so long as they offer some filtering capability). I’m personally OK with that result, but I suspect it takes the statute beyond the drafters’ initial intent.

The panel also sidestepped some other drafting problems in 230(c)(2), including:

* does it immunize decisions to filter other software, as opposed to filtering content? The drafting clearly meant to immunize filters of porn and similar kid-unfriendly content, but the language doesn’t apply as clearly to software filtering.

* must the filtering provider make its categorizations in good faith? The court ducks this question. However, Judge Fisher’s concurrence expresses concern that 230(c)(2) might literally protect a vendor’s anti-competitive or capricious blocking. He gives an example of “a web browser configured by its provider to filter third-party search engine results so they would never yield websites critical of the browser company or favorable to its competitors. Such covert, anticompetitive blocking arguably fits into the statutory category of immune actions.” I agree with this, although I’m also confident that any such browser provider would lose its customer base if such biases were ever publicly exposed. Therefore, legal liability may not be necessary to discourage this behavior.

Ultimately, this ruling may not affect the litigants very much, as Zango has already gone belly-up, making this effectively an advisory opinion. However, I think this ruling is important for everyone else for two reasons:

First, the Ninth Circuit's last two 230 opinions (Roommates.com and Barnes) have exhibited some hostility to expansive 230 readings. In refreshing contrast, this opinion gives a robust interpretation to 230’s immunizations.

Second, this opinion is terrific news for vendors of anti-spam/anti-spyware/anti-virus services. Although we have long suspected that they would be protected under 230(c)(2), this opinion codifies their immunization as Ninth Circuit law. As a result, these vendors should continue to have a high degree of freedom to make judgments about how to best serve their customers. On the flip side, this opinion confirms that anyone blacklisted by these software vendors can’t use judicial proceedings to change the classification. Fortunately, most reputable vendors offer an extra-judicial mechanism to correct their misclassification errors.

It remains less clear if this opinion protects search engines for their ranking determinations. The statutory words interpreted in this opinion aren’t germane to search engines. Even so, the panel’s broad reading of 230(c)(2) can’t be bad news for the search engines.

The case library:

* Ninth Circuit oral arguments
* Zango's reply brief [warning: 3+ MB file]
* Amicus brief by CDT in favor of Kaspersky
* Kaspersky's answering brief [warning: 5MB file]
* National Business Coalition on E-Commerce and Privacy amicus brief in favor of Zango
* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 01:13 PM | Adware/Spyware , Derivative Liability | TrackBack

May 03, 2009

April 2009 Quick Links

By Eric Goldman

[Just a reminder that I am posting some “quick links” exclusively to my Twitter account, so if you want to keep up with everything, follow me at Twitter or subscribe to the RSS feed.]

Marketing/Spam

* Zango is dead (and so is adware), Ken Smith, Zango's CTO, conducts a post mortem: What Zango Got Wrong and What Zango Got Right. Mike Masnick's post-mortem.

* The FDA's instructions about pharmaceutical search marketing have led to lots of confusion. See Search Engine Land and the NYT.

* NYT: "Never Mind What It Costs. Can I Get 70% Off?"

* Tsan Abrahamson on social media and marketing law.

* Asis Internet Servs. v. Consumerbargaingiveaways. A district court diverges from Mummagraphics and says CAN-SPAM does not preempt CA's anti-spam law even if there is no common law fraud.

* Jackson v. American Plaza Corp., No. 08-8980 (S.D.N.Y. April 28, 2009), A Craiglist advertiser isn't a third party beneficiary of Craigslist's contract for purposes of stopping another advertiser from breaching the contract (in this case, spamming the forum).

Defamation

* Gardner v. Martino (9th Cir. April 24, 2009). I'm not a fan of talk radio, and the 9th Circuit apparently isn't either. The court upheld an anti-SLAPP dismissal of a defamation claim against the radio talk show host because "The Tom Martino Show is a radio talk show program that contains many of the elements that would reduce the audience’s expectation of learning an objective fact: drama, hyperbolic language, an opinionated and arrogant host, and heated controversy." Accord DiMeo v. Max. As Marc Randazza notes, rulings like this pose a challenge for those who think contextually ridiculous statements should be treated as "cyberbullying" or "cyber-harassment." Cf. the Finkel v. Facebook case involving asinine but clearly meaningless chatter on a private Facebook page.

* Some big defamation losses reported by CMLP:
- Blogger hit with $1.8M damage award.
- $12.5M defamation judgment against a gripe site.

* CMLP has a page organizing all of its 47 USC 230 material.

Intellectual Property

* Publicly republishing a private email leads to a default judgment of copyright infringement.

* Bryant v. Europadisk, Ltd., 2009 WL 1059777 (S.D.N.Y. April 15, 2009). In 2000, musicians authorized distributors to distribute their [hard copy] recordings, which the defendants ultimately ripped and allowed Amazon and Rhapsody to deliver via downloading. The resulting lawsuit turned on the interpretation of the license agreement term “internet sites.” The court says the term "is not ambiguous and does not extend to websites selling digital copies of songs. At the time the parties entered into the agreements, The Orchard sold physical copies only. As its Vice President explained by affidavit testimony, digital downloads of music did not become a “viable business” until iTunes was launched in approximately April 2004, long after Media Right and Gloryvision entered into contract."

* Octomom is seeking trademark registrations.

Miscellaneous

* GeoCities is shutting down.

* eBay will referee customer disputes.

* Wilson Sonsini's VC financing term sheet generator.

* Oddee: 10 Most Bizarre [Online] Gaming Incidents

Posted by Eric at 06:31 AM | Adware/Spyware , Content Regulation , Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Spam , Trademark , Virtual Worlds | TrackBack

April 12, 2009

Q1 2009 Quick Links, Part 4

By Eric Goldman

Security

* Massachusetts Data Security regulations were amended.

* In Facebook v. Power.com, Facebook brought another lawsuit to block extraction of user data from the site (similar to the Facebook v. ConnectU lawsuit). Venkat, Masnick, News.com, NYT, Justia. In this case, I wonder if Facebook has adequately distinguished between Power.com's behavior and the operation of its own "Find a Friend" service that taps into third party email servers to extract email addresses. Power.com’s response.

* Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. Jan. 7, 2009). IP infringement isn't a cognizable harm under the Computer Fraud & Abuse Act.

Adware/Spyware

* Who says Valentine's Day is just a Hallmark holiday? Sales of spyware and other tools to track cheating SOs also increase around Valentine's Day.

* Susan Brenner on the Cybercrimes Treaty and the US's decision not to criminalize possession of malware as required by the treaty.

Venture Capital

* BusinessWeek: Silicon Valley innovation is being stifled by VCs who only want to make small bets, not big bets. But VC investing is faddish, so the wind might change tomorrow.

* $600M of VC investments in virtual worlds.

Contracts

* Burcham v. Expedia, Inc., 2009 U.S. Dist. LEXIS 17104 (E.D. Mo. Mar. 6, 2009). Buyer was bound to user agreement even though he argued (without any evidence) that someone else established the account he used. This dovetails nicely with the broad reading of who is bound by an online user agreement; see my discussion in the Lori Drew case. Jeff Neuburger's writeup. Aside: I wonder if Expedia will be insulated by 47 USC 230 for the allegedly wrong description of amenities if they got the description of the hotel from third parties. For an analogous result involving the binding of users who didn't agree to the initial contract, see CoStar Realty Information, Inc. v. Field, 2009 WL 841132 (D. Md. March 31, 2009).

* Fractional Villas Inc. v. Tahoe Clubhouse, No. 08cv1396 (S.D. Cal. Feb. 25, 2009). Citing the RMG case, the court says that merely visiting a site may be sufficient to bind visitors to a browsewrap. However, in this case, there was insufficient evidence that the defendant had ever visited the site.

* Cherny v. Emigrant Bank, 2009 U.S. Dist. Lexis 2486 (March 12, 2009). Latest case that breach of privacy policy isn’t actionable unless there are actual damages. Venkat’s writeup.

* A stat I fully believe: "studies have shown that more than half of all companies cannot even locate signed copies of 10% or more of their contracts." The Zen Master asks: if both parties think they have entered a contract but neither can find a copy, do they have a contract? (this has really happened to me before).

Taxes

* Amazon v. New York and Overstock v. New York (N.Y. Sup. Ct. Jan. 12, 2009). Kudos to New York for finally figuring out a way to break the Internet and defeat the Internet Tax Freedom Act by treating Amazon Associates as traveling salespeople for sales tax collection purposes. I imagine every state in the country will jump on this bandwagon, at which point some e-tailers will kill their affiliate program and others will end up imposing sales tax collection nationwide.

* Pitt County v. Hotels.com, L.P. (4th Cir. Jan. 14, 2009), Online travel aggregators aren't "retailers" (as referenced in the statute) for purposes of collecting local hotel occupancy taxes.

General

* Some interesting cyberspace exceptionalism developments involving cases where paper presentation may be different from electronic presentation of the exact same content. In Smith v. Under Armour, Inc., 2008 WL 5486764, web payment confirmations displayed on-screen are not "printed" within the meaning of the Fair and Accurate Credit Transactions Act. Accord Smith v. Zazzle.com, Inc., 2008 U.S. Dist. LEXIS 101050. See generally this Proskauer recap. In Saulic v. Symantec Corp., a California law prohibiting data collection with credit card sales was held inapplicable online.

* Sudduth v. Donnelly, 2009 WL 918090 (N.D. Ill. April 1, 2009). Plaintiff got stiffed on his eBay transaction and sued eBay for 1983 equal protection and conspiracy claims as well as a Title VI civil rights claim. Because eBay isn't a state actor, however, the court dismissed eBay.

* My colleague Steve Diamond is blogging every detail of the battle for SAG's soul over at his new blog, King Harvest. For example, he summarizes the travails of the Screen Actor's Guild.

* Oddee: 10 Geekiest T-Shirts. I own a t-shirt that says "I'm Blogging This" (a gift from a former student) and a mug that says "Vegetarian Blogger" (gift from a colleague).

* Oddee: 15 Most Unfortunate Town Names. I think Licking County should have been a contender.

* Is there any better sign of Cyberlaw's maturity than the publication of Internet Law in a Nutshell? [Amazon Affiliates link]

* Oddee: 12 Most Ridiculous Lawsuits. I welcome your nominations for the most ridiculous Internet lawsuits of all time. I hope to write that up some day.

* Happy birthday, Gmail! Best email software I've ever used. The battles over Gmail privacy seem so...2004!

Free Stuff

* The Ninth Circuit recently updated its website...with RSS feeds!

* Nolo Press' "NDAs for Free." Potentially useful site.

* I have one extra copy of my Fall 2008 Cyberspace Law course reader. First person to send an email with their mailing address gets it. [CLAIMED]

Posted by Eric at 12:03 PM | Adware/Spyware , E-Commerce , Licensing/Contracts , Privacy/Security , Trade Secrets , Virtual Worlds | TrackBack

March 04, 2009

Utah Trying to Regulate Keyword Advertising....Again!? Utah HB 450

By Eric Goldman

When I first heard that the Utah legislature is considering yet another law to regulate keyword advertising, I thought: Are you kidding me? After all, Utah has pursued these regulations twice with disastrous results. The first time, in 2004, Utah's attempt to regulate adware-mediated keyword advertising was declared unconstitutional, and Utah amended the law in 2005 to make it irrelevant. In 2007, Utah tried again, passing a law that restricted keyword advertising across-the-board. That law was a spectacular failure, garnering derision both within Utah--especially from angry Utah citizens shocked that their elected representatives passed a law that the state AG thought was unconstitutional and that was going to cost valuable taxpayer money to defend in court--and globally as everyone wondered if the Utah legislature was really that crazy. In 2008, the legislature tucked its tail between its legs and repealed the 2007 law.

With this track record, the Utah legislature wants to try regulating keyword advertising again...? Are you kidding me?

Then again, perhaps this latest foray really isn't all that surprising. My sources tell me that 1-800 Contacts is the prime mover behind this statute, and 1-800 Contacts has testified in support of the law. 1-800 Contacts has an hard-to-explain love/hate relationship with keyword advertising. 1-800 Contacts has been a repeat litigant against keyword advertising, including being the losing plaintiff in the landmark 1-800 Contacts v. WhenU case, and 1-800 Contacts has continued to bring other lawsuits against competitive retailers (such as the LensWorld case I blogged about a year ago). At the same time, 1-800 Contacts has been a buyer of trademarked keyword ads, and it was one of the companies that protested the 2007 law because it was concerned the law would limit its own advertising practices (although, at the last minute, 1-800 Contacts flip-flopped and tried to sneak in new restrictions on keyword advertising into the putative repeal of the 2007 law). Clearly, 1-800 Contacts has a complex attitude towards keyword advertising, although it might just be pure duplicity. Either way, with 1-800 Contacts’ flip in 2008 and its continued litigation against keyword advertising, it’s not unexpected that they might try to bend the ear of the apparently pliable Utah legislature.

The Proposed Law

The 2004-05 laws banned trademark-triggered pop-up ads triggered by adware. The 2007 law allowed trademark owners to register their marks with a newly created Utah administrative registry (which never got created) and prohibited keyword buyers and sellers from using registered marks as triggers for keyword advertising. HB 450, the proposed 2009 law, takes a very different approach than the 2007 law:

Fewer Defendants. The law only applies to keyword buyers (advertisers). Unlike the last two laws, keyword sellers such as search engines are immune from liability under this law. However, the law is expansive in other ways: the law expressly holds an advertiser liable for affiliates' keyword purchases (a currently open point in trademark law), and the law expressly references telephone directory assistance advertiser as being within its scope.

Opt Out. The law only applies after the trademark owner sends a takedown notice/cease & desist demand to the advertiser. Further, if the advertiser stops within 10 days of the takedown notice, it is not liable for any remedies under this law. (They might still be liable under other legal doctrines).

Limited Remedies. My reading of the law is that the only remedies against an advertiser are an injunction and attorneys fees--no damages. I'm not 100% sure about this because some states have laws that create damage claims outside the scope of any specific statute (I'm thinking of California B&P 17200). I don't know if Utah has a catchall provision like that.

Geographic Restrictions. One of the most deficient aspects of Utah's 2007 law was that it required advertisers throughout the country to check the new registry before buying keyword advertising on a third party trademark, even if the advertiser, the keyword seller and the trademark owner all had zero connection with Utah. This law tries much more clearly to restrict its reach to Utah. First, the law only applies to ads "in Utah," whatever that means. Second, the law only restricts keyword buys made from sellers that allow "an advertiser to limit the display of advertisements by geographic location." I'm not exactly sure what this means--after all, a site like eBay segregates its listing database by country; does that mean eBay gives advertisers geographic choices?--but it's clear that an advertiser purchasing ads from a seller that doesn't offer any geolocation choices isn't covered by the law. Third, the law doesn't apply if segregating Utah ad viewers from non-Utah ad viewers isn't "technologically feasible" or would impose "an undue financial burden." I'm not saying that this law will survive a dormant commerce clause challenge--personally, I think all state regulation of the Internet is inherently suspect--but the law certainly tried to limit its reach to Utah.

Narrow Scope. The law applies when "the delivery or display of an advertisement in Utah...is the product of a bad-faith attempt to profit from the registrant's mark by diverting a consumer from the registrant, the registrant's authorized licensees, or another source authorized by the registrant." The statute provides for a multi-factor evaluation of what constitutes a "bad faith diversion" by keyword advertising, with the first factor being that the ad "is likely to create an initial, misleading impression that the person is a legitimate source of the goods or services" (which itself is subject to another multi-factor evaluation). Personally, I don't think there is such a thing as bad faith diversion or initial misleading impressions with respect to truthful ad copy, so this ought to be a null set. Even so, the law lists a number of categorical exclusions from its coverage, including:

* advertiser belief that the ad is fair use. Note: the bill uses the term "fair use" several times, even though this term is not well-defined in trademark law. So it isn't clear to me if "fair use" meant descriptive fair use, nominative use, both, neither, or yet something else.
* the sale is permissible under the First Sale doctrine. This should exclude keyword buys by other parties in a trademark owner's distribution channel. However, as I recently blogged, courts are struggling with the First Sale doctrine's application to e-commerce.
* "(a) fair use of a mark in comparative commercial advertising or promotion to identify the competing goods or services of the owner of the famous mark; (b) noncommercial use of a mark; and (c) all forms of news reporting and news commentary." This is an interesting set of exclusions; it looks like the drafter tried to (incompletely) mimic the federal dilution exclusions. However, the implicit redundancy with the other fair use aspect mentioned above also raises a question why (a) only applies to famous marks. That's either a drafting error or a significant limitation on that prong.

So What Does This Law Do?

From my reading, it appears that this law does not apply to gripe ads or trademark conflicts within a distribution channel. Therefore, I think the law really only applies to advertising on competitors' trademarks, and even then, only some of the ads.

Given the application to competitive keyword advertising and the focus on an injunction as a remedy, this law covers only limited circumstances that are not already addressed by the search engines' trademark policies, which provide an extrajudicial "injunction." Indeed, this law is nearly co-extensive with Yahoo's and Microsoft's trademark policies. On the other hand, the law would govern situations that Google isn't remediating with its trademark policy because it could force advertisers off keywords that Google would happily sell. Furthermore, the ambiguous application of the law to keyword buys from places other than search engines, such as telephone directory assistance services, may implicate some keyword sellers who don't currently have trademark policies.

Conclusion

If I'm right that this law simply codifies current search engine trademarks policies and extends them some, then this law isn't as problematic as Utah's last two efforts. But it also makes me wonder--what's the point? Doesn't Utah have more important problems to solve???

Even if the law is less troublesome than the last two, let's be clear: this is not a good proposal. As with Utah's past two efforts, this law has nothing to do with improving consumer welfare. Instead, it would allow companies to suppress competition by helping companies keep their competitors from gaining exposure among the company's potential customers; meaning that companies won't have to work as hard competing on price and quality. I understand why companies such as 1-800 Contacts, who has a pattern of trying to use legal tricks to suppress competitors, would find it attractive to ply their local legislators for some corporate welfare. But why any legislator would waste their time with such an unabashed anti-competitive, anti-consumer request is simply beyond me. As I have explained elsewhere, policy-makers should be helping consumers get relevant content, not enacting laws to take it away from them.

The bill is making its way through the Utah House, and my observation of Utah legislative proceedings is that bills can be amended substantially from beginning to end. So this bill could get better, or it could get much worse. Fortunately, a coalition of Internet companies is lobbying against the bill, and the bill barely survived its first committee hearing on an 8-6 vote. Thus, it's not guaranteed that this law will make it through. My hope is that the Utah legislators will recognize the law’s depravity and their own poor track record in the area and squelch this latest effort.

Posted by Eric at 09:55 PM | Adware/Spyware , Derivative Liability , Domain Names , Marketing , Search Engines , Trademark | TrackBack

February 24, 2009

Zango v. Kaspersky Ninth Circuit Oral Arguments

By Eric Goldman

The Ninth Circuit has posted the audio of the February 2, 2009 oral arguments in Zango v. Kaspersky, the important 47 USC 230(c)(2) case about vendors' abilities to classify third party content as spam, viruses, adware/spyware, etc. The judges were Betty Fletcher, Pamela Rymer and Raymond Fisher.

The judges' questions were pretty good. Judge Fisher was by far the most spirited jurist at this hearing. It was interesting to hear him tell Zango's counsel that he thought Batzel and Roommates.com are irrelevant to the case. But Judge Fisher also asked a tough question of Kaspersky's counsel about why McAfee has blocked him from getting to websites he wanted.

HT: Venkat

The case library:

* Zango's reply brief [warning: 3+ MB file]
* Amicus brief by CDT in favor of Kaspersky
* Kaspersky's answering brief [warning: 5MB file]
* National Business Coalition on E-Commerce and Privacy amicus brief in favor of Zango
* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 05:44 PM | Adware/Spyware , Derivative Liability | TrackBack

February 06, 2009

2008 Cyberlaw Year-in-Review

By Eric Goldman

It's a sign of my schedule that I'm just now getting to this, and this post will be more pithy than I initially conceived. This post recaps some of the Cyberlaw highlights from last year. Frankly, the two biggest stories of 2008 were the financial markets meltdown and the ascension of President Obama, neither of which have a lot of Cyberlaw angles. In light of those big developments, Cyberlaw in 2008 was comparatively quiet. However, there is still plenty of interesting developments to revisit.

Broad Themes

A few broad themes emerged last year:

* Ludicrous trademark claims. 2008 hardly had a monopoly on dumb trademark claims; those are perennial. But 2008 certainly saw some asinine entries, including putative Cyberlawyer Eric Menhart's claim to own a trademark in the term "Cyberlaw," Jones Day's efforts to claim that a web page referencing its name as the employer of some homebuyers violated its trademark rights, and putative Cyberlawyer John Dozier's claim that if his name is used as anchor text, the link must go to his website or it violates his trademark right.

* This was a good year for expansive readings and applications of user agreements. Some examples:
- the Lori Drew prosecution, where Lori was convicted of violating an agreement that someone else clicked through.
- Jacobsen v. Katzer, where a user of copyrighted material is bound by a contract that he/she never clicked through at all.
- AV v. iParadigms, where kids were not allowed to void a user agreement despite their status as minors (and despite the fact that some of them had no meaningful choice about whether or not to consent).
- JuicyCampus enforcement action, where the New Jersey Attorney General's office tried to treat a negative user behavioral restriction in a user agreement as an affirmative marketing representation that such user behavior would not occur on the site.

* One of the long-standing Cyberlaw memes is that websites must either be passive conduits to avoid liability or active editors to manage their liability, but if a website chooses the latter, the website is liable for any editorial mistakes. That is, if the website edits its site but misses something, it's fully liable for what it missed. This simply isn't true under 47 USC 230, which allows websites to choose to be passive, active or anything in between without varying liability. In the IP context, this passive v. active meme has had more traction, but 2008 saw two solid cases suggesting that if a website tries to police its premises and fails, courts will be sympathetic and excuse any omissions. Example #1: Tiffany v. eBay, where the court gave eBay extra credit for its VeRO program as a basis to excuse any counterfeit goods that slip through. Example #2: Io v. Veoh, where the court was more willing to excuse Veoh because it had undertaken extra policing efforts than was required for the 17 USC 512 safe harbor. Finally, although not an IP case, the court in Cisneros v. Yahoo also lauded search engines for their affirmative efforts to block gambling ads, which the court acknowledged was a hard challenge.

* Despite some adverse rulings early in the year, punctuated by the Ninth Circuit's en banc ruling in Roommates.com, the 47 USC 230 immunization is still extremely robust. We saw a number of expansive and pro-defense rulings per 230 throughout the year, including Craigslist, Doe v. MySpace, Cisneros v. Yahoo and Goddard v. Google. Perhaps more importantly, in the three 230 cases I've seen since Roommates.com that cited to the opinion, all three cited the opinion in ruling for the defense.

* Battles over keyword advertising are hardly over, even though Utah officially backed off its attempt to ban them. The ABA IP Section tried to get into the act, and American Airlines sued Google, settled, and then sued Yahoo.

Top 11 Cyberlaw Developments of 2008

#11: Utah Trademark Protection Act repealed. The Utah Trademark Protection Act had the potential to throw the entire keyword advertising business into turmoil. Instead, now that it's repealed, it just remains as a dramatic reminder of the Utah legislature's incompetence regarding Internet legislation.

# 9 and 10: Fair Housing Council v. Roommates.com and Goddard v. Google. The Roommates.com en banc opinion makes the list based mostly on its potential consequences, not its actual effect. It remains one of the most significant pro-plaintiff incursions into the solidly defense-favorable interpretations of 47 USC 230, but it's so riddled with contradictory and ambiguous language that no one really knows what to do with it. I think Judge Fogel's reading of the case in Goddard v. Google has the potential to become the defining interpretation of the case, and his solidly defense-favorable reading of the precedent in excusing Google for ads placed by its advertisers may only reinforce how little Roommates.com changed the law.

#8: AV v. iParadigms. This case was a terrific win for online fair use enthusiasts because the for-profit commercialization of a database of third party copyrighted works was still deemed fair use. The upholding of the contract against the minors forced to enter into it was also significant. Before this ruling, my assumption is that any plaintiff trying to form a class action lawsuit in the face of an adverse user agreement could always form the class on behalf of any minors who had the right to void the contract. This case seems to shut down that loophole in user agreement protection.

#7: Io v. Veoh. The 17 USC 512(c) safe harbor has been law for over a decade and has produced a couple dozen rulings, but few are cleaner and more decisive for the defense than this one. It was a textbook example of a court rejecting the many different arguments plaintiffs make to kick a defendant out of the safe harbor, and as mentioned before, it was a great validation for Veoh's decision to do more than 512 required.

#6: Jacobsen v. Katzer. From a doctrinal standpoint, this case raises really difficult questions about how a copyright consumer can be bound to terms that he/she never "assented" to. Even so, this case had huge implications because it effectively validated that open source licenses can be binding on licensees, giving much more legal credibility to the entire multi-billion open source software industry. However, an odd footnote: on remand, the district court denied an injunction for the plaintiff, raising more issues about what exactly the plaintiff won at the Federal Circuit.

#5: Tiffany v. eBay. A fantastic validation of eBay's practices against a very serious and sympathetic challenger who had plenty of evidence that counterfeit goods were being sold on eBay's site. The case also shows that courts can grow tired of IP owners simply making up their own rules about how online sites should protect them and then suing the sites for breaching these artificial rules.

#4: Mazur v. eBay. A more scary case to 47 USC 230 defense enthusiasts than the Roommates.com opinion. The court says that eBay isn't protected by 230 for some of the marketing representations it makes, even if those representations are rendered untrue by third parties. While this makes a lot of doctrinal sense, it is also a green light for plaintiffs to mine a website's marketing representations as a way to bypass the otherwise-fatal consequences of 230 on a lawsuit triggered by user behavior or content.

#3: Google Book Search settlement. This makes the list for two independent reasons. First, many folks were hoping the case would establish solid precedent on online fair use, and the settlement ended that hope. Second, the proposed Book Rights Registry has the potential to reshape a number of major industries, including the book publishing business, the book retailing industry and the library industry.

#2: the Lori Drew prosecution. I think this may have been the most polarizing Cyberlaw development of 2008, exposing deep divides in people's appetite for punishing bad conduct online. It's hard to assess the overall implications of her conviction because no one rallied to praise Lori Drew's choices, and her case is still a ways from a final legal outcome. However, the possible implications of the case were so complex that it took a special three part series for me to explore its nuances (1, 2, 3).

#1: Cartoon Network v. CSC (the "Cablevision" case). Boy, the more I think about this case, the more important it becomes. The case upends our assumption that if we see it online, it's fixed, creating a new class of unfixed electronic works. Also, the court treats the users, not the service, as making the requisite copies, which reinforces the possibility that online providers can be just "dumb technology providers" for copyright law purposes and reinvigorates the possible defense that a service provider's copying is just done as a proxy for its users. However, the Supreme Court's ambiguous response to the cert petition--not yes, not no, but a request to the Solicitor General for comments--leaves this decision in a precarious position.

Other Developments of Special Note

47 USC 230

* Doe v. MySpace. The Fifth Circuit soundly rejects the argument that MySpace had an obligation to police its “premises.”

* Craigslist. Judge Easterbrook's language in Doe v. GTE had given plaintiffs some hope that the Seventh Circuit would provide a friendly venue to plaintiffs trying to overcome 47 USC 230. Judge Easterbrook may still love his language (which he quoted extensively in the Craigslist ruling), but his practical and no-nonsense ruling for the defense squelches the hope that the Seventh Circuit will become a plaintiff's haven.

* New Jersey's enforcement action against JuicyCampus. State AG offices HATE 47 USC 230.

Affiliate Liability

* Impulse Media. A jury thumped the FTC's overly expansive views of affiliate liability for spam.

* NY v. Direct Revenue. A state judge emphatically rejected the NY AG's office's expansive views of affiliate liability for adware.

Trademarks/Domain Names

* American Airlines' lawsuits against Google and Yahoo. No one I know fully understands why American Airlines sued Google for selling its trademarks for keyword ads. No one I know understands what concessions Google gave to American Airlines to settle the case. And no one I know understands why American Airlines decided to sue Yahoo after procuring the Google settlement. It's all a big mystery.

* NSI's grabbing of domain names in response to WHOIS queries. Is there any better example of ICANN's failings to police domain name retailers than to have one retailer selling a scarce good grabbing the good exclusively (blocking attempted sales by all other retailers) when a customer merely inquires about it?

* Kentucky's attempted seizure of 141 gambling-related domain names. As I wrote before, "Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name."

* Eric Menhart, a lawyer who claims to practice Cyberlaw, doesn't know that Cyberlaw is a generic term.

* New gTLDs. Maybe I should reserve this development for 2009...if it happens.

Others

* McCain complains about 512(c)(3) notices taking down his YouTube videos. Surprise! 512(c)(3) notices are unforgiving. Sen. McCain, now that you've had a first-hand taste of their power, maybe you'd like to revisit the statute to see if it's producing the right incentives?

* FCC's bust of Comcast. The pro-regulatory forces were queued up to pounce on any examples where an IAP violated Net Neutrality principles, and Comcast's chicanery in forging reset packets was impossible for anyone to defend.

* NebuAd's flameout. Behavioral ad targeting is in our future unless regulators stop it. NebuAd won't be the winning provider of targeting services, but legislators will keep trying to regulate it further out of existence nonetheless.

Posted by Eric at 05:50 PM | Adware/Spyware , Copyright , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack

November 18, 2008

October 2008 Quick Links, Part 2

By Eric Goldman

Spam

* Kramer v. Perez. An Iowa court awards $236M in damages in a spam case. Venkat's comments.

* After the government lost its jury trial against Impulse Media, the court denied Impulse Media attorneys fees.

Contracts

* AT&T put its own emailed notice of amended contract terms into its spam folder. Whoops! Due to spam filters and other automated blocks, it is becoming almost impossible for websites to communicate with their users by email.

* An estimate of the massive "tax" imposed on consumers by reading privacy policies. Of course the financial drain is overstated because many people make a rational decision not to read every privacy policy, plus not every person has to read a privacy policy for marketplace responses to be effective.

* The Blizzard v. MDY WOWGlider case has reached a stipulated damages amount of $6M.

* Pulaski & Middleman, LLC v. Google Inc., 5:2008cv03888 (N.D. Cal. complaint filed August 14, 2008). The Justia page. Yet another me-too lawsuit against Google over serving ads to parked domains and error pages.

* An Israeli GPL enforcement action settled.

Trademarks/Domain Names

* Kentucky v. 141 Domain Names. Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name. More recently, the seizure was stayed.

* Speaking of inappropriate seizures, the Feds are trying to seize the trademarks of the Mongols motorcycle group. DOJ press release. LA Times article.

* Best Western Intern., Inc. v. Doe, 2008 WL 4630313 (D. Ariz. Oct. 20, 2008). Prior blog post in this case. The judge is losing patience: "These filings are wasteful in the extreme. The Court is not a forum for the parties to expend every possible dollar seeking to litigate every conceivable issue, no matter how insubstantial. The Court will no longer tolerate the excesses of this case."

* The Verizon v. Navigation Catalyst Systems domainer lawsuit settled.

* 50 Cent brings yet another questionable lawsuit. (1, 2).

Advertising

* Goddard v. Google Inc., 2008 WL 4542792 (N.D. Cal. Oct. 10, 2008). The case against Google for deceptive mobile phone ads will stay in federal court.

* Eyeblaster, Inc. v. Federal Insurance Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008). This is a collateral lawsuit to Sefton v. Eyeblaster alleging that Eyeblaster distributed spyware. Eyeblaster tendered the claim to its insurer. This court holds that the CGL policy doesn't apply because the claim relates to software problems, not physical damage to the users' computers. Further the E&O policy doesn't apply because Sefton alleges that Eyeblaster intentionally installed the spyware, bumping Eyeblaster into one of the policy's exclusions.

* Are consumers becoming more tolerant of pop-up ads? For more on consumer acceptance of new advertising formats, see here.

* A big damages award in NetQuote v. Byrd.

Posted by Eric at 06:42 AM | Adware/Spyware , Domain Names , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam , Trademark | TrackBack

October 14, 2008

September 2008 Quick Links, Part 3

By Eric Goldman

eBay

* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.

* Windsor Auctions v. eBay has been refiled in a new jurisdiction.

* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal’s user agreement.

* A company's failure in the marketplace can drive up the value of its collectibles on eBay.

Google

* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google’s long-time chief trademark counsel, is the lucky substitute.

* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google’s advocacy website. Google Chief Economist Hal Varian explains why the deal won’t raise ad prices in the auction. Randall Stross weighs in.

* Google has changed course and now allows religious groups to advertise on the keyword “abortion.”

* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):

I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.

Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.

Marketing/Advertising

* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.

* Is Gator/Claria dead?

* The EU passed a non-binding resolution against sexual stereotypes in advertising.

* Celebrity branded merchandise run amok.

Miscellaneous

* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley’s Terms of Use paper.

* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.

* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?

* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.

* Interesting article on ESPN’s exclusive distribution and bundling agreements with Internet access providers.

* Funniest law firm names.

* Silly? Horrifying? A sign of the apocalypse?

Posted by Eric at 06:17 PM | Adware/Spyware , Content Regulation , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam | TrackBack

August 27, 2008

7Search Sues McAfee For Red Flagging It

By Eric Goldman

7Search.com v. McAfee, Inc., 1:2008cv04831 (N.D. Ill. complaint filed Aug. 25, 2008). The Justia page.

I don't have a good sense of how many lawsuits have been filed against anti-spyware vendors for classifying third party software as "adware" or "spyware." I've blogged on a few (including Kaspersky, PC Tools and Symantec v. Hotbar), and Ben Edelman maintains a larger catalog of such lawsuits (not sure how up-to-date this is). However, I don't know if these lawsuits are relatively rare (as Ben's chart implies) or if they are multitudinous but most quietly fly under the radar screen.

If there aren't many unpublicized lawsuits, that may reflect that suing an anti-spyware vendor over its classification decisions almost never makes sense. First, many vendors have a private adjudicatory/appellate process that resolves many potential disputes without a lawsuit. Certainly, most vendors don't want to make errors, which undermines their own credibility, and most reputable vendors want to fix their mistakes. Second, lawsuits bring generally unwanted publicity to the plaintiff, calling extra attention to their alleged deficiencies and bringing out all of the gripers. Third, the costs of the lawsuit may be more than the value of any frustrated transactions. Finally, many of the lawsuits have low probabilities of legal success for the reasons I'll discuss in a moment. So there is good reason to believe classification-related lawsuits such as this one are rare. (I'm not saying that grumbles or C&Ds are rare; I'm just referring to formal lawsuits).

In this lawsuit, 7Search says that it was in the toolbar business but stopped offering downloads from its site in 2003. However, McAfee's SiteAdviser gives 7Search the big red X and says "Feedback from credible users suggests that downloads on this site may contain what some people would consider adware, spyware, or other potentially unwanted programs." 7Search claims that this statement is false because it isn't offering any downloads at all. 7Search thus alleges false advertising (Lanham 43(a)), deceptive trade practices, defamation and unfair competition.

The most obvious barrier to 7Search's lawsuit is 47 USC 230. Both (c)(1) and (c)(2) could be implicated. (c)(1) is less likely, but if in fact McAfee is republishing information from third parties (as suggested by the statement's reference to "credible users"), they may be able to claim (c)(1) for the republication. Either way, (c)(2)--the immunization for filtering decisions--is directly on point and potentially immediately fatal to the lawsuit. Zango's lawsuit against Kaspersky was soundly and quickly knocked out on 230(c)(2) grounds (though that is now on appeal to the Ninth Circuit), and a district court in Illinois gave broad deference to the Zango ruling in finding that Comcast could claim 230(c)(2) for email filtering decisions.

At the same time, 7Search alleges that McAfee's classifications were in bad faith. If so, then 230(c)(2) wouldn't apply even under the liberal Kaspersky or Comcast approaches, both of which required subjective good faith. We'll have to see how McAfee responds to determine if 7Search's allegation has any chance of getting traction.

There are two other possible holes in the potential 230 coverage for this lawsuit. First, courts have been inconsistent whether a false advertising 43(a) claim under the Lanham Act fits within the "IP" exclusion to 230. Second, most of 7Search's gripe goes to McAfee's statement that bad downloads are available--words chosen by McAfee to describe its filtering decision. It remains unclear if 230(c)(2) protects an intermediary's characterization of its filtering decision as much as it protects the filtering decision itself--just like 230(c)(1) may protect against liability for third party information but may not protect against marketing representations rendered untrue by third party content or actions.

In any case, I think this lawsuit and others over classification decisions raise interesting and important issues that I plan to explore in my Economics of Reputational Information project. We want skillful intermediaries to digest the overwhelming amount of information available in the marketplace and make reputational judgments that speed up our consumer decision-making. On that basis, we definitely don't want reputational judgments removed from marketplace actors and put into the hands of the judges. However, we also want the reputational intermediaries to make factually accurate judgments because their misjudgments also could distort marketplace decision-making.

Posted by Eric at 03:54 PM | Adware/Spyware , Derivative Liability , Marketing , Trademark | TrackBack

August 20, 2008

Competitive Pop-up Ads Aren't Unfair Competition or Tortious Interference--Overstock v. SmartBargains

By Eric Goldman

Overstock.com, Inc. v. SmartBargains, Inc., 2008 UT 55 (Utah Sup. Ct. Aug. 19, 2008)

In light of the death of adware and the fact that almost all of us have moved on, it is jarring to see adware opinions still emerging. This case, percolating in the courts four years, is quite a throwback.

In 2004, Overstock sued SmartBargains for buying adware-delivered pop-up ads that were triggered by user visits to Overstock.com. There have been a lot of keyword advertising cases since then, but this case is unusual because (for reasons not clear to me) Overstock did not make the more typical trademark infringement claim or even the less common trademark dilution claim.

Instead, Overstock asserted three causes of action: (1) violation of the initial Utah Spyware Control Act passed in 2004, (2) unfair competition, and (3) tortious interference with prospective business relations. The Spyware Control Act claim was mooted when the statute was deemed unconstitutional and further mooted when the legislature amended the law, so Overstock did not pursue that claim further. The district court also ruled against Overstock on the other 2, and Overstock appealed to the Utah Supreme Court. [for reasons that aren't clear to me, this case apparently bypassed the Utah appeals court.]

The Supreme Court had little difficulty disposing of the remaining claims. The pop-up ads didn't constitute unfair competition (in Utah, an anti-passing off claim) in this case because SmartBargains' pop-ups appeared in a separate window and displayed the SmartBargains' logo. The tortious interference claim gets tossed for exactly the right reason--competitive ads are a good thing, not bad. The court says "SmartBargains’ pop-ups indisputably exist to compete with Overstock. Competition is not an improper purpose, even though other byproducts of competition may exist." Case dismissed.

In one sense, this case isn't all that important. With respect to lawsuits over competitive online ads, most of the action relates to trademark infringement and particularly what constitutes a trademark use in commerce. But this case is important because it's fairly typical for plaintiffs in those lawsuits to add a laundry list of additional claims with the hope that something sticks. As this case shows, the laundry list claims are junky and easily disposed of, and a state supreme court ruling to that effect is a nice and useful precedent for defendants.

Even so, I wonder about the political ramifications of this ruling. Overstock's attitude towards keyword advertising has been erratic. On the one hand, it went to the Utah legislature to protest the Utah Trademark Protection Act because it apparently buys keyword ads on third party trademarks. On the other hand, it supported Utah's initial Spyware Control Act, it was the first to try to take advantage of the law, and it was willing to pursue this silly lawsuit for over 4 years. In response to this loss, will Overstock flip--just like its Utah Internet retailing peer 1-800 Contacts flipped--and go seek out a friendly and easily persuaded Utah state legislator to give it a tailor-made anti-keyword advertising statute? Stranger things have happened in Utah...

HT: Evan Brown

Posted by Eric at 07:15 AM | Adware/Spyware , Marketing , Trademark | TrackBack

August 08, 2008

Affiliate Liability Extravaganza

By Eric Goldman

[Note: I recently published a version of this article at InformIT. Here's the pre-edited version I sent them.]

Introduction

This article discusses marketers’ liability for the actions of their marketing affiliates (what I refer to as “affiliate liability”). The affiliate liability issue has become red-hot recently because numerous plaintiffs have taken aggressive legal positions seeking to expand the boundaries of affiliate liability. In three recent rulings, courts have emphatically rejected these expansive liability arguments. Even so, it seems likely that plaintiffs will continue to look for ways to expand affiliate liability, and despite the favorable rulings, defendants often settle a lawsuit alleging affiliate liability rather than establish their rights in court.

Affiliate Marketing—Good and Bad

Marketers create affiliate programs to outsource marketing decisions to domain experts. For example, independent third parties may have better or cheaper access to subcommunities of potentially interested consumers than a marketer’s employees. An affiliate marketing program compensates these local experts for work and expertise involved to take the marketer’s message to those consumer communities. When it works properly, affiliate marketing programs can play an important role in the broad “invisible hand” economic phenomenon of allocating scarce resources to consumers who value them the most.

Affiliate marketing doesn’t always have this salutary effect. Affiliate marketing programs create payoffs to motivate affiliate behavior, and inevitably some affiliates will try to obtain the payoff without doing the desired activity. Thus, even if the marketer would prefer otherwise, some affiliates might do “whatever it takes” to get paid, including using false advertising or illegitimate marketing mechanisms. Further, the fact that the marketer outsources some choices to affiliates (a necessary part of any affiliate program) can lead to “diffuse responsibility” where the marketer and affiliates point fingers at each other if something goes wrong. Sometimes, when there are multiple tiers of affiliates, it can become effectively impossible to assign responsibility for the wrongdoing.

To bypass these legal entanglements, plaintiffs have sought ways to hold marketers vicariously (automatically) liable for their affiliates’ actions. However, these efforts “break” standard tort law by trying to treat independent contractors as if they are principal-agents without the requisite supervision or authority that typically triggers agency liability. As a result, overexpansive theories of affiliate liability cause marketers to internalize too many costs, curtailing potentially socially beneficial marketing activities or leading to overinvestment in socially wasteful liability minimization schemes.

Plaintiffs Gone Wild: Two Recent Efforts to Expand Affiliate Liability

There have been countless affiliate liability enforcement actions, but I’ll focus on two recent initiatives.

New York Sales Tax Law

State and local taxing jurisdictions have long coveted a way to impose sales tax collection responsibilities on non-resident Internet vendors. In general, these efforts have been stymied by the Supreme Court’s decision in Quill Corp. v. North Dakota, 504 U.S. 298 (1992), which requires a vendor to have a physical presence in the jurisdiction before the taxing entity can impose sales tax collection obligations on it.

New York, however, developed a nifty workaround. In April, it passed a law (Chapter 57, N.Y. Laws of 2008) declaring that a vendor’s marketing affiliates in New York constituted a physical presence in New York by the vendor. If so, New York can impose sales tax collection obligations on remote vendors due to their New York affiliates. As part of its crafty plan, New York tried to induce compliance with a carrot—if remote vendors voluntarily agreed to collect and pay sales tax from New York residents going forward, then New York would grant them amnesty for any back sales tax collection obligations.

Neat trick, but…a small problem: affiliates are independent contractors of the vendor, so this effort to treat them as legally related entities surely doesn’t comply with the Constitution. I suspect a court will confirm this flaw because both Amazon and Overstock.com have sued New York over the law. At the same time, to minimize its risk, Overstock has also tossed all of its New York affiliates overboard. One might question the wisdom of the New York legislators prompting marketers to cut off opportunities for New York online entrepreneurs.

Trademark Owners Claiming Marketers Are Liable for their Affiliates’ Marketing

Another trend: trademark owners are trying to hold a marketer liable for the alleged trademark infringement committed by its affiliates, such as when affiliates purchase the third party trademark as a keyword trigger for search engine ads. Plaintiffs have alleged affiliate liability in at least three lawsuits in the past couple of months:

* DSW v. Zappos.com (S.D. Ohio complaint filed May 12, 2008). For more, see SEOmoz.

* NameSafe v. LifeLock (M.D. Tenn. complaint filed June 26, 2008). For more, see Techdirt and News.com.

* Rosetta Stone v. Rocket Languages (C.D. Cal. complaint dated July 2, 2008). For more, see the WSJ Law Blog.

Courts Weigh In—and Plaintiffs’ Expansive Theories Don’t Fare Well

The efforts to extend liability in the sales tax and trademark contexts are novel, and it’s hard to predict the final outcome because we have limited direct precedent to consult. However, looking at some recent rulings in other contexts, there is good reason to believe that both legal theories go way too far.

CAN-SPAM

Unlike many other areas of the law, CAN-SPAM (15 USC 7705 and 7706) specifically authorizes affiliate liability in the statute. The Federal Trade Commission (FTC) has routinely invoked this provision in its pursuit of marketers promoted by affiliate-initiated spam (for one of the more recent examples, see the FTC’s press release on one of its porn spam busts and settlements). Further, typically when the FTC targets a marketer on an affiliate liability theory, the marketer rolls over and settles rather than fight.

But…a small problem: the FTC’s expansive interpretation of the affiliate liability statute—the basis it has used to procure these settlements from marketers—may not actually reflect the law. In an outcome that didn’t get nearly the press it deserved, in an lawsuit against Impulse Media earlier this year, the FTC took its affiliate liability theories to a jury and lost. This is a huge verdict because (1) the FTC rarely loses in court, and (2) perhaps more importantly, when average citizens evaluate the FTC’s expansive affiliate liability theories, they may balk.

Oddly, the FTC didn’t take no for an answer. It subsequently asked the judge to enjoin Impulse Media even though Impulse Media won the jury verdict. Talk about chutzpah! Not surprisingly, the court declined the request. US v. Impulse Media, 2008 WL 1968307 (W.D. Wash. May 1, 2008).

In another lawsuit, ASIS Internet Services, v. Optin Global, Inc., 2008 WL 1902217 (N.D. Cal. March 27, 2008; unsealed April 29, 2008), a civil plaintiff, ASIS (a serial anti-spam litigant), invoked the CAN-SPAM affiliate liability provision in its anti-spam lawsuit against 20 defendants. One defendant never showed; 18 defendants settled up (as mentioned, the typical response); and only one defendant—Azoogle—persisted in court.

Azoogle is a lead generation company for upstream marketers, and it relies on downstream affiliates to help it generate leads for its clients. Some of those downstream affiliates generate leads via spam. In this ruling, the court rejects Azoogle’s liability for spam sent by its marketing affiliates:

Although ASIS has pointed to significant evidence that Azoogle, during the relevant time period, did little to investigate the third party vendors it engaged, there is no evidence in the record from which a jury could conclude that Azoogle, in contracting with Seamless Media, made a deliberate choice not to know that Seamless Media would engage third parties to send out spam on Azoogle's behalf. The evidence cited by ASIS to establish knowledge on Azoogle's part is entirely speculative. Even assuming it is true that the Emails were sent by a single individual and that the lead was typed into a web site that was copied from Azoogle's lowrateadvisors site, this is insufficient to show that Azoogle consciously avoided knowing that the Emails would be sent. Further, while ASIS relies primarily on the allegation that Azoogle failed to adequately investigate its third-party vendors, ASIS has pointed to no evidence that if Azoogle had investigated Seamless Media prior to entering into the Insertion Order, it would have learned facts sufficient to show that Seamless Media was likely to engage in CAN-SPAM violations. There is no evidence in the record that would put Azoogle on notice that Seamless Media, or Seamless Media's vendors, obtained leads from spammers. Indeed, the only evidence on this subject is that Seamless Media had a good reputation at the time, and was obliged by its contract with Azoogle to follow the law.

Adware

Another recent affiliate liability decision is the remarkable ruling in People v. Direct Revenue LLC, 2008 WL 1849855 (N.Y. Sup. Ct. March 12, 2008), another case that did not get the attention it deserved. Disclosure note: I helped file an amicus brief in this case.

In 2006, the NY Attorney General’s office (NYAG) made the apparent decision that adware vendor DirectRevenue needed to be shut down by any means necessary, and it launched a multi-front attack on DirectRevenue. It publicly posted a website with information about DirectRevenue that had no apparent purpose other than to denigrate DirectRevenue’s reputation. It bullied DirectRevenue’s advertisers, ultimately procuring, and then releasing a hyperbolic press release about, an insignificant settlement that spooked potential advertisers away from DirectRevenue. And finally, it sued DirectRevenue directly.

The NYAG’s actions had their desired effect. Perhaps due in part to the NYAG’s campaign to close DirectRevenue down, DirectRevenue did in fact go out of business. Congratulations to the NYAG for achieving its apparent goal.

But…a small problem: the NYAG’s assessment of DirectRevenue’s legitimacy may have, in fact, been itself lawless, because the court emphatically rejected all of NYAG’s legal theories. This might be amusingly ironic if the NYAG’s anti-DirectRevenue campaign wasn’t such a chilling and crushing misuse of governmental powers.

The opinion is worth reading in its entirety, especially where the court affirms the EULA formation and limits extraterritorial liability. However, apropos to this post, the court rejected DirectRevenue’s liability for allegedly illegitimate software installations made by its affiliates, saying “petitioner has not shown that respondent should be held liable for the actions of those third parties under a theory of agency or ratification, or otherwise.” The court explains:

Dismissal is required with respect to the 22 [installations by] third parties, who petitioner concedes were independent contractors rather than agents of Direct Revenue. A principal is generally not liable for the acts of an independent contractor because of the lack of control over how the contractor's work is performed (Chainani v. Bd. of Educ., 87 N.Y.2d 370, 380-81 [1995]). Neither may the principal be charged with the conduct of even more remote subcontractors (People v. Synergy6, Inc., Index No 404027/03 [Sup Ct N.Y. Co 2006][unpublished disposition][Attorney General's action for deceptive practices and false advertising under GBL dismissed as against email marketing company where fraudulent emails were sent by company retained by agent]). Although exceptions exist, such as where the contractor was negligently retained or supervised (Saini v. Tonju Assocs., 299 A.D.2d 244, 245 [1st Dept 2002]) or where the principal has ratified the wrongful acts (Kormanyos v. Champlain Valley Fed. Sav. and Loan Assoc. of Plattsburgh, 182 A.D.2d 1036, 1038 [3d Dept 1992]), the record here does not support any grounds for departure from the usual rule.

As noted, under the SDA, Direct Revenue contractually required its distributors to obtain consent of consumers consistent with the terms of the EULA. The SDA also forbade the distributors from holding themselves out as respondent's agents. Respondent was not authorized or obligated to control their work, particularly since many of them additionally acted as distributors for various other advertisers. Although in Sotelo v. Direct Revenue, 384 Supp2d 1219 (ND Ill 2005) the court upheld a cause of action against respondent for negligent supervision of distributors, the issue arose on a motion to dismiss and the court thus restricted its inquiry to the four corners of the complaint. Notably, the court stated that it was precluded at that procedural juncture from considering respondent's evidence that the distributors were independent contractors, evidence which, as here, included the SDA.

…

The theory that respondents ratified the alleged third party misconduct also fails. The allegations that respondent had general and/or constructive knowledge of some distributors' wrongful practices are insufficient to impose liability (see, Synergy6, supra; Del Signore v. Pyramid Sec. Servs., Inc., 147 A.D.2d 759, 760-61 [3d Dept 1989][mere knowledge of litigation and complaints against security company for undue force by guards insufficient to impose liability upon hiring firm]; see also Hamilton v. Beretta USA Corp., 96 N.Y.2d 222, 237 [2001]). Moreover, it is conceded that in those few instances in which respondent obtained actual knowledge of a distributor's misconduct, it took significant steps to modify its procedures. A finding of ratification cannot be found upon such facts, notwithstanding that respondent may have benefited financially from its relationship with the distributors before remedial measures were implemented (see Synergy6, supra).

It is my understanding that the NYAG has filed a notice of appeal in this case to preserve its options, but it is still deciding if it will pursue the appeal.

Unfortunately, I’m not aware of the Synergy6 opinion being available electronically, which is a shame because it’s an interesting and relatively early rejection of the NYAG’s expansive affiliate liability doctrines. Due to that ruling (which involved email marketing instead of adware), the NYAG already had good reason to suspect that its predicate theories were dubious, which makes its decision to pursue those theories against DirectRevenue even more lamentable.

Conclusion

This post highlights two seemingly inconsistent trends. Trend #1 is that plaintiffs (private actors or government agencies) are taking very expansive positions on affiliate liability. Trend #2 is that when tested, expansive affiliate liability theories are failing in the courts. These two trends seem to be in conflict with each other. My hope is that trend #2 becomes so strong that it overrides trend #1, i.e., plaintiffs and government actors get the message that they have gone too far.

Unfortunately, in the interim, many defendants will capitulate and settle an expansive affiliate liability claim—even if it’s lawless—because it’s the cheapest path to resolution or because the precedent isn’t strong enough to ensure victory. Perhaps some defendants will realize that the trend is in their favor and will fight back accordingly. More judicial clarity about the line between permissible and impermissible behavior would benefit everyone.

It is also possible that the legal ambiguities of affiliate liability will be resolved by statute. However, despite the defendants’ string of court victories, I see the chances of legislative intervention to curtail expansive affiliate liability doctrines as nil. If anything, it’s more likely that future legislation will codify liability expansion.

For a rare in-depth analysis of affiliate liability, see Jean Noonan and Michael Goodman, Third-party liability for federal law violations in direct-to-consumer marketing: telemarketing, fax, and e-mail 63 Bus. Law. 585-596 (2008) [ABA subscription required to download].

Posted by Eric at 08:04 AM | Adware/Spyware , Derivative Liability , Marketing , Spam , Trademark | TrackBack

July 01, 2008

June 2008 Quick Links

By Eric Goldman

Trademarks/Domain Names

* Utah Lighthouse Ministry v. Foundation for Apologetic Information and Research, 2008 WL 22043807 (10th Cir. May 29, 2008). CMLP writeup. Nice 10th Circuit win for a gripe site against trademark infringement and cybersquatting. This case, plus the SKI VAIL case, indicate that the 10th circuit is making progress undoing the harm it created in the Australian Gold v. Hatfield case.

* Georgia has a new anti-phishing law (16-9-109.1) that acts as a para-trademark law. See my comments on the analogous California anti-phishing law.

* After initiating a trademark lawsuit against a consumer review site and soundly losing in court, Lifestyle Lift paid $17,500 to settle its own lawsuit and avoid claims for legal fees under Rule 11 and the Lanham Act.

* Marty reports on a German case saying that white-text-on-a-white-background is a trademark use.

* Update on the battle over the trademark registration for "SEO."

* Will TLD proliferation lead to a new open era in domain name administration, or will the resulting anarchy just reinforce that top search engine placement is the really important online real estate? It seems like the currently limited number of TLDs has some benefits from a bounded rationality standpoint, and those benefits will be lost in a cacophony of unknown TLDs.

Patents

* My colleague Colleen Chien has posted "Patently Protectionist? An Empirical Analysis of Patent Cases at the International Trade Commission" (forthcoming William & Mary Law Review). She empirically demonstrates that the ITC mostly involves disputes between two domestic litigants, making it a redundant battleground with federal district court but nevertheless an attractive venue for plaintiffs due to a number of procedural advantages. She makes a number of recommendations to eliminate the litigation gamesmanship offered by having parallel venues. Check it out.

Search Engines

* Udi Manber, chief algorithm keeper for Google, reiterates why it's silly for lawyers and judges to put too much legal emphasis on the relative placement of search engine results, saying "it's definitely the case that if you do the same search on a different cluster, you may get slightly different results at a given time. It's also the case that if you do the same search on different days you may get different results, because some of the results are things we indexed five minutes ago."

(Over)Regulation

* In response to an enforcement effort by the NY AG's office, several Internet access providers have blocked access to newsgroups that are putatively sources of child pornography. See the NYT story and the NY AG press release. In practice, this means wholesale takedowns of newsgroups that may have nothing to do with child porn. For example, Verizon is killing all USENET hierarchies except comp.*, misc.*, news.*, rec.*, sci.*, soc.*, and talk.*. Wired suggests this is the death of online intermediary freedom as conceptualized in 47 USC 230. Of course, 230 never protected intermediaries from criminal exposure for child porn, and this isn't the first time that an access provider has knuckled under to the NY AG's office. See the BuffNet enforcement action from 2001.

* Ohm, Paul. The myth of the superuser: fear, risk, and harm online. 41 UC Davis L. Rev. 1327-1402 (2008). A neat article on how regulators manufacture a fake bogeyman, the unbeatable "superuser," as a justification for expansive regulatory power.

* No evidence that data breach disclosure laws actually help reduce identity theft. Surprised?

* The FTC wants civil enforcement authority for spyware actions. Haven't they heard that the adware battle is already over...and they won?

Contracts

* Mark Radcliffe expresses concern about the ALI's proposed software licensing project on open source licenses.

* Sarah Bird on a messy contract lawsuit involving an SEO contractor.

Anonymity

* Tendler v. www.jewishsurvivors.blogspot.com, 2008 WL 2352497 (Cal. App. Ct. June 10, 2008). A subpoena request to identify a blogger doesn't support an anti-SLAPP cause of action.

* In the AutoAdmit lawsuit, Doe 21's motions to squash the subpoena and proceed anonymously were both denied. David Hoffman provides an update on the case.

Event Tickets

* Chicago has moved against eBay for reselling tickets in violation of its amusement tax law.

* The Ticketmaster v. RMG case ended with a default judgment granting a permanent injunction and $18.2M in damages.

General

* Vanity Fair: How the Web Was Won.

* Paul Levy blogs about a plaintiff's effort to bypass 230 by suing the authors of complaints about the vendor and then joining the consumer complaint site as a necessary party as a cost-increasing tactic.

* BusinessWeek on emerging technological tools to protect workers' attention against unwanted/untimely interruptions.

* Text message-savvy kids educate the North Carolina DMV about the meaning of the term "WTF," which was used on a license plate example on the DMV's website.

* I have one free pass to OMMA Behavioral in San Francisco July 21. First person to send me an email asking for the pass gets it.

Posted by Eric at 12:32 PM | Adware/Spyware , Content Regulation , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Search Engines , Trademark | TrackBack

May 20, 2008

Zango Files Reply Brief in Zango v. Kaspersky

By Eric Goldman

Zango has filed its reply brief in Zango v. Kaspersky [warning: 3+ MB file]. Some points that caught my attention:

* the brief starts out by quoting one of Kozinski's unfortunate rhetorical detours in Roommates.com that 230 wasn't intended to create a lawless no-man's land on the Internet. I'm sure some Zango haters would note the irony of Zango thinking this language benefits them. From my perspective, this is just another example of plaintiffs cutting and pasting pieces of the Roommates.com opinion to try to bolster their case.

* the brief doesn't acknowledge the existence of the significantly adverse e360insight case. Zango wasn't required to cite it, but the CDT brief did mention it, and I expect this precedent to figure prominently in the ruling.

* I thought this was an interesting statement (on page 19 of the PDF): "Notwithstanding the overheated protestations of Kaspersky and the holier-than-thou ideologues that it relies upon, millions of people find Zango not only acceptable, but desirable."

The case library:

* Amicus brief by CDT in favor of Kaspersky
* Kaspersky's answering brief [warning: 5MB file].
* National Business Coalition on E-Commerce and Privacy amicus brief in favor of Zango
* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 06:46 AM | Adware/Spyware , Derivative Liability | TrackBack

May 06, 2008

CDT Files Amicus Brief in Zango v. Kaspersky

By Eric Goldman

The Center for Democracy and Technology has authored a brief, for itself, anti-spyware vendors and other advocacy groups, in favor of Kaspersky in the Zango v. Kaspersky case. I thought this brief was a useful contribution to the discourse. The brief focuses heavily on the issue of empowering users' control over their desktops, which is the critical issue but a complicated one when users give instructions that may conflict with each other. The brief addresses this issue squarely:

Two scenarios illustrate the interplay of “consent” in the anti-spyware context. First, assume that a user did consent to the installation of Zango software, but later concluded that the software and resulting advertisements were harassing and objectionable. Kaspersky Lab (and most anti-spyware services and tools) offers the ability to disable Zango software, and for a user to choose to install Kaspersky software to block Zango’s advertisements is fully consistent with the user’s true choice (notwithstanding the assumed initial consent to install the Zango software).

Second, if the Kaspersky Lab software is installed on a computer before someone attempts to download and install the Zango software (and Kaspersky software blocks the Zango installation), that is quite possibly also fully consistent with the wishes of the user. By installing anti-spyware software, the user is asking to be protected from spyware even if the user does not immediately recognize certain downloaded software as spyware. Moreover, it may well be that the owner of the computer (such as a parent or an employer) decided to install anti-spyware software such as Kaspersky Lab’s, and then some other users (such as a child or employee) attempts to install Zango software (and that installation is blocked). In that scenario, the anti-spyware software is in fact doing precisely the job that it was asked to do.

I think both of these examples tell a story of how a user's putatively inconsistent instructions could be reconciled. But these examples are also pretty stylized, so minor changes in the facts would expose situations where the reconciliation might be tougher.

The case library:

* Kaspersky's answering brief [warning: 5MB file].
* National Business Coalition on E-Commerce and Privacy amicus brief in favor of Zango
* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 05:35 PM | Adware/Spyware , Derivative Liability | TrackBack

May 01, 2008

Adware is Dead. Long Live Adware!

By Eric Goldman

In late January, I attended the Anti-Spyware Coalition's Public Workshop entitled Spyware: What's Worked, What's Left, and What's Coming. I was on a panel entitled "Is Adware Dead?" with Alissa Cooper from CDT and Colin O'Malley from TRUSTe. This is a timely topic because I've been pondering this question myself for a while now. This blog post recaps some of my thoughts.

Adware Is Dead

At the workshop, everyone agreed that adware is dead, although we may have been using different definitions of adware. (Commissioner Leibowitz declared adware "mostly dead," invoking the phrase from the Princess Bride). I was a little surprised to see such broad consensus on this topic. Let's explore what happened.

Looking back, it's clear that the 2003-06 period was a wild time for the adware industry. Several new entrants sought to build "legitimate" businesses on client-side software that displayed advertising, and others were seeking technical exploits for more nefarious purposes.

Collectively, these efforts sparked the Great Adware Wars of the 2000s. This was a time of mania, with everyone scrambling for the largest network of installs. In turn, vendors attempted lots of aggressive practices, such as bundled installs with obscure notice/consent, difficult uninstalls, loosely controlled/uncontrolled third party distribution chains, and overgrazing of user attention once a desktop install was achieved.

I'm declaring that the Great Adware Wars of the 2000s are over, and the anti-adware forces won. The signs of a decline in the adware industry are everywhere. Most obviously, most of the entrants are out of the business. Of the players trying to run legit adware companies, arguably only Zango persists in its client-side software business model circa 2004.

Why Did Adware Die?

It's hard to tell exactly what ended the Great Adware Wars. Some possible contributing factors:

* enforcement actions by the FTC, state AGs and private litigants (including class action lawsuits)
* new laws, including the laws passed by Utah and Alaska
* technological responses, including enhanced filtering/labeling by anti-spyware vendors
* changes in the economics. In particular, paying third party distributors for installs spurred a lot of unprofitable behavior, so installation economics improved. At the same time, due to the enforcement actions and negative publicity, advertisers have become increasingly gun-shy about advertising via adware. There is some anecdotal evidence that advertisers are now including anti-adware policies in their agency agreements. It's not clear that such policies are actually being enforced, but collectively they send a signal that suppresses the demand for advertising inventory in adware.
* changes in user behavior, due to user education and press attention to adware. Adware has become a dirty/tainted word, and that taint suppresses demand up and down the chain.

Ultimately, I think the single biggest contributing factor to the demise of adware is that it often provides a lousy consumer experience. Even when adware doesn't carpetbomb users with ads, it is still largely based on interruption marketing (a term from Seth Godin's excellent book Permission Marketing [Amazon affiliate link]), i.e., getting the user to stop what they are doing to focus on the ad being presented. Telemarketing is a great example of interruption marketing, and it's universally reviled. Interruption marketing might work if the ads are routinely sufficiently relevant, but I believe that even the "best" adware rarely fulfills that potential.

In the end, I believe lousy consumer experiences always fail in the marketplace. The adware being deployed during the Great Adware Wars didn't prove otherwise.

What Consequences from the Death of Adware?

The Great Adware Wars are over. Now what?

Regulatory Proliferation

Even though the war is over, regulators haven’t gotten the message. In fact, I predict that we will see continued efforts to regulate 2005-era adware. Why? If the threat has been neutralized, shouldn't regulators focus their attention elsewhere?

This is a classic public choice problem. Everyone hates pop-up ads and scary adware, so regulators can pander to their constituencies' fears. At the same time, no one is opposing these efforts--the adware companies have largely vanished (not that they were ever a potent lobbying force in the first place), and no one else will stand up in their stead. As a result, regulators seeking some publicity bounce for being “tough on Internet threats” can easily enact ineffectual laws to combat past problems. (As an example of this, see the continued unopposed efforts of the Humane Society to ban Internet hunting).

Long Live Adware!

Adware circa 2003-06 may be dead, but adware in the broad sense--client-side software that displays advertising--will never die. Instead, as I argue here, adware is an inevitable part of our future for several reasons.

First, client-side software can interact with the user whenever they are using their computer. As a result, the vendor doesn’t have to worry about Internet connectivity. Plus, each vendor wants to be able to reach the consumer 100% of the time, not just when the user is visiting its servers.

Second, client-side software has access to the very best data about a user. Server-side applications generally only see the data made available when users are communicating with it. This partially explains the Facebook Beacon offering; it's an attempt by Facebook to aggregate data about user behavior that's captured by third party servers (i.e., data that Facebook ordinarily wouldn't see). But even compared with Beacon, client-side software will see more--and better--data.

At the conference, it was pointed out that behavioral targeting doesn't necessarily improve with deeper datasets. While this is true, it also remains true that a website never knows if the user has transacted with its competitor (i.e., when I searched for flights at both American and United's websites, the losing company has no idea if I transacted with its competitor or not). Client-side applications can see all of this valuable information.

As a result, vendors will always want to get onto users' hard drives and watch the users' communication flows from there. Thus, the race for client-side installations will remain an omnipresent fixture of our technological environment.

At the same time, the residual legislative and regulatory efforts--made in a vacuum without a direct threat and without any counterbalancing lobbying--has a serious risk of inhibiting the development of beneficial client-side applications. Simply put, in the legislative grandstanding to put the "nail in the coffin" of adware, regulators might in fact distort the innovation cycles of software developers who can improve users' lives. It's this risk of collateral fallout that drives my objection to most types of anti-adware regulation, and when I see stupid and regressive state laws (like the Utah Spyware Control Act, or Alaska's anti-adware law, or the screwed up Utah Trademark Protection Act), the potential harm on innovation is palpable.

So here's my proposal. Let's take a moment to pause and celebrate the end of the Great Adware Wars of the 2000s, and congratulate the many people who worked very hard to contribute to its demise. Then, let's all collectively vow to move on and focus our energies on looking forward to the next round of bona fide and serious threats, instead of looking backwards at perceived threats already vanquished.

Posted by Eric at 08:10 AM | Adware/Spyware | TrackBack

April 29, 2008

Kaspersky Files Answering Brief in Zango v. Kaspersky

By Eric Goldman

Continuing my coverage of the Zango v. Kaspersky litigation over 230(c)(2), Kaspersky has filed its answering brief (warning: 5MB file). If you want to save time, the actual argument starts on page 32 of the PDF.

The case library:

* National Business Coalition on E-Commerce and Privacy amicus brief in favor of Zango
* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 05:53 PM | Adware/Spyware , Derivative Liability | TrackBack

April 09, 2008

Pro-Zango Amicus Brief in Zango v. Kaspersky

By Eric Goldman

The National Business Coalition on E-Commerce and Privacy has filed an amicus brief supporting Zango in Zango v. Kaspersky, the lawsuit over an anti-spyware vendor's classification of third party software as "spyware." I'm not familiar with this coalition and I couldn't find a website for it. If you have any information about them, please let me know. The brief itself conducts a very run-of-the-mill statutory and legislative history analysis, so it doesn't give much color about the coalition or why it cares about this case.

UPDATE: "Among its members are Experian, Fidelity Investments, the Investment Company Institute, Charles Schwab & Co., Inc., Deere & Company, Inc., JP Morgan Chase, General Motors Corp., Vanguard Group, UPS, CheckFree, Eastman Kodak, Bank of America, and The Assurant." This makes me even more curious why these companies would be interested in the issue.

UPDATE: Wendy Davis at MediaPost reports: "The coalition's members operate Web sites that place cookies on users' computers when they visit the site. The group is concerned that the trial judge's decision would immunize spyware removal companies that market software that deletes their members' cookies." Hmm...are they planning to sue CookiePal or any web browser software vendor that sets a default to reject all cookies?

The case library:

* Zango's appeal brief [warning: 2.1MB file]
* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 10:17 AM | Adware/Spyware , Derivative Liability | TrackBack

March 30, 2008

Zango's Brief in Zango v. Kaspersky Ninth Circuit Appeal

By Eric Goldman

Zango has filed its initial appellate brief in Zango v. Kaspersky [warning: 2.1MB file], the case addressing the liability of anti-spyware vendors for their classification decisions. Characteristically, Zango goes on the offensive, declaring that Kaspersky's software is the real "badware" here.

Other materials in this case:

* The district court's dismissal and my commentary
* TRO Denial and my commentary
* Kaspersky's Response to TRO Motion
* Zango's TRO motion

Posted by Eric at 01:45 PM | Adware/Spyware , Derivative Liability | TrackBack

December 28, 2007

December 2007 Quick Links

By Eric Goldman

Marketing

* I've blogged about Various, which operates AdultFriendFinder.com, before. They made the news recently in two ways. First, they sold to Penthouse for half-a-billion dollars. Second, they settled with the FTC for "pelting" users with unwanted sexually graphic pop-up ads. Do you think these developments are linked in any way... ? Could it be that Various was willing to settle up with the FTC on any terms so that they could get a half-billion dollar check? In this respect, I'm reminded of the MySpace/Intermix $7.5M settlement with the NY Attorney General's office in a dubious enforcement action that was immediately followed by MySpace's sale to News Corp. for $580M. Hey government enforcement agencies--if you can spot hot dot-coms that are negotiating mergers and bring an enforcement action, you can name your price!

* Abrams v. Facebook, the lawsuit over Facebook sending text messages to old phone numbers, has settled. See Michael Erdman and the AP.

* Newsday circulation fraud case (involving inflated circulation numbers) nets $83M restitution, $15M criminal settlement, and nine criminal convictions.

* Texas AG Abbott is prosecuting two companies under COPPA. As far as I know, this is the first state-level enforcement action under COPPA.

* Florida AG Michael Palecki looks to be targeting online advertisers for ads placed by their affiliates.

* The Do-Not-Call registry has become an even less dynamic reflection of preferences.

Copyright

* The Second Circuit kicked out the settlement struck in Tasini's aftermath because it covered unregistered copyrights. Rebecca makes some good points.

* Perez Hilton drops YouTube because they took down one of his videos in response to a takedown notice. On the one hand, this shows that there can be marketplace mechanisms that give feedback to intermediaries based on the restrictiveness of their takedown policies. On the other hand, YouTube was a free service; what did you expect?

* Michael Savage, a radio personality, is suing a website for posting audio clips of his rants as part of the website's criticism of him. See the NYT and CMLP.

* A special master has been appointed in the Grokster case to determine the possible filtering options available to Streamcast. I'm actually amazed that this case is still going!

Reviews and Ratings

* WSJ: Restaurants are giving away free meals to online reviewers to try to get improved consumer ratings.

* BrokerCheck, a regulator-sponsored website for consumer gripes about securities brokers, deletes negative gripes if the complaint settles.

* Retail store signage ("shelf talkers") routinely overstate the Wine Spectator ratings assigned to wine on the shelves.

Best of Mike Masnick

Mike Masnick of Techdirt is a terrific blogger who is smart, prodigious and opinionated. This month he had some noteworthy posts (even by his standards), including:

* Some wise words about Fark's trademark application for NSFW.

* “Noncompete Agreements Are The DRM Of Human Capital.”

* "Anything Goes Wrong Online? Yell 'Net Neutrality' As Loud As Possible!"

Search Engines

* Google appears to have categorically wiped out PageRank for bloggers participating in PayPerPost.

* Danny's sensible remarks on the role of humans in Google's algorithmic search results.

* Search engines pay $31.5M to settle up for running gambling ads. A significant share of this settlement amount is actually public service ads, not cash. Note that enforcement of federal criminal gambling laws is one of the few exceptions to 47 USC 230; if this had been an enforcement of state anti-gambling criminal laws or a civil action, it should have been preempted.

General

* "Like the proverbial tree falling in a forest, the unauthorized use of a trademark that is never perceived by anyone cannot be said to create a likelihood of consumer confusion." Custom Manufacturing and Engineering Inc. v. Midway Services Inc. (11th Cir. Nov. 21, 2007). This statement was made in the context of a counterfeit component part, but it sounds like a good reason to reject liability for including trademarks in keyword metatags.

* Todd Hollis is suing DontDateHimGirl.com a second time. Last time the court sidestepped 230. This time, I hope the court will use 230 to terminate the lawsuit permanently.

* Mark Radcliffe's "2007 Top Ten Free and Open Source Software Legal Issues"

* A nice recap on "location-based mobile services," the delivery of services predicated on GPS devices in cellphones. UPDATE: It looks like mobile marketing/privacy is the topic du jour (or, at least, a topic worthy of end-of-the-year recaps). AP weighs in on the same topic.

* Kaspersky flags Windows Explorer as a virus and then reverses itself, calling this a false positive. Then again, many people consider Microsoft software "malicious code," so maybe the positive wasn't so false after all.

Posted by Eric at 09:39 AM | Adware/Spyware , Copyright , Derivative Liability , Marketing , Search Engines , Trademark | TrackBack

December 13, 2007

Oct.-Nov. 2007 Quick Links, Part 1

By Eric Goldman

I was so jammed at the beginning of November that I didn't have time to post my quick links from October. Never fear; that omission is being corrected with a double shot of quick links covering October and November:

Wikipedia

* Slashdot: Has Wikipedia peaked? If true, I'm not surprised.

* The new status symbol of the digital age? A personal Wikipedia page. FWIW, my personal Wikipedia page was crunched and rolled into a general criticism of Wikipedia page. I found this ironic given that the Wikipedians had already caucused about the merits of my page and decided not to kill it; and then a single Wikipedian swept through and ignored that decision. Sounds like the process worked really well there, guys.

* The newest fork from Wikipedia: Veropedia.

Google

* Webmasters give preference to the Googlebot over other search engine robots in robots.txt files.

* Searchers prefer Google results in a blind taste test. But...searchers also prefer search results when they are branded Google!

* For years, people have speculated that Google advertisers get extra bounce in organic search results. Search Engine Guide lays out the case.

* Carl Person isn't giving up in his (unquestionably futile) fight against Google. The latest: he's appealed his case to the Ninth Circuit. HT Links & Law.

Adware/Spyware

* FTC Commissioner Leibowitz thinks bigger civil fines would help shut down more spyware operators. Then again, it seems like the market is doing that job for them; another adware vendor, DirectRevenue, has gone under.

* Zango has appealed Zango v. Kaspersky to the Ninth Circuit. I wasn't a fan of this lawsuit from the outset, so pursuing the case sounds like a mistake to me.

Virtual Worlds

* Herman Miller (maker of the famous Aeron chairs--I had one at Epinions) is combating the makers of fake virtual Aeron chairs in Second Life.

* Bragg v. Linden Lab has settled. The case involved a claim that Linden Lab improperly impounded some virtual assets.

* Wired: "Cheaters in multiplayer online games beware: Game developers are turning to advanced financial fraud-detection software to keep you from crooking your way to online riches."

47 USC 230

* Roskowski v. Corvallis Police Officers' Ass'n, 2007 WL 2963633 (9th Cir. Oct. 10, 2007). A summary opinion upholding a dismissal based on 47 USC 230. See my blog post on the district court ruling. Michael Erhman's comments.

* The US Supreme Court denied certiorari in Perfect 10 v. ccBill.

* The AutoAdmit plaintiffs filed an amended complaint that dropped Ciolli as a defendant and reworked the substantive allegations. Coverage: Above the Law, Concurring Opinions (1, 2), WSJ Law Blog.

* A former student informed me that a judge on the show Boston Legal (the Nov. 13 episode, "Attack of the Xenophobes," episode 74) applied 47 USC 230--correctly!--to dismiss a lawsuit against YouTube for a defamatory video. See the episode recap.

Online Contracts

* Adsit Co. v. Gustin (Ind. Ct. App. Oct. 16, 2007). Daughter-in-law gives credit card number to mom-in-law to complete online transaction. Court holds that mom-in-law acted as daughter-in-law’s agent and thus bound the daughter-in-law to the vendor’s clickthrough agreement. Accord: the Hofer and Abramson cases.

* Whitnum v. Yahoo, Inc., 2007 WL 2609825 (NY Supreme Court, Sept. 5, 2007). Woman sought damages because Yahoo shut down her website the same day she got a good publicity hit. Yahoo pointed to the liability limits in its user agreement, and the court found that those limits supported a motion to dismiss. Given the ubiquity of similar provisions in web hosting contracts, this case nicely illustrates that web hosting customers really don’t have any recourse if their vendor just shuts them down. This is also why I find 17 USC 512(g) (the DMCA limit on liability if a web host honors a counter-notification) so baffling—web hosts don’t need any help from the statutory safe harbor when they have already eliminated the risk through their contracts.

Posted by Eric at 02:05 PM | Adware/Spyware , Derivative Liability , Licensing/Contracts , Search Engines , Virtual Worlds | TrackBack

November 21, 2007

Search Redirection Tool Could Be Trespass to Chattels--Burgess v. EForce

By Eric Goldman

Burgess v. EForce Media, Inc., 2007 WL 3355369 (W.D.N.C. Nov. 9, 2007)

Every now and then a consumer goes on a me-vs.-the-world bender and decides to unilaterally save society by suing everyone in sight. Burgess' anger over unwanted advertising may have sparked such a campaign. His previous appearance on the blog involved his pro se lawsuit against American Express and many other major brand names for unwanted pop-up ads. In that ruling, the court intimated that advertisers could be liable for contributory trespass to chattels.

In this companion action, Burgess sued a number of defendants for spam. The court rejects his CAN-SPAM claim for lack of standing (he doesn't qualify for the limited private causes of action).

Burgess also sued for the installation of search redirection client software, claiming it was a privacy invasion, trespass to chattels, and "illegal conduct." The defendants first tries to dismiss the claims as preempted by CAN-SPAM, but CAN-SPAM's preemption clause does not apply to generally applicable laws like privacy invasions and trespass to chattels. Nevertheless, the magistrate report (approved by the judge) dismisses the privacy invasion claim for failure to state a claim, saying:

While the undersigned shares in plaintiff's frustration with the internet and the unconscionable applications that interfere with one's use and enjoyment of technology--and at times display offensive websites--frustration of purpose is not an invasion of privacy. Further, the undersigned cannot find any North Carolina case recognizing a cause of action for invasion of privacy based on computer viruses that redirect internet searches or inquiries, or any cases that would suggest that similar such conduct in other fields would support such a claim.

The "illegal conduct" claim was also dismissed.

On the other hand, building on Burgess prior ruling in state court, this court refuses to dismiss the trespass to chattels claim. Citing to Sotelo and others, the court says that Burgess' "pro se pleadings are not a model of clarity but nevertheless suffice to state a claim for trespass to chattels. He sufficiently alleges actual possession of his computer and 'unauthorized, unlawful interference' with his use of this personal property." So the Sotelo precedent marches on, even though this court (as with the prior Burgess court) doesn't acknowledge Hamidi, Mummagraphics or the other cases that would put these expansive trespass to chattels rulings in serious doubt.

As a result, Burgess' case lives to see another day. I'm sure we haven't heard the last from him!

Posted by Eric at 02:32 PM | Adware/Spyware , Publicity/Privacy Rights , Search Engines , Spam , Trespass to Chattels | TrackBack

August 29, 2007

Anti-Spyware Vendor Protected by 47 USC 230(c)(2)--Zango v. Kaspersky

By Eric Goldman

Zango Inc. v. Kaspersky Lab, Inc., No. C07-0807-JCC (W.D. Wash. Aug. 28, 2007)

There has been a fair amount of hand-wringing/teeth-gnashing over the legal liability of anti-spyware vendors when they label a software program as spyware or some other synonym. On the one hand, vendors might present those labels in a way that causes consumers to overreact to the actual threat, or vendors may make factual errors, and either case can have significant adverse effects on the affected software manufacturer. On the other hand, if vendors are liable whenever software manufacturers don't like their labels, the vendors will make labeling decisions based on risk management, not editorial criteria, and that may degrade the tool's utility to consumers.

That's what makes this ruling so important. The court says, clearly and unambiguously, that anti-spyware vendors' labeling judgments are completely protected by 47 USC 230(c)(2), a statute designed to protect online filtering judgments. In support of this conclusion, the court says that:

1) Kaspersky qualifies as an interactive computer service provider (specifically, as an access software provider)
2) The labeled software does not have to be actually "objectionable;" the vendor qualifies for protection so long as it subjectively considers the software objectionable.
3) There is no "good faith" standard in the statute for the vendor's decision to consider software objectionable.

230(c)(2) has been interpreted fairly infrequently, but a few decisions have applied it to anti-spam vendors and search engine filtering. As best I can remember, this is the first time the statute has been applied to protect anti-spyware vendors. (Am I forgetting any?). As a result of this decision, we should see a decrease in software manufacturers' efforts to strongarm vendors into recharacterizing their software. There will still be private negotiations/discussions between vendors and software manufacturers (which is often a healthy process), but any software manufacturer's threat to escalate the matter to litigation should be fairly empty.

This should close the book on Zango's ill-fated legal initiative from May to change anti-spyware vendors' characterizations of its software. Some previous coverage of those cases: Zango loses TRO against PC Tools; Zango loses TRO against Kaspersky. Yesterday, Zango announced that it voluntarily dismissed the lawsuit against PC Tools; and this ruling appears to put an emphatic end to Zango's lawsuit against Kaspersky.

Posted by Eric at 02:08 PM | Adware/Spyware , Derivative Liability | TrackBack

August 13, 2007

2007 Cyberspace Law Syllabus

By Eric Goldman

I've posted my 2007 Cyberlaw syllabus. Unlike the past few years, which were a little slow cyberlaw-wise, the past 12 months saw a lot of important developments. Let me recap some of changes I made to my reader reflecting these developments:

Additions

Copyright: I added the Cablevision case (after editing out some of the mind-numbing description of cable technology), which provides an interesting exposition on how the source of bits matters in copyright law (we'll reinforce that message with the Amazon.com "server test"). I companioned the Cablevision with the Field case to show a very different philosophy about "volitional" server activity, so I'll ask the students to see if they can reconcile the two cases.

I struggled with how to handle the Ninth Circuit's troika of Perfect 10 opinions. The opinions are long, complicated and irresolute, but it's hard to discuss one without discussing the other two. I decided to include all three but I don't feel great about that decision, given that it takes 115 pages (about 1/6 of my total reader) to work through the three cases, and I'm not sure students will come away any smarter about Ninth Circuit online copyright law after reading all three.

Trademark. I substituted the FragranceNet case for the 1-800 Contacts v. WhenU case. The 1-800 Contacts case remains a very important keyword law precedent, but as a teaching case it was just so-so. The adware subject matter increased the complexity, and it punted on the most interesting question of search engine liability. However, most of the other recent keyword law cases have been even less teachable. Fortunately, the FragranceNet case does a pretty job of recapping the 1-800 Contacts case as well as other recent decisions, and it frames the policy issues nicely. I've paired it with the Playboy v. Netscape case, which will make a good compare/contrast. However, if the Second Circuit gets off its duff, I'd be thrilled to substitute in the court's opinion in the Rescuecom appeal. (I'd be even more thrilled if the court reaches the "right" result!).

I also updated my materials to reflect the Trademark Dilution Revision Act.

230. I continue to stick by the seminal Zeran case, which remains both powerful precedent and a colorful teaching case. However, this year I added the Ninth Circuit hairball Roommates.com opinion. I really didn't want to--it's such a messy opinion--but I think for now the case represents a vitally important incursion into 230 law that any good Cyberlawyer needs to know about it (even if they don't know what to do about it). If we're lucky, perhaps the Ninth Circuit will rehear the case en banc and issue a new and more lucid opinion before I have to teach the existing opinion.

In addition, I created a new module on "blogs and social networking sites" and added the Doe v. MySpace case, a great opinion for exploring the differences between online and offline "premises."

Spam. I teach spam at the semester's end, when time is running out, so we'll see what I'm actually able to cover this year. I've added two recent cases: the Mummagraphics case, which wiped out a lot of state anti-spam laws and has a nice interplay with trespass to chattels, and the MySpace v. theglobe.com case, which has an odd contrast with Mummagraphics on the state anti-spam statutory analysis; plus it shows how online contracts can substitute for legislative rights.

Other. I added some explanatory material, including my standard dog-and-pony CLE presentations on keyword law and blog law and my brief distillation of social networking site law. I also updated the CRS on Spyware.

Other Changes

* I eliminated my standalone section on "search engines" and folded the material into the rest of the reader. I think there's pedagogical value to isolating and deeply exploring search engine issues, which is why I initially segregated the material. However, search engine issues crop up throughout the foundational material, so I'm not sure that segregation worked.

* I deleted the following material:
- Corbis v. Amazon. This was an excellent case to teach 512, but I think the ccBill case superseded it in a number of respects.
- the district court opinion in Perfect 10 v. Google, which was superseded by the Perfect 10 v. Amazon Ninth Circuit opinion.
- 1-800 Contacts v. WhenU (as discussed above)
- Alaska SB 140, which I ran out of time to discuss last year.

Deliberately Excluded

* The Utah anti-keyword advertising law represents one of the most important statutory changes of the year, but I omitted it because I anticipate Utah will modify it, and there's no point teaching a moot law.

* I skipped the Unlawful Internet Gambling Enforcement Act. I've generally shied away from teaching online gambling in Cyberlaw; the topic requires a lot of time to teach, making it hard to squeeze into a semester-long survey course. Plus, the new law is an analytical mess, so I'm not sure what the students would get out of the discussion.

* We were so excited to get the California Supreme Court's Barrett v. Rosenthal ruling, but the actual opinion doesn't add much to Zeran, so I thought it wasn't worth the time.

Posted by Eric at 07:57 AM | Adware/Spyware , Copyright , Derivative Liability , Internet History , Search Engines , Spam , Trademark | TrackBack

August 01, 2007

July 2007 Quick Links, Part II

By Eric Goldman

Virtual Worlds

* After a remarkable run as media darlings, Second Life is now experiencing some of the inevitable backlash. Case in point: Wired's "How Madison Avenue Is Wasting Millions on a Deserted Second Life." In this respect, Second Life reminds me a little of Keen.com--both provide fantastic platforms for monetizing user-generated content, but that powerful economic platform is likely to take root primarily in the sin businesses (porn, gambling, etc.). (FWIW, Keen.com appears to have cleaned up the dial-a-porn and is now focused exclusively on dial-a-horoscopes). As a result, it will be interesting to see what happens to Second Life's numbers in response to their anti-gambling crackdown. Meanwhile, lawyers--the classic late adopters--are gushing about Second Life's potential as a business generator--an interesting counter-perspective to the Wired article.

* World Copyright Law Report: "Some residents have been using a rogue version of a program called CopyBot to make a copy of anything in the Second Life world, thus threatening to undermine the whole basis of the Second Life economy."

Wikipedia

* More marketers wake up to the value of inserting links into Wikipedia despite Wikipedia's nofollow tag. See my earlier explanation of this. Meanwhile, a Wikipedia administrator talks about what Wikipedians consider white hat practices for marketers.

* Willing to cite to Wikipedia in your legal briefs? Need some custom-tailored authority to support your argument? Edit Wikipedia to say what you want!

* Mike Godwin has become Wikimedia’s GC. You may recall that Mike and I bet about Wikipedia’s future; it appears he has raised the stakes on that bet substantially!

User Generated Content

* "GC's Client from Hell": Whole Food's CEO John Mackey pseudonymously posted about his company's stock and his competitor's stock on Yahoo Finance. The WSJ article has some of the juiciest postings. The NYT on CEO "sock puppetry."

* A restaurant owner used consumer reviews from Yelp as part of deciding to fire employees.

* Interesting interview with the pseudonymous founder of a pay-for-Diggs business.

Blogs

* The ABA Journal has entered the crowded field of blawg directories with one of their own.

* Blawgworld 2007: 77 blawgers chose their favorite posts, which were compiled into an e-book. The compilation turns out to be a great way to get noisy blawgers to promote their brilliant contributions to the e-book, which generates traffic and link love for the publisher, which in turn creates a nice delivery vehicle for sponsored content/advertising.

Miscellaneous

* Asch Webhosting, Inc. v. Adelphia Business Solutions Investment, LLC, 2007 U.S. Dist. LEXIS 52932 (D. N.J. July 23, 2007). IAP terminates customer based on complaints that customer was a spammer. Court holds that the consequential damages waiver applies, effectively negating customer's alleged damages. Rejecting the customer's argument that the termination was in bad faith, the court says: "Plaintiff’s arguments about the accuracy of the spamming complaints do not change the Court’s determination because regardless of the ultimate accuracy or veracity of the spamming complaints, defendant was entitled to rely on those complaints so long as it did so in good faith, and plaintiff has not demonstrated any bad faith by defendant." HT: Technology Law Update.

* Consumer Law & Policy Blog: "companies in two recently filed federal cases explicitly invoke [the recent Supreme Court decision in] Leegin as a justification for terminating the eBay auctions of competitors that charge lower prices online."

* Declan on whether anti-spyware vendors are screening for "fedware" (government keystroke loggers designed to capture data before it's encrypted).

Fun

* More proof that technology can save lives: During a power outage at a hospital, doctors were able to complete a surgery using the light of open cellphones.

* I’m a new fan of Oddee. Some recent posts (it helps to think about sexual connotations when interpreting the photos):
- "15 Unfortunately Placed Ads."
- "Most Unfortunate Logos Ever"
- "Unfortunate Business Names.”

Posted by Eric at 11:06 AM | Adware/Spyware , E-Commerce , General , Internet History , Marketing , Spam , Virtual Worlds | TrackBack

July 19, 2007

Advertiser Liability for "Contributory" Trespass to Chattels Redux--Burgess v. American Express

By Eric Goldman

Burgess v. American Express Co., 2007 NCBC 15 (N.C. Superior Ct. May 21, 2007)

David Fish points to an interesting new ruling on the subject of advertiser liability for pop-up advertising (I'm inferring that the pop-ups were delivered via adware, although the opinion doesn't use that term). As part of a procedural request by a defendant/advertiser, the court says:

Burgess’s claim is premised on the appearance of unauthorized “pop-up” messages on his computer displaying the Defendants’ advertisements. Burgess alleges specifically that Target (and other Defendants), through the services of a third-party intermediary, delivered unauthorized “pop-up” advertisements to his computer and thereby caused damage to the same....Construing these allegations in the light most favorable to Burgess, he has at least alleged a claim for trespass to chattels under North Carolina common law. [cite to Sotelo] ...The Court is also satisfied that Burgess has alleged actual harm; although, I note that actual damage is not required to pursue a claim for trespass to chattels in North Carolina, at least where the claim is based on unlawful interference.

While the plaintiff has a lot more work to do before winning this case, this ruling is still interesting because it reinforces the potential that advertisers can be directly/contributorily liable for a trespass to chattels based on how their advertising is delivered. Not only is this a stupid result legally, but I remain shocked that these opinions fail to discuss Intel v. Hamidi or the more recent Mummagraphics case, both of which should make pop-up ad-based claims for trespass to chattels tenuous at best. I hope the defense lawyers can convince the judge to look at broader precedent than just the Sotelo case.

Some previous posts on advertiser liability for adware/trespass to chattels:
* Utah Bans Keyword Advertising (April 2007)
* Advertisers Settle NY Anti-Adware Action (January 2007)
* WSJ Debate on Advertiser Liability for Adware (April 2006)
* The FTC, Adware Advertising and Badges of Shame (December 2005)
* Adware Witchhunt Gone Awry (October 2005)
* Downloading Software onto Home Computer May Be Trespass to Chattels--Sotelo v. DirectRevenue (Sept. 2005)
* Are Adware Advertisers Responsible for Adware? (August 2005) [points to my CNET editorial on this topic]
* AP Story on Advertiser Responsibility for Adware (June 2005)
* Edelman on "Intermediaries' Role in the Spyware Mess" (May 2005)
* LA Times on Adware Advertisers--Including 1800 Contacts? (May 2005)
* Utah Amends Spyware Control Act (March 2005)

Posted by Eric at 02:06 PM | Adware/Spyware , Derivative Liability , Marketing , Trespass to Chattels | TrackBack

July 02, 2007

June 2007 Quick Links

By Eric Goldman

Email

* Spam cases are coming at a regular clip, and it's tricky divining the latest state of the law. Two recent cases that caught my attention:
- US v. Impulse Media Group, 2007 WL 1725560 (W.D. Wash. June 8, 2007). This case involved a porn site that used affiliate marketers who didn't comply with the porn spam labeling requirements. The government argued that the advertiser should be strictly liable for this breach, but the court fairly emphatically rejected that (same as Cyberheat). But the news isn't all good for the defense, as the court also rejected its SJ motion, showing that the question of scienter about affiliate behavior remains a tough one for courts. Venkat's writeup.
- Kleffman v. Vonage Holdings Corp., No. 07-2406 (C.D. Cal. May 22, 2007). A nice complement to the Facebook v. ConnectU case, each holding that aspects of California's anti-spam laws are preempted by CAN-SPAM. In this case, the targeted behavior was the fact that the emailer may have used multiple email addresses to bypass electronic spam filters, but there wasn't anything false/deceptive about each email itself. See the BNA write-up and Venkat's writeup. I've lost track of the preemption cases, but it seems like state anti-spam laws are really getting munched after the Mummagraphics case.

* NYT on the pros/cons of captchas.

* Goodmail has expanded its pay-to-email system to Comcast, Cox, Roadrunner and Verizon.

Intellectual Property

* In Explorologist v. Sapient, involving the posting of a video deconstructing Uri Geller's act, the defendant is arguing (per CCBill) that 47 USC 230 preempts British copyright law.

* A rushed high school yearbook editor downloads lots of Facebook photos and adds them to the yearbook to fill space. Not a good idea!

* Techdirt: Who owns the right to license the design of military weapons to toy manufacturers?

* Marty on intellectual property protection for sexual activity.

Contracts

* A California man claims he bought a Gateway computer that never displayed text properly. Is he bound to the clickthrough agreement displayed on bootup? If this is the only way Gateway presented its contract, the answer should be no.

* At a conference at Southwestern Law School, I heard Prof. Lon Sobel talk about "idea submission" law. He illustrated the phenomenon that "where there's a hit, there's a writ": he suggested that hit TV shows produce an average of 6 "you stole my idea” demand letters. The great 1980s movie Coming to America produced 12 such letters, which resulted in 7 actual lawsuits. Interestingly, Prof. Sobel made the case (implicitly, not explicitly) that there is no separate law of "idea submissions," but rather any such doctrines are subsumed within standard contract law.

eBay

* eBay has changed its stance towards fighting counterfeiters, and it now does more policing itself.

* eBay shill bidder pays $400k to settle with NY AG.

Social Networking/Blogs

* The NCAA kicked a reporter out of the stadium for live-blogging the event. Tip to NCAA: It’s neither possible nor wise to control the flow of real-time information. Get over it. HT: Techdirt.

* Just came across this article: Stacey Schesser, MySpace on the record: The admissibility of social website content under the Federal Rules of Evidence, First Monday, volume 11, number 12 (December 2006).

* Wired: 7 MySpace sex offenders busted.

Marketing/Advertising

* AMCO Ins. Co. v. Lauren-Spencer, Inc., 2007 WL 1795970 (S.D. Ohio June 20, 2007). Insured offers jewelry from a website. Third party claims that the insured's jewelry constituted copyright infringement. Insured tenders the lawsuit to her insurance company under the advertising injury policy. Insurance company seeks a DJ of no coverage. The court says that the website constitutes advertising for the products, and so the policy applies to photos of the allegedly infringing jewelry items, even if the photos themselves were created by the insured. Observation #1: The advertising injury policy is very helpful to web businesses. Observation #2: Due to cases like this, I suspect insurance companies are reducing their willingness to offer advertising injury coverage to web businesses.

* Taylor v. XRG, Inc., 2007 WL 1816142 (Ohio App. Ct. June 21, 2007). The defendant was a vendor retained by bulk fax senders that handled consumer responses, including opt-outs from future faxes. Court held that the vendor wasn't liable for any TCPA/state anti-junk fax laws allegedly broken by the fax sender.

* Newish ad format: ads running 2 seconds in duration.

Search

* It's taken me a while to digest some of Google's new efforts. First, Google released two tools (a new toolbar button and a new personalized tab) to anticipate searchers' needs based on their past searches. Second, Google expanded its search history to incorporate all aspects of a user's searching through its services (what it calls "web history"). Meanwhile, Google has reduced its storage of personalized search data from 18-24 months to 18 months before that data gets anonymized. FWIW, I've been using Google personalized search since November 2005 (presumably, some of my data will be flushed any time now). Google has now captured almost 12,000 searches (with a high so far of 255 searches in a single day). Despite this, Google still doesn’t do a good job making predictions for me.

* Another great study from Jim Jansen (see the last one I blogged about). This one presented identical search results branded from different search engines and found that consumer ratings of relevancy varied based on the brand (Yahoo and Google came out on top). The logical inference--branding does matter to perceptions of relevancy. HT: SEL.

* Matt Cutts on the various ways humans affect Google search.

Domain Names

* Denmark's .dk TLD registry has enacted rules targeted at wiping out domainers. See here (Sec. 8.3.6).

* What's hotter than iPhones? iPhone-related domain names.

Adware/Spyware

* Declan on the latest legislative rally against spyware, the Senate's Counter SPY Act.

* The FTC issued final approval for the DirectRevenue settlement of $1.5M. Commissioner Leibowitz dissented, saying the cash payment was too light.

Online Reputations

* Avvo has filed a motion to dismiss the lawsuit over its ratings of attorneys. The motion is very heavy on the 1st amendment and very light on 230. HT: WSJ Law Blog.

* The Washington Post gushes about Reputation Defender and its competitors, without really acknowledging the value of reputational accountability or the potential for takedown/pushdown abuse.

* Entrepreneurs figured out a way to game FICO scores. Fair Isaac will try to close the loophole.

* Ed Magedson of Rip-Off Report was the victim of a vicious harassment campaign demanding that he remove complaints from the site.

* Lengthy NYT article on Wikpedia. Not much new there, but it does hint at the young age of Wikipedians, and it talks about how "pride of ownership" motivates Wikipedians.

Other

* June 26 was the 10 year anniversary of the classic Reno v. ACLU Supreme Court opinion.

* The NYT has launched a new technology blog called BITS.

Posted by Eric at 02:37 PM | Adware/Spyware , Content Regulation , Copyright , Derivative Liability , Domain Names , Internet History , Licensing/Contracts , Marketing , Search Engines , Spam , Trademark | TrackBack

June 06, 2007

SPY Act Passes House...Again

By Eric Goldman

HR 964

For the third year in a row, the House passed the SPY Act. I was hopeful that the House's passing of the I-SPY Act would forestall further action on this bill, but unfortunately I was wrong. The SPY Act is a terrible solution to problems that may be already self-correcting, so let's hope the Senate either takes a pass on both bills or at least takes a pass on the SPY Act a third time.

Posted by Eric at 05:29 PM | Adware/Spyware | TrackBack

Zango Also Loses Kaspersky TRO Motion

By Eric Goldman

Zango, Inc. v. Kaspersky Lab Inc., C07-0807-JCC (W.D. Wash. TRO motion denied June 6, 2007)

Yesterday, Zango's TRO request against PC Tools was denied but Zango claimed the result was nevertheless a "victory for consumer choice" because PC Tools had made important classification changes. Today, the same judge denied Zango's TRO request against Kaspersky Lab even though Kaspersky hasn't made commensurate classification changes. Is this result a loss for consumer choice?

Like yesterday's opinion, the court's opinion is short and plainly stated, and it repeatedly points readers to yesterday's opinion. The only substantive differences are (1) Kaspersky made fewer technical changes, but the court says that this fact isn't significant enough to reach a different result, and (2) the court suggests, but does not conclude, that a 230(c) defense might be meritorious.

The opinion doesn't say it, but I think implicitly the two opinions signal very clearly that Zango will need to present much stronger evidence of its problem if it hopes to ultimately prevail. Or, if it can't present stronger evidence, this judge doesn't look like he will be easily impressed. On that basis, Zango may find the better choice is to pursue out-of-court options.

UPDATE: Zango says this ruling puts "Consumer Choice on Hold."

Posted by Eric at 11:01 AM | Adware/Spyware | TrackBack

June 05, 2007

Zango Loses TRO Motion Against PC Tools But Claims Win

By Eric Goldman

Zango, Inc. v. PC Tools Pty Ltd., C07-0797-JCC (W. D. Wash. TRO denied June 5, 2007)

The judge denied Zango's TRO request against PC Tools. The actual opinion is efficient and somewhat non-committal, as befits an opinion written quickly in response to a TRO request. However, the court's opinion reflected that it was aware of Zango's historical practices and understood the public benefit from giving space for anti-spyware tools to do their thing. Venkat's take: "This Order would make me reconsider if I were Zango."

Despite the TRO loss, Zango claims this as a "victory for consumer choice" because the lawsuit caused PC Tools to substantially change its categorization of Zango, giving Zango the results it sought anyway.

Regardless of these developments, I'm failry confident this story isn't over. I suspect PC Tools and Zango will have continued categorization spats in the future. And, the lawsuit against Kaspersky is still pending, so perhaps that will give us some more useful insights into this legal area.

Posted by Eric at 07:59 PM | Adware/Spyware | TrackBack

PC Tools & Kaspersky Respond to Zango Lawsuit

By Eric Goldman

PC Tools and Kaspersky have responded to Zango's TRO requests in Zango v. PC Tools and Zango v. Kaspersky.

PC Tools' response reads like a typical anti-spyware gripefest about Zango generally, only some of which actually responds to Zango's TRO motion. (For an analogous circumstance, see Symantec's gratuitous smear of Hotbar in a similar lawsuit). Then again, Zango had to know that its dirty laundry was going to be aired when it filed this lawsuit. I thought it was particularly interesting that PC Tools didn't raise the 230(c)(2) defense--not sure why they didn't do so, because it seems like the quickest path to success.

Kaspersky's response claims (among other defenses) that Kaspersky USA is an independent entity from the true classifying organization in Moscow. I'm not sure how a court will handle the factual issues raised by this contention; TROs hearings don't normally engage in extensive fact-finding.

Both motions rely heavily on the New.net v. Lavasoft (see, e.g., the stern anti-SLAPP and dismissal opinion in that case). Also, in case you're curious, Ben Edelman is PC Tools' expert and Ray Everett-Church is Kaspersky's expert.

HT: Venkat. See Venkat's comments here.

Posted by Eric at 01:34 PM | Adware/Spyware | TrackBack

May 31, 2007

House Passes I-SPY Act

By Eric Goldman

Internet Spyware (I-SPY) Prevention Act of 2007 (HR 1525)

The House passed the I-SPY Act, sending it on to the Senate. This is the House's third time passing anti-spyware legislation. The past two years, the House passed the SPY Act, only to have the bill die in the Senate. We'll see what the Senate does this year.

As regular readers know, I've opposed just about every anti-spyware/anti-adware law proposed/enacted. So, it may surprise you that I think the House's passage of I-SPY is good news. This doesn't mean that I-SPY is necessary or even wise. From my perspective, I-SPY's main operative provisions overlap existing provisions in the Computer Fraud & Abuse Act. Thus, I don't think the law creates any new limitations, which makes the law a harmless/ineffective trifle.

However, I-SPY is good news because it's unlikely the House and Senate will pass two anti-spyware laws this session (and perhaps for a very long time). Thus, I-SPY may displace further action on the SPY Act, which is positive because the SPY Act is a terrible bill. The SPY Act tries to codify a set of bad practices and banish them; but, the practices targeted by the SPY Act aren't universally bad, and the technological specificity of the SPY Act will render it useless in the face of new technology, social practices and business practices. So I'm hoping that the Senate takes up I-SPY, passes it, and closes this chapter on Congressional efforts to regulate spyware. They have plenty of other important things to worry about.

Posted by John Ottaviani at 11:21 AM | Adware/Spyware | TrackBack

May 30, 2007

Zango's Busy Litigation Docket

By Eric Goldman

I got a tip that Zango's lawsuit against PC Tools had been removed to federal court, which prompted me to search for "Zango" in PACER for the Western District of Washington. I learned that Zango has a surprisingly busy litigation docket, with 4 lawsuits filed in its home court in the past two months:

* I previously blogged on Zango v. PC Tools. That case has been removed to federal court (W.D. Wash., case no. 2:07-cv-00797-JCC).

* Zango filed a similar but less well-publicized lawsuit against anti-virus software vendor Kaspersky, which also has been removed to federal court. Zango Inc. v. Kaspersky Lab Inc., 2:07-cv-00807-JCC (W.D. Wash.). Because the lawsuit was initially filed in state court, PACER doesn't have the complaint. However, here's Zango's motion for a TRO.

In addition to these 2 lawsuits against anti-spyware software vendors, Zango claims it's been stiffed by two advertisers to the tune of about $1M:

* Zango Inc. v. Internet Brands Inc., 2:07-cv-00506-RSL (W.D. Wash. complaint filed April 6, 2007). See the complaint.

* Zango Inc v. Mainstream Advertising, 2:07-cv-00507-MJP (W.D. Wash. complaint filed April 6, 2007). See the complaint.

Looks like it's a rough-and-tumble world out there!

Posted by Eric at 09:44 AM | Adware/Spyware , Licensing/Contracts , Marketing | TrackBack

May 29, 2007

Zango Claims Spyware Doctor SE Surreptitiously Deletes Its Software

By Eric Goldman

Zango, Inc. v. PC Tools Pty Ltd., 07-2-15844-8SEA (Wash. Superior Ct. complaint filed May 15, 2007)

We've seen a fair amount of tussling between adware vendors and anti-spyware software vendors, including a battle over the incorporation of' "good samaritan" immunizations for anti-spyware vendors in proposed anti-spyware legislation (see, e.g., here and here). However, litigation between the two camps has been relatively rare, so this case (if it doesn't settle like most of the precedents) might help shape the contours of anti-spyware software vendors' duties as well as influence the pending anti-spyware legislation in Congress.

Here, Zango claims that PC Tools' software, Spyware Doctor Starter Edition, (1) mislabels Zango's software as an "elevated risk" and (2) automatically disables Zango's software from functioning without giving users notice, which prevents new installs and prevents current users from using existing installs--including those users who have paid a premium subscription allowing them to use Zango's software pop-up-free. While these effects alone would be problematic for Zango even if Spyware Doctor were an obscure program, Spyware Doctor SE has the added profile of being bundled in the Google Pack.

While I can see why Zango would be upset enough about this situation to sue, bringing a lawsuit has numerous downsides. First, the facts may not be in its favor; SunbeltBlog has had difficulty replicating some of the results. Second, lawsuits over classifications threaten anti-spyware vendors' editorial integrity (and PC Tools is claiming that was Zango's intent), but fortunately those editorial judgments should be completely protected by 47 USC 230(c)(2). Third, Zango isn't particularly popular in the anti-spyware crowd, so their enforcement actions bring extra scrutiny.

With the respect to the claim that Spyware Doctor disables Zango, this case reminds me of the fracas (that matured into a lawsuit) between Avenue Media and DirectRevenue back in 2004, where Avenue Media claimed that competitor DirectRevenue was surreptitiously kicking its software off users' hard drives (the case reached a detente).

While it would be tempting to dismiss the Avenue Media/DirectRevenue lawsuit as a piratical battle between untouchables, there are other examples where company A deletes company B's software with minimal notice. Most prominently, I still can't fathom how Microsoft gets away with unilaterally wiping software off users' hard drives (my recollection is that AOL has done the same thing, but I can't find my documentation of it now). At some point we're going to have reach a social consensus about what level of user authorization is required for one software program to annihilate another program. Maybe this case will help us understand that issue a little better.

Posted by Eric at 01:14 PM | Adware/Spyware , Privacy/Security | TrackBack

May 09, 2007

Utah Trademark Protection Act Updates (from BNA)

By Eric Goldman

As I previously reported, Utah legislators met with industry representatives to discuss the Utah Trademark Protection Act on April 25. BNA [BNA subscription required] provides a fresh update on developments since the April 25 meeting. According to the BNA article:

the governor has directed the Division of Corporations and Commercial Code in the state Department of Commerce to hold off on implementing the law "for at least a couple of months" while changes to the legislation are considered....If an agreement is reached soon, changes could be enacted during a special session likely to occur this summer.

I like the way that Paul Rogers, a lobbyist for some of the technology companies, summarized his take-away from the April 25 meeting:

"I don't think they had thought it through, in terms of how it will affect the consumers' interests," he said. "We told them we're not going to comply--we're going to sue. They said, 'Don't sue--we get it, we've gone too far. Let us see if we can fix it or repeal it.' "

Personally, I recommend option #2.

Posted by Eric at 09:57 AM | Adware/Spyware , Domain Names , Search Engines , Trademark | TrackBack

April 27, 2007

Utah Legislators Realizing They Screwed Up By Banning Keyword Advertising

By Eric Goldman

Linda Fantin at the Salt Lake Tribune reports on the meeting between Utah legislators and various technology companies (Google, eBay, Microsoft, AOL, Yahoo, 1-800 Contacts and Overstock.com) to discuss the recently enacted Utah Trademark Protection Act banning trademark-triggered keyword advertising.

Based on the SL Trib article, it looks like the Utah legislators are beginning to realize that they got in over their heads (Sen. Eastman's defensive bravado that he "makes no apologies" notwithstanding). For example, the article says that the legislators didn't understand that Utah technology companies 1-800 Contacts and Overstock.com routinely buy other parties' trademarks to trigger ads--even though this is a well-documented fact. Rep. David Clark lamented that "I wish we had had this interaction with industry 60 days ago...We would have all been better off." Great point! The world would be a better place if legislators did their homework first before blasting their legislative guns.

Based on this meeting, it appears the law is in stasis for now. The Utah legislators haven't promised to amend or repeal the law (at least, not yet), but Rep. Clark admitted that "we understand we've got some work to do" and the AOL/1-800 Contacts lobbyist walked away from the meeting thinking litigation wasn't going to be necessary. Meanwhile, according to Sen. Eastman, no efforts will be made to create the registry until further discussions take place.

UPDATE: If you missed it, in an April 11 editorial, the Salt Lake Tribune urged the Utah legislature to unilaterally repeal the law.

Posted by Eric at 04:18 PM | Adware/Spyware , Derivative Liability , Marketing , Search Engines , Trademark | TrackBack

April 25, 2007

Academic Debate over Trademark Use in Commerce

By Eric Goldman

As regular blog readers know, a hot area in online trademark law is the "trademark use in commerce" element of the plaintiff's prima facie case. This element has been dispositive in several noteworthy defense wins, including the 1-800 Contacts v. WhenU and Rescuecom v. Google cases. Yet, some experts, such as Prof. McCarthy, believe that the prima facie case doesn't require the plaintiff to show that the defendant made a trademark use in commerce.

This debate has led to 2 companion articles by 4 top trademark scholars. First, Graeme Dinwoodie and Mark Janis wrote Confusion Over Use: Contextualism in Trademark Law. In the article, Dinwoodie/Janis agree with McCarthy that trademark use in commerce isn't a separate element of the plaintiff's prima facie case because, otherwise, the trademark fair use statutory provision makes no sense. Therefore, Dinwoodie/Janis favor a contextual analysis of infringement which effectively omits the trademark use in commerce element and instead focuses on the likelihood of confusion factor.

Mark Lemley and Stacey Dogan responded with Grounding Trademark Law Through Trademark Use. This article argues that the trademark use in commerce element historically helped distinguish between direct and contributory infringers (i.e., if the defendant hadn't made a TM use in commerce, its only liability would be contributory).

As I've said before, I think the statute is unresolvably irresolute, so statutory arguments aren't likely to help us reach a consensus any time soon. From a normative standpoint, I think Lemley and Dogan have the better argument in this debate, but for different reasons than the ones they articulate. I think the use in commerce requirement acts to keep "commercial referential uses" outside the boundaries of trademark law. I'll explain this in more detail soon.

The Dinwoodie/Janis abstract:

This paper tackles an intellectual property theory that many scholars regard as fundamental to future policy debates over the scope of trademark protection: the trademark use theory. We argue that trademark use theory is flawed and should be rejected. The adoption of trademark use theory has immediate practical implications for disputes about the use of trademarks in online advertising, merchandising, and product design, and has long-term consequences for other trademark generally. We critique the theory both descriptively and prescriptively. We argue that trademark use theory over-extends the search costs rationale for the trademark system, and that it unhelpfully elevates formalism over contextual analysis in trademark law rulemaking. The theory seeks determinate trademark rules in order to encourage a climate of certainty for innovators, but the concepts on which it is founded are likely to degenerate. We show that trademark use theorists ignores the multivalence of trademark law, and that adopting trademark use doctrines would result in less transparent trademark decisionmaking. Instead, we propose that trademark law retain its traditional preference for contextual analysis. We show in particular how a contextual analysis would offer an approach to trademark disputes involving online advertising that better captures the potential of trademark law to police new information markets. Our analysis contemplates individualized assessments according to common law standards, but opens up policy space for the development of limited statutory safe harbors for intermediaries such as search engines.

The Lemley/Dogan abstract:

The debate over trademark use has become a hot-button issue in intellectual property (IP) law. In Confusion over Use: Contextualism in Trademark Law, Graeme Dinwoodie and Mark Janis characterize it as a dispute over whether to limit trademark holder rights in a new and unanticipated way. Yet there is another – in our view more historically accurate - way to frame the trademark use debate: the question is whether courts should, absent specific statutory authorization, allow trademark holders to assert a new and unprecedented form of trademark infringement claim. The pop-up and keyword cases involve attempts to impose third-party liability under the guise of direct infringement suits. Dinwoodie and Janis's thorough account notwithstanding, it remains the fact that, before the recent spate of Internet-related cases, no court had ever recognized a trademark claim of the sort that trademark holders are now asserting. Trademark infringement suits have always involved allegations of infringement by parties who use marks in connection with the promotion of their own goods and services. The question raised by the trademark use cases, as we view it, is whether courts should countenance a radical departure from that traditional model without specific instruction from Congress. We think they should not.

In this paper, we explain the origins of trademark use doctrine in traditional limits on the scope of the trademark right and in the distinction between direct and contributory infringement. We also explain why we cannot simply rely on the likelihood of consumer confusion test to solve the problems the trademark use doctrine addresses, and we examine the difficult problem of defining the scope of the trademark use doctrine.

Posted by Eric at 02:10 PM | Adware/Spyware , Search Engines , Trademark | TrackBack

April 12, 2007

Keyword Law Talk

By Eric Goldman

Tomorrow I'm giving a talk in Dallas entitled "Keyword Law." In light of the new Utah law, this turns out to be an interesting time to speak on the topic!

Posted by Eric at 03:53 PM | Adware/Spyware , Search Engines , Trademark | TrackBack

April 09, 2007

Keyword Advertising as Corporate Identity Theft—Sen. Eastman Defends New Utah Law Banning Keyword Advertising

By Eric Goldman

Last month, Utah quietly passed SB 236 to outlaw keyword advertising. Last week, SB 236’s sponsor, Sen. Dan Eastman, blogged a defense of the law. I really respect Sen. Eastman for engaging his critics in the blogosphere, but his response also illustrates how Utah passed such a rotten and anti-consumer law.

Sen. Eastman’s blog post is entitled “Identity Theft: The Next Generation,” and he explains that keyword advertising is a “creative new kind of identity theft.” Apparently, then, banning competitive keyword advertising should prevent a type of corporate identity theft. While invoking the Big Scary Threat of “identity theft” is a clever rhetorical move, it’s also analytically indefensible. Identity theft occurs when someone makes a false representation, but this law bans competitive keyword advertising that is completely truthful and does not confuse anyone.

Along the way, Sen. Eastman picks some colorful verbs to describe competitive keyword advertising, analogizing competitive keyword advertising to “carjacking” someone’s trademark (should we call this “markjacking”?) and suggesting that searchers presented with a comparative ad are being “shanghaied by a pirate.” These chosen verbs imply that somehow searchers are being forcibly deprived of their rights, as if a thief is holding a gun to the searcher’s head, saying “GIVE ME YOUR CLICK,” or that a careless searcher will wake up one morning with a bad headache trapped on a square-rigged ship as an indentured servant. But, there is no compulsion taking place with keyword advertising; searchers aren’t being forced to do something they don’t want to do. Search engines present keyword advertising, and searchers click on it when they think it’s relevant. Search engines increase consumer choice, not limit it, so in my opinion the only people being shanghaied here are Utah citizens harmed by this law and its bogus justifications.

Sen. Eastman also declares: “I make no apologies. Utah is a highly tech-savvy, super business-friendly state. We have more computers per capita than anywhere else in the nation.”

I can’t argue with his business-friendly characterization, as this law amply confirms that Utah happily sells out consumers to help businesses seeking to limit fair and legitimate competition. However, his reference to the number of computers in Utah is more puzzling. Utah residents may own a lot of computers, but the Utah legislature appears to be trying to render those computers useless by passing a dizzying array of regressive, anti-consumer, anti-Internet laws.

Finally, Sen. Eastman’s intransigence (“I make no apologies”) is understandable but unfortunate. This law will fail in the courts, and it would be a true public service to declare a “mea culpa” than to waste a lot of Utah taxpayers’ money in a futile defense of the law.

In addition to Sen. Eastman's post, Matthew Prince, CEO of Unspam, also blogged his own defense of the law. I'm still trying to parse Unspam's interest in this law--are they hoping to become the electronic registration mark's database vendor?

In any case, I thoroughly dissected Prince's proffered rationales (such as the bogus claim that Mazda "diverts" searchers for Pontiac) in this article, so I'll spare you the rehash here. However, I will address one legal point: it's misleading to suggest that the "Trademark Protection Act merely extends the same rights already enjoyed by mark holders throughout the rest of the world to Utah." Just like US courts, foreign courts are struggling to determine the proper application of their trademark laws to competitive keyword advertising, so there are numerous foreign rulings validating the legitimacy of competitive keyword advertising (see, e.g., Israel's endorsement of the practice in the Matim Li v. Crazy Line case).

UPDATE: It appears that Matthew Prince knows more about the dormant commerce clause than Utah's General Counsel. If this law isn't generating profits for Unspam, it's very generous of Unspam to give Matthew so much time to write lengthy legal memoranda.

Posted by Eric at 11:25 AM | Adware/Spyware , Search Engines , Trademark | TrackBack

April 03, 2007

Utah Bans Keyword Advertising [Updated]

By Eric Goldman

Utah SB 236 (the "Trademark Protection Act"), enacted March 19, 2007

Legislators enact stupid laws all of the time, but some laws transcend mere stupidity and produce a single 3 letter response: WTF? And no legislature has passed more WTF Internet laws than Utah's. Consider this track record:

* in 1995, Utah enacted the nation's first digital signature legislation designed to spur PKI-based digital signatures. But no one cared, and no company ever qualified for the statutory safe harbor. Completely unused, last year Utah repealed the law entirely after 11 years of futility.

* In 2005, Utah passed a law requiring Internet access providers to allow Utah's AG nee porn czar to designate porn websites as off-limits in Utah. Utah had to repeal some of that law, but litigation over the remainder is ongoing.

* Utah recently enacted a "don't email the kids" registry. Putting aside the major problems of state-based email laws (i.e., mapping geographic-based laws onto a borderless email infrastructure), email is much more suited to client-side filtering than centralized do-not-contact registries, and there's always the risk of bad actors getting their hands on the database of kids' email addresses. As a result, this law is such a bad idea that even the consumer protection-oriented FTC advocated against it.

Based on this list alone, I think it's safe to say that Utah has an unrivaled track record of enacting dumb, regressive, unproductive Internet laws. But Utah's 3 year battle against keyword advertising represents the strongest support for this assertion.

In 2004, Utah enacted the Spyware Control Act, a completely misguided (and misnomered) law designed to protect a few noisy Utah trademark owners with weak trademarks (such as 1-800 Contacts and Overstock.com) from legitimate competition via adware. In the process, the law took technology out of consumers' hands--even if consumers wanted and valued the technology. I have previously deconstructed in great detail why this law was terrible policy.

Unfortunately, our system doesn't have good checks/balances against dumb laws other than voting the politicos out (hey, Utah readers--hint hint). Fortunately, the initial implementation of the Utah Spyware Control Act was so grossly and obviously unconstitutional that a judge had no problem quickly enjoining the law in summer 2004.

Recognizing the futility of defending that law, Utah abandoned it and amended the Spyware Control Act in 2005 to merge it with trademark law. These amendments effectively eviscerated the law because, as amended, the law required plaintiffs to establish that keyword advertising via adware made a trademark use in commerce. This legal proposition was soundly rejected in the Second Circuit's subsequent holding in 1-800 Contacts v. WhenU. After that ruling (even though it wasn't binding on Utah courts), it's relatively clear that the post-2005 Spyware Control Act failed.

Apparently undeterred by its first two misfires with the Spyware Control Act, Utah has tried to enact regressive anti-consumer legislation for a third time. This time, they've stopped messing around with adware vendors. Instead, they have made a frontal assault on all keyword advertising across-the-board. So this law now appears to cover anyone selling keyword ads, including every major search engines (including Google), many adware vendors, and plenty of other e-commerce sites (eBay, Amazon, etc.).

Specifically, the law creates a new intellectual property right called an "electronic registration mark," defined as a "word, term, or name that represents a business, goods, or a service." This definition may be broad enough to protect domain names even if the domain names are otherwise generic or unprotectable under TM law. Owners of eligible words can register the terms in a new registry by paying a nominal fee.

Once registered, an infringement occurs if another person "uses an electronic registration mark to cause the delivery or display of an advertisement for a business, goods, or a service: (i) of the same class, as defined in Section 70-3a-308, other than the business, goods, or service of the registrant of the electronic registration mark; or (ii) if that advertisement is likely to cause confusion between the business, goods, or service of the registrant of the electronic registration mark and the business, goods, or service advertised."

I read this law to restrict all competitive ad buys of registered terms, even if the advertiser is engaged in comparative advertising that would be completely permissible under existing trademark law and not confusing to any consumer. (Interestingly, the law apparently excludes ad buys by affiliates unless their ad buy causes confusion.) Both the advertiser and the ad vendor are on the hook for an infringement.

To try to limit the law's effect to just Utah, the law only applies if the ad is displayed in Utah or the advertiser or keyword vendor is located in Utah. This caveat tries to overcome the obvious dormant commerce clause problems with this law. Utah, of course, is familiar with this problem given that the first version of the Spyware Control Act was struck down on DCC grounds.

But does this qualifier save the law? The practical reality is that every advertiser, wherever they are located, would have to check Utah's registry before buying keywords that might contain a trademark of a competitor, either because the competitor might be located in Utah or the competitor might have a registration nonetheless and the ads will be displayed to Utah residents (there's no way to buy keyword ads that exclude delivery to Utah residents). So I'm 100% convinced that this law has an extraterritorial effect.

However, I've made the same argument about state do-not-spam registries (where a sender based outside Utah must check the Utah registry before sending) and other state anti-spam laws, yet most of those laws have survived a DCC challenge--including a very recent DCC challenge to Utah's don't-spam-the-kids registry (See Free Speech Coalition v. Shurtleff, 2:05CV949DAK (D. Utah March 23, 2007)). Despite that, Utah's general counsel informed the legislature that the law probably violated the DCC, and I can't imagine judges won't find that compelling. Further, there are other grounds for a challenge here, including the First Amendment and other types of preemption. So I'm reasonably confident that the law ultimately will be struck down on some basis when challenged, although plenty of resources will be needlessly spent in the process.

Irrespective of the legal analysis, I'd be remiss if I didn't say what we're all thinking: this law is terrible policy created by a legislature out of control. We've learned over the last 15 years that keywords are a uniquely empowering tool to enable consumers to express their interests more accurately, concisely and cheaply than other alternatives, which in turn enables intermediaries like search engines to cater to their informational interests. The result is lower search costs for consumers, which in turn creates big social welfare payoffs by making more socially beneficial matches between consumers and producers. So as a matter of social policy, we should be encouraging the use of keywords, not banning it (see my extended support for this argument here (and, to a lesser extent, here)).

UPDATE: Whoops, I can't believe I forgot to mention this. On top of the major DCC problems with the law, there's a very good argument that search engine/online intermediary liability under this law is preempted by 47 USC 230. Last week, the Ninth Circuit in Perfect 10 v. CCBill held that 47 USC 230 preempted all state IP claims, including state TM laws. Online intermediaries can argue that advertisers select the keywords and provide the ads, meaning those items are "provided by another information content provider," in which case online intermediaries should not be liable for that content. This argument won't help advertisers themselves, so the law still creates plenty of friction for online advertising and could still hurt online intermediaries by suppressing demand for their ad inventory. However, if other courts buy the Ninth Circuit's reading of 47 USC 230, any frontal assault on Google or adware companies using this law might very well fail.

UPDATE 2: In response to this post and others, Sen. Eastman has blogged an explanation/defense of the law. I link to his post and provide more commentary in this post.

Posted by Eric at 01:58 PM | Adware/Spyware , Derivative Liability , E-Commerce , Search Engines , Trademark | TrackBack

March 25, 2007

Miva Securities Litigation Rejects Most Click Fraud/Syndication Fraud Claims

By Eric Goldman

In re Miva, Inc. Securities Litigation, 2007 WL 809686 (M.D. Fla. Mar. 15, 2007)

Stockholders of Miva (formerly FindWhat) sued Miva, alleging that Miva had inflated its stock price by making false public statements. In this ruling, Miva successfully dismisses most of the allegations, substantially narrowing the lawsuit. While Miva would have liked to dismiss the complaint entirely, Miva can still find some solace in the fact that the court clearly was underwhelmed by the overreaching nature of the plaintiffs' claims.

The Allegations

The court reports the plaintiffs' allegations at the center of the lawsuit:

two of FindWhat's main revenue generating distribution partners (Saveli Kossenko and Dmitri l/n/u), who represented 36% of FindWhat's revenues, were using illegal means to inflate revenues. This included the use of spyware, browser hijacking software, and “non-human traffic.” The use of such illicit methods of creating internet traffic, commonly referred to as “click-fraud,” meant that advertisers were not forwarded legitimate leads of consumers interested in acquiring their products. This resulted in advertisers refusing to place high bids with FindWhat, causing FindWhat's revenue shortfall to worsen…

Based on this, the plaintiffs introduced eleven public statements to show that Miva was painting a rosier picture than reality, including the following statements:

1) 9/3/03 press release: "Through FindWhat.com, online marketers are able to cost-effectively promote their websites and find highly qualified prospects who have already expressed an interest in their product or service." The court says that the plaintiffs did not allege that the defendants knew its two distributors were sketchy in September 2003.

2) 9/19/03 press release: "The FindWhat.com Network includes hundreds of distribution partners, such as CNET's Search.com, Excite, Webcrawler, MetaCrawler, Dogpile, and Microsoft Internet Explorer Autosearch." The implication is that the defendants had a high quality distribution network when they didn't. The court soundly rejects this contention, saying:

Stating that the FindWhat network “includes hundreds of distribution partners” and identifying seven of the well-known distribution partners says and implies nothing about the Saveli and Dmitri traffic. The press release did not claim these distribution partners were representative of the others, and made no assertion as to the traffic attributed to any of them.

3) 10/20/03 press release: "FindWhat.com's services are a source of revenue and relevant keyword-targeted listings for its partners, while providing its managed advertisers with exposure to potential customers across the Internet. As with the Yellow Pages in the offline world, FindWhat.com's managed advertisers get their message in front of prospects at the exact time they are looking for the advertisers' products and services. Unlike the Yellow Pages, advertisers only pay for those visitors that “walk” into their virtual stores." The court says that this quote does not address the quality of FindWhat's network.

4) 12/10/03 press release: "FindWhat.com operates online marketplaces that connect the consumers and businesses that are most likely to purchase specific goods and services with the advertisers that provide those goods and services....This cost-effective, pay-for-performance model allows Web advertisers to pay only for those prospects which click-through to their sites, and increase their potential for exposure through the millions of advertisements distributed throughout the network per day." The court says this press release predates Miva's alleged knowledge of click fraud in its network, which (as alleged by plaintiffs) started June 2004.

5) 3/5/04 10-K: "We expect that our consultants, agents, resellers, distributors, subcontractors, and other business partners will adhere to lawful and ethical business practices. It is important to our company's reputation that we avoid doing business with companies which violate applicable laws or have reputations which could harm our business. Our policy prohibits engaging agents or other third parties to do indirectly what we as a company should not do under our own policies outlined in this code....The FindWhat.com Network is dedicated to delivering high-quality keyword ads as a result of an Internet user's search query. As such, we have written and strictly enforce advertising guidelines to try to ensure high relevancy standards....We are dedicated to delivering high-quality traffic to our advertisers' websites. We employ an integrated system of numerous automated and human processes that continually monitor traffic quality, often eliminating any charges for low quality traffic proactively from the advertisers' accounts. We enforce strict guidelines with our Network partners to ensure the quality of traffic on the system....We purchase Internet traffic from our distribution partners. Expressed as a percentage of revenue, Internet traffic purchases from one distribution partner represented over 10% of total revenue for each of fiscal 2003 and 2001 and Internet purchases from two individual distribution partners represented over 10% of total revenue for fiscal 2002....During the years ending December 31, 2003, 2002, and 2001, no advertiser represented more than 10% of the Company's total revenue. The Company purchases Internet traffic from distribution partners. Expressed as a percentage of revenues for the year ending December 31, 2003, Internet traffic purchases from one distribution partner represented over 10% of total revenue, for the year ending December 31, 2002, Internet traffic purchases from two distribution partners each represented over 10% of total revenue, and in the year ending December 31, 2001, Internet traffic purchases from one distribution partner represented over 10% of total revenue. However, none of these distribution partners represented more than 15% of total revenue during the three-year period ended December 31, 2003."

Plaintiffs take several swipes at this language, including (a) its 2 distribution partners had acted unethically, (b) the math doesn't add up when 2 distribution partners were about 1/3 of total revenues, and (c) Miva had failed to strictly enforce its policies against the distribution partners.

The court says that there was no promise that all business partners were ethical, dedication to a high-quality network isn't inconsistent with having some bad apples in the network, Miva properly disclosed that 2 distributors represented over 10% of revenue, and these statements were mostly protected forward-looking statements tempered with appropriate cautionary statements.

6) 7/6/04 conference call statements about revenue growth. The court says these statements weren't alleged to be untrue. Also, the plaintiffs alleged that Miva had an obligation to disclose bid deflation, but the court says that this wasn't required in a between-reporting-period conference call.

7) 11/1/04 conference call: an analyst asked about Miva's traffic sources, Although the Miva execs gave a garbled and ambiguous response, the court says that both execs' responses were the equivalent of "no comment."

8) 12/16/04 Jeffries research report. The court says that statements in that report don't bind Miva because they were made by an independent analyst.

9) 2/23/05 press release: Miva made some projections for 2005 revenue, which plaintiffs say were tainted by the fact that they included revenue from the questionable distributors. The court says that these projections were protected forward looking statements.

10) 2/23/05 conference call: Miva claimed that it has terminated specific rogue distributors, but plaintiffs introduced evidence that in fact Miva hadn't terminated those distributors. The court said that this was adequately pled.

11) 3/16/05 10-K. "Plaintiffs allege that statements made in the Form, “[w]e do not rely on ‘spyware’ for any purpose and it is not part of our product offering,” were false and misleading because the two largest distribution partners did in fact rely upon spyware. (¶¶ 89-90.) Additionally, statements made in the Form assuring that FindWhat was implementing screening policies and procedures to minimize fraudulent clicks were allegedly false and misleading because Defendants knew or should have known that the majority of their distribution network relied on click fraud, (¶¶ 91-92); statements made that “none of the traffic purchased from any of these distribution partners represented over 10% of consolidated revenue in 2004” were false and misleading because the percentage of revenue generated by two distribution partners exceeded the threshold without disclosure, (¶¶ 93-94); and statements that distribution partners were taken off line in the fourth quarter of 2004 were untrue. (¶ 96.)" The court said that these were adequately pled.

Implications

All told, the court dismissed the lawsuit for 9 of the 11 statements identified by the plaintiffs, leaving only statements #10 and 11 for further proceedings. As with the other recent Miva click-fraud ruling, Miva would have loved to see the entire lawsuit dismissed, but the lawsuit’s narrowing still represents good news for them.

This lawsuit also illustrates how hard it will be for the plaintiffs to succeed in the "syndication fraud" lawsuit against Yahoo from last year. Although Yahoo used different language, the court’s ruling regarding statements #2 and 3 pertain directly to the gist of the Yahoo plaintiffs’ allegations. That lawsuit is currently on hold while the parties try mediation and settlement discussions, but as part of those discussions I suspect Yahoo will be pointing this opinion out to the plaintiffs.

Posted by Eric at 03:05 PM | Adware/Spyware , E-Commerce , Marketing , Search Engines | TrackBack

March 12, 2007

Affiliate Spam Liability is Fact Question--US v. Cyberheat

By Eric Goldman

U.S. v. Cyberheat, Inc., 2007 WL 686678 (D. Ariz. March 2, 2007)

This case deals with one of the great unresolved Cyberlaw questions: when is an online advertiser liable for the downstream behavior of its media outlets? This question is so important because advertising fuels the Internet economy, both the good--such as the great social benefits produced by ad-supported search engines--and the bad--such as unwanted spam and pernicious spyware. Accordingly, it is critical that advertiser liability policy be set very carefully. Set correctly, bad spam/spyware could dry up. Set incorrectly, the Internet ecology could be destroyed.

Typically, consumer protection advocates favor strict liability for online advertisers. Thus, regardless of advertiser scienter, advertisers should have absolute liability for running ads via unwanted adware or spam. On the plus side, such a theory would probably have the desired benefit of cutting off the flow of advertising to spam and adware.

On the minus side, strict liability for online advertisers also would reduce online advertising across-the-board. Advertisers don’t want the additional liability, nor would they want to spend the time/money to monitor downstream behavior. Perhaps more importantly, I am not aware of any equivalent liability on the part of offline advertisers, so strict liability for online advertisers would represent a type of cyberspace exceptionalism that would likely direct dollars away from online advertisement back to offline advertising.

Interestingly, we have surprisingly little law involving online advertiser liability for media outlets. Statutorily, advertiser liability was enacted in CAN-SPAM and the Utah/Alaska anti-adware laws, but I'm not aware of other statutes. From a case law standpoint, there is surprisingly little precedent. Two relatively recent spam cases, Fenn and Hypertouch, have implicitly rejected strict liability for advertisers (the Fenn case dealt with Utah's anti-spam statute, not CAN-SPAM); in both cases, the advertiser’s use of a contract prohibiting advertising by spam was sufficient to cut off liability for downstream behavior. The Cyberheat case pointed to another case I hadn’t caught before, the Fare Deals v. World Choice Travel.com case, 180 F. Supp. 2d 678 (D. Md. 2001), which also rejected advertiser liability (in that case, for ads running on a website that allegedly infringed trademarks). Finally, there was the recently hyped settlement between the NY Attorney Generals' office and three adware advertisers. However, it's hard to divine much precedent from a settlement, and the chicken-scratch settlement terms imply that the defendants didn't settle because they were quaking in their boots over their legal liability.

(There are other cases, and I haven't done a complete regression to validate this point--but I trust the point is clear that the case law is scrappy and defense-favorable).

The dearth of relevant case law makes the newest case on the topic, US v. Cyberheat, so interesting. The FTC went guns ablazin’ after a porn website for spam sent by its affiliates that allegedly violated CAN-SPAM, arguing under the terms of the statutory advertising liability provision that the advertiser is strictly liable for these spam or should be liable under an implied negligence theory (the case doesn’t use the term “implied negligence,” but the term is designed to characterize the FTC's theory that the facts so clearly establish negligence that the defendant should be liable without any further showing about its mental state).

This tussle over the appropriate scienter requirement appeared to overwhelm the judge, and we get a pretty garbled opinion in response. However, we get one clear statement here: the judge unambiguously rejects strict liability for the affiliate's behavior. Instead, after chasing his tail articulating various vicarious liability/respondeat superior/agency theories, the judge concludes that the advertiser is liable for the affiliate spam only if the advertiser had sufficient knowledge of and control over the affiliates' behavior.

But...how much knowledge and control is sufficient? I have no idea, and frankly, I don't think the judge does either. However, let's look at the facts alleged by the FTC that weren't sufficient to win summary judgment:

* the advertiser didn't have a significant screening process for retaining affiliates
* the advertiser didn't ask affiliates if they planned to do email marketing
* the advertiser had an agreement prohibiting spam but terminated affiliates slowly/inconsistently even when the advertiser received consumer complaints about an affiliate's behavior
* when the advertiser terminated affiliates, it didn't always terminate multiple accounts held by the same affiliate
* the advertiser provided web hosting, marketing and promotional tools to affiliates, including (I believe) serving up the porn images displayed in the emails when opened

The advertiser's principal counterarguments were that it had its contract restriction against spam and that the affiliates were independent contractors. (It was unclear to what extent the advertiser disputed the other facts alleged by the FTC).

So this case will go to trial to determine the advertiser's knowledge/control and whether it acted reasonably under these circumstances. While the FTC might still win this case, this ruling nevertheless must be a sobering wake-up call that the government can't simply allege that liability follows ad dollars and expect to win.

More commentary on this case: Venkat and Reasonable Basis.

Posted by Eric at 03:42 PM | Adware/Spyware , Derivative Liability , Marketing , Spam | TrackBack

February 24, 2007

Domain Name Regulation Talk and McGeorge ICANN Conference Recap

By Eric Goldman

Yesterday, I went to the McGeorge conference on ICANN and domain names. My slides from my talk entitled Keyword Regulation and Domain Name Exceptionalism. I made the point (first outlined in my Deregulating Relevancy article) that domain names are just a subset of navigational keywords, yet we've developed a pretty extensive list of domain name-specific regulations. I argued that we should harmonize the regulatory treatment of keywords by deregulating domain names.

A couple of other noteworthy talks from the event:

* Dr. Filomena Chirico from Tilburg University spoke about "Restrictions on Competition in Internet Governance"--basically, an antitrust analysis of the domain name market. The analysis was nicely presented but, I think, misses a critical point--she focuses on domain names as a standalone market, while I think there's significant cross-elasticity of demand between domain names and other types of marketing/keyword purchases.

* Dr. Todd Davies of Stanford gave an excellent talk entitled "Communication Infrastructure and Information as Forms of Private Property: A Behavioral Perspective on Technology Evolution." Effectively, this was a behavioral economics analysis of developing IP regulations. He then applied these principles to ICANN, showing that establishing ICANN creates a number of predictable problems from a behavioral economics approach, so we would be better off without ICANN trying to regulate domain names. He brought a number of interesting and valuable social science tools to the process of developing IP regulations. For example, he pointed to the psychology principle of "loss avoidance" and showed that endowing a person with IP rights creates the prospect of loss avoidance if that person feels like they are being deprived of their property. I've seen a lot of discussions about the problems of creating IP rights, but I'm not sure if I can recall seeing the loss avoidance principle raised as part of the reasons why IP owners fight so hard to protect their rights and howl whenever there is a proposed scale-back of rights. This looks worth exploring.

* Clark Kelso, California's Chief Information Officer (and a professor at McGeorge), gave the lunchtime keynote talk. He started the talk by listing a parade of horribles about Internet content/behavior (porn, spam, security threats, etc.) which led him to characterize the Internet as a "sewer" that needed substantive regulation to clean it up. In Q&A, I asked him if the Internet was more of a sewer than any other communication medium (his response indicated that he probably didn't understand my point). I shudder to think that he might be advancing the "Internet-as-sewer" meme throughout the corridors of power in Sacramento. Clark also came out swinging against net neutrality regulation. It will be interesting to see if the Schwarzenegger administration takes a more aggressive stance in that debate.

Posted by Eric at 08:52 AM | Adware/Spyware , Domain Names , Search Engines , Trademark | TrackBack

February 06, 2007

Ezor on Email Blocklists

By Eric Goldman

Jonthan Ezor has posted a short paper (10 pages + endnotes), Busting Blocks: Appropriate Legal Remedies For Wrongful Inclusion In Spam Filters Under U.S. Law, to SSRN. This article deals with thorny issues created by email blocklist services, although he focuses specifically on volunteer organizations. The article discusses an email marketer's recourse for incorrectly being listed as a spammer on a spam blocklist, including defamation and intentional interference with prospective business relationship claims, as well as the limits of those claims under 230(c)(1) and 230(c)(2). He concludes that blocklist vendors should use objective criteria, should have an appeals process to correct mistaken listings, and should be surgical in blocklisting IP addresses. He also concludes that vendors should be:

held to professional standards of conduct, including objectivity, reasonable care, and (to the extent their activities cause harm) accountability. The alternative, relying on their good faith and internal procedures, is no longer acceptable, given how critical e-mail has become.

The issues raised by blocklist services are complex, and they span a variety of rating services online, including spyware filters, Google's PageRank and eBay's feedback forum. On the one hand, filters are simply in the opinion "industry," and they add significant value by centralizing behavior monitoring because it's too expensive for each of us to independently form our own opinions.

On the other hand, by ceding control to filter vendors, we have to trust that these vendors will make good choices. There have been plenty of examples where filter vendors have made questionable choices--the RBL was notorious for being arbitrary and unresponsive, but I've heard plenty of complaints from software vendors upset by their characterizations as adware/spyware and even more complaints from websites unhappy about the operation of Google's PageRank filter. So the centralization of opinion formation can have significant private (and perhaps social) costs if done poorly, and I'm not entirely clear that the market for centralized opinions is particularly efficient.

Thus, opinion vendors can have a lot of power but may not be fully accountable for wielding that power unwisely. Despite this, I favor the production of such opinions, so from a legal standpoint, I think filters should be broadly protected for their choices. On the other hand, we as consumers of filters need to be vigilant about the filters we trust.

Posted by Eric at 10:43 AM | Adware/Spyware , Derivative Liability , Spam | TrackBack

January 31, 2007

Advertisers Settle NY Anti-Adware Action

By Eric Goldman

Earlier this week, the New York Attorney General's (NYAG) office issued a press release with the blazing all caps headline:

GROUNDBREAKING SETTLEMENTS HOLD ONLINE ADVERTISERS RESPONSIBLE FOR DISPLAYING ADS THROUGH DECEPTIVELY INSTALLED “ADWARE” PROGRAMS

Groundbreaking...or groundless? After all, as I've posited before, the argument that advertisers can be liable for the actions of their advertising venues has almost no legal support. So this settlement may be groundbreaking, but a cynic could argue that the settlement is also legally groundless.

So why settle if the advertisers didn't break the law? Arguably, the settlements merely represent the logical decision by innocent parties under pressure by out-of-control prosecutors who impose massive costs on their targets just by initiating an investigation. I think the specific settlement terms provide some perspective on this. Each of the three advertisers (Priceline, Travelocity, and Cingular Wireless) agreed to three basic operative terms:

* checks in an amount ranging between $30-$35k--an amount vastly dwarfed by the cost of litigating an NYAG enforcement action. Basically, these checks are a small fraction of the nuisance value of the lawsuits.

* a promise to include certain covenants in downstream ad agency or advertising partner agreements restricting the placement of ads into impermissible adware. This is a little bit of a pain because the advertisers may get some pushback from their business partners on the specific terms, but for the most part, this is a meaningless provision. It's easy for the settling advertisers to put the required language into their standard ad buy agreements (or some rider) and satisfy this burden.

* Knowing that talk is cheap, the NYAG added some bite to the previous obligation. Not only must the advertisers include language in their contract, but they must do quarterly audits to confirm that their ads aren't showing up on adware. THAT sounds like a fun job for an employee. Not only does this obligation burn some employee time every quarter, but they will need to buy that employee a disposable computer!

So, what do we learn from this settlement? Not much. We learned a long time ago that if Spitzer's office called with a baseless demand, generally the cheapest and most expeditious course of action is to strike a deal even if it makes your skin crawl. In this case, the decision was easy: settling cost a check that's less than the cost of litigating the defense, plus the loss of a few hours of an employee's time each quarter. Sounds like a pretty cheap way of getting out of prosecutorial cross-hairs.

But what should the advertising industry do in the wake of this enforcement action and settlement? One obvious solution is that every advertiser could contractually require that their ad agencies blacklist adware. This would be a nuisance, especially because it would impose extra burdens on advertisers who have never even used adware, and the value of proactively blacklisting depends in part on advertisers' risk tolerances and predictions of how Cuomo will run the NYAG office now that Spitzer has moved on. (It remains to be seen if Cuomo has the same appetite for bringing dubious enforcement actions as Spitzer.)

Alternatively, advertisers may gravitate towards a standard like the Trusted Download program. Requiring that downstream ad partners adhere to the Trusted Download standards will give advertisers significant legal cover the next time prosecutors get frisky.

Meanwhile, from an academic standpoint, I'm troubled that the advertising industry might change its practices based on a legal theory that the NYAG didn't prove in court and could be legally baseless. Therefore, I renew my call for anyone to articulate the legal doctrine on which advertisers should be liable for the behavior of their advertising venues (excluding spam, which is statutory), preferably with supporting caselaw precedent. I'm all ears.

Posted by Eric at 10:04 PM | Adware/Spyware , Derivative Liability , Marketing | TrackBack

November 02, 2006

Keyword Law and Blog Law Presentations

By Eric Goldman

I took a lovely (but wet) 30 hour trip to Portland to give 2 talks:

* Keyword Law talk (substantially revised from my last talk on the topic August 2005)
* Blog Law talk (modestly revised from my last talk on the topic April 2006)

Posted by Eric at 08:21 PM | Adware/Spyware , Derivative Liability , Search Engines , Trademark | TrackBack

October 25, 2006

NY v. DirectRevenue Hearing Transcript

By Eric Goldman

I previously blogged on the New York v. DirectRevenue case and the amicus brief that David Post, Scott Christie and I filed. Last week, there was a hearing on DirectRevenue's motion to dismiss. The transcript. Note that all transcript references to "Mr. Christie" actually should be to Justin Brookman of the NYAG's office.

One exchange that caught my attention: the judge got feisty with Brookman over the NYAG's continued misuse of the term "spyware" to describe software that lacks a report-back feature (see the Merriam-Webster definition of spyware). On page 17, the judge says to Brookman:

Wait a minute. You called it spyware. And then when your adversary says wait a minute, none of this is alleged in their papers. Forget spyware. It's not spyware unless you tell me different.

I've complained before about the problems created by the lack of standard nomenclature for adware and spyware. This sloppy nomenclature can benefit plaintiffs to the extent they can use the term "spyware" as a scary smear tactic. But as the judge's retort indicates, it can also backfire when judges realize that the term is being used to misportray the facts.

Posted by Eric at 02:51 PM | Adware/Spyware | Comments (3) | TrackBack

October 13, 2006

One Judge's Derisive View of Junk Faxes as Conversion

By Eric Goldman

Rossario's Fine Jewelry, Inc. v. Paddock Publications, Inc., 443 F. Supp. 2d 976 (N.D. Ill. Aug. 17, 2006).

I've blogged before on courts' rejection of a common law conversion claim based on the receipt of junk faxes. I've always viewed such claims as not really passing the smell test because of the de minimis nature of the putative harm. So I couldn't resist Judge Shadur's crunchiness when presented with this issue (Rossario is the recipient and Paddock is the sender):

What Rossario's counsel identifies as the "property" purportedly converted by Paddock is the "ink or toner and paper" in Paddock's [sic--I think the court meant Rossario's] fax machine that were consumed in generating the one-page fax production. As modern a development as the fax may be, that contention reconfirms the teaching of Ecclesiastes 1:9 that "[t]here is no new thing under the sun," for the ancient maxim "de minimis non curat lex" might well have been coined for this occasion.

More importantly, even apart from the niggling nature of the claim in those terms, it is lacking in the formal requirements of a conversion claim....

...it would impermissibly warp the concept of "conversion" if that label were to be attached to Rossario's property (ink, toner and paper) that never came into Paddock's possession at all--that was never "unlawfully held" by Paddock and as to which Paddock could be said to have "assumed control, dominion or ownership over the property" (Cirrincione v. Johnson, 184 Ill.2d 109, 114-15, 234 Ill.Dec. 455, 703 N.E.2d 67, 70 (1998)) only by stretching that language beyond its normal meaning....

Under Rossario's approach this Court could well charge it and its counsel with "conversion" for the Court's having had to waste paper and ink in the just-completed analysis...

Uh, in case this wasn't clear, claim dismissed!

Posted by Eric at 09:22 AM | Adware/Spyware , Marketing | TrackBack

October 11, 2006

Article on Regulating Marketing--A Coasean Analysis of Marketing

By Eric Goldman

Eric Goldman, A Coasean Analysis of Marketing, 2006 Wis. L. Rev. __ (forthcoming).

In 2001, I had a career-altering epiphany while I was working at Epinions (this is the topic that prompted me to consider becoming a full-time academic). Epinions was morphing from a content generation engine (generating consumer reviews of products and services) into a shopbot where a core value proposition was to refer users to vendors to consummate transactions. As we made this transition, I realized that we were really entering the attention broker business. We aggregated consumer attention, principally from search engine referrals, using copyrighted content (the consumer reviews) as marketing to capture consumer attention. We then redirected that attention to vendors for our economic benefit. To the extent we bought the consumer's attention (say, through paid search listings), we were just in the attention arbitrage business (i.e., we wanted to sell the attention for more than we paid to buy it).

As a result, I realized that we competed against every other attention broker, including adware vendors (who were nascent in 2001), spammers, and every other marketing intermediary. But I couldn't resolve an underlying question--what gave us (or anyone) the right to broker a consumer's attention? Who "owned" attention, and when was it permissible to profit from someone else's attention?

It took me 5 years and 8 complete rewrites to complete my paper, A Coasean Analysis of Marketing, that answers these questions. This was one of the hardest things I've ever done professionally. It was truly a labor of love!

Part of my difficulty is that I ultimately realized that "attention" wasn't the real issue (and, in fact, it was distracting me). Instead, "attention brokering" is really a matching problem--marketers and consumers want to match with each other, but the matching process is costly. In particular, the key challenge is that consumers incur costs to express their preferences, a problem exacerbated by rising data glut.

Thus, the only sustainable solution allows consumers to express and manage their preferences at a near-zero cost. This will require a technological, not legal, solution, and the technology will look a lot like what we currently call adware and spyware. In turn, we may be doing ourselves a disservice if our efforts to regulate adware and spyware inhibit the development of technology that provides improved marketer-consumer matching in an information overload environment.

Certainly, many of these themes will be familiar to blog readers. However, this article ties together numerous threads that I've addressed on an ad hoc basis and, for the first time, lays out my vision comprehensively. Thus, I hope you'll take a look at it. I welcome your comments and thoughts.

Some discussion about the article from around the blogosphere:

* Peter Huang's comments
* Frank Pasquale's comments
* Conglomerate Junior Scholars Workshop comments (including responses to Peter's and Frank's comments)
* Daniel Solove's comments

The abstract:

Consumers claim to hate marketing - mostly, because they get too much unwanted marketing. In response, regulators develop medium-by-medium marketing suppression regulations. Unfortunately, these ad hoc solutions do little to satisfy consumers, and dynamic technologies and business practices quickly render them moot. Instead of continuing this cycle, there would be some benefit to developing a cross-media marketing regulatory scheme.

However, any holistic solution must be predicated on a clear rationale for regulating marketing. The most common justification is that marketing imposes a negative externality on consumers, but this argument ignores the private and social welfare created by marketing and can lead to cost overinternalization and marketing undersupply.

The Coase Theorem also suggests that social welfare improves by reducing the costs of matching marketers with interested consumers. To achieve this, consumers need a low cost but accurate mechanism to manifest their preferences. This Article shows that typical regulatory and marketplace solutions do not provide effective mechanisms.

Instead, marketer-consumer matchmaking will improve from technology that will automatically infer consumer preferences and use these inferences to filter incoming marketing and seek out wanted content. This technology is rapidly emerging, but regulation of surreptitious monitoring devices (like adware and spyware) may inadvertently block the development of this socially-beneficial technology. As a result, current regulatory overreactions to developing technology may counterproductively foreclose social welfare improvements

Posted by Eric at 11:33 AM | Adware/Spyware , E-Commerce , Marketing , Privacy/Security , Search Engines , Spam | TrackBack

October 09, 2006

Must Websites Comply with the ADA (and State-Law Equivalents)? National Federation of the Blind v. Target

By Eric Goldman

National Federation of the Blind v. Target Corp., No. C 06-01801 (N.D. Cal. Sept. 6, 2006)

This case got a fair amount of attention when it first came out, so I'm a little late to this party. However, I think there were some key points from this case that got overlooked.

Must Websites Comply with the ADA?

To the limited extent addressed by the precedent, websites have not been obligated to comply with the ADA (or similar anti-discrimination laws). See, e.g., Access Now v. Southwest Airlines; Noah v. AOL. This is because the laws apply to physical spaces, not virtual spaces. This opinion breaks with the precedent by denying a motion to dismiss by target.com. Thus, this case could stand for the proposition that websites may be required to comply with the ADA.

However, I think this opinion is substantially narrower than that. The court says that target.com may be tightly integrated with Target's physical stores to the point where the inability to use the website may interfere with blind people's ability to fully enjoy the physical stores. (On that front, FN 4 is telling: "It appears from a review of the website in question—which the court notes is not in evidence but nonetheless does raise some questions—that Target treats Target.com as an extension of its stores, as part of its overall integrated merchandising efforts.")

Thus, this reasoning should only apply to "bricks 'n' clicks" retailers who have both physical and online stores and integrate the two. Thus, the reasoning does not apply to pure e-commerce retailers with no offline stores or to web publishers of any sort. It should also exclude retailers who completely separate their online and offline stores.

(Having said that, it's a no-brainer that businesses should try to accommodate blind visitors to their websites; not only are blind visitors a valuable market segment, but it's the right thing to do).

In any case, the court just refused a motion to dismiss. As a result, Target's ultimate liability remains to be determined. It may be noteworthy that the judge denied the motion for a preliminary injunction despite the favorable legal ruling to the plaintiff.

Must Websites Comply with State-Level ADA Equivalents?

I think the even more important ruling in this case relates to the dormant commerce clause (DCC). Based on the DCC, Target tried to dismiss claims under some California state laws that overlap the ADA. This is not a new issue on the Internet--there is a pretty good list of DCC cases, but with an odd split. In one line of cases, I believe every court that has opined on state anti-Internet porn laws have deemed them invalid under the DCC. In contrast, most other courts, especially those involving anti-spam laws, have upheld state Internet regulation from DCC challenges.

Here, Target argues that the CA ADA-equivalents will have an extraterritorial effect by forcing Target to change its website even for non-CA residents. Judge Patel breezily dismissed this argument, saying that Target should just build a CA-specific website to comply with CA law. She continued:

Pataki asserts that someone who puts content on the internet has “no way to determine the characteristics of their audience . . . [such as] age and geographical location.” Pataki, 969 F. Supp. at 167. This is simply incorrect. It is common practice for websites for entities operating in multiple countries to have a single site that directs customers to different versions based upon language. Websites can determine the location of a user from information they provide, such as a credit card number, or from the internet service provider an individual uses. It may, or may not, be prohibitively expensive for a website to tailor its content based on the location of its users, but it is certainly technically feasible.

It's true that this is technically feasible, but that's hardly insightful. Other than outcomes that break the laws of physics, anything is possible with the proper application of time and money. But this argument misses two critical points.

First, applying CA law here to require Target to display an interstitial page to request geographic information from web visitors may regulate the interaction between two entities not resident in CA. (This is harder to see when Target chooses to do business generally in CA, but consider this argument in the context of the Alaska anti-adware law where I believe no adware vendor is resident in Alaska but they still must ask non-Alaskan residents for geographic information due to the Alaska law.) This is exactly the kind of extraterritorial effect that the DCC should preclude. This is also a place where the Internet is just different from offline circumstances because of an implicit tautology: the laws require websites to authenticate visitors to determine if these visitors trigger the website's requirement to comply with the law--thus, the laws required the websites to take certain steps even in the circumstances where the laws don't apply because the interaction is between two non-residents. (Which is almost certainly true in 99%+ of adware downloads putatively governed by "ask geography before downloading" requirement of the Alaska anti-adware law).

Second, and more importantly, this would be a terrible policy result. It's hard to imagine the counterfactual Internet where every website visitor is bombarded by interstitials or pop-ups from every website requesting geographic information before they can proceed to see the website's contents. This would be a horrible user experience that would inhibit the seamless floating from website to website that characterizes the web's link economy. We just won't go across websites as freely as we do today. Also, some users would be uncomfortable with providing geographic information to the website. (Some users provide this geographic information unwittingly through their IP addresses, but many do not).

The battle over geographic authentication rages on, and this case's pithy analysis doesn't do much to advance our understanding. Nevertheless, it gives us another important data point that our days of being able to browse the web without constant self-reporting of geography may be numbered. Personally, if that comes to pass, I'll miss the Internet the way it is today.

Posted by Eric at 02:50 PM | Adware/Spyware , Content Regulation , E-Commerce , Spam | TrackBack

September 22, 2006

New York v. Direct Revenue Amicus Brief

By Eric Goldman

David Post, Scott Christie and I have filed an amicus brief in New York v. Direct Revenue LLC, No. 401325/06 (N.Y. Supreme Ct.), one of Spitzer's office's high-profile enforcement actions against adware companies.

Among other aggressive positions, the NYAG's office argues that Direct Revenue committed deceptive trade practices by disclosing certain information only in the EULA. Our amicus brief notes the potential implications of this argument given the ubiquity of clickthrough agreements as a disclosure mechanism on the Internet. We don't opine on Direct Revenue's specific practices, but we express concern that the expedited procedure chosen by the NYAG's office isn't the right venue to set precedent implicating the practices of millions of companies.

Posted by Eric at 10:45 AM | Adware/Spyware , E-Commerce , Licensing/Contracts | Comments (1) | TrackBack

September 16, 2006

Internet Law Updates Talk

By Eric Goldman

Yesterday I gave a talk called "Internet Law Updates" at an event sponsored by the California State Bar's IP Section. My slides.

Posted by Eric at 02:06 PM | Adware/Spyware , Copyright , Search Engines , Trademark | Comments (1) | TrackBack

September 07, 2006

Adware, Spam and Some of My Other Favorite Topics

By Eric Goldman

There has been a flurry of interesting legal developments in the last few days:

* The plaintiffs voluntarily and unilaterally dismissed (with prejudice) Simios v. 180solutions, one of several putative class actions against adware vendors. See the 180solutions press release.

* The Battaglia v. DirectRevenue lawsuit, another of the putative class actions against adware vendors, has preliminarily settled. As David Fish points out, the settlement offers very little additional value for consumers beyond the settlement in the Sotelo case. Plaintiff's counsel gets $45,000--a pretty small payday for a case like this.

* The FTC case against Enternet Media has reached a stipulated order/settlement, including a $2M+ payment to the FTC. Enternet Media allegedly was one of the companies flashing banner/pop-up ads warning that your computer was infected and they would help; when users took advantage of their "help," they allegedly installed a bunch of harmful software onto users' computers.

* Jaynes v. Virginia, 2006 WL 2527678 (Va. App. Ct. Sept. 5, 2006). Virginia's intermediate appellate court upheld Virginia's harsh anti-spam law against both jurisdictional and First Amendment challenges. I believe Ethan Ackerman will guest-blog a more thorough analysis of this case soon. For now, Venkat has a thoughtful discussion. According to the Washington Post, Jeremy Jaynes will appeal the appellate ruling. If he can't overturn the ruling, he's facing an incredible 9 years in jail.

* Lands' End, Inc. v. Remy, 2006 WL 2521321 (W.D. Wis. Sept. 1, 2006). An affiliate registers some typosquatted domain names as a way of "diverting" consumers through those URLs to get the affiliate commission. The court denies the defendants SJ on the ACPA, fraud and breach of contract claims, but they do get SJ on the false advertising claim. Rebecca has the recap.

* According to Reuters, Bertelsmann is paying $60 million to settle Vivideni's lawsuit over Bertelsmann's investment in (and support of) Napster. (It's not clear how this settlement relates to Vivendi's acquisition of BMG). This lawsuit was particularly interesting because it tested the boundaries of investor liability for investing in copyright-infringing companies (a liability normally we expect to be precluded by the corporate veil). John O's discussion of some previous rulings in this case. Note that Bertelsmann was not the only investor-defendant in the case, so it may still be ongoing.

* The lawsuit over the fictional status of James Frey's putatively non-fiction book A Million Little Pieces has preliminarily settled. Buyers can get a full refund, but only if they jump through some significant hoops (like sending in an actual part of the book or packaging, plus a sworn statement that the purchaser would not have bought the book if they knew it was partially fiction). The publisher's liability is capped at $2.35M, which includes refunds, attorneys' fees and a donation to charity. Note that the publishers had offered rescission earlier in the case, but some plaintiffs were seeking compensation for their lost time/attention. It appears the publisher successfully limited its liability to rescission, and by making the barriers high enough, the publisher won't even have to make rescissions across-the-board.

Posted by Eric at 10:43 AM | Adware/Spyware , Copyright , Derivative Liability , Domain Names , Spam , Trademark | TrackBack

August 31, 2006

Alaska's Anti-Adware Law--A One-Year Status Report

By Eric Goldman

A year ago today, Alaska enacted the most expansive anti-adware law to date. This post gives a quick status report on the law.

So, what's happened in the past year? As far as I can tell, nothing. I've not heard of any preemptive challenges or any enforcement actions. Radio silence.

Contrast this with Utah's enactment of its problematic anti-adware law in 2004--the law was promptly challenged on Constitutional grounds, the court quickly issued an injunction, and the legislature amended the law within a year to render it largely irrelevant. As far as I know, Utah's law also sits unused. Overstock.com did sue SmartBargains under the initial version of the act; I'm not sure what happened to that claim after the law was enjoined.

I'm always fascinated when laws are passed with lots of fanfare and then sit dormant. Why hasn't the Alaska law generated any action (pro or con) yet? I think the secret may lie in some odd language that I overlooked when I initially dissected the statute. The law defines a pop-up ad as:

material offering for sale or advertising the availability or quality of a property, good, or service that is displayed on a user's computer screen, without any request or consent of the user, separate from an Internet website that a user intentionally accesses (emphasis added)

What does it mean that a user "requests" or "consents" to a pop-up ad? It could mean that the user must consent to each pop-up ad individually immediately prior to its delivery--a bizarre HCI process, but one that would be consistent with the apparent legislative intent. Alternatively, it could mean that a user's consent to receive pop-ups at the time of software installation suffices as consent for all subsequent pop-up ads delivered by that software. This interpretation is consistent with the express statutory language, but then it raises the question (like the question raised when Utah amended its Spyware Control Act)--what's the point of such a toothless law?

This statutory interpretation issue may explain why there hasn't been any action under the law. From the adware vendor's side, the express statutory language may provide them enough cover that there's no need to rally up the troops for a heavy-duty Constitutional challenge. Meanwhile, plaintiffs may be scratching their head trying to figure out if they have a valid cause of action.

There are, of course, other possible explanations for the seeming lack of action, including:

* there may be some lawsuit I'm not aware of (please let me know if I've missed something)
* 1 year may be too short a time period to evaluate the law.
* some adware vendors may be shunning Alaska. See, e.g., HotBar's license, which says "Special Notice to Alaska Residents: Unfortunately, according to Alaska's SB 140 Act, users who reside in Alaska may not install the Hotbar software. Therefore, by downloading or installing the Hotbar software you declare and represent that your computer is not located in the state of Alaska. To the extent that our system is able to recognize that your computer is located in the state of Alaska, we will not enable you to download the software." Superficially, perhaps the law has changed the behavior of some adware vendors. However, I don't know what Hotbar does to detect Alaskan IP addresses or otherwise detect Alaskan computers, but these procedures generally are imperfect. As a result, depending on the rest of Hotbar's interaction with users, it could be that some Alaskans may still be downloading the software in a manner inconsistent with the statute.

I can't resolve these alternative explanations yet, but for now, my vote is that this law is sufficiently poorly drafted that it will never be used by anyone. If so, consistent with other state-level attempts to regulate the Internet, Alaska may have muffed its effort. Fortunately, if this law is truly irrelevant, Alaska's muffing will be relatively harmless.

Nevertheless, Alaska's muffing may have some bearing on Congress' motivation to pass an anti-adware/anti-spyware law. For the most part, the other anti-spyware laws passed by the states add little to the legal regulatory environment (the "intentionally deceptive" standard is both duplicative of other laws and a very high threshold), so coping with them does not require vendors to do something special. However, putatively Alaska and Utah's laws were much broader, as they were intended to outlaw an entire industry--which motivates industry players to seek preemption of state laws. Yet, if both laws are effectively irrelevant, adware vendors have less incentive to push Congress for a preempting law.

Posted by Eric at 03:30 PM | Adware/Spyware , Internet History , Licensing/Contracts | TrackBack

August 12, 2006

Brand Spillovers Talk

By Eric Goldman

Yesterday, at the IP Scholars Conference at Boalt, I presented my paper currently titled "Brand Spillovers." This is the evolution of my project from last year I was calling Trademark Adjacency. I'm still trying to think through this issue, so I would welcome your comments/input.

My slides
My "draft" paper (really, more of a high-level sketch)
Rebecca Tushnet's writeup of the talk

Posted by Eric at 12:50 PM | Adware/Spyware , Derivative Liability , Search Engines , Trademark | TrackBack

July 06, 2006

Merriam-Webster Defines "Spyware"

By Eric Goldman

A lot of attention has been directed to Merriam-Webster's addition of Google to its dictionary--as a verb, no less. I'm sure the Google trademark department isn't thrilled about the genericide implications of this.

Meanwhile, this announcement overshadowed another significant addition to the dictionary: Merriam-Webster also defined the term "spyware" as follows:

software that is installed in a computer without the user's knowledge and transmits information about the user's computer activities over the Internet

I thought this was a competent and pithy (22 words!) definition. It captures what I think are the three essential elements of spyware:

* the software watches user behavior
* the software reports this information somewhere other than the user's hard drive
* the software isn't consensual

Perhaps this definition will become the long-desired standard definition of spyware. Productive dialogue is only possible with standardized nomenclature, and the Anti-Spyware Coalition definitions, while competent, haven't really emerged as the standard.

Posted by Eric at 05:42 PM | Adware/Spyware | Comments (2)

June 28, 2006

CDT Report on Spyware Enforcement Actions

By Eric Goldman

The Center for Democracy & Technology has provided a public service by releasing its report, "Spyware Enforcement." The report describes, in table format, various federal and state enforcement actions against spyware purveyors. The report summarizes the action:

Since [2004], law enforcement officials have increasingly applied statutes – some long-standing, some relatively new – to spyware cases. Leading the charge has been the FTC, which to date has brought six cases under its unfair and deceptive practices authority. The Department of Justice has actively pursued spyware purveyors under the CFAA and the Wiretap Act, with 11 cases to date. And three attorneys general at the state level have filed spyware lawsuits under state fraud and consumer protection laws, with two more cases initiated under new state spyware statutes.

In addition to these government enforcement actions, also note that there have been dozens of adware- or spyware-related civil lawsuits. I don't have a single page categorizing all of these, but I've blogged repeatedly on this topic here.

UPDATE: Fred von Lohmann comments:"The report is a useful reminder to Congress that we may not need more new laws to tackle the spyware problem. As we've pointed out in the past, if Congress weighs in with new laws, those laws may do more harm than good (especially once the lobbyists for adware companies get into the game)."

Posted by Eric at 10:35 AM | Adware/Spyware

June 27, 2006

June 2006 Quick Links

By Eric Goldman

I have had virtually no Internet access over the past 10 days due to my move and travels, so my Bloglines account was bulging with more than 1700 articles. Here's a quick look at some of the items that have caught my attention this month:

* The FTC announced its own data breach due to a stolen laptop. Hmm...is it just me, or is this incident dripping with irony?

* Microsoft appears to be in its "benevolent" dictator mode again. Last year I blogged about how Microsoft made the unilateral decision to wipe some "malicious" software off users' computers without user notice or consent. (If it makes you feel any better, AOL has done the same thing). Now, Microsoft is installing mandatory software that phones home and doesn't tell users it's phoning home. Most people would categorize the phone home capability as spyware, and I'll be interested to see how the undisclosed feature doesn't violate 18 USC 1030(a)(2)(C). Yet, as Andy Patrizio wonders, where's the outrage? The consumer protection lawsuits? Andy writes:

All manner of hell broke loose over the major phone companies reportedly cooperating with the National Security Agency over international phone calls, but the news that Microsoft is watching every single Windows XP PC has been met with deafening silence.

Suzi rounds up the situation.

[UPDATE: First lawsiut over WGA filed. I'm sure more are coming.]

* JP Enterprises v. Yahoo, No. 06-cv-01046-REB-PAC (D. Colo. amended complaint filed June 6, 2006). Complaint against Yahoo Dating and other dating sites for purchasing keywords of a competitor, LoveCity. I'm not optimistic about the plaintiff's chances here, given that it doesn't seem to understand the differences between metatags and keyword triggers. Also, note the irony that Yahoo is buying ads from competitor Google.

* The WSJ writes about the accuracy of recommendation engines. The article explains how consumers make some decisions based on brand perceptions rather than actual utility they derive from the product. As a result, recommendation engines do a better job serving consumer desires by watching consumer behavior rather than relying on self-reported consumer preferences.

This also raises interesting implications for the role of brands in the search process. Brands may help consumers find what they think they are looking for, but at the same time may interfere with utility maximization. To avoid this, one recommendation engine contemplated hiding brands from the consumers.

* Heidi Cohen states the obvious. (Well, she and I think it's obvious, but apparently most marketers still don't get it.) Marketers are in the content publishing business, so they need to think like publishers, not marketers. And, from a policy standpoint, this continues to reinforce the illusory line between marketing content and editorial content.

* Another shocker: Marketers pay-for-placement in editorial content in print publications.

* Michael Scott (from his new blog, Singularity) writes a fun article about the implications of three generations of cyberlawyers: the veteran "computer lawyers" from the 1980s (that includes him), the dot com boomers from the 1990s (which I belong to), and the post-dot com busters from the 2000s.

* More evidence of "banner blindness." As usual, consumers can organically adjust to annoying marketer tactics if legislators avoid jumping into the fray.

* Finally, an article on fake consumer reviews. This is hardly the first article on the topic, but interestingly it hints that some merchants may be outsourcing/offshoring the creation of fake reviews. Forget click fraud shops in India and gold farming in China; those are passe. Instead, here's a new possible tort for you plaintiffs' lawyers--review "fraud"?

Posted by Eric at 05:50 PM | Adware/Spyware , General , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Trademark

May 26, 2006

Merck v. Mediplan Redux--Keyword Purchases Really Aren't Trademark Use

By Eric Goldman

Merck & Co. v. Mediplan Health Consulting, Inc., 2006 WL 1418616 (SDNY motion for reconsideration denied May 24, 2006)

In late March, the legality of the search engine keyword advertising industry got very murky due to two inconsistent rulings within the span of 10 days. One case, Edina Realty v. TheMLSOnline.com from Minnesota, held that keyword purchases could constitute a "use in commerce" for trademark infringement purposes, while Merck v. Mediplan from the Southern District of New York held that such purchases were not a trademark use in commerce.

Worse, these opinions didn't cross-reference each other, so the courts did not try to reconcile their positions. Further, the Edina Realty case recently settled, eliminating the possibility that the Edina Realty court (or an appellate court) would clarify the interaction between the two cases.

Fortunately, Merck sought reconsideration of its ruling, and this week the Southern District of New York issued a clarifying ruling that has turned into a big win for keyword advertisers. This is the first ruling explicitly confirming that the landmark 1-800 Contacts v. WhenU case from last summer, which dealt with adware and pop-ups, applies to search engine keywords. As such, I think this is an important ruling that may have greater precedential impact than either of the previous rulings from March.

Merck moved for reconsideration on two grounds: (1) the court should have considered the Edina Realty precedent (which had just come out 10 days earlier), and (2) the court failed to recognize meaningful differences between keyword-triggered pop-up ads and keyword-triggered search results.

The Edina Realty Precedent

The court said that the Edina Realty ruling (which was thinly reasoned on the specific point) did not persuade the judge to change his views. Instead, the judge felt bound by the 1-800 Contacts precedent, which said that not all commercial activities qualify as a "use in commerce." The court says, "in the search engine context, defendants do not ‘place’ the ZOCOR marks on goods, containers, displays, or associated documents, nor do they use the marks to indicate source or sponsorship....This internal use of the keyword ‘Zocor’ is not use of the mark in the trademark sense."

Differences Between Pop-Up Ads/Adware and Search Engines

In an even more significant clarification, the court confirms that the 1-800 Contacts reasoning extends beyond WhenU's comparatively unique directory-matching process to cover search engine keywords. The court correctly understood that in both the adware and search engine context, the machines "use" keywords to trigger ad content, but that matching takes place outside the searcher's view and thus does not indicate source or sponsorship. Thus, where the Second Circuit avoided opining on the standard search engine keyword context (see footnote 11 of the Second Circuit opinion), this court thinks the Second Circuit's rationale cleanly covers the situation.

Conclusion

This is a great win for the defense. Not only did the initial ruling fully validate the defense-side arguments, but this ruling clarifies the ambiguity created by the Edina Realty case and further explicitly confirms that the Second Circuit 1-800 Contacts precedent extends to search engine keywords. And, from my (admittedly biased) perspective, this court got the analysis 100% right.

This will not be the last ruling on this topic, but perhaps the tide is turning against plaintiffs here. If, in fact, the Second Circuit has concluded that search engine keyword usage isn't a trademark use in commerce, then an important and influential appellate court will have blessed the basic practices of search engines and their advertisers, making it more difficult for plaintiffs to find a friendly court. Thus, this ruling increases the likelihood that purchasing (or selling) keyword advertising doesn't violate trademark law.

Of course, it remains to be seen if the Second Circuit will agree with the Merck court's reading of the 1-800 Contacts precedent. It wouldn't surprise me if Merck asks them to do so.

Meanwhile, if the Merck court is right about the reach of the 1-800 Contacts precedent, then I think future defendants have a very strong basis to claim that keyword metatag usage isn’t a trademark use in commerce either. If so, then perhaps this case will help put an end to the ridiculous cases treating keyword metatag usage as per se trademark infringement.

UPDATE: Rebecca Tushnet has some thoughtful remarks on the linguistics of the "use in commerce" defintion in the statute.

Posted by Eric at 11:42 AM | Adware/Spyware , Search Engines , Trademark

May 11, 2006

Quick Links May 2006

By Eric Goldman

My blogging queue has gotten too thick. Here's some items that caught my attention that I've been meaning to blog and simply haven't gotten to.

* I previously blogged about Chris Wilson, the website operator who allowed users to post pornography and was then prosecuted for distributing pornography under state law. I argued then that such prosecutions were immunized by 230. According to AP, in January, Chris pleaded no contest to 5 counts of possession of obscene material (this news report sounds garbled; the crime of possessing obscene material, without more, should protected by Stanley v. Georgia). For this, in April, he was sentenced to 5 years probation.

* Deborah Wilcox has written an article about situations when trademark owners should NOT send a trademark cease-and-desist letter. Given how many trademark plaintiffs' lawyers mistakenly shoot first and ask questions later, this article raises an important but overlooked perspective.

* The blogosphere is doubling every six months. 4 million bloggers update their blogs at least weekly.

* Cedric reports that, in February, Google finally won an AdWords case in France.

* 310,000 consumers were affected by Lexis-Nexis' data breach. Lexis-Nexis offered them a free year of credit monitoring services. Only 6% took Lexis-Nexis up on the offer, a number that's similar to other such offers (Citibank only had a 4% signup rate). Bob Sullivan tries to figure out why. Among the theories:
- consumers discarded/ignored the notification as junk mail
- consumers were suspicious that the free offer wasn't going to be free in the end
- consumers are apathetic about privacy issues
I have my own speculation about this, but I think the time for relying on intuition is long past. Instead, I think further empirical research is critical before more legislatures robotically rubber-stamp existing legislation designed to remediate data breaches. I remain suspicious that these mandated solutions are doing nothing to help the problem, and may in fact be exacerbating the problems.

* Barton Beebe's slides from his presentation, US Contextual Advertising Law, at the Fordham International IP conference in April.

Posted by Eric at 09:03 AM | Adware/Spyware , Content Regulation , General , Privacy/Security , Search Engines , Trademark

May 09, 2006

Ebates Sued for Trespass to Chattels--Sotelo v. Ebates

By Eric Goldman

Sotelo v. Ebates Shopping.com, No. 06C-2531 (N.D. Ill. complaint filed May 5, 2006)

The Collins Law Firm has filed a third class action lawsuit over adware, this time targeting Ebate's Moe Money Maker client software. The complaint alleges that Moe Money Maker interferes with other client-side software and that Ebates misrepresents the nature of Moe Money Maker in its marketing. Similar to the other complaints from the Collins Law Firm, this complaint alleges the following causes of action:

1) Computer Fraud & Abuse Act
2) Electronic Communications Privacy Act
3) Trespass to Chattels under common law
4) Illinois Consumer Fraud Act
5) Negligence
6) Computer Tampering
7) Invasion of Privacy under common law
8) Cal. B&P 17200 and Civ. Code 1021.5

The Chicago Tribune article on this lawsuit and Collins generally.

A status report on the other adware-related civil litigation that I know about:

* Sotelo v. DirectRevenue. Settled in March (Suzi's report on the settlement). It appears that settlement freed up Sotelo's time to become lead plaintiff again. I've recommended to David Fish that Sotelo should buy some really good anti-spyware software.
* Simios v. 180solutions. Case is in discovery.
* Michaeli v. eXact Advertising. Motion to dismiss filed Dec. 12, 2005 and still pending.
* Consumer Advocates Rights Enforcement Society v. 180solutions (a/k/a Battalgia v. DirectRevenue), No. 2:05-cv-02547-LKK-PAN (E.D. Cal). According to PACER, the last reported action was a motion to dismiss filed April 24 (principally on procedural grounds).
* Kerrins v. Intermix Media. The case appears to be proceeding. A trial date has been set for January 2007, but the parties could settle before that.

If you are aware of others that I missed, I'd love to hear about it.

Posted by Eric at 11:51 AM | Adware/Spyware , Licensing/Contracts , Publicity/Privacy Rights , Trespass to Chattels

May 08, 2006

Yahoo "Syndication Fraud" Lawsuits--Crafts by Veronica v. Yahoo and Draucker Development v. Yahoo

By Eric Goldman

Crafts by Veronica v. Yahoo, Inc., No. 2:06-cv-01985-JCL-MF (D. N.J. complaint filed May 1, 2006)
Draucker Development v. Yahoo, Inc., No. CV06-2737 (C.D. Cal. complaint filed May 4, 2006)

Two companion lawsuits against Yahoo for what the plaintiffs characterize as "syndication fraud." These complaints allege that Yahoo made false promises about where it would put advertisers' pay-per-click (PPC) ads. Specifically, Yahoo ran the plaintiffs' ads via adware and on typosquatting pages when advertisers believed that their ads would not appear in such formats (and presumably paid a premium to avoid such placement).

However, despite the serious-sounding use of the term "fraud," this is actually a fairly garden-variety breach of contract action, and a weak one at that.

The Complaint and Its Deficiencies

The complaint levels three principal charges against Yahoo: Yahoo promised that (1) advertisements would be “highly targeted,” (2) Yahoo would run ads on “popular” and “high-quality” sites, and (3) the ads would appear along with “relevant articles [and] product reviews.” Yahoo purported violated these promises by placing advertisers’ ads in adware and on typosquatted pages.

Let’s look more closely at these allegations.

Highly Targeted

The complaint repeatedly says that Yahoo promised that the ads would be highly targeted. But there’s a big problem: Yahoo didn’t say this, according to the plaintiffs’ own evidence. The complaint points to the following language from one of Yahoo's marketing pages:

You already know how Yahoo!'s flagship product Sponsored Search delivers highly targeted customer leads to your business by allowing you to control placement within sponsored search results across the Web.

Notice the bolded language—Yahoo says it delivers highly targeted customer leads, not highly targeted ads. If Yahoo promised highly targeted ads, arguably it was promsing a certain type of placement--but it didn't promise this. Thus, the difference between targeted ads and targeted leads could be fatal to the complaint—the plaintiffs never allege that they got poorly targeted customer leads, so the plaintiffs’ allegations don’t make a prima facie case of a breach.

This raises an interesting question—plaintiffs clearly know what Yahoo said, so why do the plaintiffs repeatedly mischaracterize Yahoo’s statement throughout the complaint? At best, this is sloppy work by the plaintiffs. At worst, the plaintiffs are blatantly and intentionally misleading the court. Either way, there’s a certain irony when plaintiffs in a misrepresentation case misrepresent the facts to the court, isn’t there? (Maybe Yahoo should bring an action against the plaintiffs for “complaint fraud”?).

My hypothesis is that the plaintiffs don’t want to litigate over lead quality because doing so would destroy the class. To determine lead quality, the court would have to look at each individual plaintiff’s situation to see what leads they got and how they converted, and thus there may not be enough commonality of interests to support a class action. To avoid this pitfall, perhaps the plaintiffs decided that the only way to keep a class action would be to misrepresent what Yahoo said. Other explanations could account for the misrepresentation, but I’m skeptical that it was mere sloppiness.

Let’s put aside the plaintiffs’ misdirection and assume that somewhere Yahoo has actually promised that the ads would be highly targeted. The words “highly targeted” are capable of multiple meanings. For example, the ads were targeted by keyword rather than by category or demographics, so arguably the ads were highly targeted regardless of where they were displayed.

However, the plaintiffs offer no basis to suggest why their interpretation is better than any other interpretation—they don’t cite to any evidence of the term’s meanings (such as private definitions created by the parties, or course of conduct, or industry convention). Instead, the plaintiffs only cite their subjective definition of the term. I’m not sure if this is enough to survive a motion to dismiss.

Popular and High-Quality Websites

Yahoo's marketing page also says:

The Content Match distribution network consists of popular, high-quality sites such as Yahoo! and MSN.com, providing you with better leads that are more likely to convert to sales.

Below this statement, the page gives some more examples that the complaint cites, including sites like Microsoft, CNN and the Wall Street Journal. I’ll stipulate that these sites should fulfill anyone’s definition of popular and high-quality. However, intermixed with these examples, Yahoo gave more examples of what it meant by “popular” and “high-quality,” including sites that I’ve never heard of, such as Away Network and Go2Net. By selectively cutting and pasting only the most prominent sites, the complaint tries to overstate Yahoo’s promise. Instead, plaintiffs who read this page should have gotten the impression that Yahoo’s network included a range of sites, some well-branded and others relatively obscure.

Articles and Product Reviews

Yahoo also says that:

Content Match™ complements your Sponsored Search campaign by displaying your existing listings along with relevant articles, product reviews and more, thereby providing an additional source of targeted leads.

Yahoo uses this same language in other places, such as the very lengthy Yahoo! Search Marketing Advertiser Workbook (see the glossary on page 97—referenced as page 98 in the complaint and labeled as page 109 in the file).

Notice what Yahoo actually said: “and more.” The complaint repeatedly omits those two words because it prefers to focus on the other words. But what do the words “and more” mean? They seem to contemplate that Yahoo would put ads in other contexts, and this negates the claim of a breach.

What Did the Contract Say?

The complaint works hard to pull in language from various marketing collateral, but interestingly it does not mention (not even once!) the centerpiece document in any breach of contract action: the contract that Yahoo and the advertisers actually entered into. I've not seen Yahoo's contract, but I'm assuming it has standard provisions such as a disclaimer of warranty and an entire agreement clause that may squash these extra-contract statements. Also, I wouldn't be a bit surprised if it specifically disclaims promises about where the ads would go or the likelihood of conversion. Either way, plaintiffs will have an uphill battle getting traction from language outside of the contract when the language in the actual contract may shut down these arguments pretty squarely.

Did the Plaintiffs Monitor Their Campaigns?

Let’s assume that plaintiffs read Yahoo’s marketing collateral and didn’t read their contract. Did the plaintiffs monitor their campaigns? There was lots of opportunity for plaintiffs to realize what Yahoo was doing if they monitored their campaign, and their resulting choices would be very telling. When plaintiffs learned of the purported deception, did the plaintiffs terminate the campaign or complain to Yahoo? Or did they keep on buying new ads despite their new-found knowledge? Recall the irony when a click fraud plaintiff (Click Defense) claimed that Google engaged in click fraud while it kept on advertising via Google.

Two Other Observations

(1) The plaintiffs had a massive mound of material to mine for misstatements by Yahoo—Yahoo’s website, securities filings, press releases, press quotes, etc. While not required, typically plaintiffs put the most egregious, most shocking misstatements by the defendant right into the complaint. Yet, given the universe of Yahoo’s public statements, I think it’s telling that the plaintiffs could marshal up language that, I think, is pretty feeble overall. To make the prima facie case, the plaintiffs pulled a few minor statements from some secondary marketing collateral and then heavily manipulate those statements (such as leaving out the “and more,” omitting some of the obscure syndication partners that Yahoo expressly enumerated, repeatedly mischaracterizing the “highly targeted” reference) to try to establish some basis for arguing breach. If this is the worst language that Yahoo communicated, I think they did pretty well (a lot better than I could do when I was an in-house counsel at Epinions!).

(2) Under standard contract law, “puffery” isn’t actionable. For example, if a car salesperson says “this is a wonderful car” in the sales process, the buyer can’t sue later if the buyer thinks the car wasn’t wonderful. The language cited by the plaintiff looks a lot like puffery, especially statements like “popular” or “high quality.”

Conclusion

Let’s be clear what this complaint isn’t about—it’s not about protecting consumers. Consumers may hate adware or typosquatting but this lawsuit doesn’t protect consumers from either. Instead, this is a dispute between Yahoo and advertisers over how much advertisers should pay for the advertising they got. And on that front, there’s little evidence that advertisers didn’t get exactly what they bargained for. They wanted advertising; they got advertising. There’s not even an assertion that the advertising performed poorly. I’m struggling to see a real problem here.

As a result, I think these lawsuits are nothing more than a shakedown for cash. Even unmeritorious class action lawsuits are expensive to defend, so the plaintiffs’ lawyers can exploit those defense costs for their personal largesse. They can make this argument to defendants: settle with me for a fraction of your total expected defense costs, and we’re both better off (defendants save some defense costs, plaintiffs’ lawyers grab some personal loot).

In particular, I’ve been trying to figure out why the plaintiffs (and a largely overlapping group of plaintiffs’ lawyers) filed two separate but virtually identical lawsuits. However, it does make sense as part of a shakedown. By opening up two battlefronts, the plaintiffs increase Yahoo’s defense costs, which should increase the incentive to settle (and the dollar value of a settlement).

It may be cheaper for Yahoo to settle than fight, but I hope Yahoo doesn’t reward the extortionists. Extortion shouldn’t pay, and I hope the plaintiffs find this out the hard way.

UPDATE: Evan Schaeffer offers a different possible explanation for why the plaintiffs filed overlapping lawsuits:

it's possible the plaintiffs' lawyers filed similar lawsuits in different forums because they plan to ask the MDL panel to consolidate the cases. By being in control of the majority of the transferred cases, it increases the likelihood that the lawyers will be able to control the litigation once the cases are consolidated

Posted by Eric at 01:00 PM | Adware/Spyware , Domain Names , Licensing/Contracts , Search Engines , Trademark | Comments (1)

April 17, 2006

Winn on Adware Contracts

By Eric Goldman

The Berkeley Technology Law Journal has published Jane K. Winn, Contracting Spyware by Contract, 20 Berkeley Tech. L.J. 1345 (2005), a follow-up to her presentation at the Boalt Spyware Conference in April 2005.

Jane details the phenomenon that I’ve described as the “crisis of contract” online. People may manifest assent to adware from a legal formalities perspective, but we don’t really believe that they manifested assent. She thinks it would be a mistake to develop a one-off “solution” to the crisis of adware contracts (she analogizes such responses to the “dismal failure” of ad hoc solutions in the privacy context). Instead, she favors an across-the-board change in American contract law to incorporate the principles of the EU’s Unfair Contract Terms Directive.

Unlike many other adware commentators, Jane carefully distinguishes between existing law (adware contracts usually enforceable) and her preferred policy result (adware contracts should usually be invalid as “unfair marketing”). Thus, although she doesn’t like the existing contracting practices, she acknowledges that “in the absence of a conflict between contract terms and fundamental public policy of the forum, or evidence of misconduct so egregious that it might rise to the level of unconscionable, courts are likely to find that adware EULAs are enforceable contracts.”

The abstract:

The question of what constitutes "spyware" is controversial because many programs that are adware in the eyes of their distributors may be perceived as spyware in the eyes of the end user. Many of these programs are loaded on the computers of end users after the end user has agreed to the terms of a license presented in a click-through interface. This paper analyzes whether it might be possible to reduce the volume of unwanted software loaded on end users' computers by applying contract law doctrine more strictly. Unwanted programs are often bundled with programs that the end user wants, but the disclosure that additional programs will be downloaded is usually buried deeply within dense form contracts. Even though this makes it difficult for end users to recognize that they are agreeing to have multiple programs installed at once and that some of those programs may be objectionable, US courts are unlikely to invalidate those disclosures. This is because in business to consumer online contracting cases in the US, courts have tended to be very deferential to the intentions of the merchants in designing the contract interfaces. In the EU, by contrast, such conduct by software distributors would not be binding on consumers. Under unfair contract terms laws in place in EU member states, consumer objections to bundled software could not be overridden by terms hidden in standard form contracts.

Posted by Eric at 02:44 PM | Adware/Spyware , Licensing/Contracts | Comments (2)

April 12, 2006

WSJ Debate on Advertiser Liability for Adware

By Eric Goldman

Today, the Wall Street Journal published an email debate between me and Ari Schwartz of the Center for Democracy and Technology about advertiser responsibility for adware.

Regular blog readers know that this has been a hot button issue of mine for some time because I think it's vitally important. The contours of liability will determine the future viability of the adware business. And depending on the precedents set in the adware context, advertisers could face liability for the acts of media vendors in other media. These have tremendous consequences for the flow of both advertising information and for ad-supported editorial content.

Ari is a great sparring partner and someone I respect a lot, but unfortunately the word "responsibility" is inherently ambiguous. As a result, in our debate Ari focused a lot on branding consequences to advertisers from running ads delivered by adware, while I focused mostly on existing legal precedents. The fact that we emphasize different aspects of this issue shows how easy it is for people to talk past each other on this topic. Nevertheless, I believe the WSJ debate is one of the more extensive and detailed discussions on the topic of advertiser liability for adware, so I highly commend it to you.

Posted by Eric at 09:19 AM | Adware/Spyware , Derivative Liability , Marketing

March 22, 2006

CDT Report on Adware Advertising

By Eric Goldman

The Center for Democracy and Technology has released "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend."

The report details the complex web of relationships between advertisers, agencies, adware vendors and software vendors that can lead to big brand advertisers having their ads unwittingly delivered via adware. This isn't really news; Ben Edelman (and others) have demonstrated this for some time, and last year PCWorld ran a good article on this very topic.

The real question is: what to do about it? FTC Commissioner Leibowitz's solution is to shame the advertisers. The plaintiff lawyers are trying to hold the advertisers legally responsible. In its report, CDT offers an alternative: advertisers should adopt and enforce advertising placement policies. Again, this isn't really new; TRUSTe has launched a "trusted download program" that is designed to serve as a proxy for advertisers' policies.

The most interesting part of the report is where CDT describes how it contacted 18 advertisers who ran ads via 180solutions. Only 7 replied to CDT. 2 advertisers adopted advertising policies in response to the contact, but the other 5 had policies that were breached by running ads on 180solutions.

Personally, I don't find this very surprising. It is expensive for companies to monitor vendor behavior/contract compliance in all contexts. Let me offer a personal example.

When I was in-house counsel, I had effectively zero ability to monitor our vendors' compliance with our contract provisions. I could write the prettiest contract with the terms that we really wanted, but the contract goes into someone's desk drawer and the terms are effectively forgotten. To overcome this, we would have needed to make monitoring part of someone's job, but that is a very expensive solution (especially when we were a very small company with too much to do and not enough people to do it).

At the same time, when we were someone else's vendor, I built and disseminated various charts to outline our promises/responsibilities. However, ensuring my co-workers' compliance with those responsibilities was difficult/impossible. One of my worst realizations as in-house counsel is that I needed to clone myself and look over the shoulders of each and every employee of our company, because each person's decisions affected our compliance with our contractual obligations. Clearly, this isn't scalable, and my efforts to scale using employee education did little to improve the situation.

The lesson I learned, then, is that it's easy to put policies in place, but ensuring adherence to those policies by employees and third party vendors is hard--perhaps impossible. And there was absolutely no hope of policing third party behavior unless it was someone's job responsibility.

In the adware advertising context, most advertisers are not going to be willing to incur significant costs to police their vendors. They'd rather pour those dollars into actual advertising, and other media don't require such costs. So smart advertisers would either (a) redirect their ad dollars into enforcement-free media, or (b) cut corners and minimize/skip the monitoring process. We've already seen what most advertisers choose under the current model.

This brings me to my most fundamental confusion about adware advertising. Every advertising-supported media vendor has the capacity to break the law, and yet we don't expect advertisers to be the policemen of those media. On the contrary, we often want advertisers to subsidize the costs of producing editorial content for the positive externalities created by that content. (See Edwin Baker's Advertising and a Democratic Press.)

So what's so unique about adware that we are creating a form of cyberspace exceptionalism? Some adware is legitimately installed and some isn't; expecting adware advertisers to incur the monitoring/enforcement costs to figure out which is which (especially when there's no direct relationship) makes no more sense to me than expecting newspaper advertisers to determine if newspapers commit trespass when they deliver their newspapers. For more on this point, see my CNET editorial.

Posted by Eric at 02:04 PM | Adware/Spyware , Derivative Liability , Marketing

March 04, 2006

San Francisco Presentation, March 15 12:30 pm

By Eric Goldman

I'm presenting my latest article, A Coasean Analysis of Marketing, at University of San Francisco on March 15. The talk is free and open to the public.

Although the title suggests that the talk will be heavy on economics theory, I'm giving a "economics-free" version of the talk. As an added incentive, I suspect the Q&A will be fun as audience members hammer me for my pro-spam, pro-adware arguments.

Details

What: "A Coasean Analysis of Marketing," alternatively titled "Regulating the Distribution of Marketing"
When: Wednesday, March 15, 12:30-1:30 pm
Where: University of San Francisco School of Law, 2130 Fulton Street, San Francisco. (Official university directions). Go to Kendrick 102.
How: RSVP to Julia Dunbar [jtdunbar@usfca.edu]
Cost: Free

If you're in the Bay Area, it would be a delight to see you there!

Posted by Eric at 08:00 AM | Adware/Spyware , Marketing , Spam

March 01, 2006

Symantec v. Hotbar Lawsuit Settles

By Eric Goldman

Symantec Corp. v. Hotbar.com, Inc., Case No. C05-02309 (notice of dismissal Feb. 1, 2006)

In June, Symantec sought a declaratory judgment that Symantec could characterize Hotbar's software as "adware." This lawsuit has settled. According to ComputerWorld, "the deal calls for Symantec to dismiss its suit, but continue to classify Hotbar's program files as low-risk adware."

It's good that this particular matter got resolved, but legal disputes over characterizing software as adware/spyware will not go away any time soon. As a result, there would be significant benefit to creating some unambiguous breathing room for anti-spyware vendors to make their characterizations without having to seek declaratory judgments to do so.

Hat tip to Geist's Internet Law News for catching this.

Posted by Eric at 03:31 PM | Adware/Spyware

February 25, 2006

NYU Workshop on Spyware March 16-17

By Eric Goldman

NYU's Information Law Institute and Princeton's Center for Information Technology Policy are putting on "A Workshop on Spyware," March 16-17, 2006 at NYU Law School. This looks like an interesting event that is worth checking out. Unfortunately, I won't be there, but I'm looking forward to reports from the event.

Posted by Eric at 07:29 AM | Adware/Spyware

February 14, 2006

Anti-Spyware Coalition Workshop Recap

By Eric Goldman

I attended the Anti-Spyware Coalition Public Workshop last week in Washington DC. This was a well-attended event (my guess is that 300+ people attended), with a good mix of anti-spyware vendors, anti-spyware activists, adware vendors, policy wonks/politicos and reporters. This post recaps some of my notes from the event.

A few consensus themes emerged from the talks:

1) No one really knows if the adware/spyware problem is getting better, worse or staying the same. There is conflicting statistical evidence addressing this problem, but no one is treating that evidence as dispositive. At the conference, there was some anecdotal evidence that the legitimate players are cleaning up their act while the cheats are using more egregious tactics, but there was contrary evidence on all sides. This metrics issue strikes me as critical; if things are improving already, there may be less justification for new spyware-specific regulations.

2) Consumers don't want to futz with different technologies for anti-spam, anti-virus, anti-spyware, anti-pop-up, etc. They just want their computers to work. Therefore, standalone anti-spyware products should be a short-term market opportunity. Over time, vendors necessarily will have to provide integrated services that give consumers what they want (a working computer).

3) A number of commentators expressed the view that, after a couple of decades of effort, we've solved the virus problem and are well underway with solving the spam problem. However, we are in an early stage fighting spyware, so it will take some time before anti-spyware technology turns the corner. Another way of viewing this is that regulators should be patient because industry hasn't had enough time to fix the problem.

4) The representatives of state AG offices seemed to agree that spyware-specific laws are nice but unnecessary. They feel that they have enough power under the catchall restriction on deceptive and unfair trade practices. The federal enforcers took a similar line that spyware-specific laws aren't needed.

Some comments about a few specific talks:

Justin Brooknan, from Spitzer's office, led the Intermix enforcement action. He described some of the background on that action. Justin had arrived at Spitzer's office 18 months earlier with a securities law background. Spitzer then told him to do something about spyware. They decided to focus on "mainstream" adware instead of malicious spyware because: (1) adware gets the most complaints from consumers, (2) they wanted to make the most impact, and (3) adware companies operate in a zone of "plausible deniability." He said the NYAG's office isn't anti-adware, but they think that consumers don't understand the value proposition. Justin thinks that the adware crowd is cleaning up their act since the Intermix action, so the NYAG's next action probably will be against malicious spyware.

FTC Commission Leibowitz spoke at lunch. He recited some basic FTC attitudes about adware/spyware, but then moved onto his hot button. He thinks advertising dollars fuel adware, so he wants the FTC to reduce demand for adware advertising. He then reiterated his proposal for "shaming" adware advertisers by publicly announcing whose ads run on adware (naming names).

Although some news reports treated Leibowitz's idea as a new proposal, Leibowitz has been championing this idea for at least a couple months--I blogged on it back in December. I did not have kind words for this idea in that post. To recap: If advertising via adware is illegal, bust the advertisers. If it's not illegal but the FTC thinks it should be, then lobby Congress to make it illegal. But if it's not illegal and Congress won't make it illegal, then on what grounds can the FTC delineate what it considers "shame-worthy"? Government manipulation of consumer perceptions (in this case, by communicating, under government authority, that advertisers have done something that the FTC thinks is legal but morally wrong) is called PROPAGANDA, and it's a terrible abuse of power. I recognize that Leibowitz's idea is appealingly simple, and it plays well with crowds, but I really hope that he rethinks his advocacy of it.

Following Leibowitz was Walt Mossberg of the WSJ. I don't normally read his column, so I wasn't well-prepared for his shtick. As a result, I was shocked at how error-riddled, uninformed and internally inconsistent his talk was.

Mossberg's basic point is that he owns his hard drive and no one should put stuff on it without robust notice and his consent. This point is fine so far as it goes, but converting this theoretical view into practical suggestions got Mossberg into a jam. For example, he argued that no one should place tracking cookies on his hard drive without permission, but then he struggled to explain why he didn't mind the nonconsensual placement of other cookies.

He also argued that he doesn't want his anti-virus vendor to notify him every time when there are new updates; instead, they should just install it without bothering him. I agree with him, but I and many other audience members immediately noticed an obvious inconsistency with his basic "my hard drive is my property" attitude. When asked about this in the Q&A, he mumbled something about users giving advance consent when installing the anti-virus software, but I'm not sure many of us were satisfied with his answer.

So, Mossberg appears to subscribe to the more-info-is-better view (I had thought behavioral economists had destroyed this thinking by now, but maybe some people haven't heard). In Mossberg's world, consumers get lots of notices about their computers (like, every time someone tries to place a tracking cookie) so they can make choices. This sounds like a very noisy world to me. Recognizing that this world may be too noisy, Mossberg doesn't want notifications that he doesn't need (like from his anti-virus vendor). I'm not exactly clear how Mossberg plans to distinguish good from bad notices on an ex ante basis.

(I could point out more examples of Mossberg's inconsistencies and ill-informed opinions, but I think I've given his talk more airtime than it deserves).

After lunch, I participated in the "industry self-regulation" panel. Our moderator Tori Case asked us: what's the biggest problem facing the industry?

Fran Maier of TRUSTe said the biggest problem is loss of consumer trust. Bill Day of WhenU said the biggest problem was rogue installations. I said that the biggest problem was the "crisis of contracts"--the disclosures and consent that vendors need to form a legally binding contract may not be enough to believe that consumers are making good private ordering decisions. Eric Howes of Sunbelt Software said the biggest problem is that the responsible players aren't accepting their responsibility. Jules P of AOL said it was hard to set appropriate defaults for consumers.

The next panel discussed legislative developments, particularly in Congress. It appears that the Senate has a low likelihood of passing anti-spyware legislation this session; there are a limited number of legislative days left, and the bill would have to pass unanimously to get through.

The Senate logjam appears to be attributable to 2 main factors. First, the two competing bills (Burns v. Allen) take very different approaches to the problem, and those approaches haven't been reconciled. Second, there appears to be some contentiousness over an immunity for anti-spyware technology that removes identified spyware. Personally, I would strongly favor an immunity for categorizing software as "spyware" or "adware" or whatever--the vendors' demand letters over these classifications strike me as silly but problematic. But according to an industry lobbyist, there have been only 4 lawsuits over these classifications, so from one perspective, this hasn't emerged as a big problem yet.

However, giving technology vendors the absolute liability-free right to blast software off someone's desktop may be too much, even for a defense-side guy like me. Remember in 2001 when the RIAA wanted the right to hack downloaders' computers and not be liable for any damages? Bad, bad idea.

In the final panel, US Attorney Mitch Dembin (who prosecuted some users of Loverspy) said that he felt the laws were pretty good ("we don't need new statutes--we have enough!"). Nevertheless, he proposed a couple of minor tweaks to the CFAA. He'd like to see 18 1030(a)(2) a felony instead of a misdemeanor, and he would like 1030(a)(5) to apply if someone damages 50 computers. I'm not sure either change is all that necessary, but these suggestions might warrant further consideration.

At a lot of these conferences, industry participants just get up and repeat the corporate line they've outlined many times before. Personally, I find those talks really boring. While there were a few rehash-y talks, for the most part I thought most of the speakers had something new and valuable to add to the dialogue. Thanks to Ari Schwartz and CDT for organizing an interesting conference.

Posted by Eric at 09:50 AM | Adware/Spyware

January 25, 2006

Wasted Time as a Damage--Paglinawan v. Frey

By Eric Goldman

Paglinawan v. Frey, No. 2:06-cv-00099-RSM (W.D. Wash. complaint filed Jan. 19, 2006).

James Frey publishes the book "A Million Little Pieces." It's marketed as a non-fiction book, but some of it is actually fiction. Readers are upset by the deception. What recourse?

Marketing a fictional book as non-fiction is a material misrepresentation. Normally, a material misrepresentation should create a rescission right, but I'm not sure about the privity issues. The author knew it was fiction, but the readers don't have a contract with the author. The publisher may not have known the book was fiction, in which case the publisher might claim mutual mistake rather than misrepresentation. At that point, the readers might have recourse, but it's not clear that they would.

But even if the publisher knew that some of the work was fictional, the publisher has unilaterally offered rescission (at least to the buyers it had privity with). So what more could any aggrieved reader want?

The readers want their time back--the time spent reading a book they thought was non-fiction but was partially fictional. But since a court can't manufacture time, the readers want the next best substitute--cash. They want the author and publisher to pay them for their wasted time.

I'm not sure the time was really wasted. If the story was good, it doesn't really matter if the book was fiction or non-fiction. Entertainment is entertainment, after all.

But let's assume the readers truly wasted their time. Should we recognize wasted time as a damage under contract law or other theories?

This is hardly a novel request, especially in the marketing context. I haven't done exhaustive research of this, but I can think of a couple of junk mail cases where wasted time was specifically rejected as an actionable damage. [Harris v. Time, Inc., 191 Cal. App. 3d 449 (1987); Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (N.Y. App. Div. 2002)] And, in perhaps an analogous context, recall that the Hamidi court specifically rejected the time wasted by a spam was a recognizable damage under common law trespass to chattels. As a result, I'm skeptical that a court is going to be sympathetic to the aggrieved readers' requests for damages for their wasted time.

On the other hand, should time-wasting become a proper basis for damages, I plan to nail the IRS first and airlines second.

Hat tip: ContractsProf blog

UPDATE: Overlawyered provides a few details of 2 other related lawsuits.

Posted by Eric at 03:52 PM | Adware/Spyware , Licensing/Contracts , Marketing , Spam

January 20, 2006

Anti-Spyware Coalition Conference February 9

By Eric Goldman

The Anti-Spyware Coalition has released the agenda and schedule for its Public Workshop: Defining the Problem, Developing Solutions on February 9 in Washington DC. If you're interested in adware/spyware policy-making and can easily get to DC, this looks like an event worth attending. I hope to see you there.

Posted by Eric at 11:40 AM | Adware/Spyware

January 16, 2006

Second Anti-Adware Lawsuit Survives Motion to Dismiss--Kerrins v. Intermix Media

By Eric Goldman

Kerrins v. Intermix Media, Inc., No. 2:05-cv-05408-RGK-SS (C.D. Cal. Jan. 10, 2006)

Blogging the latest developments in anti-adware/anti-spyware lawsuits has become a full-time job, which is why I've fallen behind. I'm now aware of 5 anti-adware class action lawsuits pending:

* Sotelo v. DirectRevenue
* Simios v. 180Solutions
* Michaeli v. eXact Advertising
* Consumer Advocates Rights Enforcement Society v. 180Solutions [sorry, I haven't had a chance to blog on this case yet, but you can find the complaint here]
* the newest one to emerge from the haze, Kerrins v. Intermix Media

All of this leaves me wondering--just how many of these anti-adware class action lawsuits are out there? I'm not even counting the FTC enforcement actions or any of the private litigation or government enforcement actions related to the Sony rootkit.

Back to the Kerrins case. On January 10, the judge ruled on Intermix Media's motion to dismiss Kerrins' putative class action. In a brief opinion, the court dismissed the unjust enrichment and California B&P 17200 claims.

However, the court refused to dismiss the trespass to chattels claim, saying that the "Plaintiff has alleged that Defendant's adware damaged his existing software and reduced the efficiency of his computer system. Plaintiff has also alleged that removal of the adware requires users to spend time and to hire a computer specialist."

Note that, in Intel v. Hamidi, the California Supreme Court were specifically rejected the latter two damages as non-actionable in common law trespass to chattels claims. Hamidi should be controlling precedent on this lawsuit, so it will be interesting to see if the court addresses Hamidi in future rulings.

The court also refused to dismiss the computer crime claim (Cal. Penal Code 502). Penal Code 502 is a quirky statute--like the old-line computer crimes statutes, it initially focused mostly on unauthorized access to/use of computer resources, but it has since transmogrified into a general anti-computer trespass statute with a civil cause of action. The court says that the plaintiff "alleges sufficient damage and interference to his computer system," so this cause of action survives the dismissal motion as well.

In discussing unjust enrichment and trespass to chattels, the court cites to the Sotelo case--reinforcing the importance of the Sotelo case as a precedent for these follow-on anti-adware lawsuits.

As a result of this minute order, Kerrins' trespass to chattels and computer crime causes of action will continue. (There may also be a third cause of action that survives--there is an internal inconsistency in the ruling, and the complaints and various motions/briefs are not in PACER). Of course, as with the Sotelo case, the plaintiffs have a lot more work to do before getting a payoff.

Posted by Eric at 02:27 PM | Adware/Spyware , Trespass to Chattels

December 11, 2005

The FTC, Adware Advertising and Badges of Shame

By Eric Goldman

New FTC Commissioner Jon Leibowitz has embraced one of the favorite causes of the anti-adware grumblers: dry up adware funding by making adware advertisers feel some pain. According to AdAge, he recently said that the FTC might publicly announce the companies who ran advertisements on adware that the FTC tries to bust, saying "The FTC could consider that when it brings adware cases, listing all the advertisers whose content was delivered without notice of consent." The idea is (I think)--if the FTC can't legally bust the advertisers, maybe it can pin a badge of shame on them.

There are some obvious flaws with Leibowitz's thinking. First, and foremost, the money trail is already well-documented by Ben Edelman and his compadres. What does the FTC bring to the party? Maybe better PR muscle than Ben? (I wouldn't bet on it!)

Second, because advertising money often flows through multiple layers of agencies and affiliates, an advertiser's decision to spend money can be fairly attenuated from the selection of a venue to run the ad. Therefore, characterizing the advertiser's role precisely will require the FTC to pick its words carefully. It's one thing for the FTC to say that X's ad was displayed by someone via a pop-up ad; it's another thing to say that X displayed the ad if the decision was made by ad agencies or affiliates downstream from X. Maybe the FTC will need a grammar lesson before it engages in its shaming campaign.

To be clear, I have no problem with the accurate flow of information. Advertisers should be accountable for the choices they make. But these corrective mechanisms will fail if tainted by grammatical sloppiness.

Third, from my perspective, it's a potentially serious abuse of governmental power for the government to get into the business of shaming people for activity that is legal. If the activity is illegal, the FTC should enforce the law (and explain why advertising via adware is illegal--something that Spitzer has conveniently avoided). If the activity is legal but the FTC thinks it should be illegal, the FTC should petition Congress to make it illegal or promulgate a rule under its delegated powers. But a government actor's use of shaming as a law-substitute is, in my opinion, way out of bounds.

Though Leibowitz may not have thought out his ideas very thoroughly, I do think he is part of a general movement towards regulating advertiser decisions about where to run advertising. CAN-SPAM was the first modern iteration in this process, but I doubt it's the last. I expect that, over time, every advertising placement decision will be fraught with legal peril. Personally, I think this regulatory regime will significantly distort social information flows, in many cases for the worse, but it may be unavoidable nonetheless.

Ironically, Claria and DirectRevenue have recently announced that they are migrating away from pop-up ads. So, as usual in the technology arena, the marketplace is already making progress at correcting some of its worst abuses before the government can even fire up its propaganda machine.

(Thanks to Chris Hoofnagle for calling my attention to the AdAge article).

Posted by Eric at 03:04 PM | Adware/Spyware , Derivative Liability , Marketing

November 29, 2005

Microsoft Will Be an Adware Vendor

By Eric Goldman

Microsoft is considering migrating some of its software titles to an ad-supported model instead of a consumer licensing fee model. This isn't exactly a new idea--this development has been anticipated for at least a decade. However, if Microsoft decides to scrap a licensing fee model (even for a limited number of software titles), this will be a Big Deal. Microsoft has made billions in licensing fees, and giving up upfront cash for the hope of ongoing ad revenues could radically shift their basic economic structure.

Ad-supported software makes a ton of sense to me. CNET reports that Microsoft makes only $2/copy from its Works product, and its Money software loses money. With the $2/copy revenue number, I'm convinced that Microsoft could do better--way better--with ads. Depending on CPCs, Microsoft could make that amount from as little as one click. Surely they can get several clicks during the years that a user uses that software install. Heck, I would gladly pay Microsoft $2/copy for the opportunity to plug Google AdSense into the software. If Microsoft cuts out an intermediary, the profits would be even greater.

From the consumer's perspective, I think ad-supported software is a good move. First, consumers won't have to pay upfront for software they may not even want. (Right now, consumers implicitly pay some license fees as part of the bundled price when they buy new computers). Second, the ads could have significant utility for consumers, especially if they are contextualized based on the consumer's behavior and data.

As for Microsoft, I think the move towards ad-supported software reinforces that Microsoft is a media company, not a technology company. Microsoft may currently sell functionality, but eventually it will be in the business of selling attention.

As that process matures, I expect to have a tough time recognizing the differences between adware and Microsoft ad-supported software. Many adware vendors already provide some software functionality as part of their adware bundle, and Microsoft will do the same. Therefore, the way I see it, Microsoft inevitably will become an adware vendor. Perhaps this confirms that adware is an essential part of our future information economy, current anti-adware sentiments notwithstanding.

Posted by Eric at 06:59 PM | Adware/Spyware , Copyright , E-Commerce , Licensing/Contracts , Marketing

November 28, 2005

Supreme Court Denies 1-800 Contacts Cert Petition

By Eric Goldman

Today the US Supreme Court denied 1-800 Contacts' petition for certiorari of the second circuit opinion in 1-800 Contacts v. WhenU. I'm not surprised by the denial, but the bigger question is--now what for 1-800 Contacts' campaign against WhenU? Will they drop the obsession? Or will they just move the battle front to Utah and Alaska and bring suit under those states' anti-adware laws?

Previous blog coverage:
WhenU's cert opposition
1-800 Contacts files for cert
The second circuit opinion
Alaska's anti-adware law
Utah's anti-adware law

Posted by Eric at 01:50 PM | Adware/Spyware , Derivative Liability , Trademark

November 21, 2005

Texas AG Sues Sony Under State Anti-Spyware Law

By Eric Goldman

Texas v. Sony BMG Music Entertainment (Tx. Dist. Ct. complaint filed Nov. 21, 2005).

From a legal standpoint, today wasn't a good day for Sony. In addition to being sued by the EFF, Texas decided to join the fray. Texas has brought a lawsuit against Sony based on Texas' new Consumer Protection Against Computer Spyware Act.

Based on the specific requirements of that statute, the alleged violations involve Sony's file naming conventions, Sony's masking of file names and Sony's implied claims that its software needed to be installed to enjoy the music on the CD. The claims do not involve any of the software's phone-home capabilities (which is what I thought was Sony's biggest legal problem), nor do they directly involve the challenges of uninstalling the software or the software's ability to be used by bad actors for malicious purposes.

I was amused by the extensive self-promotion of Texas AG Greg Abbott in the news release. Abbott's name is referenced no less than 6 times on the page (among other self-aggrandizement). I don't think there can be a serious question that Texas' lawsuit represents the typical exercise of prosecutorial discretion for political benefit. Does Texas need to correct a failure of private enforcement against Sony? No. Is this a strong case to test a newly-enacted statute? No (at least, not in my opinion). So why is Texas rushing to join the party? My instincts tell me that Abbott wants to break Spitzer's current monopoly as the only state AG who gets press as being tough on spyware.

Even though the prosecutorial motivation is questionable, there's no question that Sony's strongest--and perhaps only--move is to settle up with Texas, and quickly. There is no upside to a long-term battle on this topic, so the quicker that Sony makes amends for its choices, the quicker it can refocus on its core business.

UPDATE: Unsurprising announcement--Spitzer wants to grab some of the spotlight for himself.

UPDATE 2: Good grief--now spam-happy Florida AG Charlie Crist wants a piece of the action.

Posted by Eric at 05:16 PM | Adware/Spyware | Comments (1)

November 14, 2005

Spyware Litigation Recap

By Eric Goldman

There's been an explosion of litigation involving spyware/adware--so much that I've not been able to blog it all on a timely basis. This post "catches up" some of the lawsuits from the last couple of months.

In re. Trudeau. On November 7, a Minnesota attorney was disciplined for using spyware in her personal dealings.

FTC v. Enternet Media, No. CV05-7777 (C.D. Cal. complaint filed Oct. 27, 2005). The FTC got a TRO against some adware/spyware distributors, their principals and an affiliate. The defendants allegedly bundled adware and spyware with various freeware. According to Para. 38 of the complaint, the defendants had a EULA but did not encourage or require users to read it before the download commenced. (As a backup, the FTC claims the EULA disclosures were too general to adequately disclose the bundled software's implications). FTC press release.

Lawsuits against Sony for its DRM software. I've written about Sony's DRM software here and here. Not surprisingly, the lawsuits are mounting, including class actions in CA and NY.

FTC v. Odysseus Marketing (D. N.H. complaint dated Sept. 21, 2005). Software vendor and its principal sued for alleged spyware/adware. Interestingly, the FTC implicitly acknowledges that the EULA formation process and disclosures were pretty good. The complaint is a little vague (and I didn't have time to trace through the exhibits), but it appears that the EULA explains most of the software's operation, and users had to check a box acknowledging that they had read the T&Cs before downloading (see complaint Para. 14-20). Nevertheless, the FTC initiated the bust based on (1) false representations about how the software would anonymize P2P file sharing, (2) inadequate disclosure of bundled software coming along for the ride (this claim seems difficult given the EULA disclosures), and (3) inability to remove the software. I'm not convinced that these defendants should be free from liability, but to me it looks like the FTC is stretching a bit here. FTC press release.

Michaeli v. eXact Advertising, No. 05 CV 8331 (SDNY complaint filed Sept. 27, 2005). The third lawsuit in a troika of class action lawsuits against adware vendors (the Sotelo and Simios cases are the other two). The plaintiffs allege trespass to chattels, deceptive consumer acts under NY law (NY Gen. Bus. Law 349), false advertising under NY law (NY Gen. Bus. Law 350), common law negligence and unjust enrichment. See my write-ups on Sotelo and Simios for critiques about these causes of action. Suzi's comments.

I hate to state the obvious, but I can pass along a friendly tip to current/prospective law students: spyware/adware litigation appears to be a growth industry!

Posted by Eric at 08:54 AM | Adware/Spyware , Trespass to Chattels

November 07, 2005

Is Sony's DRM Spyware?

By Eric Goldman

Sony's DRM software generated lots of discussion and new information since my last post on the subject. The discussion (especially the many great comments I got in response to my previous post) has prompted me to change some of my thoughts—in particular, my statement that the DRM software isn’t spyware.

1) Sony's technological implementation of DRM exhibited some ineptitude, but Sony is being held to a rigorous standard because of DRM

ZDNet called Sony’s DRM “ineptware”—-software that doesn’t have a malicious intent but nevertheless can have a pernicious effect. For example, the software may make a computer unstable or slow. And the unnecessarily intrusive use of a rootkit “smokescreen” allows bad actors to hide behind the smokescreen.

However, Sony (and its upstream vendor First4Internet) hardly has cornered the market on inept software designs that lead to undesirable outcomes. There's plenty of brain-dead software implementations out there. Why beat up on Sony?

I continue to believe that the underlying problem is DRM. Many technologists and consumer advocates harbor a deep animus towards DRM, so Sony's technology failings are being held to a heightened standard.

I understand why there's so much antipathy towards DRM, but I don't think we should overreact to Sony's failings. In particular, sloppy software design isn't "spyware" or "malware," or else those terms become far too overinclusive and thus meaningless.

2) Most of Sony's failures to disclose are probably legally inconsequential, but the implied affirmative representation that the software could be uninstalled may be problematic

In my previous post, I said that Sony's EULA adequately obtained consent to install its software. I still stand by that statement, for the most part, but the issue is more nuanced than my statement might indicate. Specifically, there are 2 separate disclosure issues-—Sony’s affirmative disclosures and Sony’s failure to disclose--and they should be addressed separately.

Except for the “phone-home” aspect (discussed below), I’m not particularly troubled by Sony’s failures to disclose the details of its software. In general, vendors aren’t obligated to make every affirmative disclosure that every consumers might find interesting. In this situation, I think many disclosures desired by the technologists aren’t legally compelled or expected. Sony and its vendor have made dozens or hundreds of design choices to implement the software. Consumers don’t need to know those choices, would not change their behavior if the choices were disclosed affirmatively, and would be overwhelmed by complete disclosure.

In contrast, I’ve become less comfortable with Sony’s disclosures regarding the difficulties uninstalling its software. The difference is that Sony made some affirmative statements that implied the software could be uninstalled. If Sony created the false impression that the software could be uninstalled when it couldn't (or could be uninstalled only by breaking the OS), then Sony may have created some problems for itself.

3) If Sony's DRM software reports information back to a central server, this looks like spyware and could be legally problematic

Of the various problems with Sony’s technological implementation, I am most troubled by the allegations that Sony's software "phones home"; i.e., reports some information about each user back to a central server, including the combination of an IP address and a record of each album the user plays.

In my previous post, I said that Sony’s software wasn’t spyware. However, if the software is reporting back information about each user’s behavior, and that reporting back feature wasn't disclosed, then I agree with Suzi that surreptitious and undisclosed monitoring and reporting back of user activity sounds like spyware.

Further, if the reports are true, the software’s behavior could be a prima facie violation of the Computer Fraud & Abuse Act (18 USC 1030(a)(2)), which applies to an actor who:

"intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...information from any protected computer…"

Every computer connected to the Internet is a protected computer. The software allegedly obtains information (at minimum, the album being played). The phone-home “feature” may exceed the authorization given by the user; I don't think that mere consent to installing the software acts as consent to the reporting back of information. If the reports are true, I don’t envy the position of Sony’s defense counsel.

UPDATE: Declan reports that the class action lawyers are circling.

UPDATE 2: Several anti-spyware software vendors have classified Sony's software as spyware.

Posted by Eric at 10:10 AM | Adware/Spyware , Copyright | Comments (9)

October 31, 2005

WhenU Opposition to 1-800 Contact's Certiorari Petition

By Eric Goldman

WhenU has filed its opposition to 1-800 Contact's petition for certiorari from the US Supreme Court. WhenU's main argument:

"1-800 mischaracterizes the decision below as holding that the “covert” use of a trademark can never support an infringement claim. But the Second Circuit did not rule that the unseen use of a trademark can never be infringing; it merely held that the particular manner in which WhenU employs the plaintiff’s mark to generate online advertisements does not constitute the “use” of a mark. Petitioner also argues that the decision below is at odds with cases involving metatags, cybersquatting and keyword advertising. But the Second Circuit addressed each of those situations in its opinion, explained why they differ from WhenU’s advertising, and expressly stated that it was expressing no view on the validity of other Internet cases. Accordingly, the conflict posited by 1-800 simply does not exist."

I think it's correct that the Second Circuit opinion does not evidence a particularly strong circuit split, but only because the opinion was so limited. If we try to read the Second Circuit opinion broadly to opine on trademark use on the Internet, a split becomes more pronounced. If we read the opinion narrowly, in that it opines only on the specific under-the-hood database practices of WhenU, there's no circuit split--but then there may be very little precedential impact from the case.

Posted by Eric at 05:07 PM | Adware/Spyware , Trademark

October 25, 2005

Can Kids Bind Parents to EULAs?

By Eric Goldman

Abramson v. America Online, 2005 US Dist. LEXIS 10095 (N.D. Tex. May 25, 2005).

One of the great unresolved issues in Cyberlaw: if a kid downloads P2P file sharing software, are the parents responsible? This issue is germane to the P2P file sharing lawsuits when kids use the software to engage in illegal file downloads. It's also germane to adware because the P2P file sharing software may be bundled with adware, and the parents may (legimitately) complain that they did not ask or want the software to be installed on their computer.

In the Abramson case, mom wanted AOL installed on her computer. She told dad, who asked Jr. to install AOL. Unfortunately, the case doesn't mention Jr.'s age. Mom develops a legal gripe against AOL, and she sues in Texas. AOL responds that she is bound by AOL's user agreement requiring that the lawsuit be brought in Virginia. Mom says she never agreed to the user agreement. AOL says that Jr. did and that binds mom.

The court says that mom is bound to the user agreement for two alternative reasons:

1) Jr. had "apparent" authority to bind mom to the agreement. With apparent authority, a third party reasonably believes that a principal delegated authority to the agent. Here, this seems confusing--how can an automated agent (AOL's click-through mechanism) "perceive" authority? The court fails to address that. Instead, read at its most literal level, if an automated agent "thinks" the person clicking has authority, then a clicking kid binds the parents.

2) Mom "ratified" the contract by continuing to use the AOL service knowing that the service was governed by a contract of some sort.

What does all this mean for adware vendors? This case probably doesn't speak directly to the typical bundled download. First, mom gave instructions to install the AOL software, whereas many parents may not give equivalent instructions to their kids regarding P2P file sharing software (in fact, many parents probably give instructions not to download). Second, we may be hard-pressed to say that a parent "ratifies" the adware install, especially if the parent tries to remove the install.

However, this case also shows that an "ignorance of the contract" defense on the part of parents is dicey. And, if followed by other courts, this court's bald statement that an automated agent could believe that the clicker has apparent authority could have a powerful impact on attempts to finger-point otherwise.

Hat tip: ContractsProf blog.

UPDATE: Going back through some old notes, I'm reminded of Motise v. America Online, Inc., 346 F. Supp. 2d 563 (SDNY Nov. 30, 2004), where a stepfather signed up an AOL account and his stepson (who apparently shared use) was bound by AOL user agreement for choice of forum purposes.

UPDATE 2: I received the following email from "Elaine Abramson" from email address "AAArtWork@aol.com" (reposted with permission). Obviously, I'm in a worse position to evaluate the facts than the judge was, so I offer this up for your consideration:

"1) My son was NOT a minor on May 20, 1999, the date that AOL paralegal Carrie Davis claimed in her PERJURED Affidavit. My son was 30 years-old on that date.

2) My son was working in New York on that date while I and my computer were in Dallas, Texas.

3) May 20, 1999 was a Thursday, a working day. My son was at work.

4) On May 20, 1999 I owned a Magnavox 386 computer. It did NOT have a modem and did NOT have internet capabilities. I did NOT purchase a computer with Internet connections until March 21, 2000, eleven (11) months after Carrie Davis's PURJURED Affidavit claimed that I had become an AOL member.

5) My Magnovox computer only had a floppy drive. It did NOT have a CD drive and could NOT use AOL's Internet connection CD's.

6) AOL.5 was the CD that was used to connect my computer to the internet. The packaging states that it has a 2000 copyright date. Therefore, I could NOT have become an AOL member prior to AOL releasing that CD to the public.

7) On Google I found listings for Carrie Davis having created (depending on how it was listed) between 10,700 and 260,000 Affidavits similar to the PERJURED one she submitted to the Texas and Virginia courts in my case.

Because of all of the above facts, it was physically impossible for me to have become an AOL member on the date stated in Carrie Davis' PERJURED Affidavit. I have repeatedly submitted these documents to the United States District Court Eastern District of Virginia - Alexandria Division but have been ignored because I am pro se."

Posted by Eric at 04:17 PM | Adware/Spyware , Copyright , Licensing/Contracts | Comments (1)

October 22, 2005

Barnes on Adware Contracts

By Eric Goldman

Wayne Barnes, a law professor at Texas Wesleyan University School of Law, has posted "Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance" to SSRN.

The first 50 pages largely recap the technology and the case law. If you're new to the area, this is an admirable summary of what's been happening. If you're already pretty familiar with the adware space and the case law, you might start at page 50.

Starting around page 50, the paper gets especially interesting. The paper applies some Restatements and UCC provisions to the contracting process. The paper also tries to establish the proposition that adware-mediated online surveillance is so intrusive--as intrusive as a human stalking you in physical space--that we should simply ban adware. Or, if we choose a lesser step, we should require adware vendors to make extreme disclosures and then require consumers to provide repeated consent just to make sure they really meant it.

I had many critiques of the paper, which I emailed to Wayne privately. With Wayne's permission, I have included my global structural comments at the end of this post so that you can "look over our shoulders" to see what I suggested to him.

One thing I agree with Wayne about: the contract formation process with adware raises important questions about the validity of private ordering in this context. In other words, do we really believe consumers when they say "Yes" to adware? If we don't--and there are some good reasons why we might not--then we may have a defect in private ordering. However, I'm not yet convinced that's a big problem. First, I'm not sure such a defect is unique to adware--I think we have many private ordering crises throughout the law of contract, and we've resolved this issue before (maybe not satisfactorily, but we're not dealing with new issues here either). Second, even if there is a defect, I'm not 100% sure that there's any cure that's better than the current situation. Wayne's paper is a commendable first step in addressing these questions, but I think a lot more theoretical and empirical work will need to be done on this topic before we reach really satisfactory resolutions.
_________

Wayne's abstract:

The spyware epidemic has reached new heights on the Internet. Computer users are increasingly burdened with programs they did not knowingly or consciously install, which place strains on their computers’ performance, and which also trigger annoying “pop-up” advertisements of products or services which have been determined to match the users’ preferences. The users’ purported preferences are determined, in turn, by the software continuously monitoring every move the consumer makes as she “surfs the Internet.” The public overwhelmingly disapproves of spyware which is surreptitiously placed on computers in this manner, and also largely disapproves of the pop-up advertising paradigm. As a result, there have been many legislative proposals, on a state and federal level, to address the spyware problem. All of the proposals assume that, if knowing and effective consent to spyware installation is granted by the consumer, then the software is lawful. Existing case law would seem to provide a means for corroboration of this conclusion. However, the implications of allowing such profound and invasive surveillance appear to be largely ignored in all of the proposals and discussion concerning spyware. This may be because of the “problem of perspective” concerning online activities, as first highlighted by Professor Orin Kerr. This article seeks to illuminate the true nature of the spyware bargain, and questions the propriety of sanctioning such “surveillance bargains” under principles of contract law. Such bargains may often be unenforceable because a term allowing continual surveillance may be beyond the range of reasonable expectations of most consumers. Even if not, however, the privacy implications are such that we as a society may wish to condemn such “bargains to be spied upon,” and conclude that such contracts should simply be unenforceable as a matter of public policy, and therefore banned.
______________

My conceptual global comments to Wayne about the paper (cut and paste from my email to Wayne):

1) I think you did an admirable job recapping the debate over the words "adware" and "spyware." However, in the end, I was still confused throughout the paper exactly what "spyware" meant to you. It may simply be that you are hypothesizing a unique type of software that both (a) watches behavior, and (b) triggers ads. However, does your hypothesized model also report the captured data back to a home base, or does the data just sit in a directory on the user's computer? (And does it matter?). In the most narrow form of hypothesized software you might be discussing, I wonder if anyone is actually doing what you're concerned about. In the broadest interpretation of your hypothesized software, I think in many cases you're really discussing adware (as I would use the term), not spyware. Perhaps this confusion was mine alone, but I was confused throughout the paper about exactly what were the essential attributes of the software you were characterizing as "spyware."

2) A centerpiece argument in your paper is that electronic surveillance is fully equivalent to human surveillance. I know that some agree with you, but this point deserves considerable attention. I think, if I understand your argument (and it depends exactly on the key attributes of your definition of spyware), that you think that electronic software aggregating electronic behavior onto a hard drive but not telling anyone (and no human ever cognitively considering that data) is as bad as a person physically being in the same room as another person, watching them have sex, masturbate, douche, go to the bathroom, inject themselves with cocaine or commit the other myriad of personal activities that one might want to keep "private." Note that while a person can engage in cybersex, there are some qualitative and cognizable differences between cybersex and physical-space sex or masturbation...aren't there? And while I personally feel uncomfortable with the idea of a stranger (or even my son) watching me defecate, exactly how can the computer monitor a person going to the bathroom?

[Note, I address the inconsequence of inchoate data collection in http://papers.ssrn.com/sol3/papers.cfm?abstract_id=685241]

If there are some activities that are conducted in physical space that aren't replicatable in cyberspace, or if the idea of a computer recording electronic behavior is different from having a person in the bathroom with me while I'm defecating, doesn't this undermine your analogy on Page 52? And if that analogy is weakened, I think that also weaken the various conclusions you draw from it.

Your analogy on Page 52 also assumes that a person is stalking another person "for whatever purpose." I agree that would be creepy, but that's not the right analogy to spyware, which is monitoring behavior putatively to deliver contextually relevant results that would create positive utility for me. I wouldn't want someone tailing me for no reason, but I might very well want people tailing me if they were going to help me. Thus, I disagree with your point on Page 53, where you say no one would voluntarily seek to be tailed--I can think of several situations where that's not true because the tailer would provide valuable services to the tailee--for example, medical care, nannies/butlers, stars with entourages.

Because of this general problem of distinguishing the physical from the virtual, your analogy to the Article 9 repossession law didn't work for me. I'm not an Article 9 expert, but I can think of several distinctions. With repossession, there is a risk of physical altercations that create a breach of the peace. There's also the risk that the repossessor lacked the rights to do what they are doing, thus depriving a legitimate owner of possession and use of their chattel and being difficult to distinguish from an outright theft/conversion of the chattel.

All told, I personally thought your analogy and your virtual/physical distinction (or lack thereof) didn't clarify things for me, but instead raised lots more questions.

You might also note that there is a large literature on this general question--you cited a couple of articles (like Dan Hunter's article), but I'm sure you know that the literature on the physical/virtual distinctions in Cyberlaw, and developing the appropriate analogies, is very rich.

3) You repeatedly take potshots at spyware because it is typically bundled with "modest-value" applications. There are 3 issues with this.

a) there is always a risk of a person externally valuing the subjective utility a party receives from a transaction. This is why the law doesn't question the adequacy of "consideration." But you were willing to make an across-the-board assessment of the subjective value that users place on the bundled applications. You might want to acknowledge more explicitly the basis on which you form that conclusion of subjective value.

b) If you are trying to cost-account for the benefits consumers receive, you need to include any ads received that create positive utility.

c) Current practices are changing rapidly. So whatever the current value proposition is, we should be reluctant to make any predictions about future value propositions.

See http://blog.ericgoldman.org/archives/2005/10/does_anyone_rea.htm for more on this point.

4) I have an idiosyncratic hot button. Personally, I am completely unpersuaded by any policy rationale in the Internet space about preserving the "sanctity of the home." I know this meme has propagated widely, but in the online context, it's nonsensical. Spyware can be installed on home computers and office computers. If the law depends on the "sanctity of the home," then it should make a difference--home-installed spyware bad, office-installed spyware not as bad. Is that what you intend? Also, assume spyware is installed on a laptop that the owner shuttles between the office, home and a cybercafe. Now what? I think there may be underlying policy concerns masked by the "sanctity of the home" argument that deserve to be unpacked and examined more closely. Otherwise, I personally find the rationale very empty.

5) Based on the problems of defining spyware, and tying it to your core objection about surveillance, I think your proposed solution covers a wide range of software--virus checkers, parental filtering software, Windows XP, Google Desktop's Sidebar. Are you really proposing that all of these software programs should be banned because of their surveillance capacity? If so, you might want to acknowledge that expressly. If not, then I'm not sure I understood how you distinguish between the objectionable features of spyware and the ubiquitous monitoring capacities of software.

Posted by Eric at 04:00 PM | Adware/Spyware , Licensing/Contracts | Comments (3)

October 21, 2005

"Does Anyone Really Like Adware?" My Response to Suzi's Question

By Eric Goldman

Suzi of Spyware Confidential asks: "Does anyone really like adware?"

I think this question is crucial, and it's one I've been wondering myself. However, I think there are really 2 subquestions embedded in this one, and I'd like to deal with them separately.

Adware Today

One way to frame Suzi's question is: does the value proposition of adware, as currently implemented, work? To that, I think many of us--even me!--would answer the question negatively, and I think the adware vendors can largely blame themselves for this.

Most adware vendors today say: we'll give you X for free (or help you get X for free), but you'll pay for it with pop-up ads. In this model, the pop-up ads are the "price" or the "cost" of the consumer getting something they want.

But thinking of ads as a cost to consumers, rather than a benefit, seals the fate of the adware vendors. When consumers view ads as a cost, they have every incentive to avoid the ads. We've seen this behavior over and over again with ad-supported media. Consumers take the "good" stuff (the "content") and avoid the "bad" stuff (the ads). For example, drivers in cars switch between preset radio stations when an ad comes on, and TiVo and VCR owners blast through the ads. (Even I do that--with my TiVo, I can shave a half-hour show down to 22-23 minutes).

Thus, each time adware vendors bang the drums that adware-served pop-up ads are the price of something else, they are reinforcing that consumers should resent the value proposition and try to vitiate the deal. And, on that basis, I think even the adware vendors are admitting that the current answer to Suzi's question is no (at least with respect to adware qua adware).

Adware in the Future

Personally, I am less interested in the state of adware today. I recognize that some bad practices today are creating significant difficulty, and I don't want to trivialize those. But technology, business practices and consumer expectations are evolving rapidly, so focusing on today's snapshot of activity may be too myopic. Accordingly, we could reframe Suzi's question as--does adware have the capacity to be something people like and value?

I think the answer to this reframed question is emphatically yes. Indeed, I'll go one step further and say that adware has the potential to have a positive value proposition even if it's distributed on a standalone basis (i.e., without any bundled applications).

I know it sounds crazy to most people conditioned to hate advertising, but advertising can be a benefit, not a cost. Consider, for example, a person looking for a job or an apartment might buy a newspaper to get the classified ads. Stated another way, this person would pay to purchase advertising. Crazy, isn't it? Not at all. Where ads add value to consumers, consumers will want them, seek them out, potentially even pay for them.

Adware vendors have the theoretical capacity to make their software valuable enough that consumers will want it on a standalone basis. If adware vendors succeeded in that, I predict that consumers would gladly embrace adware.

While this capacity may be theoretical, there are existing models of such a mutually-beneficial vendor-consumer relationship: "infomediaries."

An infomediary model works only if consumers trust the infomediary. This is why I think adware vendors' current efforts are so misdirected. Adware vendors should be focusing on how to win consumer trust in the ads they serve, not how to improve distribution or the bundled value proposition. The current crop of adware vendors may or may not evolve to meet this challenge, but future market entrants will--so long as we don't destroy the competitive environment in a way that prevents their entry.

Posted by Eric at 10:47 AM | Adware/Spyware | Comments (5)

October 20, 2005

Spitzer's Witchhunt Nails Adware Executive Personally

By Eric Goldman

In response to my post yesterday about adware witchhunts, a reader privately criticized me for analogizing the adware situation with manias where people's lives were at stake. Ben Edelman made a similar point in his comment to the post. I didn't mean to suggest (directly or via an analogy) that people would die because of the anti-spyware mania, and I apologize for any statements that suggested or implied otherwise.

However, I was trying to say, and I remain fully convinced, that the anti-spyware mania will extract significant personal tolls on those targeted, even if the legal basis of their targeting is questionable. As if on cue to provide evidence for this point, today Sheriff Spitzer announced his latest trophy: Intermix CEO Brad Greenspan entered into an "Assurance of Discontinuance" which requires him to pay $750,000 for his alleged wrongdoings, which allegedly included

* "Greenspan directed Intermix’s employees to bundle adware programs with other free software programs to avoid informing consumers of their existence by disclosing Intermix’s adware programs only in a linked, inconspicuous, End User License Agreement."

* "Greenspan directed subordinates to bundle the adware programs to make them difficult to uninstall."

Now, given that Intermix sold for $580M, Greenspan may be able to afford the $750,000 check. I also suspect that Greenspan had other personal motivations for consenting rather than fighting. For example, perhaps his assurance of discontinuance was a precondition to final approval of the overall Intermix settlement with Spitzer, which in turn might have been a precondition to the close of the Intermix acquisition. I don't know if this hypothesis is right, but my point is that there may have been behind-the-scenes motivations that explain this settlement.

But what about the law? On what legal basis is an executive individually and personally responsible for decisions taken on behalf of a company?

I'm not an expert in this area, but the default rule is that if a company breaks the law, individual officers, directors and employees aren't liable personally. There are statutory exceptions to this, and in some cases the corporate organization is so thin that we can't distinguish between a corporation's actions and an individual's actions (such as a company where a single person is sole owner and employee). And in consumer protection actions, it's not unprecedented that individuals who run small operations to be covered by an enforcement action.

But actions against executives of "real" companies are pretty rare. Further, Greenspan's decisions were both legally colorable in their propriety and extremely typical of the decisions made by adware executives...and many other software vendors.

The universality of Greenspan's decisions surely must be the point. Spitzer's sending the message that no one in the adware business is beyond his reach. Accordingly, I completely reject any argument that the witchhunt won't significantly affect the lives of the people targeted. Greenspan's $750,000 check says otherwise.

Posted by Eric at 04:34 PM | Adware/Spyware , Derivative Liability | Comments (1)

October 19, 2005

Latest Junk Fax Lawsuit--Adler v. Vision Lab Telecommunications

By Eric Goldman

Adler v. Vision Lab Telecommunications, Inc., 2005 WL 2621984 (D.D.C. Oct. 17, 2005).

I've set up a Westlaw alert to notify me of new TCPA cases and I'm pretty shocked by the volume of cases being reported under the law--it's way higher than I imagined. I typically get 3-5 emails from Westlaw a week with new cases interpreting the TCPA. Not surprisingly, plaintiffs seem to be loving it!

I'm blogging about this case in particular because of its direct relevance to the adware/spyware cases like Sotelo v. DirectRevenue and Simios v. 180Solutions (I know there's a third case against eXact, but I haven't had a chance to read the complaint yet).

In the Adler case, the plaintiffs brought suit over junk faxes. The defendants moved to dismiss the various claims.

Of particular interest is that the judge granted the motion to dismiss the common law negligence claim, saying that the common law claim was subsumed by the TCPA law. It appears that this specific question has created a split of precedent. The court cited both Morris v. Fax.com, Inc., No. 03-CA-1109 (D.C. Sup. Ct. June 13, 2003) allowing (reluctantly) the negligence claim to survive a motion to dismiss, and Chair King, Inc. v. GTE Mobilnet of Houston, Inc., 135 S.W.3d 365 (Tex. App. 2004), which granted the motion to dismiss.

While the Sotelo court denied the motion to dismiss the negligence claim, I think the Sotelo court ultimately will reach the same conclusion as this court that the negligence claim is subsumed in the other claims.

Also interesting is that the judge denied the motion to dismiss the common law invasion of privacy claim (raised in the Simios case but not (yet?) raised in the Sotelo case). Referring to the Restatements and a motley assortment of precedent, the court says "in extreme circumstances, sending unauthorized fax advertisements may be an intrusion upon seclusion." The court then hastened to add that "Adler may have difficulty proving that defendants' faxes were a frequent enough intrusion to be highly offensive to a reasonable person."

I'd have to research the case law more, but on the face of it, this seems like a big win for anti-fax/anti-telemarketing plaintiffs. There's an acknowledgement that with the right facts, a common law invasion of privacy claim is valid.

Does this thinking port over to the adware/spyware context? The motley precedent cited by the Adler court is heavily laced with references to telephone calls being intrusive, so as precedent this case could be easily distinguished. On the other hand, if the standard is that any marketing intrusion could constitute invasion of privacy so long as the intrusion is frequent enough, then anti-adware plaintiffs should be thrilled!

UPDATE: BNA (subscription required) reports that the case has settled.

Posted by Eric at 06:28 PM | Adware/Spyware , Marketing , Publicity/Privacy Rights

Adware Witchhunt Gone Awry

By Eric Goldman

Ben Edelman's latest "research report"/attack salvo goes after Claria because an ad promoting a Claria product was delivered via alleged spyware. To connect Claria with the "spyware" vendor, Ben traces the money as follows:

Step 1: Claria pays ad network Zedo.com
Step 2: Zedo.com pays 02320.com
Step 3: 02320.com pays ad network Yieldmanager.com
Step 4: Yieldmanager.com pays Venus123.com
Step 5: Venus123.com pays "spyware" vendor ContextPlus
Step 6: ContextPlus does a non-consensual installation (this presumably happens before the money flows)

Based on this 6 step process, Ben’s report reaches the conclusions that "Claria pays spyware vendors to show Claria's own ads through their popups," "Claria funds and supports such vendors" and "Claria Shows Ads Through Exploit-Delivered Popups."

Notice the pronoun-verb connection/disconnect here. Claria "pays"..."shows"..."supports." But per Step 5, Venus123.com was the one who entered into the relationship with the "spyware" vendor, and Claria was six contractual relationships away from the delivery of the ads via a non-consensual installation. Was the report confused about who dealt with the vendor? Was this a deliberate decision to ignore steps 1-4?

Either way, this grammatical sleight-of-hand reveals a critical assumption of the report--and of anti-spyware zealots generally--that has not been adequately elucidated, examined or justified. Before we can care about the report's assertions, I feel like someone--anyone--ought to establish that a money source six contractual relations away is "supporting"/"paying"/"funding" the downstream party. If we don't agree with this grammatical construction, there's nothing interesting at all in the report.

Note that I'm not disputing that cash originating from Claria ends up in the hands of a "spyware" vendor who may have directly (or more likely indirectly) made a non-consensual install. (I haven't validated the findings, but I'm willing to accept their truth for now). But even if this finding is true, SO WHAT? If we open up an inquiry to find every person or entity who is a source of funding for ContextPlus 5 degrees of separation away, my guess is that we find hundreds, thousands or even tens of thousands of "supporters." And if we keep working upstream from Claria (going 6, 7 or 8 degrees of separation from the offending event), we find more "supporters" of Claria that are, by association, supporters of ContextPlus. Go far enough up the chain, and I'm 100% convinced we'll find money flowing through Claria to ContextPlus from every anti-spyware zealot and agitator out there. Using this illogic, I think we would unavoidably conclude that every anti-spyware zealot “supports” spyware.

The previous sentence would be partially in jest if it weren't prompted by a serious social threat. That threat isn't spyware; it is witchhunts where mere association, even if attenuated, equals guilt. We saw similar manias in the Seventeenth century witchhunts of Puritan New England, with the 1940s and 50s Red Scare of McCarthyism, and now with the latest round of zealotry, the anti-spyware crusade. I think each of us has the personal responsibility to vigilantly guard against the temptation of a taint-by-association mania and the resulting significant negative consequences it can produce for the falsely accused.

[NB: I've made some changes to the previous paragraph to clarify some points that may have been misinterpreted.]

To be clear, I recognize that Claria, in theory, derives an economic benefit from the ad placed by Venus123.com and delivered via ContextPlus. But once again, SO WHAT? Everyone upstream from Claria derives the same economic benefit--its investors, its landlord, its Internet access providers, etc. Using this rationale, shouldn't they be on the hook too?

No. As a matter of law, policy and logic, we don't go this far. We don't hold stockholders or lenders responsible for the illegal actions of the company they invested in. We don't hold the power company responsible for the actions of a customer. And we don't hold Company A responsible for what Company B, five contractual relationships away from it, does.

Here's how I propose we put a stop to this nonsense. It’s time for the anti-spyware zealots to make their assumptions explicit. We deserve a simple and plain answer to the following question:

When is X responsible for an adware vendor’s unauthorized installation, and why?

In answering this question, I would like to know: (a) the full universe of people who could be X (and does it include their vendors? customers? investors? employees?), and (b) is X's responsibility based on the law (if so, which legal doctrines?), morality (if so, what moral doctrines?), blinding emotional outrage, or some other basis?

Until we get upfront and clear answers to these questions, any report concluding that X or Y supports/funds/pays for/is responsible for "spyware," without justifying the causality link, lacks credibility. I further think any reporter who repeats those report's findings without also referencing this omission abrogates his or her journalistic responsibilities.

More on this topic:
* Copyright Infringement for Bundling with P2P File Sharing Software?
* 2004 Case on Advertiser Liability for Spam
* Are Adware Advertisers Responsible for Adware?
* AP Story on Advertiser Responsibility for Adware
* More on the Adware Advertiser Witchhunt
* Edelman on "Intermediaries' Role in the Spyware Mess"
* LA Times on Adware Advertisers--Including 1800 Contacts?
* Will Spitzer Go After the Adware Industry?
* Does AskJeeves Have a Spyware/Adware Problem? Diller Says No. I Say...

Posted by Eric at 10:12 AM | Adware/Spyware , Derivative Liability | Comments (24)

October 16, 2005

Copyright Infringement for Bundling with P2P File Sharing Software?

By Eric Goldman

Suzi of Spyware Confidential/Spyware Warrior relayed the following question to me:

"Saw your recent posting on the Direct Revenue/KaZaA partnership. Many have praised this move despite the fact the Supreme Court has ruled that these P2P networks are illegal. I can see why people are praising Direct Revenue for getting out of the distribution networks they are in, but I’m just surprised to see no one question the legality of distributing with KaZaA. Any thoughts?"

You can read my lengthy response about tertiary copyright infringement at her Spyware Confidential blog.

One correction: a commenter at Suzi's blog notes that the tertiary liability lawsuit named other defendants beyond Bertelsmann, including Hummer Winblad, Hank Barry and John Hummer. I didn't get into this detail in my write-up but the commenter is correct--thanks for the clarification.

Posted by Eric at 12:38 PM | Adware/Spyware , Copyright , Derivative Liability

October 03, 2005

Menell on State Anti-Spyware Regulation

By Eric Goldman

Peter Menell has posted his article "Regulating 'Spyware': The Limitations of State 'Laboratories' and the Case for Federal Preemption of State Unfair Competition Laws" to SSRN. This article thoroughly examines state-level unfair competition laws and how they may apply to regulating spyware and adware. He also raises some fundamental questions about the wisdom and utility of state-level efforts to regulate the Internet generally.

The abstract:

"Drawing on Justice Brandeis's oft-cited observation that states can serve as "laboratories" of policy experimentation, this Article develops a framework for assessing the allocation of governance authority for regulating Internet activities. In particular, it focuses on whether states should be free to experiment with regulatory approaches or whether the federal government should have principal, if not exclusive (preemptive), regulatory authority over Internet-related activities. Using recent efforts to regulate spyware and adware as a case study, the analysis shows that the lack of harmonization of, and uncertainty surrounding, state unfair competition law produces costly, confusing, multi-district litigation and pushes enterprises to adhere to the limits of the most restrictive state. Such a governance regime unduly hinders innovation in Internet business models. On this basis, the Article favors a uniform federal regulatory system and pre-emption of state statutes and unfair competition common law as applied to spyware and adware. The final section of the Article extrapolates from this study of spyware and adware regulation to the larger context of Internet governance."

Posted by Eric at 05:23 PM | Adware/Spyware

September 30, 2005

1-800 Contacts Appeals 2nd Circuit WhenU Decision to the Supreme Court

By Eric Goldman

1-800 Contacts has appealed the 2nd Circuit decision in the WhenU case to the US Supreme Court. A copy of the petition (warning--5+ MB PDF file).

As the brief states, the question presented is: "Does 'use' of a trademark under the Lanham Act require that the trademark be displayed or visible to consumers?"

This is a great question, and it would be fantastic to have the Supreme Court give us a definitive answer. However, I'm very much hoping that the Supreme Court does not grant the petition, both because the 2nd Circuit got it right and because the narrow issues presented by the WhenU software may not give the court enough reason to opine on the question we all REALLY care about--does search engine keyword triggering constitute a trademark use?

Frankly, I'm a little surprised 1-800 Contacts is pouring more money into this litigation. They have already bought themselves an anti-WhenU law in Utah (although, bizarrely, the law does not directly overwrite the 2nd Circuit case because trademark infringement is a required element). Alaska has piled on with its own anti-adware law that appears even more favorable to 1-800 Contacts' interests than the Utah law. So why keep fighting in the courts when legislators appear eager to limit competition for them?

I'm not very good at predicting Supreme Court cert grants, so I'm adopting a wait-and-see attitude. However, I think there are good reasons why the court won't take this case. First, the cert petition is well-written from a technical standpoint but it's a bit of a dull read. From my perspective, it lacks the personality/"pizazz" that would grab a clerk's attention.

Second, the attempt to manufacture a circuit split isn't that compelling. The main cases the petition cites as holding that "covert use of marks" is a use in commerce (Playboy v. Netscape, Brookfield, Promatek) don't expressly address the "use in commerce" issue. Ultimately, the petition tries to graft together various domain name, metatag and keyword-triggered ad cases in a generalized effort to show that courts have been tough on trademark uses on the Internet. In shifting the grounds, the petition strays from its own "question presented" and becomes a catch-all rant against various types of trademark uses on the Internet. If the clerk catches this loss of focus, that will hurt its chances as well.

One final interesting point: there appears to be a change of counsel on 1-800 Contacts' side. 1-800 Contacts' lead counsel used to be Terence Ross of Gibson Dunn's DC office; the attorney on this appeal is Terry Rader of Rader Fishman and Grauer in Detroit. I'm not sure what's behind this change. If I wanted the Supreme Court to take a case and I was willing to change counsel, I would hire one of the Supreme Court "specialists" in DC who have enough repeat business with the Supreme Court that the court will recognize their brand. In this case, switching from a DC powerhouse like Gibson Dunn to a Detroit-based IP firm seems like an odd move.

UPDATE: To be clear, all of the rulings cited in the petition had to resolve the question of trademark "use" to find for the plaintiff. My point is that only a few of them did so explicitly. Most of the cited cases did not discuss "trademark use" at all--presuming that the defendant made such a use or forgetting that this is a required element in the plaintiff's prima facie case. On further reflection, when reviewing all of this precedent, the clerk may be shocked at the truly abysmal state of Internet trademark jurisprudence when the clerk realizes just how many times plaintiffs win when the courts do not explicitly consider the trademark "use" threshold question.

Posted by Eric at 10:05 PM | Adware/Spyware , Trademark

September 25, 2005

Crawford on Spyware Regulation

By Eric Goldman

Susan Crawford has posted her paper First do no Harm: The Problem of Spyware to SSRN. This is the paper associated with her talk at the Boalt conference on spyware in April. I read a draft of the paper at that time and I thought it was an intelligent and efficiently-expressed recap of the spyware "problem" with some worthwhile policy proposals (mostly, a call not to overreact).

The abstract:

Over the last few years, there has been enormous U.S. interest in legislating rules governing spyware. This Article provides a comprehensive overview of the bills that have been proposed (and passed) in the states and on the federal level. It argues that because spyware is impossible to define, these legislative efforts may do harm to the extent they either are focused on design mandates or are attempts to require notice for electronic interactions. Only a technical approach-and only a particular kind of technical approach at that-will work in addressing spyware. Technical actors need to take an immune system approach to spyware, dividing their efforts and experimenting in the field the same way immunity networks do. If we think of the legal system as a medical expert operating on this difficult disease, our first priority must be to wait to allow these already-emerging immunity networks to take effect, and to do no harm in the interim. This is a time for patience, not for the knife.

Posted by Eric at 09:39 PM | Adware/Spyware

September 22, 2005

Second Anti-Adware Class Action Filed--Simios v. 180Solutions

By Eric Goldman

Simios v. 180Solutions, Inc., No. 05C 5235 (N.D. Ill. complaint filed Sept. 13, 2005). This complaint isn't "new" news; Suzi blogged about it 10 days ago.

This is the second anti-spyware class action lawsuit initiated by David Fish of Collins Law Firm. The first target was DirectRevenue; this time it's 180Solutions. I've critiqued the merits of many of the claims in my review of the judge's first substantive ruling in Sotelo v. DirectRevenue. In this post, I'm going to principally critique some of the differences between that lawsuit and this one.

Venue

In the Sotelo case, the plaintiffs sued in state court. To avoid the Class Action Fairness Act, which mandates that most class action lawsuits are heard in federal court, the plaintiffs tried two techniques: (1) the proposed class covered only Illinois residents who had DirectRevenue's software on their machines, and (2) the complaint named some Illinois-based defendants in an attempt to destroy diversity.

Those techniques failed, and the Sotelo case is in federal court. This time, the plaintiffs didn't even try any of the venue-manipulation techniques and instead originated the lawsuit in federal district court. I'm not entirely clear why being in Illinois state court was desirable, but skipping ahead to federal court seemed like a smart move to me. Among other things, it creates the opportunity to plead some new causes of action.

Defendants

In the DirectRevenue case, the plaintiffs sued DirectRevenue, its holding company, an advertiser and an ad serving network. The diversity of defendants created some complexity and increased the paperwork, as each of the defendants are in different legal positions.

This time, the plaintiffs are suing just 180Solutions. However, it's possible that additional defendants will be added. In particular, I expected the plaintiffs to name some of 180Solutions' advertisers because the DirectRevenue advertiser was not able to get out of the lawsuit on the first try.

New Cause of Action--Computer Fraud & Abuse Act

Because the Sotelo plaintiffs tried to keep their lawsuit in state court, they did not plead any federal claims. Now, freed from that restriction, the plaintiffs bring a Computer Fraud & Abuse Act claim for the first time. The CFAA is a complex law, and I'm not entirely sure that the plaintiffs can establish a prima facie violation. However, I teach my Cyberlaw students that they should always plead common law trespass to chattels and CFAA together (if they can do so within ethical constraints), so adding the CFAA claim made complete sense here.

New Cause of Action--Electronic Communication Privacy Act

Another new federal claim, this time under the ECPA. I'm pretty skeptical about the ECPA claim. The lawsuit alleges that the 180 software "intercepts" communications and "discloses" the contents to third parties. These are the appropriate words under the statute, but I'll be interested to see if the plaintiffs can marshal the right facts to support the claim.

Trespass to Chattels

The complaint has cleaned up some of the damage allegations in support of the trespass to chattels claim (see, in particular, Para. 27), so the claim has an even better chance of surviving a motion to dismiss.

The plaintiffs, however, continue to plead some damages (such as user "frustration") that a court following Intel v. Hamidi simply will ignore. The plaintiffs also kept in some of their silly damages allegations (the software "utilizes pixels and screen-space on monitors"; the software slows performance, which causes the computer to stay on longer, which results in additional electrical consumption). I think the plaintiffs do themselves a disservice by mixing some legitimate and substantive allegations with some trivial and de minimis "harms."

New Cause of Action--Invasion of Privacy

The plaintiffs allege that the software invades their privacy under the common law. I think the plaintiffs intend to fit under the "intrusion to seclusion" tort. While this appears to have been appropriately pled, it's a stretch and, I think, has a low likelihood of success.

Conclusion

I understand that some plaintiffs' lawyers like to use rhetorical tricks, but I thought calling 180Solutions' software a "virus" and referring to computers as "infected" undermined the plaintiffs' credibility. Aside from that (and some other gratuitous allegations that have zero legal significance but were apparently made simply to smear 180Solutions), this complaint is noticeably more tightly drafted than the Sotelo complaint. I expect this tighter drafting gives it even better odds of surviving a motion to dismiss. Whether the lawsuit can survive summary judgment, however, is a much different story!

Posted by Eric at 06:49 PM | Adware/Spyware , Publicity/Privacy Rights , Trespass to Chattels

September 13, 2005

Specht v. Netscape--What Happened After the 2nd Circuit Remand?

By Eric Goldman (with help from Matt Goeden)

The Specht v. Netscape 2nd Circuit opinion is a modern classic. The case articulates a clean (and, in my opinion, sensible) rule about online contract formation. I think it's a great teaching case because of the clarity of its rule and because it illustrates the consequence of sloppy third party distribution practices. The case is also noteworthy as an early skirmish in the spyware battle. As a result of its significance, the case has become pretty popular in both Cyberlaw and Contracts courses.

I just taught the case in my Cyberlaw class, and it occurred to me that I could not recall hearing about any developments in the case since the 2002 2nd circuit ruling. A quick Google search was fruitless, so I asked Marquette 3L Matt Goeden (who runs his own blog, fscklaw.com) to research what happened.

Here is Matt's report on his findings:

R.I.P. -- Specht v. Netscape

While we weren't paying attention, Specht v. Netscape, an oft-cited click-through contract formation case, was settled in early 2005. Apparently, there was even a website outlining the settlement; the website doesn't exist anymore, but can found at archive.org. The official settlement notice could also be found on the website (but not any more; here is a copy).

[Eric's comment: some of the parties' posturing about the settlement is pretty amusing, such as the following:

"Netscape and AOL believe that the versions of SmartDownload at issue were entirely lawful, effective, and valuable software products that harmed no one and that made using the Internet and downloading files simpler, more convenient, and more reliable."

Tip to Netscape--a settlement notice over your software being spyware is generally not the best place to make a sales pitch for your software!]

As far as I can see, the plaintiffs received nothing but the satisfaction that Netscape will never allegedly "intercept" their (and others') electronic communication again.

Moreover, the district court denied awarding attorney's fees for the settlement because the ECPA "requires a violation to trigger relief" and the settlement expressly denies any violation. The attorneys were seeking a cool $1.5 million. See the ruling.

In 2003, New York fared slightly better when Attorney General Eliot Spitzer and Netscape settled for $100k and similar cease-and-desist promises.

So, for having allegedly been a spyware purveyor, the net consequences to Netscape were:

* $100,000 check to NY and no money to consumers
* paying their defense legal fees but none of the plaintiffs' attorneys fees
* flushing of the collected data
* issusing a new version of the software (which is still online; I use the screen shot of this page in class to show how Netscape converted the page to a mandatory non-leaky clickthrough agreement)
* a few other minor promises, like agreeing to some third party audits

All told, a pretty good outcome for Netscape. We'll have to see if all alleged spyware purveyors (like DirectRevenue) are so lucky!

Posted by Eric at 05:56 PM | Adware/Spyware , Licensing/Contracts

September 01, 2005

Downloading Software onto Home Computer May Be Trespass to Chattels--Sotelo v. DirectRevenue

Sotelo v. DirectRevenue LLC, No. 05 C 2562 (N.D. Ill. Aug. 29, 2005).

It was pretty obvious when the complaint was filed in March that this lawsuit warranted careful scrutiny. This initial ruling reinforces that point. This ruling is interesting and important...but it is also frustrating due to its procedural limitations (as a motion to dismiss) and substantive mistakes. Nevertheless, this case could have some impact on other lawsuits. And should the court's plaintiff-friendly rulings gain more traction, this case could usher in a lawsuit extravaganza against adware companies and perhaps software vendors generally.

Background

This lawsuit arises from users' frustration with unwanted adware. Although there have been a few attempts to bring private causes of action against adware vendors and their advertisers/distributors, none of these efforts have met with much success yet.

Procedurally, the case was initially filed in Illinois state court. However, because the plaintiffs are seeking to form a class, the defendants were able to remove the case from state court to federal court (N.D. Ill.).

The Arbitration Clause

DirectRevenue's EULA contained an arbitration clause, so DirectRevenue moved to dismiss this lawsuit in favor of arbitrating the claims. However, to decide if the claims are arbitrable, the court has to decide if the plaintiffs agreed to the EULA containing the arbitration clause. Thus, the court confronts the well-discussed topic of whether DirectRevenue properly formed a contract with its users.

This is an issue that has perplexed me for some time. Given the legal risks they face, I simply do not understand why adware vendors do not use mandatory non-leaky clickthrough agreements. I further do not understand why adware vendors rely upon third party distributors to form the requisite agreements with users. Instead, to ensure proper formation, adware vendors should display a mandatory bootscreen the first time their software tries to run (i.e., before serving any ads). This bootscreen should give users the choice to accept or reject the terms, and the adware vendor should control the text and the mechanical process of the bootscreen completely. If adware vendors did this, they wouldn't have to worry about (a) sloppy practices by distributors, (b) users saying they didn't know what they were doing, and (c) courts shredding their contract formation process.

In this case, it appears that DirectRevenue was trying to rely upon a browse-wrap style formation process (i.e., the agreement was on a page that users did not need to see to install the software). Although some courts will give effect to browse-wrap terms, the vast weight of precedent is against such formation processes. This court joins the majority line of cases (although, interestingly, without citing any precedent despite dozens of cases on point). The court's opinion is entirely opaque on its thinking, except that it seems to accept that the EULA process wasn't mandatory and the plaintiff didn't see the terms otherwise. (The court also rightly rejects a silly argument that the "?" in the top bar of advertisements (which, if clicked, would lead to the EULA), properly formed the contract.)

Finally, the court correctly distinguishes DirectRevenue's situation from that of ProCD in ProCD v. Zeidenberg because, in ProCD, the existence of terms was disclosed on the software box before the purchase was made. However, the court does not even mention Hill v. Gateway, where point-of-purchase disclosure was adamantly dismissed as immaterial, so it's frustrating that the court wouldn't even address the correct precedent.

As a result, the court does not give effect to the EULA's arbitration clause, and the case stays in federal court. However, the court's reasoning does put the plaintiff in a box for class certification. Because some members of the putative class may have gone through a process where the EULA was properly formed as a contract, these people would be governed by the arbitration clause and not eligible to participate in this lawsuit. As a result, the court does seem to signal that the class size may have shrunk.

Does Downloading Adware Onto a User's Computer Constitute "Trespass to Chattels?"

The plaintiffs allege that the installation and operation of DirectRevenue's adware constitutes a trespass of the user's computer. The defendants moved to dismiss this claim.

The court acknowledges the paucity of Illinois precedent on the doctrine, but it references other jurisdiction's cases--specifically CompuServe v. Cyber Promotions, AOL v. IMS, Hotmail v. Van$ Money Pie, AOL v. LCGM and AOL v. Prime Data.

Reading this list of cases is like a time warp--none of them are later than 1998! Where's the Hamidi case? (The court does cite the case later, but for a subsidiary proposition). Bidder's Edge? Register.com? Ticketmaster? It's pretty frustrating that the court overlooked 7 years of precedent development.

Working with a 7 year old conception of trespass to chattels, the court rejects the defense's argument that the trespass to chattels doctrine only protects service providers. Instead, the court says, "the cause of action may be asserted by an individual computer user who alleges unauthorized electronic contact with his computer system that causes harm, such as Spyware."

The court explains a little more about what constitutes "causing harm" by noting that the plaintiffs allege that spyware:

* causes significant and cumulative injury to computers
* interferes with the computer usage
* slows down the computer
* uses bandwidth
* increases "Internet use charges"
* depletes a computer's memory
* uses pixels/screen space on monitors [this one is pretty silly]
* requires more energy because slowed computers must be on longer [also pretty silly]
* reduces user productivity
* increases user frustration

Finally, the court gets to its bottom line: "Many companies and computer users consider pop-up advertisements and Spyware an Internet scourge." This does not bode well for the defense.

But many people think spam is a scourge too, yet in Intel v. Hamidi, all of the enumerated factors were true (although maybe not alleged by the plaintiffs) and Intel still lost its claim. It would have been nice for the court to discuss the Intel v. Hamidi precedent. I don't understand how it was overlooked.

Contributory Trespass?

As if the court's standards for trespass weren't troubling enough, the court then raises the specter of a new doctrine: contributory trespass to chattels. The advertiser and agency defendants move to dismiss on the basis that they are not liable for DirectRevenue's action. The court's responded by applying the motion-to-dismiss standard liberally. The court says:

"Plaintiff's allegations that aQauntive works 'in cooperation with' DirectRevenue to download advertisements, that AccuQuote utilitizes Spyware to send unwanted advertisements, and that both defendants have access through DirectRevenue to millions of computers for their targeted advertisements are sufficient to" clear the motion-to-dismiss standard.

These defendants also argue they lacked the requisite intent to commit trespass. The court says that they had intent to advertise, which is good enough to survive the motion to dismiss.

These defendants also argue that they caused no recognizable damage. The court finally acknowledges Intel v. Hamidi here, but says that the plaintiff alleged more damages than other precedent. The court specifically references the allegations of "wasted time, computer security breaches, lost productivity, and additional burdens on the computer's memory and display capabilities," although of course the wasted time and lost productivity arguments were specifically rejected in the Hamidi case, and the burdens on the display capabilities is just plain silly.

Negligence for Distributor's Actions

There are other claims and issues addressed in the ruling, but the final point for this post is the negligence claim. The plaintiffs make a general allegation of negligence, and the court says that there were sufficient allegations to avoid a motion to dismiss. DirectRevenue then argues that its distributors, not DirectRevenue, breached any duty.

The court notes the general legal principle that a hiring party is not liable for its independent contractors' negligence. However, the court refuses to dismiss on this ground, citing the plaintiff's allegation that "the Spyware distributors are controlled by DirectRevenue." However, if the plaintiffs cannot produce more facts to show that this control is beyond the typical control exercised by a hiring party in an independent contractor relationship, it seems like the negligence claim has to fail.

Conclusion

The defendants did win a few minor victories. DirectRevenue's holding company was dismissed from the lawsuit for want of jurisdiction, and the claim for unjust enrichment was dismissed. However, the principal claims--including trespass to chattels, unfair/deceptive trade practices and violations of the Illinois Computer Crime Prevention Act--all survived the motion to dismiss. As a result, I think this ruling was a big win for the plaintiffs.

Moreover, the judge signaled in a few places that he was sympathetic to the plaintiff's concerns. While there's plenty of litigation standing between the plaintiffs and a payday, this ruling dramatically increases the odds of the plaintiff's success.

From a precedent standpoint, this case is (as far as I can remember) the first case to say that individual users may have a valid cause of action for common law trespass to chattels claim based on software using their personal computers. While I think this is a logical extension of the trespass to chattels doctrine as articulated in cases like CompuServe v. Cyber Promotions (cited by the court) and eBay v. Bidder's Edge (not cited), the ruling is in tension with the Intel v. Hamidi case (barely cited), which many of us thought effectively wiped out the CompuServe/eBay cases as precedent.

I trust we all can appreciate the floodgates of litigation that may open if undisclosed downloading of software (not just adware) onto a user's computer can support a trespass to chattels claim (if you're having trouble visualizing, just think two words: Flash and Java). We'll have to see if the court puts any better parameters on its thinking at the summary judgment stage.

Suzi's take at ZDNet.

UPDATE: Alex at SunbeltBlog relays some of the plaintiff attorney's comments on the ruling.

Posted by Eric at 04:28 PM | Adware/Spyware , Derivative Liability , Licensing/Contracts , Trespass to Chattels | Comments (1)

August 31, 2005

Alaska Governor Signs Anti-Adware Law

No surprise, but Gov. Murkowski signed SB 140 into law yesterday, enacting the most problematic anti-adware law to date. In signing the law, the governor said: "By signing this bill, I am sending a strong message that we will not tolerate those who would use the Internet to dupe vulnerable Alaskans." Given that the law takes power away from consumers to pick their own software and instead empowers trademark owners to squelch competition, there may be multiple parties who are duping Alaskans in this context. Still no word yet on if there's going to be a challenge to the law and, if so, who will lead it.

Posted by Eric at 02:16 PM | Adware/Spyware

August 24, 2005

Alaska Anti-Adware Law Finally Sent to Governor

BNA reports (BNA subscription required) that the anti-adware law passed by the Alaska legislature back in May was sent to the governor August 19. The article intimates that the hold-up was due to some behind-the-scenes lobbying by Google, Yahoo and others.

The governor has until September 20 to act on it, but the BNA report indicates that the governor intends to sign the law. If signed, I assume a lawsuit challenging the law will follow unless (a) everyone waits to see how it is enforced, or (b) Congress preempts the legislation.

Posted by Eric at 01:30 PM | Adware/Spyware , Trademark

August 20, 2005

2004 Case on Advertiser Liability for Spam

Fenn v. Redmond Venture, Inc., 2004 UT App 355 (Utah Ct. App. Oct. 15, 2004).

I was digging through my stack and stumbled across this case from last year. It seems apropos to a running theme on this blog about advertiser liability for adware, so I thought it was worth blogging about even at this late date.

Plaintiff sued for violating Utah's anti-spam law, which applies to a person who "sends or causes to be sent" a spam. Sec. 13-26-103. Given the statute's wording, the state (as it has the right to do) has made it clear that advertisers could be liable for spam sent by others.

However, the defendants win summary judgment. Why? The court points to the advertiser's "Anti-Spam Agreement," which clearly prohibits the marketer from sending spam. Because of the restrictions in the Anti-Spam Agreement, the court accepts the defendant's argument that this agreement means that the advertiser did not "cause" the marketer to spam. In other words, by prohibiting spam in the advertising contract, the advertiser gets let off the hook under the anti-spam statute.

Can this result be correct? The court notes that the plaintiffs did not introduce any evidence that the defendants "encouraged or required" its marketer to send spam or that the anti-spam agreement was otherwise a "sham." So perhaps the plaintiffs could have avoided summary judgment if they could have adduced evicence of some willful blindness.

Otherwise, this case--if followed by other courts--seems to suggest that anti-spam/anti-adware advocates who want to hold advertisers liable for the spam/adware face an uphill battle. Even if a statute expressly creates advertiser liability, a simple (and perhaps rarely-enforced) restriction in the contract would cut off liability for the downstream activity.

Frankly, this seems like an all-too-simple way for advertisers to avoid liability and defeat the statutory intent, so I'm skeptical that every court will reach the same result. But I'm not aware of any contrary case law, so for now this is the leading precedent on the topic.

Finally, it should go without saying that, if I were advising advertisers, I would strongly recommend that they include non-negotiable anti-spam and anti-illegal-adware provisions in their advertising contracts.

Posted by Eric at 01:19 PM | Adware/Spyware , Derivative Liability , Marketing , Spam

August 15, 2005

Interview at Astalavista.com

I was interviewed by Astalavista.com on copyright and adware/spyware issues for their newsletter. Check out some of my loosely-structured latest thoughts on those topics.

Posted by Eric at 09:45 PM | Adware/Spyware , Copyright

August 05, 2005

Keyword Disputes Presentation

Tomorrow I'm speaking at the ABA Annual Meeting about trademark law and keyword disputes. I've prepared slides discussing the latest state of the law regarding keyword-triggering of ads by both search engines and adware.

Posted by Eric at 12:06 PM | Adware/Spyware , Search Engines , Trademark

August 03, 2005

FTC Says No Undisclosed Adware? In the Matter of Advertising.com

In the Matter of Advertising.com, Inc., and John Ferber, Federal Trade Commission File No. 042-3196 (consent order announced Aug. 3, 2005).

The FTC is signaling that it is sending a "message" with this case. The only problem? I'm not sure what message the FTC is trying to send!

The Facts

Advertising.com distributed the SpyBlast software, which claimed to be security software that would protect users from hackers. SpyBlast included adware in a download bundle. The adware was not prominently announced in the advertising, but it was disclosed in the EULA and (inconspicuously) on the SpyBlast home page. The FTC brought the enforcement action against Advertising.com (and its principal) for deceptive trade practices for failing to adequately disclose the adware component of the download bundle.

On first blush, this action makes sense. SpyBlast promised security and privacy, and many users would think that undisclosed adware is exactly the kind of thing that security software would prevent--not contain. So it would be easy to connect the dots and say that if you're a security software vendor, undisclosed adware contravenes user expectations so greatly that they deserve to be unambiguously aware of the adware in the bundle.

The "Message"

However, the FTC went out of its way to make sure that we got some greater message from this enforcement action. In a separate analysis of the proposed consent order, the FTC says:

"However, the limitation in the proposed order to respondents’ software programs whose principal function is to enhance security or privacy should not be read more broadly to suggest that the requirement for clear and prominent disclosure is necessarily limited to those situations."

Huh? There's an implicit double-negative in this sentence (the limit...should not be read...to suggest a limitation), so (as usual) the FTC is trying to say something without saying it.

Helpfully, the paragraph continues:

"Moreover, the problem here was not the security software that Advertising.com disseminated with its adware. Instead, it was the
respondents’ practice of downloading software onto users’ computers, without adequate notice and consent, that generated repeated pop-up ads as the computer users surfed the Web."

Putting this paragraph together, the FTC seems to be saying that if you distribute adware in a bundle, you have to give users adequate notice and consent of the adware.

What Did Advertising.com Do Wrong?

So the question is--why wasn't Advertising.com's disclosure adequate? They made the disclosures in the EULA and on their website. The problem was that users had no reason to read either.

The EULA was not presented with meaningfully strong call-to-action encouraging the reading of the EULA such as "By clicking the 'Yes' Button, you agree to all the terms of this EULA." Instead, the anchor text for the EULA read "Personal Computer Security and Protection Software from unauthorized users" (complaint, paragraph 6). This language was presented in a Microsoft software download alert box (what some would call a "drive-by download," although I think that term covers other situations). The language does continue "once you agree to the License Terms and Privacy Policy...click YES to continue" (see Exhibit B) but the grammar in the sentence still does not create a mandatory clickthrough. Like the gentle language in Specht v. Netscape, the language is more like "you should consider Y" than "if you do X, you're binding yourself to Y." (Plus, apparently the words "License Agreement and Privacy Policy" were not hyperlinked to the EULA, which is odd).

So although the document was styled as a EULA, it was presented more like a browsewrap than a clickthrough. Many Cyberlaw lawyers would think that it wasn't a binding contract at all.

Similarly, there was no call-to-action that would have encouraged the user to visit the SpyBlast web page to be exposed to a significant disclosure--and even if the user did, the disclosure was pretty hard to see.

The "Message" Redux

Based on this, I can read the FTC enforcement action one of two ways:

(1) Every software bundle containing adware must clearly and conspicuously disclose the presence of the adware as an integral part of the ad copy, or

(2) If a vendor wants to distribute adware as part of a bundle, then the disclosures don't need to be in the ad copy but do need to be integrated into some legally binding EULA or otherwise preceded by a sufficiently strong call-to-action.

The only thing the FTC does to tip its hand further is to say that the behavior did not comport with its Dot Com Disclosures document. Unfortunately, the Dot Com Disclosure document is far from clear--it rarely tells the reader yes or no, but instead it casts most behaviors as shades of grey. So pointing to the Dot Com Disclosures document without a little more guidance still leaves me scratching my head.

Sending a Message via a Defendant Who Couldn't Care Less

One other thing about sending a message through this enforcement action really bothers me. The FTC is going after a group of defendants who presumably are incredibly unmotivated to care about their requests. Advertising.com has already sold to AOL, who has no interest in messing with the FTC...plus, they have no reason, as AOL is not bound by the agreement. Further, the settlement does not involve any cash, and Advertising.com claims to be long out of the SpyBlast business, so the agreement's restrictions will be particularly easy to comply with (i.e., they don't have to change their behavior at all). So Advertising.com has virtually zero skin in the game, and they have absolutely ZERO incentive to push back on any FTC request. It's a little hard to fully get the message in an enforcement where the defendants are going to instantly roll over and play dead.

This is not to say that hard negotiations didn't proceed this announcement. Maybe the FTC initially demanded cash and Advertising.com/AOL avoided that only through skillful negotiation. But as the consent agreement now reads, there's no meaningful consequence to Advertising.com to signing the document, so why wouldn't they happily do so?

Conclusion

In its analysis memo, the FTC seems to be going out of its way to solicit comments on this enforcement action. I might take it up on that request. If I do, my principal comment will be simple--tell us if you meant reading #1 or #2! More specifically, if the FTC is trying to take position #1--that every download bundle containing adware must prominently annouce the presence of adware in the ad copy--I think we deserve a clear pronouncement to that effect and perhaps even some explanation for why the presence of adware must be elevated above many other product attributes that consumers might care about.

Without further clarification from the FTC, I think many lawyers will cautiously interpret this enforcement as a signal that disclosures about adware need to be an integral part of the marketing. My hunch is that the FTC would be happy with that outcome even if they are unwilling to issue an edict directly.

UPDATE: Suzi weighs in with her assessment: "The FTC is now on the record that companies must specifically disclose adware functionality in a clear and conspicuous manner OUTSIDE OF THE EULA."

UODATE 2: Cracker of an Issue weighs in with a thoughtful analysis. I agree that companies generally should consider the FTC's standards as minimum baselines that they frequently exceed, but I'm not sure that the FTC has picked the right standard here or has even made the standard clear.

In the end, we can't tell consumers EVERYTHING about the software on the hopes that some of it might be useful to some of the consumers. Overdisclosure is costly to producers, but more importantly, it's costly to consumers to wade through lots of disclosures that they do not consider relevant.

It might be that virtually all consumers consider a prominent notification of "adware-inside" to be relevant, so on that basis, this issue may be worth elevating. But if the FTC is trying to say that disclosure in the EULA isn't enough, the FTC ought to articulate its reasons why this topic is elevated over the dozens or hundreds of other disclosures that a company must make or wants to make in its EULA.

Posted by Eric at 09:36 PM | Adware/Spyware , Licensing/Contracts , Marketing

August 02, 2005

Are Adware Advertisers Responsible for Adware?

The topic of "who is responsible for what?" in the adware industry keeps coming up. I've repeatedly blogged on this topic in somewhat piecemeal fashion, but I finally organized my thoughts into an editorial that ran this morning in News.com. It will not surprise regular readers of this blog that I argue that the anti-spyware advocates have gone too far.

Posted by Eric at 08:42 AM | Adware/Spyware , Derivative Liability , Marketing

July 25, 2005

Bellia on Spyware, and Searcy v. Microsoft

Patricia Bellia of Notre Dame Law School recently posted a paper on spyware and surveillance laws, Spyware and the Limits of Surveillance Law. She challenges those who believe that the Electronic Communications Privacy or the Computer Fraud and Abuse Act adequately address spyware, concluding that “there is good reason to question whether federal electronic surveillance statutes can successfully combat anything but the most extreme forms of spyware.”

If nothing else, this article points out that there is an existing body of law pertaining to “spyware,” and much of it constitutes plaintiffs’ losses in court (although, I should note, there have been a number of settlements where defendants have paid money). As Bellia points out, some of these losses are attributable to judicial formalism.

As an example of these phenomena, consider Searcy v. Microsoft Corp., 2005 WL 1163114 (M.D. Fla. May 4, 2005). This case is putatively a spyware case, although (like many spyware cases) it doesn’t really discuss the allegations in those terms. The case is further muddled by the fact that (a) Searcy was a pro se plaintiff, and (b) worse, he was an incarcerated man with a history of repeat frivolous lawsuits. Usually these attributes produce poor judicial reasoning, as evidenced here.

In this lawsuit, Searcy alleges that Microsoft and AOL created and distributed software devices that surreptitiously captured personal information. He alleged that the capture violated the ECPA. However, he never alleges that the defendants ever did anything with that information. As a result, the court immediately rejects the lawsuit.

So far, so good. Then, the court continues:

"Defendants could not be held liable for the manufacture and distribution of software which may be exploited by third parties and used to illegally obtain a person's electronic information."

[An aside: the court footnotes this sentence to Zeran and AOL v. Green, both cases where the defendants relied on 47 USC 230. However, by its terms, 47 USC 230 doesn't apply to ECPA claims, so the court's reliance on these cases is sloppy at best.]

The court then concludes:

"[The ECPA] simply does not contemplate imposing civil liability on software manufactures [sic] and distributors for the activities of third parties."

This latter sentence is a strong statement, and it seems germane to the continuing confusion over how we sort through the allocation of responsibility between advertisers, manufacturers and distributors/affiliate marketers. The court was clearly saying that merely developing a tool to capture data does not violate the ECPA, even if some unrelated third party exploits that data. However, this language might also suggest a broader principle that there are strong limits to derivative liability under the ECPA irrespective of 47 USC 230.

Unfortunately, this case will never be good precedent because of the plaintiff's unique situation. However, the case both reinforces Bellia’s points and represents yet another example where a court rejects the legal claims of anti-spyware plaintiffs.

Posted by Eric at 11:54 AM | Adware/Spyware , Derivative Liability , Privacy/Security | Comments (1)

July 23, 2005

Spyware, the Pew Report, Anti-Terrorism Efforts and Coping with Spam

I'm a little late blogging about the most recent Pew report on spyware. A couple of weeks ago, Pew Internet & American Life Project released its report "Spyware: The threat of unwanted software programs is changing the way people use the internet." I thought the report was generally interesting, but one fact stood out above the others: "91% of internet users say they have made at least one change in their online behavior to avoid unwanted software programs."

I think it's tempting to lament these behaviorial changes. At minimum, they represent a loss of innocence. Plus, there might be deadweight losses from these changed behaviors--if these changes do not produce any corresponding benefit, they just represent wasted effort.

I've wrestled with these issues as I've witnessed our response to terrorism (particularly after 9/11). As a society, we have increased our spending on security--new assets (super-duper baggage scanners), new labor (screeners), new time-consuming practices (it takes me 5 minutes to get through baggage scanning...and don't even get me started on the time my plane was diverted from National Airport to Dulles because some yutz stood up from his chair in the last 10 minutes of the flight). Collectively, these represent a major social expenditure, and I'm not sure if we get back concomitant social benefits.

However, there's another way to look at this issue, a viewpoint I am slowly embracing. There will always be terrorists, just like there will always be purveyors of viruses, malware and other harmful software. As much as we'd like to retain our innocence, we necessarily must incur some costs to cope with these inevitable threats as part of the consequences of living in a complex society. So given that we have to incur costs to protect ourselves from online threats, my policy objective is to make sure that those costs are appropriately measured at each incremental step.

On that front, I found the 91% statistic from Pew to be good news, not bad. We need online users to exercise some vigilance against online threats, and the Pew report suggests that consumers are going from doing nothing to protect themselves to doing something. This is a major step in the right direction, and I'm reasonably confident that society gets concomitant benefits from these incremental steps.

This statistic also reinforces a pattern that I've seen with various new online technologies that are initially perceived as threats. One of the reasons why I'm not panicked about "spyware" is that we are in the earliest stages of dealing with spyware. There will be a number of organic systems that will automatically correct for the spyware threats--entrepreneurs will spot new market opportunities and develop new coping/protection technologies, evolved business practices will marginalize the most egregious commercial behavior, and consumers will get smarter. The Pew report shows that the latter system is already organically correcting itself. We don't need new laws to do what consumers will naturally start doing themselves. A little patience will show that the spyware threat can and will be contained even if it is never eliminated--just like the threat of terrorism can be controlled but never eliminated.

There are those who will insist on regulation nevertheless. In some cases, it may be in their commercial interest to game the legislative system. In other cases, the early abuses/excesses create such moral outrage towards the entire category that some people will demand legislative vengeance even as the problem is ameliorating in the marketplace.

However, if we can keep our cool and exercise a little patience, everyone else will find that the market self-corrects. I'm 100% convinced that if Pew releases a report on spyware in 2007, its statistics will show that consumer anxiety about and problems with spyware will be significantly lower than they are today--even if we were to roll back all the new anti-spyware laws and didn't pass any new ones. Pew already demonstrated this phenomenon with spam ("email users say they are receiving slightly more spam than before, but they are minding it less"). I'm convinced spyware will be no different.

While many people may point to this Pew report as further evidence of a problem (which would be partially consistent with the report writer's gentle spin on the data), instead I point to it as resounding evidence that we are on the path to a solution. The quicker we implement coping strategies, the quicker we will realize that the spyware problem is eminently controllable.

Posted by Eric at 08:15 AM | Adware/Spyware

July 12, 2005

"Adware's Second Act"

Stefanie Olsen at News.com recaps some of the efforts that adware makers have undertaken to become more legitimate. She points to the example of WhenU, which changed its installation policies and cleaned out some distributors--and watched its installation base drop up to 50%.

This is good news, isn't it? Adware vendors have heard the critics (and others) and are cleaning up their practices accordingly. There was a bubble of bad practices for a couple of years, and we've moved beyond that.

As a result, I hope we will get a truer picture of social demand for adware. I think it's far greater than most people give it credit for. Specifically, I think in 10 years from now, virtually every online ad-delivery mechanism/network will look a lot like adware. And I further think we'll be appalled at how crude the ad-delivery mechanisms of the late 1990s and early 2000s really were.

Posted by Eric at 10:47 AM | Adware/Spyware

July 09, 2005

Gosbee v. Martinson--Trial Court Motion to Dismiss Reversed on Appeal

Gosbee v. Martinson, 2005 ND APP 10 (N.D. Ct. App. July 6, 2005). This is the latest ruling in a RICO action based on the "Spy Wiper" software program. The plaintiff alleges that the defendants hijacked his computer to create demand for the software. David Bank wrote a story on Gosbee's plight back in April 2004.

The appeals court summarizes the lower court's determination as follows:

"Martinson moved for dismissal of the complaint under N.D.R.Civ.P. 12(b)(6) for failure to state a claim, or alternatively for summary judgment. Martinson alleged that any "highjacking" of Gosbee's computers was caused by one of Martinson's marketing affiliates, and he was not responsible for the actions of the affiliate. The trial court granted Martinson's motion for dismissal, [FN1] and judgment was entered dismissing the action and awarding costs and disbursements to Martinson."

Gosbee objected to the award of costs/disbursements and asked for reconsideration of the dismissal and an opportunity to amend the complaint. The trial court rejected both, and Gosbee appealed. In this ruling, the appeals court reversed the trial court, saying that the trial court has to give Gosbee a hearing.

The plaintiff is going to get another day in court, but it's never a good sign for the plaintiff when a trial court grants a motion to dismiss the complaint, does not give an opportunity to amend, and refuses to reconsider. Some of this may be due to "inartfully drafted" pleadings, and some news reports indicated that the plaintiff wasn't responding promptly to the trial court. While the appeals court practically instructs the trial court to give the plaintiff an opportunity to amend, it's going to be tough for the plaintiff to win back this judge.

Spyware Warrior has a small repository of papers related to this action.

Related action: in April, the FTC extended an enforcement action to include the defendants in this case. This, along with Spitzer's enforcement action against Intermix, raises the recurring and critical question of when a vendor is liable for its affiliate's actions. Note how the trial court in this case resolved that question. I'm not yet clear, however, if the FTC's theory is advertiser liability under CAN-SPAM; there is statutory authority for that.

Posted by Eric at 05:23 AM | Adware/Spyware , Derivative Liability

July 08, 2005

Study on User Consent and Spyware

Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware by Nathaniel Good et al. I've already lauded this study after I heard Deirdre Mulligan present the findings at the Boalt Spyware conference in April. If we agree with its findings, then this paper destroys many of the foundational assumptions of regulators and anti-spyware advocates about consumer behavior and psychology, thus highlighting how many current regulatory/consumer protection efforts are misdirected.

The key findings (from the abstract):

"Our study indicates that while notice is important, notice alone may not be enough to affect users’ decisions to install an application. We found that users have limited understanding of EULA content and little desire to read lengthy notices. Users found short, concise notices more useful, and noticed them more often, yet they did not have a significant effect on installation for our population. When users were informed of the actual contents of the EULAs to which they agreed, we found that users often regret their installation decisions.

We discovered that regardless of the bundled content, users will often install an application if they believe the utility is high enough. However, we discovered that privacy and security become important factors when choosing between two applications with similar functionality. Given two similar programs (e.g., KaZaA and Edonkey), consumers will choose the one they believe to be less invasive and more stable. We also found that providing vague information in EULAs and short notices can create an unwarranted impression of increased security. In these cases, it may be helpful to have a standardized format for assessing the possible options and trade-offs between applications."

Highly recommended reading.

UPDATE: Eric L. Howes does a careful analysis of the study and, not surprisingly, identifies some possible limitations of the study. No study is perfect, and that includes a limited-scale ethnographic study. Instead, I look at this study as a challenge to the anti-spyware community to question some deeply-held views about what users are doing in the field and what will help those users make good (better?) choices.

Posted by Eric at 05:12 PM | Adware/Spyware , Licensing/Contracts

June 30, 2005

Symantec Sues Hotbar for Declaratory Judgment That Symantec's Classifications/Descriptions Do Not Create Liability

Symantec Corp. v. Hotbar.com, Inc., Case No. C05-02309 (N.D. Cal. complaint filed June 7, 2005).

This complaint was filed 3 weeks ago, but I was only able to get a copy of the complaint today. Even then, I have not yet seen or uploaded the 169 pages of exhibits; I will try to get those online soon. [UPDATE: see below--Exhibits are now online]

As helpfully catalogued by Ben Edelman, a fair number of software vendors have demanded that anti-spyware vendors or anti-spyware critics stop characterizing their software as “spyware” or “adware.” In this complaint, Symantec fights back against one such demand, seeking a declaratory judgment that Symantec’s descriptions and characterizations of Hotbar’s software do not create legal liability.

Specifically, as best as I can tell from the complaint (without the exhibits), Symantec has characterized Hotbar’s software as “adware” (Para. 32), which Symantec defines as “Programs that facilitate delivery of advertising content to the user through their own window, or by utilizing another program’s interface. In some cases, these programs may gather information from the user’s computer, including information related to Internet browser usage or other computing habits, and relay this information back to a remote computer or other location in cyber-space. Adware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger adware by accepting an End User License Agreement from a software program linked to the adware or from visiting a website that downloads the adware with or without an End User License Agreement.” (Para. 9).

In addition, Symantec described Hotbar’s software as follows: “Adware.Hotbar adds graphical skins to Internet Explorer, Microsoft Outlook, and Outlook Express toolbars and adds it [sic] own toolbar and search button. These custom toolbars have keyword-targeted advertisements built into them. Adware.Hotbar can send information on browsing habits to various servers, which may be used for targeted marketing.” (Para. 34).

As far as I can tell, these two statements (the labeling as “adware” and the description of the software) comprise the entire set of "statements" that Symantec is concerned about creating liability. Symantec seeks a declaration from the court that the characterization and description:

· Is accurate
· Does not create trademark infringement
· Is not trade libelous or disparaging
· Does not intentionally/negligently interfere with contract
· Does not intentionally interfere with prospective economic advantage.

These requests indicate the types of claims that Symantec feels that Hotbar could theoretically bring against Symantec. Presumably, these also represent the types of claims that software vendors might generally bring against anti-spyware vendors or critics.

So far, so good. However, I was surprised at how many seemingly extraneous and gratuitous facts were alleged in the complaint. It appears that Symantec alleged a bunch of facts whose only relevance is to illustrate how Hotbar is not a good corporate citizen. While I know many anti-spyware vendors and critics feel this way, Hotbar’s corporate citizenry has absolutely zero relevance to the merits of Symantec’s classification or description.

Some examples of the gratuitous remarks. First, the complaint spends several paragraphs talking about “spyware” and how lots of institutions don’t like Hotbar’s software. I assume this is designed to make readers of the complaint think negative thoughts about Hotbar by implicating that it might be spyware. Only problem—at least as alleged in the complaint, Symantec never called Hotbar “spyware” either in the classification or description at issue, making all of the discussion about "spyware" completely irrelevant to the complaint.

Second, the complaint makes extraneous remarks such as that Hotbar has a really long EULA (Para. 24) and that it targets its application to kids (Para. 26). True or not, these facts once again have nothing to do with Symantec’s description or classification (i.e., Symantec's definition of adware does not implicate either EULA length or target audiences).

I understand litigators play hardball; that’s why they get paid the big bucks. However, litigators can go too far, and personally I think it’s unprofessional to put facts in a complaint that have no relevance to the causes of action but instead serve only to smear the defendant’s character. I’m not 100% convinced that happened here; perhaps the exhibits make some of these facts relevant. If not, then these facts should not be in the complaint, and Hotbar probably could get the judge to strike them if it chose to go that route. Further, if these facts are truly irrelevant, then I find their inclusion in the complaint entirely consistent with the general anti-spyware zealots' campaign to misdirect and obfuscate the real legal issues in a hope that sufficient taints by association can lead to their desired outcome regardless of the law or what constitutes the best social outcome.

Despite the complaint's seemingly gratuitous attempt to smear Hotbar, I nevertheless applaud Symantec for standing up for its classification and description. I can’t opine on the merits of Symantec’s allegations or the merits of its case; that’s for the court to decide. However, I remain deeply troubled that software vendors are attacking anti-spyware vendors and critics solely to bully them into changing their legitimate opinions. We need room for honest critiques of software vendors, and nastygrams can distort the marketplace by excising helpful but critical comments that consumers need to know.

Therefore, we need some counterweight against the senders of bogus nastygrams to discourage them from sending such letters without fear of negative consequences. I’m a little disappointed that Symantec—if they really believe in the accuracy of their classifications and descriptions—didn’t try harder to find some affirmative causes of action it could have brought against Hotbar based on their nastygrams.

Finally, the complaint indicates just how much we would all benedit from consistent, widely-accepted definitions of adware and spyware. Symantec's complaint introduces no less than 6 different definitions of adware, each with their own unique nuances. I know the CDT is leading an effort to come up with good definitions, and I'm watching this effort closely. I remain hopeful but cynical that we can reach consistent definitions so that we can at least all speak the same language.

UPDATE

Ben Edelman has graciously agreed to host the 6MB+ of exhibits, which unfortunately came off PACER in seven different PDFs.

Exhibits A-E
Exhibits F-H
Exhibits I-J
Exhibits K-M
Exhibit N (part 1)
Exhibit N (part 2)
Exhibits O-Q

Posted by Eric at 10:36 AM | Adware/Spyware | Comments (1)

June 28, 2005

Important 2d Circuit Adware Case--1-800 Contacts v. WhenU

1-800 Contacts, Inc. v. WhenU.com, Inc., Docket Nos. 04-0026-cv and 04-0446-cv (2d Cir. June 27, 2005).

Overshadowed by yesterday’s Grokster mania, the Second Circuit finally issued an important ruling about WhenU's liability for trademark infringement.

The court found that WhenU was not liable for trademark infringement as a matter of law: "We hold that, as a matter of law, WhenU does not 'use' 1-800's trademarks within the meaning of the Lanham Act, 15 U.S.C. 1127, when it (1) includes 1-800's website address, which is almost identical to 1-800's trademark, in an unpublished directory of terms that trigger delivery of WhenU's contextually relevant advertising to C-users; or (2) causes separate, branded pop-up ads to appear on a C-user's computer screen either above, below, or along the bottom edge of the 1-800 website window."

By rejecting 1-800 Contact's case for lack of a trademark "use," which is a precondition for any trademark infringement liability, all other aspects of the trademark case (likelihood of confusion, defenses) were moot. In other words, if the plaintiff can't establish trademark use, then trademark infringement defendants are entitled to summary judgment regardless of any other alleged facts. Thus, the appellate court did not remand the case to the district court for further fact-finding; instead, 1-800 Contacts loses as a matter of law, and 1-800 Contact's trademark claims are completely dead unless they want to appeal the case to the Supreme Court (which would strike me as an odd move here). Because 1-800 Contacts already lost its copyright case, I think their case is effectively dead as well.

What Does This Case Mean?

I think the opinion is generally great. The lower court opinion was truly awful, and the Second Circuit clearly and unambiguously rejected that opinion. In particular, the court gave us lots of insights into what constitutes trademark "use" in the Internet keyword context. There has been considerable confusion on this very question, and the Second Circuit's opinion will be persuasive precedent in all future cases throughout the nation.

The court also understood that this case involved important issues about how consumers look for wanted information and pick preferred tools to do so. Specifically, the court derisively rejects WhenU’s repeated exhortations that WhenU’s pop-up ads are “unauthorized.” The court emphatically states that contemporaneous displays of software windows on a user’s computer screen do not need to be authorized by a trademark owner. The court then notes that WhenU’s pop-up ads are authorized because the user downloaded the software. The court fully appreciates that 1-800 Contacts’ arguments had the potential to take choices away from consumers about how they manage their computer desktop and windows, and the court correctly shuts down this anti-consumer effort.

Amidst the abundance of good news, I do have a few minor twinges of disappointment. Most notably, the court did not discuss the "initial interest confusion" doctrine at all. This doctrine has junked up Internet jurisprudence since 1999, and the lower court opinion exemplified exactly how courts misuse the doctrine. Thus, I was hoping that the Second Circuit would confront this issue and, optimistically, give us a clear statement of the doctrine. That clear statement will have to wait until another day.

Also, the opinion is plagued by several odd arguments that mostly seemed designed to limit the case to WhenU's facts. As a result, this opinion may offer very limited utility to search engines regarding their practices of selling keyword-triggered ads. This is unfortunate because we desperately need clarity on this topic, and the court's reasoning easily could have extended to search engines.

Finally, I fear this case will only exacerbate the trend where plaintiffs like 1-800 Contacts use their legislative influence to convince state legislators to pass protectionist/anti-consumer anti-adware laws like Utah and Alaska have done. Under the Second Circuit’s reasoning, the Utah anti-adware law is currently ineffective against adware vendors (at least, as applied to WhenU) because it requires trademark infringement as an essential element of the claim, and the lack of trademark use means that WhenU is not committing trademark infringement as a matter of law. However, Alaska's anti-adware law has no such requirement--an omission that, I think, reinforces both its unconstitutionality and preemption by federal law—which may also lead other states to replicate Alaska's law as a "model."

Whether this battle is fought in courts or the legislatures, this opinion does not end the battle over keywords, adware or how law can help (or hurt) consumers in making choices. Nevertheless, this case will have a major impact in the Second Circuit and beyond, and fortunately the opinion reaches the right result and makes a number of great points in doing so.

What Constitutes Trademark “Use”?

The court unambiguously says that WhenU did not engage in trademark use. In doing so, it points to two previous cases, Wells Fargo v. WhenU and U-Haul v. WhenU, where district courts had found that WhenU had not engaged in trademark use. The lower court simply ignored this precedent, and the Second Circuit properly chided the judge for cutting this corner. As the court says: “the district court’s consideration of these two comprehensive decisions on the precise issue at hand was confined to a footnote in which it cited the cases, summarized their holdings in parantheticals, and concluded, without discussion, that it ‘disagree[d] with and [was] not bound by these findings.’….Unlike the district court, we find the thorough analyses set forth in both U-Haul and Wells Fargo to be persuasive and compelling.”

The court then discusses how keyword triggers and displaying pop-up ads do not constitute a trademark use:

Trademarked Keywords in the Database Used as Triggers

The court says that WhenU does not use 1-800 Contact’s trademarks when it puts the term in its database of keywords that trigger ads. The court properly notes that WhenU “does not ‘place’ 1-800 trademarks on any goods or services in order to pass them off as emanating from or authorized by 1-800.” Later, the court correctly says that including the term into WhenU’s database “does not create a possibility of visual confusion with 1-800’s mark.” Thus, the court understands that if consumers do not see or perceive the trademark in association with the defendant’s goods or services, there is no trademark use. This is a point that many courts simply overlook or misunderstand, and the Second Circuit gets it 100% correct here.

However, in support of this point, the court makes an odd distinction between “www.1800contacts.com” and the trademark “1-800Contacts.” The court says that www.1800contacts.com “functions more or less as a public key to 1-800’s website.” I have no idea what the court means by this. The court could have said that the term www.1800contacts.com is functional and thus is not entitled to trademark protection, but the court doesn’t say that. If it did, we would have a hard time understanding why the trademark “1-800Contacts” isn’t also functional (it’s the “public key” to calling the company).

I think the court is trying to distinguish between using words as trademarks and using words for other cognitive or semantic meanings. I support such a distinction, but it is a difficult distinction to make. This brings to mind the attempted distinctions made by the district court in Playboy v. Netscape. In that case, the search engine was triggering ads on the words “playboy” and “playmate,” and the lower court said that the search engine was using the words as dictionary words, not for their trademark meaning. I think this subjective inquiry is dangerous (I would rather focus on what consumers understand the words to mean), and the distinction only applies to trademarks that are also dictionary words (i.e., not fanciful terms).

Is the Second Circuit trying to revitalize that distinction? It seems so. The court says that WhenU is using the term www.1800contacts.com “precisely because it is a website address” while for WhenU to have capitalized on the trademark’s fame/recognition, WhenU would have had to include the exact trademark (1-800Contacts) in the database. Thus, arguably the court could, in the future, distinguish any other keyword in the WhenU database that aren’t a URL. The court recognizes this potential but sidesteps it. In FN 11, the court says that it doesn’t opine on whether including the exact trademark in the database is necessarily infringing. Too bad—we’d like to know the answer to that question!

The court then further limits its reasoning to WhenU-specific facts when it notes that WhenU customers cannot buy specific keywords. Instead, WhenU sells topical categories, so customers cannot “request or purchase specified keywords to add to the directory.” This distinguishes WhenU from other adware companies, but it also distinguishes WhenU from all search engines that sell individual keywords. I don’t think it’s fair to read the opinion for the converse proposition—that selling individual trademarked keywords is a trademark use—but the opinion arguably leaves that possibility open.

Finally, in a footnote, the court takes a dig at 1-800 Contacts for duplicity. The court notes that 1-800 Contacts has bought keyword-triggered ads in adware using trademarks of its competitors (including the advertiser defendant in this case, Vision Direct). Note to plaintiffs: courts don’t like it when you engage in the same behavior that you claim caused you harm.

Placing Pop-Up Ads Over Plaintiff’s Website

The court says that placing pop-ads on 1-800 Contacts’ website is not a trademark use because the ads do not display the 1-800 Contacts’ trademarks. This is a confusing statement because some ad copy could have displayed 1-800 Contacts’ trademarks (if only to make comparative advertising, or perhaps more confusingly). It’s not entirely clear how the court can make a sweeping factual statement about the ads’ contents.

However, the court might not care about the ad copy, at least for purposes of WhenU’s liability. WhenU’s ads were labeled as coming from WhenU, so the court might be saying that WhenU didn’t display the trademarks itself and therefore the court cares less what was in the advertiser’s copy. Note that Google’s contributory liability for ads that contained the GEICO trademark is the remaining issue in the GEICO v. Google case.

The court continues by arguing that the pop-up ads are not directly triggered by 1-800 Contacts’ trademarks. In support of this argument, it again makes the distinction between a URL and the trademark, but it also says that the pop-up ads could have triggered by a number of terms other than 1-800 Contacts’ trademarks, including “contacts” and “eye care.”

In my mind, there are lots of reasons why the pop-up ad could have appeared, and we can’t make any assumptions about what happened, why it happened, or what consumers expected. The court fully gets this point. It notes that WhenU users receive ads “in a myriad of contexts,” and then in FN 14 it fully embraces the point: “1-800’s claim that C-users will likely be confused into thinking that 1-800 has sponsored its competitor’s pop-up ads is fairly incredulous given that C-users who have downloaded the SaveNow software receive numerous WhenU pop-up ads – each displaying the WhenU brand – in varying contexts and for a broad range of products.”

Reinforcing that simply overlaying pop-up ads on plaintiff’s website isn’t trademark use, the court analogizes to offline trademark “adjacencies”—such as how retail stores put their house brand next to branded products on store shelves. I have a lot more to say about adjacencies in a future paper. However, I think the court is 100% correct that adjacencies should not be a trademark “use,” and I further think the court understood that the pop-up ad is just another form of adjacency.

Finally, the court again notes that WhenU’s practices differ from other adware companies and search engines because WhenU sells categories, not individual keywords. As with the prior discussion, I would not read this opinion for the converse proposition (i.e., selling individual keywords is a use), but the liability seems to be left open.

My Bias

I worked with the Electronic Frontier Foundation to file an amicus brief in favor of WhenU. Although the brief didn't get cited, it may have been helpful to the court to recognize the important social issues implicated by the case and to see how the lower court opinion was a travesty that needed to be soundly rejected. I have also written a lengthy law review article criticizing the lower court opinion (among others) and making several arguments that dovetail well with this ruling.

Posted by Eric at 12:35 PM | Adware/Spyware , Derivative Liability , Trademark

June 25, 2005

AP Story on Defining Spyware/Adware

As a follow-up to yesterday's story on advertiser liability for adware, today the AP runs a story about the definitional ambiguities of the words "spyware" and "adware," and the problems those ambiguities create. I think this quote sums it up best:

"`Spyware' has sort of become the euphemism for any software I don't want," said Wayne Porter, co-founder of SpywareGuide.com.

The result is chaos.

As the article points out, the characterization has important consequences for consumer behavior. The story gives some illustrations of how spyware/adware label is just another type of ambiguous metadata that can lead to mistakes in judgment.

There's plenty of other good tidbits in this article. Recommended reading.

Posted by Eric at 12:44 PM | Adware/Spyware

June 24, 2005

AP Story on Advertiser Responsibility for Adware

Michael Gormley of the Associated Press has finally released his story on advertiser responsibility for adware (I interviewed with him almost a month ago). The article does a good job recapping the issues. I have a lot more to say on this topic; I've written an op-ed piece that I am hoping to publish in the near future. Stay tuned.

In the interim, this article illustrates the witchhunt process being used by the zealots. When "caught" advertising on adware, many advertisers will turn tail--the textbook response to unwanted PR. But advertisers aren't all that excited about preemptively avoiding advertising on adware for a simple reason--advertising on adware is, in the words of Verizon's spokesperson, "effective."

If the zealots have their way, they will find a way to change the legal environment (or obfuscate the issue to make it sufficiently impossible to tell what the law is) to make advertisers feel some of their angst. However, the fact that many advertisers aren't just folding in the face of zealousness should not be ignored. There's real value being created by the advertising--not just for advertisers, but for consumers and society at large. We should not allow misdirected zeal to moot this value.

Posted by Eric at 02:02 PM | Adware/Spyware | Comments (10)

FTC Goes After Another Bogus Anti-Spyware Remover

FTC v. Trustsoft, No. H05-1905 (S.D. Tex. complaint filed May 31, 2005; Stipulated Preliminary Injunction Order granted June 14, 2005). The FTC has busted another vendor of anti-spyware software for making false claims about its products--specifically, that the "SpyKiller" software properly identified spyware and effectively removed it. The FTC claims that the software used an overinclusive definition of spyware to scare consumers into paying money to the vendor, then failed to remove the identified spyware. The FTC also claimed that the vendor sent emails that were not CAN-SPAM compliant.

I have no opinion about the legitimacy of this vendor's actions. It wouldn't surprise me to learn that SpyKiller was fraudware designed to play on the overhyped media frenzy about the perils of spyware. With consumers scared stiff, there's plenty of room for hucksters to prey on consumer fears.

However, I have a major concern about enforcement actions against anti-spyware vendors generally. If we can't agree on the definition of "spyware," how can we evaluate if a vendor's software is properly identifying spyware or not? One person's spyware is another person's legitimate and useful software. I know the FTC understands this point, and I'm hoping they are treading cautiously accordingly.

SIDE RAMBLE: Hey, FTC, have you considered setting up an RSS feed for your newsroom page? It would be great to be get notifications of your announcements rather than having to wait for someone else to pick up the news report or having to check the page myself manually. The Copyright Office's RSS feed is pretty nifty...

UPDATE: Suzi caught this too.

Posted by Eric at 11:39 AM | Adware/Spyware

June 23, 2005

Interview at Spyware Informer

Alex Morganis at Spyware Informer interviewed me about adware/spyware issues. Read the interview here. This ended up being a great way for me to articulate some of my latest thoughts. I hope you find the interview interesting, and I welcome your comments.

[note: I've asked Alex to fix the introduction; I don't have any affiliation with Spyware Warrior other than being a regular reader]

UPDATE: Dave Bove deconstructs my interview. Suzi has a few critical remarks too.

Posted by Eric at 11:27 AM | Adware/Spyware | Comments (1)

June 22, 2005

Some People Like "Spyware"?

I'm catching up on back reading, and I came across this December 2004 Wired News article by Michelle Delio called "Spyware on My Machine? So What?" [see update below about questions about the article]

Anti-spyware advocates are wedded to the notion that spyware is never legitimate because no one wants it. Therefore, all spyware downloads must be fraudulent or illegitimate. Yet, this article provides a number of examples of people who voluntarily downloaded "spyware" or adware knowing full well what they are doing.

For example, the article discusses how some users deliberately downloaded the Claria/Gator adware software because they wanted the e-Wallet application and were willing to trade the adware exposure for the application.

In one of the quotes that hasn't been confirmed [see update below], another user talks about how his college blocked a "spyware" application that was bundled with a file sharing program. The user says: "This sucks....I can't surf the web and I can't trade files if I uninstall the spyware. Why can't the college let me do what I want to do with my computer? The school computer security guys are being way more annoying than the spyware was."

Perhaps this reporter found the only crackpots in the world who affirmatively, intentionally and voluntarily chose to install spyware/adware on their systems [see update below], but I don't think so. In fact, I think there's a pretty large group of people who went through the exact same thought process.

As a result, the foundational assumption of most anti-spyware zealots--that "spyware" is, by definition, unwanted--is false. In turn, all arguments predicated on this inaccurate assumption are tainted.

Meanwhile, the fact that some people gladly use adware reinforces just how anti-consumer the Utah and Alaska anti-adware laws are. These laws remove consumer choice about what consumers can have on their desktop--not because such choices might harm consumers, but because such choices interfere with some websites' desires to reduce competition. The student who says that "the school computer security guys are being way more annoying than the spyware was" will next be saying "my legislators are being way more annoying than the spyware was."

UPDATE: I was working off a contemporaneous printout of the article. I see now that some questions have been raised about some quotes in the article. Wired hasn't retracted the article, but it would be nice if we could confirm the quotes in question. Nevertheless, I remain convinced that there are people who subscribe to the viewpoints articulated in this article. Certainly the research work of people like Deirdre Mulligan indicate that people are willing to make knowing tradeoffs to accept spyware as part of bundles.

UPDATE 2: I have asked one of my student research assistants to look for other articles that discuss people who like their adware/spyware. If you have any suggestions, recommendations or anecdotes, I'd be grateful if you would send them to me.

UPDATE 3: I was reviewing old material and I came across this article. Michael Warnecke, Developers Ratchet Up Anti-Spyware Efforts, But Legislators Will Wait for Tech Solutions, Privacy Law Watch (BNA), April 21, 2004. The article says;

"Matthew Sarrel, technical director for PC Magainze, said that when his magazine ran a cover story on spyware in March 2003, he received scores of e-mails from readers who said that they don't mind the hidden programs as long as the trade-off allows them to get other free software they like (such as peer-to-peer file sharing programs)."

I'll keep looking for more anecdotes like this.

Posted by Eric at 09:43 AM | Adware/Spyware | Comments (4)

Alaska's Anti-Adware Law

Alaska’s legislature has passed SB 140 (to be codified at Sec. 45.45.792, 45.45.794 and 45.45.798), which is awaiting the governor’s signature. This statute contains some anti-Internet porn provisions (probably unconstitutional under the First Amendment and Dormant Commerce Clause), but I’m more interested in the law’s anti-adware provisions.

I’ve generally stopped tracking state anti-spyware laws because of the sheer volume of the state-level efforts. However, most of the statutes have been unremarkable; they are principally modeled off California’s anti-spyware law, which got defanged prior to passage by the repeated insertion of an “intentionally deceptive” standard for the proscribed acts. This intentionally deceptive standard makes these laws mostly irrelevant, because intentional deception in this context usually should trigger other legal violations without the anti-spyware laws being on the books.

Instead of starting with the California model, Alaska started with a version of the Utah amended Spyware Control Act. I blogged unfavorably about that law when it passed. In that post, I concluded that the amended Utah Spyware Control Act was effectively irrelevant. To violate the law, the plaintiff must prove that the defendant committed trademark infringement, so the statute merely creates an additional cause of action to supplement a standard trademark infringement claim.

Alaska’s anti-adware law goes further--much further. It omitted the requirement that the defendants commit trademark infringement. Instead, a defendant commits a violation simply by using adware to display pop-up advertising triggered by trademarks or URLs (whether trademarkable or not). Further, unlike the amended Utah law, the Alaska law does not contain any exclusions for fair use or nominative use.

In short, Alaska took a terrible Utah law and made it worse.

Like the Utah law, I have my doubts that the Alaska law will survive any court challenges. First, it may violate the Dormant Commerce Clause. To avoid this fate, the Alaska law tries the "clever" Utah trick of expecting that adware vendors throw up pop-ups to every user in the world to identify (and then refuse downloads to) Alaska residents. This trick has not been blessed by the courts, and given the courts’ concerns about restricting the free flow of Internet content, I doubt it will be. (Plus, there’s the bizarre irony of an anti-pop-up law mandating that adware vendors display lots of pop-ups to consumers).

Second, it may not survive 47 USC 230’s preemption, which preempts most state laws that try to hold intermediaries liable for third party content except in limited types of claims, like IP claims. At least the Utah law could claim to be an “IP law” because trademark infringement was an essential element of a claim. Alaska's law doesn’t limit itself to trademarks and does not require trademark infringement to establish a violation. Instead, it’s squarely housed in consumer protection law. Therefore, I think there's a good chance that the law, at least as applied to adware vendors (as opposed to advertisers), is preempted by 230.

Third, I’m not entirely convinced that this law survives a First Amendment challenge. It regulates commercial speech, so it “only” triggers intermediate scrutiny. However, I’m not sure the law can make a good enough argument about the government need or the law’s efficacy to support that need. Note that, like the Utah law, the Alaska law does not give consumers the right to consent to regulated adware on their own (except that user-installed filtering software is excluded from the definition of adware). So even if users expressly say they want the software, the Alaska law deprives them of it.

Let's hope the Alaska governor vetoes the law, but it seems politically imprudent to veto a (mis-characterized) anti-"spyware" law that also attacks "online enticement." Thus, assuming the Alaska governor signs the law, any predictions about who will lead the lawsuit to clean out this stinker?

Posted by Eric at 09:27 AM | Adware/Spyware

June 18, 2005

Good Primer on Spyware

Spyware: Background and Policy Issues for Congress, Congressional Research Service, Order Code RL32706 (May 18, 2005). This report, written as a primer for Congress, is one of the most balanced descriptions of the spyware issues I've seen. (Balance is a rare commodity in the adware/spyware area, given that very few commentators are neutral--including me). For anyone looking to get up to speed on the spyware issues and understand the various Congressional proposals, this report is an excellent choice.

Posted by Eric at 04:04 PM | Adware/Spyware

AWOL Opinions

While we are on Grokster watch, I also have been thinking of two opinions that seem to have disappeared into the void:

* Second Circuit opinion in 1-800 Contacts v. WhenU. The district court ruled in December 2003, the parties briefed the case in February/March 2004 (links to briefs) and the case has gone away. What's taking the Second Circuit so long?

* Written opinion in GEICO v. Google. The court stopped the trial in mid-December and said:

"Unless there's any objection, what I propose is that we terminate the trial at this point, I don't mean end it, but stop right now what we're doing to give the Court a brief amount of time, which given the holiday season might be two or three weeks, although we're going to try to do it sooner than that, to get a written opinion out on this ruling, consistent with this ruling, and to allow you-all the opportunity to see whether or not there can be a resolution of what is left in the case."

(Emphasis added). Instead of 2-3 weeks, it's now been about 6 months, and still no written opinion. What's the holdup?

UPDATE: The 1-800 Contacts and GEICO opinions are in!

Posted by Eric at 11:55 AM | Adware/Spyware , Derivative Liability , Trademark

June 15, 2005

Enhanced Consumer Protection Against Spyware Act of 2005 (S 1004)

Sen. Allen's anti-spyware law has finally hit Thomas (the law was initially announced in April).

Description

The law has several substantive provisions, mostly revolving around a central provision making it illegal "to install through deceptive acts or practices software on protected computers." On its face, this is already illegal, but that is consistent with Allen's objective. As the bill says in the preamble:

"According to the Commission's statements to Congress, the vast majority of unfair or deceptive acts or practices involving spyware, such as deceptively asserting control over a consumer's computer and capturing keystroke information, are already unlawful under the Federal Trade Commission Act."

In support of this threshold prohibition, the bill provides some new consequences for the illegal behavior, such as giving the FTC the ability to treble damages, impose new sanctions for a "pattern or practice" of violations, and disgorge profits.

The bill contains a tough preemption clause that would wipe out a lot of state-based legislative initiative. Given the poor drafting and diversity of regulatory models at the state level, preemption would be a particularly good thing, and this law's preemption would clean out a lot of the junk. The law also minimizes private causes of action, another good thing.

A separate section of the bill adds some new criminal sanctions under a new 1030A, presumably enforced by the DOJ instead of the FTC. The first criminalizes unauthorized installation of software and using it to commit another federal offense, giving the DOJ another opportunity to charge-stack or pick the easiest conviction. This provision tracks the I-SPY Act passed by the House.

The second criminalizes installation of software and using it to impair a computer's security protections. The consequences of this provision are a little less clear to me; I think it would be great if this provision got tightened during review to make sure it does not create false positives. This provision does not track I-SPY, but (as I discuss below) chances are that it will just be added to I-SPY.

Finally, the law proposes to augment the FTC's budget by $10M/year to increase enforcement on the Internet.

Conclusion

I think this bill has a lot of promise. The bill is comparatively well-drafted and relatively surgical, compared to abominations like the SPY Act (which is neither). I think this bill might actually support, rather than destroy, user experience on the Internet, and therefore it has a lot more merit than its alternatives.

However, I'm not entirely clear what will happen to this bill and the others pending in the Senate. A typical compromise in this situation would be to smush this act into some other act (maybe the SPY Act/I-SPY Act as passed by the House, or perhaps one of the other pending Senate bills), instead of trying to undertake the harder effort of figuring out which policies would actually be the best. In my world, smushing this act into a lousy act won't cure the defects of a lousy act, so I'd much rather see the lousy act be trumped than preserved.

Another possibility is that the Allen bill will cause gridlock in the Senate. From my perspective, this wouldn't be a bad thing either--I think it would be fine to wait some more time before regulating hard-to-define "spyware." With the Senate embroiled in bigger controversies, it does remain a possibility that the Senate won't act on any of the proposals in time.

Posted by Eric at 09:16 PM | Adware/Spyware

Intermix Says It Has Settled NY Enforcement Action Over Adware

Intermix issued a press release today claiming to reach an "agreement in principle" to settle the Spitzer enforcement action over Intermix's alleged distribution of illegal adware.

Have the Parties Settled?

On the same day, Intermix announced improved earnings. The combination of the two caused Intermix's stock price to rise 27% in after-hours trading.

Hmm. This timing seems, well, interesting. This isn't the way most lawyers would advise a company to proceed. Standard lawyer advice: no press releases on deals that aren't signed. Indeed, there have been a few reports today from Spitzer's office that the lawsuit has not been settled. Even the Intermix press release says that the details need to be worked out and approved by the court.

The way I see it, there's a non-coincidental fortuitous combination of elements:

* Good news on a closely watched lawsuit that will generate a lot of press coverage for the company.
* Good financial news at the same time.
* A predictable bump in the stock price, perhaps temporary as the press attention to the company dies down.

A cynic might smell a pump-n-dump. The conditions sure seem optimal for it.

The Terms

The terms of the claimed settlement:

* Intermix pays $7.5M over 3 years. According to Bambi Francisco at Marketwatch, this amount "represented the disgorgement of global advertising sales from the allegedly improper downloads."

* Intermix stops distributing its adware, redirect and toolbar programs, which Intermix says it has already done.

In addition, although these developments do not appear to be part of the settlement, Intermix's press release touts that it has created a chief privacy officer position (although, interestingly, the press release does not name this person) and has joined the Network Advertising Initiative.

Who Wins?

The $7.5M settlement is a sizable payment from Intermix to the NY AG. Spitzer's office can surely spin this as a big win for its office and allow it to tout that adware doesn't pay (at least, adware that doesn't meet Spitzer's standards, whatever those are).

On the other hand, clearly Intermix thinks this is a win. Their stock price rises, they lift the cloud over their business, and the insiders have a great opportunity to dump their stock on the heels of good news.

So another way to look at this settlement is that Spitzer was able to extort some cash from a public adware company that was willing to pay out to buy a boost in its stock price. These types of extortive deals are fairly common in litigation, but it's a little sad to see elected representatives (especially the enforcers of our laws) playing the game.

Meanwhile, a settlement would have 2 other consequences, both negative.

First, it means we don't get any precedent about exactly what constitutes legal/illegal adware distribution. We sorely need this precedent to prevent future extortive deals like this one.

Second, we don't get any more clarity about who else is on Spitzer's hit list and how aggressively Spitzer's office will pursue them. Thus, uncertainty will continue to dog the adware industry until we see more of the cards in Spitzer's hands.

Posted by Eric at 05:40 PM | Adware/Spyware

June 14, 2005

More on the Adware Advertiser Witchhunt

I've been traveling for 3 weeks, so I missed a lot of good stuff while I was gone. One posting I missed was this one, discussing which stocks should be shorted because of Elliott Spitzer's enforcement action against Intermix Media.

This was a very interesting post for a couple of reasons. First, I've gotten a call from several equity traders seeking my perspectives about what they should do with their stock holdings. I've found this all a little amusing, because if I really had any valuable insights on stock trading, I'd be a lot quieter and a whole lot richer (and I wouldn't still be holding on to some of my dot com stocks from the late 1990s).

Second, the referenced post was interesting because it shows how a pundit like Ben Edelman, who assiduously avoids offering his legal perspectives, can move the equity markets. (Notice how the trader put some new stocks on his short list simply because they were referenced in Ben's report). Seeing equity traders respond to innuendo and ambiguous data reinforces just how important it is that we get some legal clarity on the topic of who is liable for what.

Posted by Eric at 09:09 AM | Adware/Spyware

May 26, 2005

Edelman on "Intermediaries' Role in the Spyware Mess"

Ben Edelman’s latest post discusses intermediary responsibility for adware. The post details how cash goes from advertisers to advertising representatives ("intermediaries") to adware vendors to distributors.

The Legal Liability Question

This implicates an essential question: if someone commits an illegal act somewhere in this chain, who is “responsible”? I’ve previously complained that anti-spyware critics have been opaque on this front, generally assuming that everyone in the chain as responsible for everyone else’s actions without acknowledging this assumption expressly. To Ben’s credit, he lays his cards on the table (sort of). He writes:

“Are ad intermediaries responsible when their ads are shown by installation installed improperly? Marquette law professor Eric Goldman thinks not. But the New York Attorney General's office has repeatedly suggested they might be. My take: Advertiser and intermediary liability is an interesting question of law, well beyond my aspirations for this brief piece. But where ad intermediaries purport to certify or stand behind the quality of the venues where their ads are shown, I'm not receptive to their claims that they can't do what they've promised. Where ad intermediaries merely count advertisement clicks without even claiming to assure traffic quality, the case for blaming intermediaries for improper use of their tracking links may be somewhat weaker (though still cognizable).”

I thought this paragraph helped frame the discussion. Ben freely acknowledges that this post does not address the legal liability question. But if not, then what is it about? We may understand the money trail better, but so what?

When Is Traffic “Legitimate”?

Ben says that some ad networks make “the mistaken assumption that if a user made a purchase, the traffic must have been legitimate.” For this position to make sense, we need to understand exactly what constitutes “legitimate” traffic. I believe Ben takes the position that traffic is illegitimate if it comes from an adware vendor who does not get adequate consent (based on his standards, which may or may not be consistent with legal standards). This definition deserves some careful scrutiny. The way I read it, a consumer who understands how adware works and deliberately clicks on an ad because the searcher finds it useful would still constitute “illegitimate” traffic under Ben’s definition.

Does Google Support Illegitimate Traffic?

Finally, I laughed out loud when Ben pointedly observed that Google pays websites (though AdSense) that, in turn, pay adware vendors for traffic. The joke, of course, is that Google pays AdSense websites for Google’s own traffic! Consider the following sequence of events:

Searcher conducts search at Google =>
Searcher clicks on organic search result =>
Searcher goes to website offering AdSense ads =>
Searcher clicks on AdSense ad =>
Searcher goes to AdWords advertiser’s website

The net effect is that Google pays its AdSense partner for a searcher who Google already had generated.

So why does Google pay for this traffic? Either Google is stupid and should just cut out the middleman, or the AdSense partner offers some value to Google/advertisers in the process, such as filtering or aggregating interested users. If it’s the latter, then adware-sourced traffic is just as legitimate as traffic that originates at Google. (Indeed, the traffic could be effectively identical—in both cases, sourced by the searcher-selected keyword and exposed to some filtering content that sets some expectations for the searcher). Therefore, I simply did not understand how Google is violating its stated policies. As far as I can tell, nothing about traffic to AdSense sites sourced by adware vendors runs contrary to Google’s stated positions.

Posted by Eric at 05:04 PM | Adware/Spyware , Search Engines

May 12, 2005

Sen. Allen Introduces New Anti-Spyware Legislation

Sen. Allen promised to introduce an anti-spyware law about a month ago, but Internet News is reporting that he introduced a bill yesterday. A copy is not yet on Thomas or on Sen. Allen’s website. The article suggests that Allen is focusing on funding enforcement efforts and increasing the civil and criminal penalties for fraudulent spyware. Other than the fact that increased sanctions will likely have no effect on behavior, this approach seems more promising than the Spy Act (HR 29).

Posted by Eric at 11:45 AM | Adware/Spyware

Schwartz on Adware Advertisers

Ari Schwartz comes out swinging against adware advertisers, saying “Advertisers, too, should be pushed to take greater responsibility for the companies they advertise with.” His remarks raise a number of questions, including:

1) Is there something unique about the adware industry, or should we make advertisers liable across-the-board for the actions of ad-sponsored media? i.e., Newspaper runs a defamatory article?--hold the advertisers liable.

2) If we want to follow the money, why limit liability to advertisers? Shouldn’t we hold investors liable for investing in adware companies? For that matter, shouldn't we nail all of the service providers to adware vendors too? If the power company shut down the electricity to adware vendors, they would go out of business!

3) Is it possible that some social value is created through the chain of adware relationships?

The witchhunt continues….

Posted by Eric at 10:06 AM | Adware/Spyware , Derivative Liability

May 09, 2005

LA Times on Adware Advertisers--Including 1800 Contacts?

The LA Times reports on brand name advertisers found advertising on adware, including Mercedes-Benz and Travelocity.com. As is typical in these situations, the brand names disavow any connection with the adware advertsing as soon as the press contacts them. This may be true--as discussed in detail in the article, third parties may be fully responsible for the behavior--but it's hard not to speculate that some of these advertisers actually meant to advertise on adware because it works.

The article also demonstrates just how hard it is for brand owners to manage affiliate marketing. In an ironic twist, 1800 Contacts, one of the most cutthroat users of the legislative and litigation process to stifle legitimate competition by preventing adware-spawned ads from appearing in connection with its site, apparently has paid an affiliate marketer for activity generated from adware/spyware distributed through a drive-by-download. The LA Times reports the following:

"Schmidt [a rep for 1800 Contacts] recently bought tools to check into his company's biggest online referral claims and threw out a third of the commissions as improperly earned. The worst offender, he said, was a "drive-by download" that installed spyware without asking and then claimed credit when infected users went to the 1-800 Contacts website on their own."

If a company as brand-sensitive as 1800 Contacts can't run a clean affiliate program, who can?

Posted by Eric at 06:31 PM | Adware/Spyware

May 06, 2005

Will Spitzer Go After the Adware Industry?

In the wake of Spitzer’s action against Intermix, I’ve been seeing lots of speculation that Spitzer’s office will go after other companies as well, given Spitzer’s reputation for pursuing an entire industry. See CBS Marketwatch (registration required); Riva Richmond of Dow Jones Newswire also ran an article yesterday. In Richmond's article, she says “Among the companies that experts say could come under scrutiny for distributing similar programs are Ask Jeeves Inc. (ASKJ), FindWhat.com Inc. (FWHT) and CNET Networks Inc. (CNET). Fallout could also extend to search-ad providers like Yahoo Inc. (YHOO), which have benefited indirectly from some of these programs.”

On the one hand, this speculation could be helpful if it helps clarify when an vendor is liable for the actions of its distributors—a point that is an untested and generally novel point of law. The anti-spyware zealots have successfully obfuscated this issue by castigating distributors and vendors equally, without even acknowledging that the law may treat them separately. Perhaps through sheer repetition, this meme is gaining traction. We could use some additional authority to enlighten, and perhaps eliminate, this meme.

On the other hand, I have an uncomfortable feeling that this is turning into a witchhunt, where otherwise-rational people make poor “guilty until proven innocent” assumptions that result in a wake of dead bodies. The zealots may get some schadenfraude, but a lot of people get hurt and society ends up worse off. There’s a certain tyranny implicit in every witchhunt; we need to vigilantly resist them accordingly.

UPDATE: AP quotes Spitzer's office threatening the entire industry.

Posted by Eric at 01:44 PM | Adware/Spyware | Comments (1)

May 05, 2005

Does AskJeeves Have a Spyware/Adware Problem? Diller Says No. I Say...

Ben Edelman leveled two charges at AskJeeves on Monday. First, Ben asserts that AskJeeves targets kids for toolbar downloads. Second, Ben asserts that an AskJeeves distributor exploits security holes to install the toolbar without consent. This follows on the heels of Spitzer’s action against Intermix.

Yesterday in the InterActiveCorp Earnings Conference Call, an analyst asked the following question: “I was curious about whether the Spitzer or how you saw the Spitzer probe on spyware affecting generally search or maybe profitability in search.” Diller responded:

“As far as the issues on spyware and ad ware that have recently been raised, to the attorney general has dove into, we are confident that askjeeves doesn't have an issue with either spyware or adware, full stop. It is an issue, obviously, but it is not our issue. And that's that. Next question, please?”

Certainly nothing equivocal about that! But is Diller right or wrong? Let me explain both perspectives.

Why Diller is Right

AskJeeves has a toolbar that provides some minor benefits to users. I have not seen an assertion, by Ben or otherwise, that the toolbar constitutes either spyware or adware. So on that basis alone, Diller is technically correct.

However, the toolbar is distributed using the “bundling” method, where it is combined with some other application that acts as the “carrot” to get the user to download the bundle. Again, there is nothing inherently wrong or illegal about bundling. For example, when a person buys a computer, the pricing often includes a bunch of software that will be pre-installed before the user takes possession of the computer. Bundling? Yes. Harmful? No; in fact, usually, just the opposite.

Let’s assume that Ben is correct that some distributors distribute the AskJeeves toolbar in a bundle using security exploits that bypass user consent. Let’s further assume that loading software onto a computer using those exploits violates the law. (Probably a fair assumption, but this is not necessarily a simple analysis).

At the moment, there is no legal doctrine that automatically makes AskJeeves liable for its distributors’ actions. Assuming the distributor is a separate legal entity, the basic (and venerable) legal rule is that one corporation is not liable for another corporation’s actions.

There are, of course, many exceptions to this rule. For example, if the distributor is the legal “agent” of AskJeeves, then AskJeeves will be automatically (“vicariously”) liable for the distributor’s actions. But legal agency requires a significant legal interrelationship between the companies. I would be extremely surprised if AskJeeves has an “agency” relationship with its distributors (this is far from the norm). There are other theories beyond agency where AskJeeves would have the liability, but my point remains—such liability is the exception, not the rule; we would need to find the requisite facts to establish that liability; and those facts would normally contemplate a relationship far more involved than a standard manufacturer/distributor relationship.

Thus, if Diller was trying to say that AskJeeves is not legally responsible for its distributors’ actions, he is probably correct.

Why Diller is Wrong

Anti-spyware zealots have a rather unsophisticated but nevertheless understandable view of the world: software vendors are guilty by their association with shady distributors. Thus, the zealots hold the vendors “responsible” for the distributors’ actions—regardless of what the law says, the level of control the vendor actually had over the vendor, or any other facts that would be germane.

We do see this type of “guilt by association” in some contexts. For example, with franchises, our view of the franchise’s brand is affected by the behavior of any individual franchisee. Have a lousy Big Mac? You might think less of the entire McDonalds’ franchise in a way that reduces your future desire for visiting other McDonalds—even if the lousy experience was attributable to idiosyncratic problems with one individual franchisee. So as a matter of “business reality,” software vendors may very well take the branding hit for what their distributors do.

There may also be legal consequences. Although the software-vendor-liable-for-distributor-behavior syllogism is currently an unproven legal theory, it’s being tested in at least two cases right now (the Direct Revenue lawsuit and the Spitzer action against Intermix). More importantly, legislators may be tempted to create this type of liability statutorily. We’ve already seen this in the spam context; in CAN-SPAM, an advertiser is liable for the behavior of spam distributors in certain contexts. I think it’s highly likely that legislators will create some legal relationship between vendors and distributors; but even if they don’t, courts may be willing to massage the common law to create such liability regardless of the black letter law.

Finally, as AskJeeves acknwoledges in its 10-K, the adware/spyware paranoia is causing a shrinkage in the overall channels of distribution for desktop software applications generally. (See, e.g., Download.com's announcement that it will not distribute software that has adware bundled with it). This means fewer channels and more pricing competition. Although this is not a legal issue per se, there's no doubt that AskJeeves will feel the impact of the legal developments with adware/spyware.

Conclusion

Therefore, I think Diller’s brusque and unequivocal response was absolutely wrong. AskJeeves will be liable for its distributors’ actions in the court of popular opinion. And legally, when the legislators finish with their anti-spyware frenzy, I’m pretty confident that AskJeeves will have to change its business practices to comply with the law. So where AskJeeves says the adware/spyware problem is not “our issue,” I disagree—and I predict that any intransigence on this topic will ultimately be punished severely in the marketplace and perhaps in the courts.

I'm not saying this is a good outcome—if public opinion and the legal system overreact, we may lose the ability to get the software we really want, or we may have to fight through a blizzard of unwanted disclosures to get it. But putting aside my preferences, objectively the current environment is pointing in that direction, for better or worse. As the saying goes, “be careful what you wish for.”

Posted by Eric at 05:31 PM | Adware/Spyware , Derivative Liability , Licensing/Contracts

Declan Interviews Edelman

Interview here. I have a lot of issues with Ben's positions, and I will have more to say about that later. In this interview, though, notice how Ben conflates adware and spyware. Even Declan found that confusing.

Posted by Eric at 11:36 AM | Adware/Spyware

May 03, 2005

McCullagh on HR 29

Declan weighs in against HR 29. He says, “politicians write laws that treat technology as something that's as easy to define as a food product or an agricultural implement. It isn't.” Too bad Congress isn't listening to the many rational concerns about HR 29.

Posted by Eric at 08:37 PM | Adware/Spyware

May 01, 2005

Download.com Becomes Adware Bundle-Free Zone

Download.com has declared itself adware bundle-free—all downloads from Download.com will be certified not to be bundled with adware. Personally, I think this step goes a little far. Many of the software programs offered on Download.com are shareware or freeware, so an adware bundle may be the only realistic way for independent developers to recoup their investment. Further, Download.com could have addressed this through greater labeling of software that (in theory) would have let consumers choose between options, such as a free bundled software vs. the for-pay/shareware version that's adware-free. On the other hand, it’s Download.com servers, and they are of course free to do what they please with them.

In any case, Download.com’s step represents a noteworthy step in shrinking the range of distribution channels for adware. Should other distribution platforms take similar steps, adware vendors will either need to reform their ways…or become more pernicious.

Thanks to Spyware Warrior for the tip.

Posted by Eric at 05:00 PM | Adware/Spyware

Widmaier on Internet Trademark Law

Uli Widmaier of Pattishall, McAuliffe, Newbury, Hilliard & Geraldson LLP has written an important new article, Use, Liability, and the Structure of Trademark Law, 33 Hofstra L. Rev. 603 (2004). The article makes a persuasive argument why keyword triggering should not be trademark “use.” Recommended reading.

Posted by Eric at 04:06 PM | Adware/Spyware , Domain Names , Search Engines , Trademark

April 28, 2005

Adware Vendor Sued by New York Attorney General

New York v. Intermix Media (complaint filed April 28, 2005). Elliott Spitzer has sued software vendor Intermix Media (formerly eUniverse) for violations of New York’s consumer protection act, false advertising and common law trespass to chattels based on Intermix’s “spyware/adware.” New York press release. AP story.

The complaint focuses on Intermix Media’s bundling of adware with other software (games, utilities, etc.). Specifically, the complaint alleges:

“Intermix offers consumers either no notice or only token notice about the hidden spyware programs. Intermix either fails to disclose these additional programs in any manner, or hides mention of them deep within lengthy, legalistic license agreements. Even in the latter case, the information Intermix does provide about the spyware programs is vague, incomplete and often factually incorrect….. In every single test, Intermix provided either no notice or woefully insufficient notice about Intermix’s bundled spyware programs.”

The complaint also targets the ways in which Intermix allegedly intentionally made it difficult to figure out how to uninstall the program.

This case is important because it might help define the line about how much disclosure is sufficient. Right now the law is extremely unclear; even the New York complaint lumps together no disclosure and inadequate disclosure, and in my mind these are two very different standards. Failing to disclose means no one would understand; inadequate disclosure depends on the consumer, their expectations, and how much responsibility the consumer has to figure things out for themselves. As I’ve discussed before, part of the problem is that software vendors have to make a long list of disclosures, so the disclosures will never be easy for consumers to understand. As Deirdre Mulligan has claimed, even full disclosure doesn’t necessarily change behavior. So more clarity on the applicable legal standards for disclosure would be useful, but I’m not immediately convinced by the complaint that NY is drawing the line in the right place.

This case may also reinforce that Congressional action may be neither necessary or prudent. If states can enforce their current consumer protection laws, then Congress getting into the act (especially through rigid command-and-control laws like HR 29) adds little value. Even if NY loses the case, the mere fact that the case was brought indicates that the current law can be used to combat bad actors when they are engaged in bad behavior.

UPDATE: Wendy Seltzer on the lawsuit.

UPDATE #2: CBS Marketwatch (reigstration required) reports that Spitzer may be planning more lawsuits against adware vendors, adware distributors and potentially advertisers/revenue sources.

UPDATE #3 (10/21): The formal settlement was finally announced.

Posted by Eric at 10:45 AM | Adware/Spyware | Comments (2)

April 18, 2005

Howes' Recap on Spyware/Adware

Eric L. Howes gives a one-year retrospective of the state of spyware/adware. I was surprised that he was able to find any good news from his perspective, but he did! Of course, I would probably reverse some of his labels (i.e., some of his “good news” is bad news from my perspective, and vice versa), but it’s an interesting recap from any perspective.

Thanks to Spyware Warrior for the tip.

UPDATE: I got an email asking me to explain my "vice-versa" remark (what bad news on Eric's list would have been good news on my list?). Here's how I responded:

"I'd reverse the listing of VC funding of adware companies. This is good news in my book, but I know that opinion is not shared universally. FTC deference is also good news, but I'd rate that as more of a mixed bag (we want them to clean up the real bad guys but I want them to leave others alone). I would also characterize industry practices as improving--maybe not fast enough, certainly not substantively enough to satisfy you--but I think we could find good news here as well.

In any case, the core deficiency in Eric's analysis is a common one--we still don't have bright line rules distinguishing malware, spyware, adware and garden-variety software, and without that, it's impossible to make a uniformly-acceptable list of good or bad news."

Posted by Eric at 04:45 PM | Adware/Spyware

April 13, 2005

Boalt Spyware Talk

My notes from my presentation at Boalt on spyware. See my earlier post summarizing the conference.

UPDATE: Sunbeltblog has some pointed commentary about my remarks.

Posted by Eric at 07:03 PM | Adware/Spyware

April 04, 2005

Boalt Spyware Conference Recap

On Friday I attended the Spyware conference at Boalt. This was an outstanding conference—I learned a lot. You should take any opportunity to attend a Berkeley Technology Law Journal annual symposium in the future—their events are typically first-rate.

Tutorial on Spyware

Jeffrey Friedberg, Microsoft’s “Director of Windows Privacy,” started off the conference with a spyware tutorial. He proposed rejecting the term “spyware” in favor of “deceptive software,” a useful nomenclature shift. He then made the typical technologist’s argument that we should focus on bad behavior instead of bad software features, as many features that are included in deceptive software can be used for beneficial purposes. Thus, he wants to preserve room for “horse trades” where users willingly make a choice to cede desktop control in exchange for some desired benefit. However, he then gave examples of deceptive software to show how bad actors exploit various user interface design elements to trick users into downloading their software. He listed a number of attributes of XP Service Pack 2 designed to correct some of those design elements.

He then gave an extended depiction of an “Internet battlefield” to argue that spyware and phishing are really the same problem—an attempt to convert data from the user/their desktop into cash. He offered his solutions to the deceptive software/phishing problem: a combination of consumer education, technological innovation, industry cooperation, enforcement and new legislation.

Two points were especially interesting to me:

First, he explained why users should never put personal information into a pop-up window because users don’t/can’t know who served the pop-up window (e.g., there are no address bars in the pop-up window). He showed how phishers may launch a pop-up while redirecting the main window to a trusted website at the correct URL. In this case, the user might mistakenly assume that the pop-up window was spawned by the underlying trusted site. I realized that even I could fail prey to that trick, so I’ve made a mental note—no personal information into pop-up windows!

Second, he discussed how occasionally Microsoft has used its automatic update feature to eradicate (he called it “clean”) software from users’ computers. He gave the example of Download.ject, some malware code that Microsoft simply deemed impermissible, so it wiped Download.ject off the face of the Windows universe. Perhaps I missed the publicity about this at the time, but I’m troubled by this exercise of power. On the one hand, so long as Microsoft executes its powers as a benevolent dictator wisely, it’s a great asset to combat malware. On the other hand, (1) it isn’t clear how clearly Microsoft communicates its decision, (2) I am not aware that Microsoft has published its standards for software that it will unilaterally eradicate (or that it applies those standards consistently), and (3) we have to trust Microsoft to do the right thing, and I’m not sure how comfortable I am with that!

Panel on Privacy and Surveillance Issues

Patricia Bellia made an argument that some existing federal laws are inadequate to deal with spyware. She deconstructed the ECPA and made a convincing case that the law has a tough time stretching to cover actions on a single desktop computer. She also deconstructed the CFAA and suggested a little more hope there, but still argued that several standards (such as the $5,000 damage requirement) may be fatal to claims. I need to see her paper, but her talk makes me question my previous beliefs that CFAA and ECPA already covered spyware and that additional legislation was superfluous.

Ari Schwartz presented CDT’s positions on spyware. He argued that adware vendors cater only to advertiser interests, not user interests, and therefore these misdirected loyalties disadvantage consumers. I disagree with this argument: if adware vendors do not provide a suitable user experience, they will not be able to perform well for advertisers. So adware vendors will have to create a good value proposition for users, and their interests are far more aligned than Ari portrays.

Paul Schwartz recapped his recent article Property, Privacy, and Personal Data, 117 Harvard Law Review 2055 (a very interesting read, BTW). In that article, he pointed out two separate reasons to regulate privacy: first, there is a privacy market failure because data collectors know more about what they will do with the data than data subjects, and second, that there are social costs to privacy, and therefore a privacy commons needs to be protected.

Based on this, he favors an opt-in scheme that, among other benefits, forces data collectors to tell consumers about their practices. After his talk, I pointed out to him that I see the information asymmetry differently—consumers have heterogeneous but undisclosed interests, so perhaps we should set up a system to force consumers to disclose those interests. I doubt I’ll convince him on this point!

Paul S. surprised a number of us by supporting the mandatory disclosure requirements in HR 29, favoring efforts to sharpen the notice/consent process.

Reed Freeman of Claria then presented Claria’s perspectives on regulation. Claria generally favors regulation of software that operates without consent. From their perspective, these laws would not affect them because they see themselves as obtaining consumer consent.

Seth Lesser then gave his perspectives as a plaintiff’s lawyer in the Doubleclick cookies, Avenue A and Pharmatrak cases, saying that user consent issues are tough to overcome and echoing Patricia’s assessment that the federal statutes may not be robust enough.

Deirdre Mulligan moderated this panel, and I thought she made a great observation when she noted that spyware purveyors are experts at exploiting consumer expectations about user interfaces.

Intellectual Property and Contracting Issues

Dan Burk discussed how intellectual property law does not protect consumers from spyware because, among other things, consumers lack standing to sue. Later I asked Dan if spyware raises any unique issues because consumers don’t have standing under IP laws generally. Dan observed that the relevant “infringing” actions take place on a chattel owned by the consumer, yet the consumer cannot use IP laws to protect that chattel. I’m still not sure if that is a meaningful difference; I’m looking forward to reading his paper.

Jane Winn talked about contract law. Her perspective is that American law upholds contracts very liberally. She favors an approach like the EU directive on mass market contracts, where courts have the power to reject terms that are substantively unfair.

Tim Ehrlich spoke about the costs that legitimate businesses incur due to the spyware paranoia, including the costs incurred by advertisers and the costs attributable to being labeled as spyware or adware. Ehrlich called for some type of appeals process when private companies characterize software as spyware or adware.

Alex MacGillivray described Google’s software principles.

Keynote

Christine Varney was scheduled as the keynote, but she scratched at the last minute due to illness. Instead, her partner Mary Ellen Callahan took her place. I think we had all been looking forward to hearing Christine, so the substitution was a little disappointing, but Mary Ellen did the best she could under the circumstances. Mary Ellen focused on whether adware businesses could be legitimate, and taking a very FTC-esque approach, she concluded that the answer was yes with adequate notice/consent and easy uninstall procedures.

Regulatory Challenges

Peter Menell asked whether regulation was better located at the state or federal level. He used the unfair competition doctrine as a case study, showing that it used to be a federal doctrine but is principally the province of state law now. However, on the Internet, state-based regulation has the risk of creating a lowest-common denominator environment where the most restrictive laws control nationally. He took particular aim at the notion that states can be a laboratory for testing new policy, showing that state law is often influenced by federal policy (such as in the case of unfair competition laws), so they are not pure testing environments. After the talk, I added that states are lousy laboratories because (1) they are especially susceptible to regulatory capture/rent seeking, (2) there is no empirical measurements of results or effort to divine best practices from states’ experiences, and (3) often, at least in the Internet context, a pioneering state’s law is adopted by other states before it has been tested. California’s anti-spyware law is a typical example, having propagated to approximately a dozen states before we have gotten any empirical results in California.

Ira Rubinstein deconstructed several of the proposed federal laws, showing both their breadth and ambiguity.

Susan Crawford gave a good overview of how various legal efforts have failed to address spyware. Her solution is to think about unwanted software as a pathogen and allow technology to develop immunizations organically. She has written a nice paper surveying the spyware/adware topic and I hope she’ll post the paper soon (before it gets too far out of date…).

Deirdre Mulligan gave a great talk (my choice for the best of the day). Her clinic has conducted an ethnographic study of 30 people downloading software and how they processed disclosures. Under current practices, downloaders did not understand the contract terms or even review them. However, when she explained the terms post-download, most users expressed regret. She then presented downloaders with summary notices of some key terms (a layered notice approach). The summaries improved user understanding, but to her surprise, they did not change behavior—people still clicked through to complete the download! This empirical research seems to completely destroy the assumptions incorporated into laws like the Spy Act—the fact that behavior did not change undercuts any belief that more prominent or understandable disclosures will help consumers. I am anxious to see Deirdre’s write-up of her findings; they appear to be both important and useful.

I spoke after Deirdre and made two principal points. First, consumers will benefit from having software on their machines that learns their preferences passively and using those inferred preferences to deliver surplus-producing information. Therefore, we don't want laws that would keep that type of software off users' computers. Second, regulators are forcing consumers to see notice/consent information that consumers don’t care about—basically, foisting new types of pop-ups onto consumers, except that consumers can’t turn these pop-ups off. You can see my notes here.

Henry Chesbrough talked about business models of adware companies. He gave Ebates as an example of a company creating consumer value based on monitoring consumer behavior. He also talked about how government can affect policy not just through negative regulations, but also by encouraging behavior through subsidies and its purchasing protocol.

Michael Geist spoke about transnational jurisdictional issues. He noted the split regarding defamation jurisdiction between the US (which applies the law of the poster) and the other Commonwealth countries (which apply the law of the target).

Conclusion

I thought the conference was great both substantively and as a place to exchange information. My only “criticism” is that many talks did a good job identifying the problems but gave little attention to any solutions (my talk suffered this same defect). In the end, I think this reflects the difficult nature of the problem, but it would have been great if there are new innovative solutions that we should support. Ultimately, such an inquiry is probably moot, because Congress appears to be determined to pass an anti-spyware law regardless of its policy merit.

Posted by Eric at 11:45 AM | Adware/Spyware , Marketing , Privacy/Security

March 31, 2005

Infomediaries--Where Are They?

I have been thinking a lot about “infomediaries.” If you’re not familiar with the term, John Hagel first described it in a 1997 Harvard Business Review article The Coming Battle for Customer Information (with Rayport) and then fleshed out his vision in the 1999 book Net Worth (with Singer).

Infomediaries interpose themselves between marketers and consumers to facilitate better marketing matches. Consumers disclose their personal preferences to an infomediary, who can then offer marketers the ability to engage in highly targeted marketing without knowing consumers' personal identities. Further, infomediaries will use their aggregated consumer demand to cut consumer-favorable deals with marketers. To make this work, consumers must completely trust that infomediaries will respect their privacy and will not become a biased shill for marketers based on which marketer pays the infomediary the most.

From an academic’s perspective, I think infomediaries would substantially improve social welfare. Consumers get what they want—relevant and trustworthy marketing without sacrificing privacy; marketers get what they want—a cost-effective source of interested consumers; and infomediaries profit by taking cuts of the deal. Society wins due to lowered transaction/search costs and fewer marketing mismatches between consumers who don’t want the marketing and marketers who cannot target granularly enough.

Compare this with our current marketing environment, where consumers lack an easy one-stop way to disclose their preferences (and many consumers refuse to do so due to privacy fears). More regulated solutions of marketing communications have high transaction costs (for marketers, and sometimes for consumers too) and a high risk of Type I and Type II errors (i.e., relevant marketing is squashed; unwanted marketing is unregulated).

Despite all of these benefits, as far as I can tell, the infomediary industry has failed to materialize. In Feb. 1999, James Glave wrote a Wired News story called The Dawn of the Infomediary listing five companies trying to enter the infomediary business: Lumeria, PrivaSeek, InterOmni, @YourCommand, and PrivacyBank. On January 24, 2005, I visited the purported websites of all five infomediaries discussed in Glave’s article. Lumeria’s site still exists but appears not to have been updated since 2000. InterOmni was acquired by Lumeria in 1999. The PrivaSeek and @yourcommand domains appear to have lapsed and been reregistered by others. InfoSpace.com bought PrivacyBank in 2000; it is unclear what happened thereafter.

In other words, it appears that all of these infomediaries are out of the business. Also gone are the group buying sites (like Mercata and Accompany) that aggregated consumer interests to negotiate better deals with merchants.

We have some more success if we broaden our definition of infomediaries further. In some industry verticals, infomediary-like businesses have emerged, like LendingTree for loans and Autobytel for cars. However, to some extent, Autobytel act like messaging services—I submit my information, a message goes to interested dealers, then the dealers spam me directly (sometimes relentlessly). Rather than protecting my privacy (whatever that means), Autobytel just ratchet up the email volume. There is still value to consumers to messaging systems, but I don’t think they rise to the infomediary level. LendingTree actually makes offers, not just referrals. However, I'm not entirely clear how these offers are ordered.

We could also try to analogize the shopbots to infomediaries. Shopbots like Shopping.com, Shopzilla and PriceGrabber have survived the dot com crash and offer some infomediary-like services, such as organizing marketing information by product and pitting merchants against each other. However, shopbots do not personalize the offers based on a consumer’s preferences or try to act as a consumer agent; instead, like some industry vertical sites, shopbots view their role as referral services (i.e., send the consumers to the merchant and get out of the way). Further, merchant listings are generally presented based on merchant willingness-to-pay, so consumers may feel like shopbots put merchant interests ahead of their own.

Why haven’t infomediaries emerged? I am struggling to answer this question. Some of the possible theories I’ve come up with:

· Infomediaries do exist but I’m not defining the term expansively enough.
· Infomediaries cannot convince consumers that they are trustworthy. In my experience, my clients would routinely start out saying that they wanted to protect their customers’ privacy, but inevitably they would, over time, look for ways to monetize their customers’ information. Further, companies usually cater to those who pay the bills; so any infomediary will inevitably be tempted to put merchants’ interests over consumers.
· Consumers’ privacy concerns are not strong enough that they need infomediaries. The empirical evidence here is sharply split. Consumers routinely say that privacy concerns inhibit their online actions, but consumer behavior routinely belies this. There are plenty of good reasons to use an infomediary beyond privacy protection, but perhaps this motivation is not as strong as Hagel predicted.
· There is no viable profitable business here (i.e., the economics simply don’t work).
· There is a market failure that prevents companies from entering the market. If we could find a market failure, would this support government intervention to sponsor the creation/operation of one or more infomediaries?

As you can see, I’m stuck. I ask for your help, and I’m opening comments on this post. (Unfortunately, to prevent comment spam, registration is required—sorry). Why do you think infomediaries have not arisen?

Posted by Eric at 10:04 AM | Adware/Spyware , E-Commerce , Internet History , Marketing , Privacy/Security | Comments (1)

March 27, 2005

Boalt Conference on Spyware April 1

If you’re in the Bay Area and interested in adware/spyware, you should consider the Boalt conference on spyware on April 1 (this coming Friday). Boalt has a history of putting together superior events on emerging intersections between law and technology, and this conference looks like it will continue that tradition.

Posted by Eric at 06:59 PM | Adware/Spyware

Liability for Labeling Software as Spyware

Ben Edelman’s latest research describes various efforts by software vendors to curtail characterizations of their software as spyware (or a synonym). These bigfoot letters often attempt to distort the information marketplace by forcing the removal of unflattering but potentially accurate and useful information. Unfortunately, there are very few meaningful consequences (other than bad publicity) to software vendors due to sending nasty but bogus letters. For recipients of such letters, I have been able to think of only a few causes of action that could be brought against the sender:

· If the sender actually brings a lawsuit, the defendant could have rights under anti-SLAPP laws
· If the sender sends an unsupported copyright takedown notice, there could be a claim under 17 USC 512(f). [this was used in the Diebold case]

However, should a lawsuit ever be brought, recipients might have some effective defenses:

· Characterizations of software could be an opinion protected under the First Amendment (or simply not actionable under defamation law). See the Search King v. Google, 2003 WL 21464568 (W.D. Okla. May 27, 2003) (and previous unreported decision). I think this defense has particular merit because there is no standard definition of spyware (or any of the synonyms), so merely characterizing software as spyware may not be a factual statement.
· 47 USC 230 should immunize a website for any third party characterization. This safe harbor has been used to protect against liability for third party characterizations that someone is a spammer. See OptInRealBig.com v. Ironport Systems, 2004 WL 1459337 (N.D. Cal. June 25, 2004).

I’ve opened up comments (unfortunately, to avoid comment spam, registration is required) if you have any other suggested causes of action or defenses.

My previous posts on this subject:

Comments on iDownload letter (initial and follow-up)
Microsoft's characterization of a Dutch search engine as spyware (initial and follow-up)

Posted by Eric at 11:53 AM | Adware/Spyware , Derivative Liability

March 23, 2005

SPY BLOCK Act Reintroduced

Burns and Wyden have reintroduced the SPY BLOCK Act in the Senate (S 687). Initial text here. This is the Senate complement to the SPY Act in the House (HR 29).

Posted by Eric at 09:39 AM | Adware/Spyware

March 22, 2005

Utah Amends Spyware Control Act

Last week, the Utah governor signed HB 104, the amendment to Utah’s Spyware Control Act. The amendment is, in fact, a nearly complete rewrite of the prior law. I blogged on the proposed law last month, and since then further changes were made. Here’s an initial critique of the law.

Definition of Spyware

The act defines “spyware” as adware that displays trademark-triggered pop-up ads. There is no user consent exception to the definition. Software is regulated even if the user enthusiastically consents to its installation after comprehensive disclosure. As I complained last time, this law is not about protecting consumers, it’s about limiting competition.

Prohibited Acts

The law prohibits using adware to display a pop-up ad (1) contemporaneously in response to a specific trademark or URL, (2) that infringes a registered state or federal trademark, and (3) for an advertiser who is not one of six classes of permitted purchasers (including users engaged in trademark fair use).

Requirement #2 was added since my last critique, and it changes the law significantly. It removes my concern that the law creates trademark-like protection for domain names that are not registered trademarks (which, though included in the definition of a “Mark,” receive no protection under Requirement #2).

In fact, because the law requires that the plaintiff must prove trademark infringement, I'm not entirely clear what this law adds to existing trademark law. As far as I can tell, there are really only two new consequences. First, this law may create some new remedies against the infringing advertiser, such as statutory damages. Second, it codifies a cause of action against the adware vendor rather than relying on an unproven contributory trademark claim. (I should note that, like trademark law generally, the law does not create a private cause of action for affected consumers).

Nevertheless, the law still leaves open the most basic question—does triggering a pop-up ad in response to a registered trademark constitute trademark infringement in the first place? If the answer is no, then by definition this law is moot. I’m pretty surprised if the legislative patrons missed this point—they could have simply defined triggering as a per se trademark infringement. Without that definition, a court could deem triggering a trademark non-use, non-infringing, or fair use—any of which cause the plaintiff to lose both the trademark infringement and spyware control act claims.

Anti-Spyware Software

The act gives software vendors and websites a safe harbor if they clean a user’s computer of spyware if (a) they have a relationship with the user, and (b) they gives notice to the user. There has been some litigation over this very question, so Utah appears to be the first state to offer a safe haven for attack software. Given the legislative patrons for this act, it wouldn’t surprise me if Overstock.com and 1-800 Contacts start offering hard disk cleansing services for their customers (that conveniently look for certain adware from, say, Claria or WhenU).

Open Issues

· What does this law do to the pending lawsuit to enjoin the prior version of the law? WhenU won a preliminary injunction against the previous version of the act. I assume the existing lawsuit is now moot, though perhaps we will see a new challenge to this version.

· Does this law survive the dormant commerce clause? As I discussed earlier, the law contemplates that adware vendors will ask users to reveal their geography—creating the specter that users will be bombarded with pop-ups requesting geographic information as they use the web. I’m not entirely sure this structure avoids the DCC claim, however. The law puts the burden on adware vendors not otherwise doing business in Utah to ask geography, even if the adware vendor has no users in Utah. This seems to be a pretty clear extraterritorial reach by Utah, so I could see that raising a serious DCC claim.

· Will the adware vendor’s liability be preempted by 47 USC 230? 230 does not preempt IP laws, and this law may or may not be considered a trademark law. Certainly its title—attempts to control spyware—suggests that this is not an IP law, although the prima facie requirement of a trademark infringement supports a contrary conclusion. If this is not an IP law, then I think adware vendors may be able to claim that this law is preempted by 230 because it attempts to treat them as the publisher/speaker of its advertisers’ content. In fact, 230 has specifically protected a website from being liable for its advertiser’s content in Ramey v. Darkside Productions, although that case involved claims for emotional distress (and others).

Posted by Eric at 11:00 AM | Adware/Spyware , Derivative Liability , Trademark

March 09, 2005

SPY Act Passes House Committee

The House Energy and Commerce Committee passed the SPY Act, sending it to the House floor. The article illustrates continuing definitional problems with the bill.

Posted by Eric at 04:04 PM | Adware/Spyware

iDownload's Latest Letters

iDownload backs off of its legal threats to bloggers who characterized its software as spyware. If they were going to backpedal like this, why bare their fangs in the first place?

Posted by Eric at 02:23 PM | Adware/Spyware

March 07, 2005

FTC Report on Spyware

The FTC has released a report entitled “Monitoring Software on Your PC: Spyware, Adware, and Other Software” as a follow up to its April 2004 workshop. I need to read through it, but it looks like a typical FTC response: “there’s a technology problem, consumers are screwed, so we should fix it through a combination of technology, education and enforcement.” To wit, the introduction concludes:

“The incidence of spyware can be decreased if the private sector and the government act, separately and in concert.
• Technological solutions – ﬁrewalls, anti-spyware software, and improved browsers and operating systems – can provide signiﬁcant protection to consumers from the risks related to spyware.
• Industry should: (1) develop standards for deﬁning spyware and disclosing information about it to consumers; (2) expand efforts to educate consumers about spyware risks; and (3) assist law enforcement efforts.
• Government should: (1) increase criminal and civil prosecution under existing laws of those who distribute spyware; (2) increase efforts to educate consumers about the risks of spyware; and (3) encourage technological solutions.”

Posted by Eric at 06:05 PM | Adware/Spyware

Edelman on P2P Disclosures

Ben Edelman released a report entitled “Comparison of Unwanted Software Installed by P2P Programs.” The report evidences Ben’s typical skill and thoroughness, and it’s a worthy read.

However, the report struggles with the appropriate standards for measuring a workable disclosure system. For example, he writes: “substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.”

From a legal standpoint, several cases have affirmatively upheld the use of scrollboxes (the Forrest v. Verizon case comes most immediately to mind). This does not mean that scrollboxes are a good user experience—unquestionably, it is hard to read through long scrollboxes—but then again, there is no good user experience to deliver thousands (or even tens of thousands) of words of legal mumbo-jumbo. Putting these words in an uncluttered printable page will not make them any more likely to be read.

To me, this points to the real problem. The problem isn’t poor presentation of lengthy contracts, it’s a legal system that encourages or mandates lots of disclosures that consumers don’t care about. This trend towards mandating more disclosures can be seen in the regulatory efforts towards spyware, yet it’s generally predicated on assumptions about consumer interests that are not validated by social science. In other words, the more disclosures made by software manufacturers, the less likely consumers can understand and appreciate them—yet the legislators and class action lawyers are forcing manufacturers to make more disclosures.

Therefore, while Ben’s report is another great contribution by him, it would have been even better if we could have a common understanding of a disclosure process that actually facilitates consumer interests as documented by the social sciences. Without that understanding, Ben’s observations don’t point us in a helpful direction.

(FWIW, I do plan to write a lengthier article on the topic of mandatory disclosures over the summer, so I will offer more concrete suggestions then).

Posted by Eric at 12:12 PM | Adware/Spyware , Licensing/Contracts

February 24, 2005

Another Follow-up on Microsoft Antispyware Misclassification

Another article on Microsoft’s antispyware tool blocking access to a Dutch search engine. See earlier posts #1 and #2.

Posted by Eric at 01:18 PM | Adware/Spyware

February 23, 2005

Fracas over iDownload C&D Letters

iDownload has been sending C&D letters to people who have characterized iSearch software as “malware” or “spyware.” See postings at Spyware Warrior and CastleCops. I’ve blogged on the misclassification problem before, and I remain deeply troubled that valuable software functionality will be prevented from coming to market in an overzealous pursuit of “spyware.” On the other hand, these C&Ds strike me as completely inappropriate. First, there are no well-accepted definitions of “spyware” or “malware.” Second, these characterizations may be protected opinions. See, e.g., Search King Inc. v. Google Technology, Inc., No. CIV-02-1457-M (W.D. Okla. Jan. 13, 2003) and Search King Inc. v. Google Technology, Inc., 2003 WL 21464568 (W.D. Okla. 2003). iDownload might consider spending its energies educating consumers rather than trying to conform discussion to meet its standards.

Posted by Eric at 12:44 PM | Adware/Spyware

February 22, 2005

More on Dutch Search Engine Lawsuit Against Microsoft

Michael Geist’s ILN reports that Microsoft has altered its software and issued an apology in response to the Dutch search engine’s lawsuit over being labeled spyware.

Posted by Eric at 10:21 AM | Adware/Spyware , Search Engines

February 21, 2005

Lawsuit Over Spyware Label

Microsoft sued for characterizing a Dutch search engine as spyware. See my previous post expressing concerns about Microsoft’s anti-spyware tool becoming the standard.

Posted by Eric at 02:56 PM | Adware/Spyware , Search Engines

February 18, 2005

Spyware, Researchware, Trackware, Greyware...What to Ware?

ClickZ’s Rob McGann reports that comScore’s tracking software has been on a spyware “rollercoaster.” CA called it spyware, then changed its mind, and has changed its mind yet again. comScore wants a new category for the software: “researchware.” Computer Associates did create a new category called “trackware,” which is still spyware to CA, and put comScore’s software in it. However, CA is kind enough to permit comScore to “appeal” the decision in CA’s private courtroom.

David Nason of eAcceleration calls trackware “greyware” (presumably because it’s neither black nor white?). He continues: “There is anti-spyware software that is arguably spyware. There is anti-spyware software that is not spyware that gets identified as spyware and removed by competitors. When it gets down to the consumer level, it's hard for people to know what to believe.”

Reading that quote makes my head hurt! Meanwhile, I’m proposing a new category called euphemismware.

UPDATE: Suzi has some fun with nomenclature--ultimately championing "sneakware."

Posted by Eric at 10:25 AM | Adware/Spyware

February 16, 2005

Ninth Circuit En Banc ruling in Gator.com v. LL Bean

Gator.com v. LL Bean, 2005 WL 351228 (9th Cir. Feb. 15, 2005). In 2001, LL Bean sent a C&D to Gator (now Claria). Gator responded by suing for a declaratory judgment. The district court dismissed Gator’s lawsuit for lack of personal jurisdiction over LL Bean. The Ninth Circuit reversed, and then granted an en banc rehearing.

So far, so good. Now things get weird. The parties brief the jurisdiction issue and make oral arguments. Then they reach a “confidential” settlement that “does not provide for the dismissal” of the Ninth Circuit appeal. The Ninth Circuit asks for a copy of the settlement agreement. The parties submit the agreement “under seal.” However, the Ninth Circuit learns that no court has ever agreed that the settlement was confidential. Therefore, the Ninth Circuit says “it is appropriate for us to disclose the settlement agreement's content because the outcome of our mootness inquiry hinges upon those specifics.”

Out goes the confidentiality seal. The Ninth Circuit proceeds to dish on the settlement terms:

Gator got a 3 month “wind-down” period where it could display up to 25 pop-ups per month over the LL Bean site. After that, the LL Bean site is off-limits to Gator. Gator also paid money (unfortunately not revealed) to LL Bean, and LL Bean waived all claims relating to the pop-ups.

Finally, the parties make a “side bet” on the 9th Circuit’s ruling. If LL Bean wins the ruling, it gets an extra $10k; otherwise no money is exchanged. Although the court’s discussion seems to suggest that other litigants have used side bets in the past as a way to preserve a lawsuit post-settlement, I find the approach uncomfortable. Gambling on the lawsuit’s outcome is illegal; why isn’t this?

The en banc majority concludes that LL Bean’s release of liability moots the appeal and dismisses the lawsuit. A minority would have let the lawsuit continue because the side wager was enough to provide an actual case or controversy. From my perspective, the majority got it right.

Of course, this leaves the adverse Ninth Circuit jurisdictional ruling against LL Bean as precedent.

Posted by Eric at 01:39 PM | Adware/Spyware , Trademark

House Subcommittee Approves SPY Act

The Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce has approved the SPY Act with a modification to clarify that cookies are not covered.

Posted by Eric at 12:50 PM | Adware/Spyware

February 15, 2005

Claria Goes Mainstream

Claria is planning to deliver ads by buying excess inventory and reselling the inventory at a higher price by using behavioral targeting. This seems to turn Claria into a pretty run-of-the-mill ad network. Is this a good thing or a bad thing?

Posted by Eric at 05:43 PM | Adware/Spyware

Microsoft Anti-Spyware Tool

Microsoft will be giving away its anti-spyware tools. I’m not sure this will be a good thing. Given the inherent subjectivity of the definition of “spyware,” the last thing I want is Microsoft making that decision for me. Do you Microsoft will be particularly quick to label software as “spyware” if it might also have the ancillary effect of competing with Microsoft’s offerings? It reminds me of the age-old dilemma: who watches the watchers?

Posted by Eric at 01:52 PM | Adware/Spyware

February 14, 2005

State Anti-Spyware Laws

Ben Edelman has put together this very helpful page on state anti-spyware laws.

Posted by Eric at 01:39 PM | Adware/Spyware

Goodlatte Reintroduces Anti-Spyware Law

Goodlatte has reintroduced his anti-spyware bill. As of today, I didn’t see a bill number yet. Compared to the other anti-spyware bills, Goodlatte’s bill was relatively inoffensive. The basic structure was to criminalize unauthorized placement of a software program on a computer to comment another federal criminal offense, obtain or transmit personal information, or impair the computer’s security protections. I find this relatively unobjectionable mostly because it seems to overlap substantially (completely?) with the Computer Fraud & Abuse Act. If anyone figured out what Goodlatte’s bill would criminalize that wasn’t already criminal under the CFAA, I’d be grateful to hear from you.

Posted by Eric at 01:10 PM | Adware/Spyware

"Rich Internet Applications" and Spyware

Bob Tedeschi runs a good article on “rich Internet applications.” This technology is a small applet that is downloaded to the user’s computer to facilitate getting the user to the right place. For example, the software will monitor a user trying to check out from an e-commerce site and will request a correction if the user types an invalid zip code. Using this technology dramatically improves checkout rates—the article cites how TJMaxx.com had 50% more customers complete the checkout process using this technology.

So far, so good. But isn’t “rich Internet applications” a synonym for “spyware”? The software is surreptitiously downloaded to the user’s computer, watches their every move and varies its content displays based on user behavior (including, in some cases, based on users’ personal data). Poorly drafted anti-spyware laws have the risk of making these types of programs illegal or heavily regulated (i.e., lots of disclaimers/additional screens of disclosures before the user can gain the benefit). As a result, these types of technologies expose exactly how regulators are out-of-sync with the market and consumer behavior. In the zeal to be the toughest on spyware, there’s a real risk the regulators will merely force us back to hard-to-complete e-commerce checkout processes.

Posted by Eric at 11:25 AM | Adware/Spyware

February 13, 2005

Avoiding Attention Distractions

Katie Hafner writes a good article on the difficulties we have avoiding distractions when we use our computer. It’s so true! There are so many temptations and messages competing for our attention. I know I struggle with this—there’s always something new going on somewhere in my of my email/web accounts, and it takes tremendous self-restraint not to prioritize those above more difficult/time-consuming but ultimately higher-value projects.

Katie talks about some of the technological efforts to prioritize computer-delivered announcements and alerts. If these efforts have any hope of succeeding, they need to learn our behavior and intelligently parse through a message’s contents. These intelligence-based efforts are exactly the type of technological developments that are threatened by the current emotional overreaction to spam and adware.

Posted by Eric at 10:23 AM | Adware/Spyware , Marketing , Spam

February 11, 2005

Ben Edelman's Response to My Post on Utah's Spyware Law

I got an email from Ben Edelman in response to my earlier posting on Utah’s anti-spyware law. If you don’t know Ben, you should. Ben has done some first-rate empirical research on the Internet, and I cited several of his research projects in my Internet search paper. Ben also is a leading crusader against spyware and adware, so we have crossed swords in the past.

Ben suggested that I overstated my argument that the proposed Utah amendments make adware illegal. Ben is right—I did overstate. As Ben reminded me, some types of adware are not covered, such as adware that delivers untargeted ads or that displays trademark-triggered ads on a delayed basis (he think this would not satisfy the “contemporaneous” requirement, though that may depend on judicial interpretation of the word).

While I may have gotten carried away in my earlier post, I think my core point stands. While some adware is not covered by the law, I think the law outlaws the only types that have commercial viability. For example, the law still allows adware displaying untargeted advertising, but who wants that? Most/all of the adware programs that delivered ads on a poorly targeted basis are dead—AllAdvantage is a leading example, but they are just one of dozens/hundreds of browser bars that failed. Consumers (and advertisers) have little interest in software that just throws up random ads. If that’s what the Utah law allows, gee thanks (for nothing)—there’s no one left in that space, and isn’t that a good thing?

Instead, consumers do want software that infers consumer interests through behavior. This is why trademark-triggering adware gets high clickthrough and conversion rates. This is also the wave of the future—in the future, software will try to read our minds through the words we type and our online activities. These types of useful software programs are precisely what the Utah amendment targets.

The more I think about this law, the more depraved I think it is. I did a thought exercise that clarified for me exactly why this law is so objectionable. Let’s start with a simple question. This law is basically a trademark law, so why doesn’t Utah just amend its state trademark laws instead of proposing a new law?

This would be easy to do. Utah could simply pass a law saying that a trademark “use” occurs when a trademark is used to trigger ads. This approach has a chance of surviving the dormant commerce clause. State trademark laws presumably aren’t immune from a DCC inquiry, but given the long-standing state regulation of trademarks, courts will likely be far more deferential about upholding a state trademark law than a sui generis law. Also, defining “use” would have a secondary “benefit” of giving plaintiffs the right to go after all types of trademark triggering, including search engines.

However, defining trademark “use” would still require plaintiffs to show likelihood of consumer confusion. But plaintiffs who would take advantage of Utah’s proposed law don’t want to be required to show consumer confusion because they probably can’t. Doesn’t this reinforce the problem with the proposed Utah amendments? The proposed law requires zero showing of consumer confusion. In fact, defendants lose under the law even if no consumer is ever confused about anything. As I mentioned before, this law applies even if consumers expressly and unambiguously want the software to trigger ads based on online behavior.

Even so, Utah could still use existing trademark law by saying that it is presumptively confusing to consumers to trigger ads based on third party trademarks. Doesn’t this accomplish the goal?

The short answer is no. Why not? Its principal advocates include 1-800 Contacts and Overstock.com—both companies with extremely weak “trademarks.” They do not want to rely on trademark law. They want protection for words/phrases that aren’t trademarks. This explains why the law covers “registered domain names” in addition to trademarks. Protecting domain names is the key to this bill—strike that, and there’s no reason why its advocates need this law. In other words, this law is really about creating sui generis property rights for the few Utah companies that chose weakly-trademarkable domain names.

As a result, this law isn’t about protecting consumers from software that harms their computer. This law isn’t about protecting consumer privacy. This law isn’t about protecting consumers from being misled when making purchases. This law is about taking choices out of consumer hands. This law is about restricting competition to increase profits for a few Utah companies. This law represents everything that’s wrong with our current legislative system.

Posted by Eric at 10:05 PM | Adware/Spyware , Trademark

February 09, 2005

More on Utah Spyware Law Amendments

I finally had a chance to look at the proposed amendments to the Utah Spyware Control Act. They are much worse than I imagined! The law talks about spyware but instead makes adware illegal in Utah--regardless of how the software is installed, any disclosures made by the adware vendor, and any consents given by consumers. In other words, a consumer may expressly and unambiguously want the software but the Utah law would deny them the opportunity to have it.

The proposed law represents a frontal assault on the use of keywords to deliver content to consumers. The law prohibits client software from using any trademark or domain name to trigger ads. As far as I can tell, the law permits any trademark owner to veto any sale of their trademark, regardless of context (i.e., Apple Computers could veto any ad triggered by the word Apple, even if the ad was selling fruit). To ameliorate this, the statute says: “This chapter does not preclude any person accused of violating this chapter from asserting any fair use or other defense that is available to persons alleged to have engaged in trademark infringement.” But I don’t understand how these defenses would work. Plaintiffs would not be suing for trademark infringement, so how can a defendant claim trademark law defenses? The law also protects against the use of non-trademarked domain names to trigger ads, so what trademark defenses are available against those?

The law gives a private cause of action to trademark owners but not consumers. This law is not about protecting consumers, and anyone who might claim otherwise is lying. This is pure anti-competitive protectionist rent-seeking behavior by a few trademark owners in Utah (like 1-800 Contacts and Overstock.com) using legislators as their shills. Shame on all of them.

Posted by Eric at 06:07 PM | Adware/Spyware , Trademark

February 08, 2005

Utah/Urquhart on an Anti-Spyware Crusade Again

Utah is reworking its anti-spyware bill. I need to see the legislation but this news report sounds ominous. It reminds me of the expert report from the LICRA v. Yahoo case, where the experts predicted that we would be bombarded with queries about our geography as we traipsed around the Internet, making Internet browsing far less seamless than it is today (and for some, raising troubling issues about privacy disclosures). Having recently looked at Washington’s proposed anti-spyware law, and wondering how that would survive the dormant commerce clause, I am dubious that any state-based anti-spyware effort will improve social welfare one bit.

Posted by Eric at 09:33 AM | Adware/Spyware

Search

Archives

Recent Entries

March 14, 2013

Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang

September 06, 2012

Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute -- Zang v. Zang

June 12, 2012

State Privacy Claims not Preempted by ECPA -- Leong v. Carrier IQ

October 14, 2011

Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore

February 10, 2011

Comparative Domain Name and Keyword Regulation Talk Slides

November 23, 2010

Wildcarding Subdomains Is OK; Reverse Domain Name Hijacking Isn't--Goforit v. Digimedia

April 06, 2010

Fourth Circuit: Email, ECF, and Domain Name Woes do not Excuse Failure to Respond to Summary Judgment Motion -- Robinson v. Wix Filtration

January 27, 2010

Utah May Repeal Its Spyware Control Act--SB 26

December 26, 2009

November-December 2009 Quick Links, Part 1

August 06, 2009

State of the Net West Recap

July 06, 2009

June 2009 Quick Links, Part 1

June 26, 2009

Anti-Spyware Company Protected by 47 USC 230(c)(2)--Zango v. Kaspersky

May 03, 2009

April 2009 Quick Links

April 12, 2009

Q1 2009 Quick Links, Part 4

March 04, 2009

Utah Trying to Regulate Keyword Advertising....Again!? Utah HB 450

February 24, 2009

Zango v. Kaspersky Ninth Circuit Oral Arguments

February 06, 2009

2008 Cyberlaw Year-in-Review

November 18, 2008

October 2008 Quick Links, Part 2

October 14, 2008

September 2008 Quick Links, Part 3

August 27, 2008

7Search Sues McAfee For Red Flagging It

August 20, 2008

Competitive Pop-up Ads Aren't Unfair Competition or Tortious Interference--Overstock v. SmartBargains

August 08, 2008

Affiliate Liability Extravaganza

July 01, 2008

June 2008 Quick Links

May 20, 2008

Zango Files Reply Brief in Zango v. Kaspersky

May 06, 2008

CDT Files Amicus Brief in Zango v. Kaspersky

May 01, 2008

Adware is Dead. Long Live Adware!

April 29, 2008

Kaspersky Files Answering Brief in Zango v. Kaspersky

April 09, 2008

Pro-Zango Amicus Brief in Zango v. Kaspersky

March 30, 2008

Zango's Brief in Zango v. Kaspersky Ninth Circuit Appeal

December 28, 2007

December 2007 Quick Links

December 13, 2007

Oct.-Nov. 2007 Quick Links, Part 1

November 21, 2007

Search Redirection Tool Could Be Trespass to Chattels--Burgess v. EForce

August 29, 2007

Anti-Spyware Vendor Protected by 47 USC 230(c)(2)--Zango v. Kaspersky

August 13, 2007

2007 Cyberspace Law Syllabus

August 01, 2007

July 2007 Quick Links, Part II

July 19, 2007

Advertiser Liability for "Contributory" Trespass to Chattels Redux--Burgess v. American Express

July 02, 2007

June 2007 Quick Links

June 06, 2007

SPY Act Passes House...Again

Zango Also Loses Kaspersky TRO Motion