Technology & Marketing Law Blog


June 11, 2013

Warranty Disclaimer in PC TuneUp's EULA Fails -- Rottner v. AVG

[Post by Venkat Balasubramani with comments by Eric]

Rottner v. AVG Technologies, 12-10920-RGS (D. Mass May 3, 2013) [pdf]

Rottner sued AVG Technologies on behalf of a putative class, alleging that AVG’s “PC TuneUp” product did not perform as advertised. Rottner alleged that PC TuneUp's advertisements claimed it would improve his computer’s performance; he downloaded a trial version, and later purchased a full version. In the process, he agreed to a “mandatory” end user license agreement.

According to Rottner, an update to PC TuneUp caused his computer to freeze, and because he had to reinstall his Windows operating system, he lost a bunch of files in the process. He asserted a variety of claims, including breach of express and implied warranties. AVG moved to dismiss. After getting a few preliminary procedural issues out of the way (Delaware law applied in accordance with the EULA; AVG US could not be held liable because the product was sold by AVG CZ and there was insufficient evidence to pierce the corporate veil), the court focused on the claims against AVG CZ.

Defendants argued that warranty claims should fail because those claims were pled under Article 2 of the UCC, and PC TuneUp was not a “good” under Article 2. Applying the “predominance” test, the court says that this is not a contract for services—AVG CZ did not design or develop the software in accordance with the customer’s specifications.

The UCC provides broader warranty protection than the EULA contained. While the EULA just said that the software would conform to the “applicable specifications,” the UCC says that a contract for sale is something “described,” and a disclaimer cannot neutralize a seller’s obligation with respect to a description. Therefore, PC TuneUp’s marketing statements that trumpet its functionality become part of a warranty that Rottner can rely on.

On the other hand, the court does say that AVG effectively disclaimed any implied warranties. The UCC allows for these disclaimers, and in this case, the disclaimer was clearly and conspicuously displayed.

Finally, the court allows Rottner’s fraudulent inducement claim to proceed as well. He cited to marketing copy that said PC TuneUp would “boost internet speeds” and “eliminate freezing and crashing,” and these claims were contradicted by the assessment of Rottner’s forensic expert. The expert said that the software routinely served up “numerous and severe errors regardless of the health of the computer, and never recommends anything other than the weekly scans.”

__

As we've known for a long time, UCC Article 2 is not a great fit for something like downloadable software, but this case reminds us that it very well could apply. Among other things, application of Article 2 may tend to constrain the typically robust disclaimers in typical EULAs. On the plus side, the court did uphold the choice of law provision in the EULA, so to the extent there are jurisdictions that allow parties greater latitude in implementing disclaimers and other terms, they may be well served to put some thought into the choice of law issue.

A final note is that blowback seems to be an inevitable consequence of marketing copy (here, statements regarding PC TuneUp’s benefits). I suppose this goes without saying, but claims made by a company that touts its own product will almost always end up haunting it in some way.
___

Eric's Comments: For as long as I've been practicing, we've struggled with the interplay between software and UCC Article 2. Is software a good, a service, or a tertium quid? See, e.g., the Second Circuit's Specht v. Netscape opinion by Judge Sotomayor, which explicitly sidestepped this issue in a long footnote. UCC Article 2B and UCITA were supposed to resolve this, but their failures left us with a known unresolved ambiguity. I've always taken the position that UCC Article 2 probably applies to software, whether delivered via physical media or downloaded electronically, even though there is no physical "good" in the case of downloaded software. As a result, I draft software license agreements optimized for Article 2.

Once we know Article 2 applies to downloaded software, this opinion seems pretty straightforward. Under Article 2, EULA warranty disclaimers can't trump express warranties but can erase implied warranties. Thus, a software lawyer drafting a EULA must also review the client's ad copy to see if any express representations are inconsistent with the EULA's attempts to manage risk.

To me, the most interesting aspect of this case is that it involves software designed to "clean up" your hard drive. We've blogged on others in this niche before (e.g., Ascentive), and I have yet to develop enough confidence in any provider that I would trust them with my computer.

[image credit: Shutterstock / Erwin Cartoon -- image of a cartoon character with a wrench]

Posted by Venkat at 11:24 AM | E-Commerce , Licensing/Contracts



June 05, 2013

Craigslist's Anti-Consumer Lawsuit Threatens to Break Internet Law--Craigslist v. 3Taps/Padmapper (Forbes Cross-Post)

By Eric Goldman

Craigslist, Inc. v. 3Taps, Inc., 2013 WL 1819999 (N.D. Cal. April 30, 2013)

Craigslist is one of the best examples of the Internet’s sharing economy.  Craigslist improves markets by helping buyers and sellers find each other.  Remarkably, it offers most of its matchmaking services for free, reducing transaction costs to matching buyers and sellers and expanding the zone of potential matchmaking.

Given all of the ways Craigslist makes our lives better, I find it disheartening when Craigslist takes steps that aren’t clearly in their users’ interests--especially when Craigslist initiates a lawsuit (as opposed to defending lawsuits brought against it).  Craigslist displays a mean streak as a plaintiff.  Worse, Craigslist demonstrates zero sensitivity to the potential adverse consequences to Internet law from its litigation.

Craigslist’s lawsuit against 3Taps, Padmapper and Lovely is one of Craigslist's overreaching anti-consumer lawsuits.  Padmapper, for example, offered a service that enhanced the searchability of Craigslist’s listings—a valuable and user-friendly complement to Craigslist's weak searchability.  Yet, Craigslist technologically attempted to shut down these useful-to-consumer services; when that failed, Craigslist went to court.

In late April, the court issued a ruling largely refusing to dismiss Craigslist's lawsuit.  This ruling is not only bad for consumers, but it is bad for Internet Law—in the sense that Craigslist is creating legal precedent that other websites can use in the future for anti-competitive/anti-consumer purposes.  Some of the opinion's most troublesome conclusions (note: for this ruling, all inferences were drawn in Craigslist's favor):

* Craigslist properly stated a claim for violations of the Computer Fraud & Abuse Act because it sent the defendants “cease-and-desist” letters and IP address-blocked 3Taps (who allegedly supplied Craigslist data to the others).  This ruling bends basic legal principles.  Cease-and-desist letters are often the sender's wish-lists, so it's odd to see the court treat the letter's requests as legally binding obligations.  Furthermore, the defendants other than 3Taps didn’t take data from Craigslist’s servers (3Taps did), yet somehow they are still facing potential liability for misusing Craigslist’s servers.  Does this mean Craigslist (and other server operators) can control data that is housed on its servers but it doesn't own, even if the data isn't gathered from its servers directly?  If followed in other cases, this ruling could have profound effects on data movement on the Internet.  (This is a good example of why I generally object to the Computer Fraud & Abuse Act as a server protection statute).

* The court also let the common law trespass to chattels claim survive on the bare unsupported assertion that the defendants had consumed some of its chattel’s capacity—exactly the kind of non-injury that the California Supreme Court rejected in Intel v. Hamidi because broad trespass to chattels doctrines threaten the Internet's architecture (after all, we necessarily use other people's computers as part of using the Internet).

* the court said that Craigslist successfully acquired an exclusive license to the copyright in users’ advertisements for a short period of time, and thus Craigslist could enforce that copyright interest.  It’s a terrible and anti-competitive practice for a classified advertising website to claim exclusive copyright interests in its advertisers’ ad copy.  Read literally, advertisers violate Craigslist’s copyright interests by displaying their ad copy at any other online publication.  Want to simultaneously post a photo of an item for sale on eBay and Craigslist?  Craigslist's position is that you would infringe its copyright by doing so.  It's like NBC saying that advertisers must prepare unique commercials that can't run on ABC, CBS or Fox.  Could you imagine the TV networks trying such stunts with advertisers?

Further, advertisers want buyers for their goods and services, so generally it benefits advertisers for their advertising to reach as many buyers as possible.  Here, the court green-lights Craigslist’s efforts to restrict the widespread dissemination of its advertisers' ads and circumscribe the potential buyers who see the ads.  This doesn't benefit either the advertisers, the other publications that would republish the ads, or potential buyers who don't get to see the ads.  The only "winner" in this scheme is Craigslist.

* the court says that Craigslist could claim a separate copyright interest in its taxonomy for ads, which is organized “‘first by geographic area, and then by category of product or service,’ with these categories organized in ‘a list designed and presented by craigslist.’”  Normally, copyright law does not protect a thin and obvious taxonomy based on geography and product categories, and the court’s willingness to do so here likely will encourage other anti-competitive efforts to protect taxonomies.

This ruling reminds me of the dreadful 2007 ruling in Ticketmaster v. RMG, where a court spanked a ticket broker for using automated means to jump the electronic buying queue and snap up scarce tickets to the inexplicably popular Hannah Montana/Miley Cyrus concert.  To reach the result it wanted, the court twisted and contorted a half-dozen Internet law doctrines, leaving a jurisprudential mess in its wake.  Similarly, even if subsequent opinions in the 3Taps case reach more sensible results, last month's initial ruling paves the way for more problems for the entire Internet community.

Posted by Eric at 09:50 AM | Copyright , E-Commerce , Licensing/Contracts , Marketing , Trespass to Chattels



May 09, 2013

Yahoo's User Agreement Fails in Battle Over Dead User's Email Account--Ajemian v. Yahoo

[Post by Venkat Balasubramani]

Ajemian v. Yahoo!, 12-P-178 (Mass. Ct. App. May 7, 2013)

This is a very interesting dispute that raises the question of ownership over digital assets after a person’s death.

Plaintiffs, John Ajemian's (the decedent's) executors and siblings, sued to declare his estate owner of email messages he sent and received via his Yahoo! account. Prior to filing suit, they tried to negotiate with Yahoo! to get access to the account, among other things, to notify friends of John’s death and service arrangements, and to organize and administer John’s assets. Yahoo! co-operated in providing basic subscriber information as part of an initial lawsuit, but Yahoo took the position that the Stored Communications Act barred disclosure of the message contents. A probate judge dismissed the complaint, finding that the forum selection clause required the lawsuit to be brought in California. The appeals court reverses.

Were the contract provisions reasonably communicated to the end user: On the core question of whether the online agreement is enforceable, the court says that Yahoo!’s terms should be enforced under the standards of any other agreement. The key question is whether the terms had been reasonably communicated to the end user. The terms had been amended to add a no third-party beneficiary and a “no-survivorship” clause. The court says the record is unclear as to how the initial terms, and the revised terms, were communicated to users. Because of the lack of clarity in the record on this issue, Yahoo! is not entitled to dismissal based on the forum selection clause, or based on other terms that would limit the estate's rights vis-a-vis the account.

Is the forum selection clause enforceable against the administrators?: Even assuming the terms and revisions were adequately communicated to the decedent, the court says that it would be unreasonable to enforce the forum selection clause against his estate administrators. The administrators are not parties to the agreement, which references the singular “you” in describing the counter-party to Yahoo! The decedent was domiciled in Massachusetts, and probate courts in the State of Massachusetts have a strong interest in resolving ownership questions over a resident decedent’s assets. Because the lawsuit involves a narrow issue about the contents of the account, Yahoo!’s interest in having the lawsuit resolved in California is not as strong as it otherwise might have been (e.g., if the lawsuit was about Yahoo!’s services). The court also says that the forum selection clause is overly broad, and as written requires any suit between a subscriber and Yahoo! to be brought in California.

(The probate judge concluded that Res Judicata barred the second complaint which sought the contents of the email; the appeals court reverses on this question as well.)

__

An interesting factual backdrop to the case is that as the court notes, one of the administrators actually helped the decedent set up the account and may have even “shared” the account with the decedent. (Unfortunately, he did not remember or have the password.)

The merits are a veritable thicket. Does the Stored Communications Act allow an estate to grant consent on behalf of the decedent? Earlier cases involving Facebook address the waiver issue, but none really resolve it. (Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK; "Court Orders Facebooking Juror to Disclose Additional Facebook Posts--Juror No. 1 v. Superior Court".) There's also the distinction between copyrights in the communications and ownership of the account (i.e., the "chattel"). While the estate probably owns the copyrights to the account contents, this does not mean that it can force Yahoo! to provide access to the account itself.

It's worth looking at what (if anything) Yahoo! could have done differently here.

1. Better contract amendment process: It's tough to say definitively whether the terms of service may be vindicated down the road, but the court’s approach to the terms of service issue reflects a fair amount of skepticism towards online agreements. While the court pays lip service to the fact that online agreements should be treated the same as any other contract, the court engages in some judicial contortion to not enforce the contractual terms. I'm not sure Yahoo! could do much more on this front to change the result here. On the other hand, Yahoo!’s terms contain the unfortunate “we can amend this agreement without providing you notice” language that companies would be wise to avoid.

2. Interplead the contents: Could Yahoo! have deposited the emails in the court’s registry and just have abided by the court’s decision? I'm not sure the Stored Communications Act envisions this, but it's not a great alternative for Yahoo! anyway. On a long term basis, this would mean that it will have some administrative involvement in far-flung jurisdictions.

3. Create a mechanism to allow users to control the fate of their accounts post-death: Google recently offered an “Inactive Account Manager,” that lets people designate what happens to the accounts when they pass. (See Kash Hill’s post: “Will You Use Google's Death Manager To Let Loved Ones Read Your Email When You Die?”.) This sounds like a good solution, although it requires an investment of resources on Yahoo!'s part.

Yahoo! could have, per its terms of service, merely deleted the content altogether, but it took a relatively consumer-friendly approach and preserved the contents. Unfortunately, as a result, it's now embroiled in an ongoing dispute in probate court in Massachusetts.

Related posts:

Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK

[image credit: Shutterstock / JMiks - "Login Box"]

Posted by Venkat at 08:52 AM | E-Commerce , Licensing/Contracts , Privacy/Security



April 05, 2013

First Sale Doctrine Doesn't Allow Resale of Digital Songs – Capitol Records v. ReDigi

[Post by Venkat Balasubramani, with comments from Eric]

Capitol Records, LLC v. ReDigi Inc., 2013 WL 1286134 (S.D.N.Y. Mar. 30, 2013)

[There has been a recent whirlwind of copyright activity in the courts. We will try to get caught up soon!]

ReDigi looks like a law professor’s exam question that sprang to life. The basic question involves the legality of a marketplace for digital music files. Unfortunately for ReDigi, the court is not very sympathetic to its enterprise, and the court grants Capitol’s request for summary judgment. I expect an appeal will be forthcoming.

Background: ReDigi put some good energy into architecting its service to try to avoid infringement. It only allowed for re-sale of certain files, and more importantly, took steps to ensure that only one user could enjoy a particular song at any one time--it made sure that if you sold a track, the computer did not contain extra copies of this track. Although it wasn’t foolproof (the system did not detect whether you retained copies of your track elsewhere), it did prompt you to delete any versions of a song on the particular computer that’s interfacing with ReDigi; and if you declined, it would terminate your account. Sounds pretty carefully structured to me.

Reproduction and Distribution: The court says ReDigi trips over the fact that it must make a copy in order to transfer files between people who trade them. ReDigi tried a bunch of analogies to say that a copy-less transfer occurred, but the court is not sold:

ReDigi asserts that the process involves ‘migrating’ a user’s file, packet by packet – analogous to a train . . . the device was [also] likened to the Star Trek transporter – “Beam me up, Scotty” – and Willy Wonka’s transportation device, Wonkavision.

(James Grimmelmann has an excellent post deconstructing these fictional technology references).

Although the court notes that it’s not aware of any authority dealing with the scenario where digital files are transferred and only one copy exists before and after the transfer, the court says that what occurs through ReDigi’s platform is a “reproduction within the meaning of the Copyright Act.” The court says this reading is supported by the plain text of the Copyright Act (that says reproduction occurs when the work is fixed in a new “material object”) and the legislative history. [The ruling contains a very interesting discussion around the semantics of “reproduction” that is worth reading. As usual, I wasn’t totally sold one way or the other.]

The court also agrees with Capitol that, in addition to the unauthorized reproduction, the sale via ReDigi also implicates the distribution right. Absent an affirmative defense, the court says that there would also be an unauthorized distribution.

No Fair Use or First Sale Defenses: The court applies the fair use factors and says ReDigi comes up short. There’s no transformation of the works (songs). The entirety of the work is copied, and conceivably this will affect the market for new works. Interestingly, the court says that reproduction incident to a sale is what falls outside fair use, but it does not discuss reproduction that may occur in similar contexts such as lending or trading (that may be closer to fair use).

The court also says that ReDigi cannot take advantage of the first sale doctrine. The court starts out by saying that first sale only insulates ReDigi against distribution and does not protect against reproduction. (This is splitting hairs, I think. To the extent there is a first sale defense, any reproduction incidental to it could plausibly be considered fair use.) At any rate, here is the crux of the court’s conclusion on first sale:

the first sale defense is limited to material items, like records that the copyright owner put into the stream of commerce. Here, ReDigi is not distributing such material items; rather it is distributing reproductions of the copyrighted code embedded in new material objects, namely, the ReDigi server in Arizona and its users’ hard drives. The first sale defense does not cover this any more than it covered the sale of cassette recordings of vinyl records in a bygone era.

The court also cites to a 2001 report from the Copyright Office on the DMCA Act that rejected application of first sale to digital works.

Derivative Liability: The final issue was whether this all added up to liability for ReDigi.

First, the court says that ReDigi is directly liable. According to the court, ReDigi’s service was designed to only sell copyrighted work, and therefore, even though ReDigi wasn’t the one doing the copying and distributing, it could be held liable directly for the copying and distribution that takes place via its product.

Second, the court says that ReDigi is liable under vicarious and contributory theories. With respect to contributory liability, the court says that ReDigi was amply aware of the legally grey aspects of its business (its investment offering documents said as much). It also contributes materially by participating at many steps in the process. Finally, the service is not capable of non-infringing uses, the court says. The court comes to the same conclusion on the vicarious infringement question, saying that ReDigi had “complete control” over its users' activities and it financially benefited from every single sale.

__

Wow, this is a packed ruling! There is a lot to digest from this one, but a few quick notes.

First, the court footnotes a very interesting point (fn. 3): apparently ReDigi launched new software during the pendency of the litigation that would house material downloaded directly from iTunes and allow later purchasers to access it from the same location. The court declines to consider the legality of this service, but it certainly offers a possible path forward for services such as ReDigi. This also raises the question that if something like this could be accomplished and was plausibly non-infringing, at least from the standpoint of a reproduction right, does it really make sense to ding ReDigi because it accomplished the same thing through other means?

Second, where was the DRM? ReDigi offered iTunes files, but I missed the boat that iTunes decided to offer music that was not tied to a particular device that you had registered. As Eric noted in his post about Kirtsaeng, one of the reasons why the first sale win in that case may be pyrrhic is that digital media will be subject to the whims and fancies of DRM. It's interesting that a big category of digital content is offered without DRM. I wondered about what contractual restrictions were in place (both as between iTunes and the user and the copyright owner and iTunes). It's also strange that music is offered DRM-free (at a higher price), but then you can't legally transfer it anyway.

Third, there’s no discussion of the DMCA at all in this ruling. Maybe I'm missing something foundational, but I would have thought ReDigi would have at least tried to assert a defense based on DMCA safe harbors. The court would have probably rejected the defense (or taken the muddled route the 9th Circuit took in the Fung case), but it was still interesting to see the DMCA not figure in the discussion at all.

The court downplayed any discussion of whether there were underlying infringements by ReDigi's users. I also found much of the court’s core conclusions overly formalistic, but then again, the copyright rules are formal in many respects, particularly the rules that govern sound recordings and phonorecords. The court seems to do a fairly close reading of the statute and legislative background. It’s tough to fault the court’s order for its core conclusion that a transfer via ReDigi requires a reproduction, although there is room to disagree with it.

Finally, the court’s discussion on direct and indirect infringement was also not totally persuasive. Outside the P2P / inducement context, it’s rare to see a court find that a site or service should be held liable directly for the infringements that take place on its system. This is one example. The 9th Circuit opinion from Fung that we hope to post about soon is another example.

Either way, services have previously tried to crack the "how to transfer copyrighted tracks online" puzzle and have failed. (See, the MP3Tunes case.) As Eric highlights below, it may be safe to assume that there is no first sale right when it comes to digital goods. Surprisingly, even without contractual restrictions in place, you may be fairly limited in what you can do with digital music.
_____

Eric's Comments: I admire the pluck of entrepreneurs who launch businesses that face significant legal risk based on their basic architecture, but ReDigi's legal fate was predictable if unfortunate. The bottom line is that there's no digital first sale right, and I don't think the statutory language provides any colorable basis to argue in favor of it. So I think ReDigi has been legally doomed from the beginning. I wish there were a digital first sale doctrine, and I admire ReDigi's attempts to remanufacture some of the attributes of physical chattel for the digital world, but the judicial system is a poor place to make a last stand on something that contradicts the statutory language so clearly.

Venkat raises a good point about 512(c)--could ReDigi have found greater success positioning itself as an eBay/Amazon-style marketplace for user-to-user transactions of digital files? I can't imagine a 512(c) defense would succeed if the users never had the right to resell song files and ReDigi takes a cut of the transaction, but that defense would have been no less meritorious than the digital first sale argument.

In the end, this case provides a good cautionary tale for us as consumers. PAY LESS FOR DIGITAL SONGS AND MOVIES than you would pay for CDs and DVDs because the digital files are intrinsically worth less over their lifetimes. Protip: before buying a digital song or movie, I check eBay and Half.com to see how much it costs to buy the same CD or DVD used. Even with shipping, it's surprising how often the used good is cheaper than the digital file, and I get a better bargain by also preserving my first sale rights.

I commend reading James Grimmelmann's article--a delicious mix of fandom silliness and deep philosophical musings.

Just a reminder: in 2010, the High Tech Law Institute held a full-day academic symposium on the First Sale Doctrine, and it might be worth checking out some of the materials generated in connection with that event.
_____

Other coverage:

James Grimmelmann's article
Aaron Sanders
Wendy Davis/MediaPost

Related posts:

Ninth Circuit's Mixed Opinion in Glider/WoW Bot Case -- MDY Industries v. Blizzard
Software Vendor Trumps First Sale Doctrine via License--Vernor v. Autodesk
UMG Can't Enforce "Not for Sale" Restrictions on Promo CDs -- UMG v. Augusto
The Supreme Court's Kirtsaeng Ruling Is Good News for Consumers, but the First Sale Doctrine Is Still Doomed--Kirtsaeng v. John Wiley

[image credit: Shutterstock/wongwean - "handdrawn music element"]

Posted by Venkat at 09:45 AM | Copyright , Derivative Liability , Licensing/Contracts



April 04, 2013

Online Trespass to Chattels Needs Structural Reform (Forbes Cross-Post)

By Eric Goldman

In light of Aaron Swartz's tragic suicide, there has been a lot of discussion--some productive, some not--about reforming the Computer Fraud & Abuse Act (the "CFAA").  I support some of the reform proposals, but they don't go far enough.  Initially, the CFAA banned hacking, but over the years, it has morphed into a general restriction against online trespass to chattels.  In this post, I'll explain why--and how--the concept of online trespass to chattels should be eliminated from the CFAA and analogous state law doctrines.

The Current Law of Online Trespass to Chattels

Trespass to Chattels Offline.  "Chattel" means tangible personal property, as opposed to real property like real estate or intangible assets like intellectual property.  Colloquially, we often refer to chattel as our "stuff."

In the offline world, a chattel owner has the exclusive right to possess the chattel.  If someone permanently takes someone else’s chattel, we call this “theft" or "conversion," and we punish it both civilly and criminally.

Chattel interferences less significant than theft/conversion, such as temporarily depriving the chattel owner of possession (e.g., taking someone else's car for a "joyride"), may be actionable as “trespass to chattel.”  Trespass to chattels is a venerable doctrine (it dates back centuries), but it does not apply to all interactions with someone else’s offline chattel.  The owner must show some damage from the interference.  Petting someone's dog (pets are chattel) or touching someone's car with your finger may technically interfere with the chattel, but typically it's not actionable as a trespass because the chattel owner hasn't suffered any harm.  The requirement that the chattel owner show some harm differs from trespass to real property, which in contrast can occur merely by a person's unauthorized presence even if the owner has experienced no other damage.

Trespass to Chattels Online.  The Internet operates by passing bits of data over computer equipment, such as servers, routers and cables.  All of that equipment is owned by someone.  In other words, Internet data moves over a network of privately owned chattel.

Over the years, legislatures and the courts progressively have treated the unauthorized movement of data bits over someone else's chattel as a "trespass" of that chattel--an activity I'll call "online trespass to chattels."  For example, many states have enacted computer crime laws that restrict unauthorized use of Internet and telecommunications equipment.  In 1997, in CompuServe v. Cyber Promotions, a federal district court held that sending spam to a third party’s email router constituted trespass to chattels under the common law (common law is judge-made law, not enacted by a legislature).  Many subsequent courts have embraced that precedent.  And over the years, Congress has progressively expanded the Computer Fraud & Abuse Act so that it has become, in effect, a federal prohibition on trespassing someone else’s Internet equipment by sending data to it or taking data from it.  With respect to the CFAA and some state computer crime laws, we punish violations both civilly and criminally.

All of these legal doctrines (the CFAA, state computer crimes, common law trespass to chattels) require that the online chattel owner show that the defendant's activity was unauthorized and that the owner suffered some damage from the defendant’s use of the chattel, but the legal standards differ somewhat between the doctrines.  In practice, the required damages showing is often trivial.  For example, both the CFAA and California’s computer crime law count the chattel owner’s efforts to prevent the defendant’s usage as actionable damage--and in California's case, no further showing of harm to the chattel owner is required.  Effectively, simply making unauthorized use of a third party's Internet-connected chattel violates the state computer crime law.  Some parts of the CFAA require a higher quantitative showing of damages, but many cases easily clear that threshold.

Rethinking Online Trespass to Chattels

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making.  Unfortunately, I think the experiment has failed completely.  The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved.  The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn't worked for at least three reasons.

Connecting to the Internet.  When a chattel owner affirmatively connects its chattel to the Internet, we might presume that the owner wants to exchange data via the Internet.  Of course, not all Internet data exchanges will be welcome; the chattel owner may have security restrictions on who can access some or all of the chattel, and no website wants to be overwhelmed with bogus exchange requests (i.e., denial-of-service attacks).

Acknowledging those caveats, we ought to legally presume that Internet-connected chattel is intended to exchange data with other Internet users.  If we start with this presumption, the chattel owner can “bargain” with other Internet users to restrict their usage through a contract specifying permitted and unpermitted uses.  Current online trespass to chattels doctrines contemplate this bargaining process, but the laws often let websites communicate their usage restrictions on obscure web pages that most people won't see.

Chattel owners also can use technological controls, such as security measures, to restrict unwanted chattel usage.  For example, websites often use “rate limits” to throttle the amount of data that can be gathered from the website during a specified time period and “IP address blocks” to restrict website access by specified computers.

Given that chattel owners can easily restrict how their Internet-connected chattel is used, they should bear the onus to take the contractual or technological steps to do so.  Otherwise, society incurs significant transaction costs for individual users trying to determine their rights to interact with Internet-connected chattel, and overly protective legal doctrines create border cases where users engaged in socially beneficial conduct nevertheless unintentionally commit legal violations.

(Side note for economics buffs: the Coase Theorem says it doesn’t matter where we set the property entitlement so long as there are no transaction costs.  I favor giving the entitlement to Internet users because (a) the chattel owner chose to connect to the Internet, and (b) it's cheaper for the chattel owner to bargain back for the rights).

Unintended Consequences.  Online trespass to chattels now reaches scenarios far beyond the hacking scenarios, sometimes in farcical ways.  Three examples of troubling applications of online trespass to chattels:

* because virtually every employee uses computers at work and some employees download company data onto their personal devices, employers now routinely assert CFAA violations against ex-employees.  This illustrates the CFAA's scope creep; the CFAA wasn't designed to apply to ordinary employee activities, but sloppy and expansive drafting enables that possibility. Fortunately, courts have balked at this trend (see, e.g., Nosal and WEC).  I still favor punishing rogue employees, but online trespass to chattels is not the way to do it.

* websites may assert online trespass to chattels when a third party's automated script gathers information from their website (a process sometimes called “scraping” or “spidering”).  Technically, search engine spiders commit online trespass to chattels when they access a website without permission, although we don’t often see cases asserting that.  Instead, more typically we see anti-competition lawsuits, including efforts to thwart price competition or shut down third party developers who enhance a website's functionality (such as Craigslist's and Facebook's crackdowns).

* Lori Drew’s CFAA prosecution over Megan Meier’s suicide due to Drew’s use of a fake MySpace profile.  To establish the CFAA violation, the government (unsuccessfully) argued that MySpace was the victim of Drew’s ruse because she lied to them when she created her online account.  The government's theory threatened to make virtually every Internet user a criminal because Internet users routinely fib during online account registration processes.

Doctrinal Overlap.  In many situations currently covered by online trespass to chattels, at least one--and often numerous--other legal doctrines already apply.  For example, trade secret law already applies to employees who walk out the door with a company’s confidential information, whether the confidential information is analog or digital.  Copyright law already applies to search engines republishing copyrighted material they scrape.  MySpace could have brought a breach of contract claim against Drew for violating its user agreement (if it cared).

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis.  Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant.  These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

Reforming Online Trespass to Chattels

Lawmakers aren't very good at acknowledging when their legal experiments fail (Tim Wu discusses this point more).  But if lawmakers honestly judge the results of their online trespass to chattels experiment, they should:

1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online.  Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

Obviously, these proposals are dramatic, but they are in keeping with my goal of eliminating the legal concept of online trespass to chattels.  Even if we do that, chattel owners are hardly defenseless.  They can still take advantage of a panoply of other legal doctrines, they can still use (properly formed) contracts to bargain back the rights from users, and they can still use technological controls.   As a result, these proposed changes will end the adverse consequences from the online trespass to chattels experiment while letting chattel owners prevent socially disadvantageous online usage of their chattels.

[Photo Credit: A "Private Property" sign in a field in rural North Yorkshire // ShutterStock]

Posted by Eric at 09:21 AM | Licensing/Contracts , Search Engines , Trade Secrets , Trespass to Chattels | TrackBack



March 26, 2013

The Supreme Court's Kirtsaeng Ruling Is Good News for Consumers, but the First Sale Doctrine Is Still Doomed--Kirtsaeng v. John Wiley (Forbes Cross-Post)

By Eric Goldman

Kirtsaeng v. John Wiley & Sons, No. 11–697 (U.S. Supreme Court March 19, 2013).  Prior blog post of the Second Circuit ruling in the case.

In Kirtsaeng v. John Wiley & Sons ($JW-A), the U.S. Supreme Court ruled that U.S. copyright law doesn't restrict the importation of legitimate copyrighted works manufactured and sold overseas.  As a result, publishers cannot use U.S. copyright law to enforce their price discrimination schemes of pricing copyrighted works on a per-nation basis.

This ruling is a legal victory for U.S. consumers, who should see cheaper prices in the short run.  This ruling is also a win for museums, libraries and other institutional collectors of copyrighted works, who face less risk now when acquiring copyrighted works (especially those initially sold overseas).  Still, amidst the good news, it's impossible to ignore the rapid and probably irreversible demise of copyright's First Sale doctrine, meaning this legal victory is likely short-lived at best.

What Happened

In 1998, the U.S. Supreme Court decided Quality King Distributors, Inc. v. L’anza Research Int’l, Inc., 523 U. S. 135 (1998), holding that a copyrighted item manufactured in the U.S. and initially sold outside the U.S. could be legally imported back into the U.S. pursuant to copyright's First Sale doctrine (17 U.S.C. 109) and without violating the copyright owner's importation right (17 U.S.C. 602).  The Quality King court expressly declined to resolve the much more common situation where the copyrighted item was initially manufactured overseas and then imported into the U.S.

That well-known issue has remained legally ambiguous for 15 years.  The 2010 Costco v. Omega case squarely raised the issue, but the court deadlocked at 4-4 (Judge Kagan recused) and didn't definitively resolve the issue, necessitating the court to revisit the issue just 3 years later.  The legal interplay between the First Sale doctrine and the importation right vexes the courts because Congress' poor statutory drafting supports at least two different but equally plausible interpretations of its language.  Courts often produce inconsistent results and split opinions in those situations.

The Kirtsaeng court concluded that Quality King didn't apply only to copyrighted goods manufactured domestically.  Instead, copyright's First Sale doctrine--allowing the unrestricted resale of legitimate copyrighted goods after they are first sold into the market--applies regardless of where the goods are initially made or sold.  This means copyright owners can't prevent goods sold in cheap markets from competing with the same goods sold in higher-priced markets.  With the emergence of efficient online retail markets such as eBay ($EBAY), a textbook publisher who sells a low-priced book in Thailand won't be able to sell the same textbook in the U.S. market for a much higher price.  The pricing gap will allow arbitragers to buy the books in Thailand, resell them via eBay or textbook e-tailers, and still make a profit even after shipping and taxes.  Thus, a copyright owner's trans-border price competition with itself will jeopardize the now-common international price discrimination schemes.

Why the First Sale Victory Will Be Short-Lived

It's hard to be too sympathetic to publishers deploying international price discrimination.  Culturally, U.S. consumers intuitively oppose price discrimination; and U.S. consumers are paying higher prices due to price discrimination against them.  Still, to the extent that price discrimination helps put more money overall in publishers' hands, the current price discrimination schemes (in theory) have been encouraging publishers to publish more content, so without international price discrimination, at the margins some of that content will go unpublished.  At least, that's the story copyright owners like to tell.

Don't cry for publishers just yet.  Copyright's First Sale doctrine has become increasingly less useful to consumers over the past couple of decades due to changes in technology and business practices, and I anticipate this ruling will accelerate the trend.  Some of the ways publishers may strike back without seeking any changes to the law:


  • Localization.  Publishers can localize their offerings for local markets such that different countries' versions can't substitute for each other.  For example, if John Wiley releases a Thai-language textbook, it won't be very interesting to most U.S. consumers.  Publishers have numerous other ways of localizing copyrighted works (beyond translations) to restrict trans-border substitutability.

  • Versioning.  Publishers can quickly issue new editions of their works that moot prior editions.  We're already seeing this in the textbook market.  Publishers are increasingly releasing new textbook editions on a 3-year (or even 2-year) schedule to eliminate competition with used books.

  • "Shrinkwrapping."  Instead of relying on copyright law, publishers can try to impose and enforce contract restrictions on resale.  It's clear that software can be sold subject to a contract that restricts transfer (see Vernor v. eBay), but it's less clear if the resale of other physical items containing copyrighted works--such as books, CDs or DVDs--can be restricted by copyright law.  The seminal Supreme Court case Bobbs-Merrill Co. v. Straus, 210 U.S. 339 (1908) could be read to say that such shrinkwrapped contracts are ineffective, but I consider that issue legally unresolved.

  • Geographic Coding.  Publishers can encode electronic media in geographic-specific technical formats.  For example, DVDs currently have "region codes" that do not permit DVDs sold in one region to be played on equipment built for another region.

  • Tethering/DRM.  Increasingly, physical versions of copyrighted works are "tethered," i.e., they require an interaction with a central server to operate.  For example, with some videogames and software, consumers need to input an "unlock code" to access the game or software; and the unlock code can be limited to the initial buyer or to a particular machine in a way that restricts transfer.  Even textbooks may be subject to tethering if they have an integrated online component, which is increasingly the case.


Even without any of those efforts, the long-term movement from publishing content in physical items to electronic publication has been effectively shrinking the importance of copyright's First Sale doctrine.  There is no "digital" First Sale doctrine, meaning that a buyer of an electronic file cannot resell or transfer "possession" of that electronic file under the First Sale doctrine.  So as consumers buy fewer physical copies of copyrighted works and more electronic versions, consumers implicitly forego the First Sale rights associated with the physical goods.  Plus, as fewer physical goods enter the market, the copyright owner feels less price competition from them.

In addition, copyright owners might assault the First Sale doctrine legislatively.  One possibility is that publishers will simply ask Congress to statutorily reverse the Kirtsaeng opinion.  More likely, publishers will advance their interests via negotiations over international treaties or Free Trade Agreements (FTAs).  Coordinated special interests can game international negotiations more easily than Congress--the publishers have direct financial payoffs from participating in the process, while the interests of consumers, libraries, museums and other "buyers" are more diffuse.  Anticipate more publishers showing up at the negotiations, and don't be surprised if publishers overturn the Kirtsaeng decision without ever approaching Congress directly.

So, as a content consumer, enjoy the upcoming price competition while it lasts.  The First Sale doctrine is dying rapidly, and we as consumers are becoming poorer as that happens.

Some Related Materials

* In 2010, the High Tech Law Institute at Santa Clara University School of Law held an all-day academic conference on the First Sale doctrine.  See the associated symposium issue in the Santa Clara Law Review.

* In 2010-11, the Ninth Circuit issued a troika of First Sale doctrine cases: Vernor v. Autodesk, MDY v. Blizzard, and UMG v. Augusto. In my opinion, the net effect of these cases was irresolute.

[Photo credit: CD/DVD safely backed up by padlock // ShutterStock]

Posted by Eric at 11:18 AM | Copyright , E-Commerce , Licensing/Contracts | TrackBack



February 18, 2013

Facebook Posts and Twitter Invites Don't Violate Non-Solicitation Clause -- Pre-Paid Legal v. Cahill

[Post by Venkat Balasubramani with a comment from Eric]

Pre-Paid Legal Services v. Cahill, Civ-12-346-JHP (E.D. Ok. Jan. 22, 2013)

Cahill was an associate of Pre-Paid Legal Services, described by the court as a multi-level marketing company. Cahill joined and worked his way up, eventually gaining status as a Regional Manager. He executed a variety of agreements during his time with the organization. The agreements contained restrictions on his use of confidential information, as well as a non-solicitation clause:

The Regional Manager shall not . . . directly or indirectly solicit, entice, persuade or induce any individual who presently is, or at any time during such period shall be, an employee, sales associate or member of the company . . . to terminate or refrain from renewing or extending his or her employment, association or membership with the Company . . . or to become employed by or enter into a contractual relationship with Regional Manager or any business with which Regional Manager is affiliated.

Prior to leaving and joining Nerium, another multi-level marketing company that sold skin care products, Cahill called a meeting of “Elite Leaders” (high performing associates of his) and let them know he was leaving. Although he did not mention the new company by name, he mentioned that anyone who was interested should email him.

After the meeting, he left. There was no allegation at this time that Cahill had access to any confidential associate or account information, but he did post information about his new company on several semi-private Pre-Paid Legal Facebook pages (pages Cahill had created to mentor his associates at Pre-Paid Legal). He did not post further to these pages, but he had been posting information about Nerium on his personal Facebook page.

Trade secrets claim: As to Pre-Paid Legal’s trade secret claim, Cahill argued that he didn't possess any trade secret information. Pre-Paid Legal made available to its supervisors various tools to analyze and track the progress of their associates, but Cahill declared unequivocally that after his departure from Pre-Paid Legal he did not have access to any of these tools. The meeting where he announced his intent to leave had occurred in the past, and the court says that it’s reluctant to issue an injunction where there is no evidence of ongoing conduct.

Non-solicitation argument: The court in a footnote rejects Pre-Paid Legal’s argument that Cahill's invitations to Pre-Paid Legal associates to join Twitter somehow violate the non-solicitation clause. The invitations were merely to join Twitter and at most, follow Cahill’s Twitter feed which did not contain information about either Pre-Paid Legal or Nerium.

The court also rejects Pre-Paid Legal’s argument that Cahill’s post on his Facebook page violated the non-solicitation clause. The court discusses two cases where courts rejected non-solicitation arguments based on online posts (Enhanced Network Solutions v. Hypersonic Technologies and Invidia v. DiFonzo) and says that Cahill’s posts in this case were even less explicit than the posts in Hypersonic and DiFonzo. Cahill touted the benefits of Nerium, and he happened to be Facebook friends with people who were still associates at his former company. But it does not follow that his Facebook posts are solicitations. The court also adds that there is no evidence that anyone actually left Pre-Paid Legal as a result of Cahill’s posts or that Cahill was trying to target any associates by posting “directly on their walls or through private messaging.”

__

Employers understandably want to restrict the post-employment activities of their employees and prevent ex-employees from targeting customers and current employees. Although there have only been a few decisions in this arena, courts do not appear willing to restrict social interactions between ex-employees and customers or current employees. And this makes sense. Employers can probably restrict some additional activity around the edges (e.g., posting opportunities that are targeted at customers or employees) but this would probably require very precise contractual language. This would still not result in restricting informal interactions and networking between ex and current employees and customers.

Interestingly, Pre-Paid Legal did not raise the argument that the identities of the associates were trade secret information. (This was the argument relied on in the Beatport case (which is surprisingly still ongoing), but it was a stretch.)
__

Eric's Comment: This case is a microcosm of the shifting balance of power between employers and professional employees. Any employee can develop their own brand and audience in ways that eclipse the brand/audience of their employees. Interest in Cahill's work and words extended beyond his relationship with his prior employer, so naturally his audience kept following him. As employers continue to invest in employees to help them aggregate audiences, only to recognize the portability of those audiences, it seems inevitable that employers will take ever-more-desperate efforts to prevent employee portability. It's nice to see the courts rejecting these attempts. At the same time, anyone signing non-compete and non-solicitation clauses would be well-served to contemplate how those contract provisions might consider the potential for unwanted restrictions on audience development and management post-termination.

Related posts:

MySpace Profile and Friends List May Be Trade Secrets (?)--Christou v. Beatport
Engaging Facebook Friends Doesn't Violate Non-Solicitation Clause--Invidia v. DiFonzo
Job Posting to LinkedIn Group Doesn't Violate Non-Solicitation Clause -- Enhanced Network Solutions v. Hypersonic Technologies
Availability of Client Data on LinkedIn, Facebook, and Google Sinks Trade Secrets Claim -- Sasqua Group v. Courtney

Posts about social media ownership in general:

"Social Media and Trademark Law" Talk Notes
Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims -- PhoneDog v. Kravitz
An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case
Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Court Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward -- Maremont v. Fredman Design Group

[image credit: Shutterstock / cartoonresources - "upset at you for breaching the non-compete, of course not"]

Posted by Venkat at 09:53 AM | Licensing/Contracts , Trade Secrets



February 14, 2013

Israeli Court Says Full-Text RSS Feeds Create an Implied Copyright License (Guest Blog Post)

By Guest Blogger Jonathan J. Klinger

Aggregation of content through RSS feeds has been a big issue ever since websites began to use RSS to distribute their content. See, e.g., Prof. Goldman's discussion of the issue in 2005. Still, we haven't had much legal guidance explaining when an aggregator can safely integrate RSS feeds and act as a web-based RSS reader.

Recently, a magistrate court of Petach Tikva in Israel addressed the issue squarely in Apfeldorf v. Yitzhak (C 46636-07-11 Apfeldorf v. Yitzhak, pardon my Hebrew). Tomer Apfeldorf is an Israeli Intellectual Property attorney who blogged using Google's Blogger service. Apfeldorf configured the blog's settings to provide an RSS feed in full text (not just excerpts).

Apfeldorf brought copyright infringement claims against Yitzhak and its website for republishing his RSS feed. Yitzhak owns one of Israel's more interesting websites, News First Class (News1), which reports on public corruption, freedom of information and other issues. News1 also is one of the only websites that publish source court documents related to news articles.

News1 also aggregates blogs from the Israeli blogosphere, indexes them according to subjects and subject matters, and then links to the blog posts. News1, in the relevant period, indexed Apfeldorf's RSS feed. Because this process was automated, News1 republished Apfeldorf's articles in full because they were gathered from his RSS feed. After Apfeldorf found out, he contacted News1 and asked them to remove the content, compensate him and cease syndication. News1 stopped syndicating his blog and removed its content, but it did not compensate Apfeldorf. Therefore, Apfeldorf sought 200,000 ILS (around $50,000 USD) in statutory damages.

The court made two different and interesting rulings. The first, based on Dr. Yuval Dror's expert testimony, is that RSS facilitates syndication, so by offering the RSS feed and encouraging sharing of blog posts through social media buttons (such as the Facebook share), Apfeldorf waived the right to enforce his intellectual property rights:

The plaintiff testified that he was aware that technically the RSS allows withdrawal of headers and content from the blog, when he did not choose the default of using only headers and allowed headers and full text from the blog. Moreover, the plaintiff installed icons that allowed sharing of content from the blog in social networks and sharing through other sites. By doing so, the plaintiff declared, explicitly, that it means to disseminate the content in the blog, to the possible extent. [...] By installing the RSS protocol there is not waiver of the author on the protections granted by law to his works and you cannot determine that the installation of the RSS by itself means that there is a waiver of protection thereof and a license to copy the works. [...] The plaintiff did not choose a default where the RSS feed shall solely distribute headers, but also the full text, and therefore, the posts were downloaded in full, and this is a statement by the plaintiff about his conduct and wish to distribute his words. Under these circumstances, I rule that examining the plaintiff's conduct under the microscope of current internet practices indicates the conclusion that the plaintiff, by his conduct, waived the protection granted by law.

The court also ruled that even if News1 was infringing, its activity may be fair use; and if the feed is used alongside credit to the original author (and possibly a link), then fair use may be asserted.

This ruling is somewhat logical if you know RSS feeds, and it is consistent with new copyright norms. Raghu Seshadri wrote about the subject (footnotes omitted):

Under copyright law "the creator of the RSS feed retains, automatically, all copyrights in the content in the feed and retains all rights in its republication, use as a derivative work, and so forth." Yet, users are copying these feeds and including them on their own web sites. This has naturally raised an infringement issue with experts arguing for and against finding infringement. In addition, the RSS "community is speaking, to large extent, by creating a norm around syndication and aggregation which is very important." Here the applicable distribution medium architecturally permits other sites to publish RSS feeds. Thus a technology based license would allow such uses unless and until the copyright owner either expressly reserves their rights or revokes such a license.

Raghu Seshadri, Bridging the Digital Divide: How the Implied License Doctrine Could Narrow the Copynorm-Copyright Gap.

Does this ruling mean that the AFP lawsuits against news aggregators may come to an end? Maybe. What it most surely means is that if you are a website (or the legal counsel of a website) you should begin to think about adding a specific license to the RSS feed (or adding something about it in the website's terms of service), especially if you are offering a full-text feed. In other words, to overcome the "implied license in RSS" presumption, you must take a proactive approach.

[Photo Credit: Person reading RSS news // ShutterStock]

Posted by Eric at 12:47 PM | Copyright , Licensing/Contracts | TrackBack



February 08, 2013

Update: Facebook Countersues Profile Technology For Contract Breach--Facebook v. Profile Technology

By Jake McGowan [writings][LinkedIn]

Facebook, Inc. v. Profile Technology, Ltd., C 13-0459 (N.D. Cal. complaint filed Feb. 1, 2013)

Back in December, we blogged about a suit brought by Profile Technology against Facebook, alleging that Facebook had breached an agreement that had allowed Profile Technology to aggregate the social network’s user information.

That case is still pending, but now Facebook is flexing its legal muscles right back at PT. Earlier this month, Facebook sued PT for violating its Developer Terms by displaying “outdated” user data:

Defendants continue to use and display out-of-date User Data to this day. Public display of User Data that is no longer current is inconsistent with Facebook's services, breaches agreements with Facebook, is contrary to the mutual understanding and intention of Defendants and Facebook when they entered into business dealings and injures Facebook's goodwill and reputation.

According to Facebook, the “old” user data includes:

(1) user names;
(2) user profile photos;
(3) lists of users’ friends;
(4) lists of the groups and pages to which users connected; and
(5) school, work, and location information as entered by the user.

Facebook claims they started investigating the “old data” problem after users started complaining, and that they ultimately revoked PT’s license to access the information in November 2011.

Defendants did not delete User Data after Facebook terminated their account and revoked their limited license to access Facebook's platform in November 2011 . . . Instead, Defendants have expressly and repeatedly refused Facebook's demands that they return or delete User Data.

As far as the actual harm is concerned, the complaint speaks of old information tarnishing the experience for its users:

“Defendants' use of outdated User Data has tainted the Facebook experience for Facebook users, and Facebook has suffered and continues to suffer harm to its reputation and goodwill due to Defendants' actions . . . Facebook has suffered damages attributable to the efforts and resources it has used to address user complaints, and attempting to stop Defendants' injurious activities.”

Facebook is asking for a permanent injunction to stop PT from accessing any further user information. It is also asking the court to order PT to disgorge and pay to Facebook any profit PT made from its social search engine, along with any other damages proved at trial.

______________

It seems these two companies have entered somewhat of a standoff. Based on the parties’ prior dealings and the timing of the complaint, I would not be surprised if this counter-lawsuit is legal arm-flexing to encourage PT to shut up and settle their other case. That would make more sense, especially considering that PT is not a deep pocket defendant, and the policy infraction seemed like something the companies could fix if they wanted to continue doing business. But that’s the whole point: Facebook clearly does not want anything more to do with PT. There are other companies like Profile Technology that may bend or break a few policies on Facebook user information, and not all of them draw the ire of Facebook’s legal department.

As of now, both cases are still pending. With the filing of this complaint, we might expect the parties to revisit their settlement negotiations.

Posted by JakeMcGowan at 09:05 AM | Licensing/Contracts



February 06, 2013

"Privacy Policies in the United States" Presentation Slides

By Eric Goldman

I recently guest lectured on drafting privacy policies in the United States. My presentation slides.

One of my big-picture takeaway points is that privacy laws and associated industry self-regulation have gotten so extensive that drafting privacy policies is strictly for privacy experts. Unlike the good ol' days, the average competent lawyer--and even the sophisticated cyberlawyer who dabbles with privacy issues--may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology. As a result, in all likelihood, I've already drafted the last privacy policy of my career. I'm curious if you agree (if you email me, let me know if I can post your email as a comment to this post).

[Photo credit: message on keyboard enter key, for privacy policy concepts // ShutterStock]

Posted by Eric at 07:31 AM | Licensing/Contracts , Privacy/Security



January 16, 2013

Court Definitively Rejects AFP's Argument That Posting a Photo to Twitter Grants AFP a License to Freely Use It -- AFP v. Morel

[Post by Venkat Balasubramani]

AFP v. Morel, 10 Civ. 02730 (S.D.N.Y. Jan. 14, 2013)

The court *finally* issued its ruling on the parties’ cross motions for summary judgment in AFP v. Morel, the Haiti photo case. Previous posts here and here.

The facts are interesting and highly relevant to the fast-paced world we operate in. I recommend reading them, if for no other reason than as a cautionary tale. In a nutshell, Morel took photos of the Haiti earthquake, uploaded them to Twitpic and posted to Twitter. Someone else took Morel's photos and uploaded the same photos to their own account. An AFP staffer found the photos on the second individual's Twitter account, communicated with him, and thought AFP obtained a license. AFP then distributed the photos to Getty and other downstream third parties. Morel was understandably unhappy and started firing off takedown letters and requests. This prompted a preemptive lawsuit by AFP. (Joe Mullin has an excellent recap at Ars and he delves into the messy factual backdrop: "News flash for the media: you can't sell photos grabbed from Twitter.")

Highlights from the court’s ruling:

AFP can’t claim the benefit of any license in the Twitter or Twitpic terms: although this may not be the most consequential aspect of this case, this is one that people will focus on, particularly in light of the Instagram TOS controversy. AFP tried to argue that the Twitter terms of service allowed it to freely use content posted to Twitter (& Twitpic). The court previously said nein, and the court again (different judge) definitively closes the door on this argument. There are lots of quotable bits of the discussion, but this one is pretty cut and dry:

These statements [that you “retain your rights to any Content”] would have no meaning if the Twitter TOS allowed third parties to remove the content from Twitter and license it to others without the consent of the copyright holder.

The court also notes that Twitter's Guidelines:

further underscore that Twitter TOS were not intended to confer a benefit on the world-at-large to remove content from Twitter and commercially distribute it: the Guidelines are replete with suggestions that content should not be disassociated from the Tweets in which they occur.

[emphasis added] AFP raised a related argument that a broad license was necessary; otherwise, Twitter users would be infringing en masse. The court doesn't buy this argument either, and this was a pretty wacky argument from AFP. I’m surprised they pressed on with this. They didn't raise any other defenses to liability, so they (along with the Post) are out of luck.

Other defenses to liability: Getty, one of AFP’s co-defendants, raised two other defenses to liability: (1) it was entitled to a DMCA safe harbor, and (2) it did not act volitionally. I have to admit I was a lot more skeptical of these arguments at the outset, but reading the opinion made me change my mind. At minimum, they are “in the ballpark.”

On the DMCA issue, the court asks this strange question of whether the service provider seeking DMCA protection is “doing something useful for a person or company” or providing “a commodity . . . in the form of human effort.” The court raises the related query of whether "an entity that is directly licensing copyrighted material online is . . . a 'service provider' [under the DMCA]." The court intimates that an entity claiming DMCA protection must do something other than merely making content available to third parties. I’m not sure where the court distilled all of this from, but ultimately the court says that there’s a factual dispute as to whether Getty was “actively involved” in the licensing (i.e., was the process totally automated) and whether Getty received a financial benefit directly attributable to the allegedly infringing activity.

Getty loses summary judgment on its no-volitional conduct defense for a related reason. The court says that under Second Circuit law, the volitional conduct defense only extends to the right of reproduction, and here Getty allegedly engaged in distribution. The court also says that there’s a factual dispute as to the extent of involvement by Getty employees in the licensing process.

Neither of these defenses is totally foreclosed to Getty, although I'm skeptical that they will carry the day.

Secondary liability: The court says that there’s enough evidence in the record to create a dispute as to whether AFP and Getty can be held liable for contributory infringement. AFP and Getty both tried to say that they were passive participants at best, and merely passed on the photos, but the court says the available evidence indicates a factual dispute about the extent of their involvement. The court also says that they can possibly be held liable merely for making available Morel's photos to third parties.

Morel can also assert a claim for vicarious liability against Getty (for some reason he didn't bring this claim until too late against AFP). The court says that there’s a factual dispute as to whether Getty benefits directly from the allegedly infringing materials and also whether it acted quickly enough to remove the photos from its system (its failure to do so may give rise to vicarious liability). Defendants argued that the DMCA codifies vicarious liability standards, and Morel's path to derivative liability should be through the DMCA, but the court rejects this argument in a footnote (citing the Second Circuit's ruling in Viacom).

DMCA CMI Claims: Morel made an argument that AFP’s distribution of the photos with incorrect attribution equaled a claim for removal or alteration of copyright management information or the knowing distribution of material with incorrect information. There were predictable factual disputes around how AFP obtained the photos and whether it knew that the photos were Morel’s when it distributed the photos with incorrect attribution. The DMCA claim requires proof of state of mind, and the court says this can't be resolved at the summary judgment stage. AFP also tried to argue that the credit information was not “copyright management” information because this information is not intended to provide information about ownership, but the court rejects this argument, taking a broad view of what can constitute "copyright management" information (e.g., adding 'AFP' or 'Getty' in the caption may form the basis of a CMI claim). Ultimately, factual issues preclude judgment in favor of Getty and AFP on Morel’s DMCA CMI claims.

Statutory Damages: Finally, the parties dispute the scope of statutory damages. Morel says he is entitled to a separate award per work/per downstream subscriber. If Getty or AFP are held derivatively liable for the acts of downstream subscribers, Morel says each such subscriber should result in a separate damage award. This would get really ugly for Getty and AFP. In contrast, they argued that Morel is only entitled to one work per defendant (and jointly liable defendants are only hit with a single award). The court sides with Getty and AFP, saying that they’re only liable once per work and the award against them is not multiplied based on their subscribers. The parties have the same dispute about the scope of DMCA CMI damages, and the court again sides with AFP and Getty. Just one award for each instance of removal of CMI.

__

Yowza. This is an action-packed ruling that covers a ton of different issues. Tough to do justice in a single blog post. Good fun for copyright geeks, people who like issue spotting, and law profs who can repurpose this for a law school exam question!

It’s nice to see confirmation that AFP’s license argument is silly. We've always known this, but it’s good to get further judicial affirmation, particularly in light of the Instagram terms of service dust-up. Service providers may include broad license grants in their terms of service, but it takes a lot to say that the service provider can exploit content or IP outside the ecosystem. It takes even more to say that a third party who is a stranger to the relationship can do so. The court's interpretation of Twitter's guidelines and terms is sure to give users some comfort that, when a service such as Twitter says "you own your content," this at least means that third parties cannot come along and exploit it freely.

Getty’s DMCA safe harbor argument is an interesting one. A purely automated system that takes in photos (or content) and licenses it out theoretically should be entitled to DMCA protection (or at least should be considered a service provider). The court cites to other examples of service providers (YouTube; Photobucket) but distinguishes them by saying they are doing something in addition to merely acting as a licensing engine. I wasn't terribly persuaded--YouTube is making available user generated videos to the public; it just happens to make them available for free. The court seemed uncomfortable with the notion that a turnkey online service could take in content and license it out and yet fall under the DMCA's definition of service provider. The court could have just focused on the question of whether the material was stored at the direction of a user; if this answer is yes, moved on to other aspects of the DMCA test (that amply allow Morel to argue that Getty is not entitled to DMCA protection). For some reason, the court went off the rails on to a discussion about the precise type of service that must be provided as a threshold matter. I also suspect the facts in this case will make the DMCA safe harbor argument ultimately difficult. The court's discussion about what is or is not a "service provider" under the DMCA may have been superfluous in light of factual disputes around Getty's involvement.

[It’s also worth noting that this isn't a case against the typical online service provider. Much of Getty and AFP’s operations may be conducted online, but there are still humans ultimately pushing the levers. (At least this is my impression from the facts.) This makes me think we shouldn't read too much into this as a DMCA safe harbor case or a case that deals with derivative liability for purely online service providers (e.g., YouTube).]

The CMI ruling is interesting. This isn't the first case to adopt a broad definition of "copyright management information," but courts seem fairly willing to take this approach. (Tip to photographers and content creators: watermarks are your friends.)

The damages ruling is a breath of fresh air for the defendants. I think the law is somewhat mixed and the court could have gone either way (and have treated individual Getty subscribers as supporting additional awards), but it’s the one saving grace to the ruling from Getty's and AFP’s standpoint. From a doctrinal standpoint, it's fairly interesting as well. The court was swayed by what it described as the "absurd" outcome under Morel's suggested damages framework. I don't know that the court's ruling leaves Morel totally out in the cold. He still could claim actual damages and ask the jury to sock AFP and the other defendants, pointing to the revenues they generated. AFP and Getty aren't the most sympathetic defendants in a copyright case, among other things due to their own zealous and sometimes overly aggressive enforcement efforts. Statute of limitations issues notwithstanding, he could also go after other Getty customers. This would get thorny for Getty.

End result: AFP should have looped in the co-defendants and written a check from day one. After furiously litigating the case for almost two years, it's definitely going to be writing a check to Morel. Maybe the real argument was around the extent of damages available to Morel, and the court's ruling on this issue will clear up some grey areas around what he can obtain. Either way, there are a ton of interesting issues addressed in the order, but the simple takeaway is something we already knew: stuff that's posted online is not necessarily fair game for recycling, especially not photos (and particularly if you're a corporate defendant who argues for aggressive enforcement when your own rights are allegedly infringed). A service provider's broad terms of service with its users is unlikely to be of much help to any recyclers.

Related posts:

Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
TweetPhoto (now Plixi) To Start Charging For Twitter Celeb's Pics
Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service -- AFP v. Morel
Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Posted to "Twitter/TwitPic"
Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic -- Agence France-Presse v. Morel
Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook
Lawsuit Against Instagram Over Terms of Service Changes Looks Flimsy -- Funes v. Instagram

Posted by Venkat at 09:37 AM | Copyright , Derivative Liability , Licensing/Contracts



January 11, 2013

Top Ten Internet Law Developments of 2012 (Forbes Cross-Post)

By Eric Goldman

I'm pleased to share my list of top 10 developments of 2012:

#10: The Push Towards Anti-Class Action Arbitration Clauses.  In 2011, the U.S. Supreme Court ruled in AT&T Mobility v. Concepcion that businesses may be able to adopt mandatory arbitration clauses that ban customer class-action lawsuits.  The ruling was hardly crystal-clear, but in its wake, many websites adopted such clauses.  Nevertheless, as the Zappos decision points out, these clauses must be adopted according to the laws governing contract formation and amendment, or they will fail in court.

#9: General Petraeus/Paula Broadwell Imbroglio.  On the surface, it's just your typical Washington DC sex scandal.  However, it had several interesting cyberlaw angles, including the attempts to hide digital conversations and Ms. Broadwell's alleged cyberharassment of Jill Kelley.  My biggest takeaway: If the CIA Director can't keep the FBI from reading his email, what chance do you or I have?

#8: Do-Not-Track Meltdown.  Everyone hoped that industry would come up with a do-not-track (DNT) standard rather than kicking the issue to Congress or the FTC.  Then, it all went to heck.  Microsoft announced it would turn on DNT by default in its browser, which prompted Internet publishers to threaten to ignore Microsoft's DNT signal.  Meanwhile, Internet publishers and others adopted a narrow definition of "do-not-track," arguing it meant no-tracking for advertising purposes, but tracking for other purposes was still OK.  The effort then devolved into acrimonious recriminations and left open the possibility that government regulators will fill the gap--to everyone's detriment.  (For what it's worth, I take a very dim view of technological do-not-track efforts for reasons I explain here).

#7: Social Media Exceptionalism.  In 2012, regulators eagerly sought to "fix" social media through regulation, but their efforts will fail because no one can precisely define social media as a subset of Internet activity.  For example, California's recent attempt to curb employers' attempts to obtain employees' social media passwords led to the astounding definition that "social media" means all digital data, whether online or off.

#6: Megaupload.  The US government proudly touted its takedown of Megaupload as a victory for Internet copyright enforcement.  Unfortunately, it appears that the takedown involved an enforcement action in which the US government repeatedly ignored or broke the law.

#5: Software Patents/Smartphone Wars.  The smartphone industry has ushered in a glorious era of innovation, but it's also highlighted how patents can hinder, not spur, innovation.  Smartphone players have spent (wasted?) billions of dollars on patents with the hope that they can operate without restriction from other players' patents, and many tens of millions of dollars have been spent (wasted?) on legal fees as the players sue each other for patent infringement and defend against interlopers with weak/bogus patents hoping for a little taste of the action.  See my essay on software patents.

#4: Europe Hates Silicon Valley.  I'm surprised whenever I read about a new European ruling that's adverse to a Silicon Valley company, because at this point I assume that everything Silicon Valley companies do in Europe is already illegal.  Google, Facebook and other Silicon Valley players are under constant legal attack in Europe on countless fronts.  Everyone might be happier if the Silicon Valley players just got out of Europe altogether.

#3: Google and Antitrust.  The FTC largely dropped its antitrust investigation against Google, and dropped it completely with respect to Google's search engine practices.  (Technically the denouement rolled out on January 3, 2013, but I'm still counting it as a 2012 development).  This is an important development for several reasons.  First, the FTC--which makes its living by bringing enforcement actions--admitted it had no reason to complain about Google's search engine practices.  Second, the scuttlebutt all throughout the investigation suggested that the FTC was committed to busting Google, and Google turned that situation around 180 degrees.  Third, not intervening into the operation of Google's search algorithm is a logical decision, but one still worth celebrating.  This was a great resolution for Google, a complete rejection of the concerns raised by Microsoft and other Google-haters, and due to the FTC's non-involvement, ultimately a big win for Google's users.

#2: ITU/WCIT's Attempted Internet Takeover.  I really didn't understand what happened in Dubai at the ITU/WCIT meeting.  All I know is that nothing good could have happened there, so preserving the status quo is a win, as ironic as that sounds.

However, there has been some teeth-gnashing that the meeting exposed looming fault lines between pro-censorship and anti-censorship governments.  I don't understand that angst for at least two reasons.  First, all governments are pro-censorship, and that certainly includes the United States.  Indeed, the US has exhibited some awkward duality as it rails against foreign attempts to censor the Internet even as both Congress and the Obama Administration exhibit a never-ending pursuit of controlling the Internet themselves.

Second, the Internet has already fractured into multiple "Internets."  The Internet in the United States increasingly bears little resemblance to the Internet in foreign countries, both because local regulators simply block certain websites and because websites localize their services to accommodate local regulation.  Plus, it's been proven that countries can simply "unplug" from the Internet.  Thus, we don't have a single unified Internet; we have many partially-overlapping Internets.  I will say more about this in a future post.

#1: SOPA's Failure.  The failure of SOPA/PIPA is not the watershed event for our republican democracy that we wished it would be.  Citizen-driven rejection of special-interest Internet legislation will not happen very often.  But as a David-and-Goliath story--the uncoordinated and oft-ignored Internet user community rising up against a well-oiled and undefeated copyright lobby--it doesn't get any bigger than SOPA.  Also, we learned something really important: American voters will acquiesce to a lot of bad and self-interested decisions by their elected officials, but voters will grab the torches and pitchforks if they think the Internet is threatened.

Honorable Mentions

Some other developments of note:

* despite the Fourth Circuit's rekindling of the Rosetta Stone case before it settled, the decade-long keyword advertising litigation battles against Google are basically over with a big win for Google and other keyword advertising vendors.  I also think we'll see trademark owner-vs-advertiser lawsuits tapering off too.

* app cloning is a big business, and we're seeing increasing lawsuits in the area, including the EA v. Zynga and TripleTown cases.

* the application of the Computer Fraud & Abuse Act is being dialed back in the employment context (see the Nosal and WEC cases).

* Oracle v. Google gave us one of the cleanest rulings to date that software APIs are not copyrightable.  The case was also interesting for the judge's investigation into the paid advocacy efforts of both Oracle and Google.

* the images of Marilyn Monroe and Albert Einstein are moving closer to the public domain.

* the IB v. Facebook ruling could be a watershed decision in spurring class action lawyers to make a buck in the name of "protecting the kids" in court.

* Web publishers can improve their defamation defenses by hyperlinking to original sources.

Most Interesting Cases

I read a lot of cases in 2012, and some of the most interesting cases I saw this year:

* Erickson v. Blake.  Music composers can create copyrightable compositions by equating the digits of the number "pi" (π) to musical notes, but they can't stop others from creating their own musical compositions based on pi's digits.

* Bland v. Roberts.  Two government employees "liked" their boss' opponent in an upcoming election; after the boss won reelection, the employees allegedly got fired for their divided loyalties.  The court (mistakenly, in my opinion) said that "liking" an item on Facebook isn't constitutionally protected speech.

* Scott v. WorldStarHipHop.  A classmate posted a video of Scott fighting with an ex-girlfriend.  Scott obtained the copyright to the video from his classmate and, as the new copyright owner, sent copyright takedown notices in an effort to scrub the video from the Internet.  This copyright acquisition scheme basically converts copyright law into a "right to forget."  In 2013, expect to see even more plaintiffs acquire copyright ownership as a way to suppress/control unflattering content about them.

* In re Heartland Payment Systems.  This is a settlement of a data security breach class action lawsuit with 130M class members.  The parties spent $1.5M to encourage class members to tender damage claims and another $270k to process the tendered claims.  A total of 290 claims were tendered, of which 11 were valid, with a maximum payout per valid claim of $175.  So the parties incurred $1.75M in transaction costs to award about $2k in damages.  Interesting.

* Augstein v. Leslie.  If you post a YouTube video promising $1M for the return of your laptop, you could actually owe $1M if someone returns your laptop.

* Olson v. LaBrie.  Facebook should bring families closer together, but in one family, photo tagging plus a snarky comment prompted a lawsuit for a restraining order.

Lists from Previous Years

Previous top 10 lists from 2011, 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

[Photo Credit: Top Ten Key // ShutterStock]

Posted by Eric at 07:25 AM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines , Trademark , Trespass to Chattels



December 31, 2012

Anti-Scraping Lawsuits Are Going Crazy in the Real Estate Industry (Catch-Up Post)

By Jake McGowan with comments from Eric

[Eric's preliminary note: it's taken me weeks to review this blog post, so I've been keeping poor Jake in a holding pattern. Still, I hope the wait is worth it.]

The real estate listings industry has become increasingly concerned with competitive “scraping” by multiple listing service websites. After all, MLS owners make money by exploiting an information asymmetry--they charge participating brokers and agents for access to the database listings. If a website legally scrapes and distributes the MLS’s data, it destroys the valuable information asymmetry and thus hurts the listing services’ revenues.

For these reasons, some MLS sites have tried to squash this type of competition by taking the scrapers to court for copyright infringement. But the listings in question often consist largely of photographs and generic descriptions. Does copyright even apply in the first place?

First, courts tend to enforce copyright protection for photographs in this context. Earlier this year in Pacific Stock, Inc. v. MacArthur & Company, Inc., Pacific Stock went after the owners of a website that scraped real estate listing photographs and used them on the site without a license. The court entered default judgment against the website and its operators.

While photographs often satisfy the originality requirement, questions linger as to whether courts should protect seemingly generic listing information.

In recent cases like Allure Jewelers v. Mustafa Ulu, we have seen defendants make similar arguments (i.e., that copyright does not protect the information in question). Allure involved a dispute between competitors over whether descriptors for jewelry are protectable. Unfortunately, the court did not go into depth about the originality argument; it dismissed Allure's claim for failure to obtain registration before filing suit.

But a district court in Minnesota recently considered this question more directly in Regional Multiple Listing Service v. American Home Realty Network, 0:12-cv-00965-JRT-FLN (D. Minn. Sept. 27, 2012).

Background

The controversy centered around three types of content allegedly scraped from Regional MLS’s “NorthStarMLS” website: (1) photographs; (2) narrative “public”/“agent” remarks; and (3) “field descriptors.”

The narrative public/agent remarks describe the property, but also contain a bit of puffing and tailoring toward a target audience.

Example:

Agent Remarks: Agents this is a must see for your lakehome buyers. Main flr living, gradual slope to lake, sandy lakeshore, finished lower level, ceramic tile & infloor heat, 2 decks & much more. Agent/Seller, questions call listing office. Provide as much notice for show

Public Remarks: Lakefront living at it’s [sic] finest! Southern views from either of your 2 decks or patio, Full finished basement w ceramic tile & infloor heat, & many more upgrades. Sandy lakeshore, yard w minimal maintenance, perfect for that getaway you’ve been looking for.

The “field descriptors,” on the other hand, are usually bare factual statements that describe the property in generic terms.

Example:

Exterior Features: Balcony, Deck, Dock, Patio

Interior Features: Kitchen Window, Security System, Tiled Floors, Vaulted Ceiling(s), Walk-in Closet, Washer/Dryer Hookup, Main Floor Full Bath, [illegible], 3⁄4 Basement, All Living Facilities on [illegible].

RMLS alleged that AHRN infringed its copyrights for all of this content by scraping the data (either from NorthStar or its licensees) and reproducing it on NeighborCity.com. Although the court did not enter a full discussion of the copyright interest in the textual elements of a MLS database, it still shed some light on whether those elements were sufficiently original to warrant protection in any event.

“Narrative” Descriptions of Houses Likely Qualify for Copyright Protection

The court held that the narrative “agent remarks” and “public remarks” were likely copyrightable:

As with other types of copyrights, creativity must exist to protect a compilation . . . These remarks are uniquely-phrased descriptions of property, highlighting those parts of a property that might be most attractive to agents and the public[.]

The court also held that RMLS was likely to succeed in showing “irreparable harm” because NeighborCity detracts value from NorthStarMLS. In addition, RMLS contracted with the brokers under the expectation that it would not distribute any of the listing content without permission from the brokers. Thus, if RMLS didn’t go after NeighborCity, their reputation and goodwill may have suffered.

As for the scope of the injunction, the court refused to grant protection to the field descriptors:

The descriptors do not seem sufficiently creative to warrant protection, especially one-word descriptors such as “deck” and “patio” . . . There are limited ways of expressing the basic facts included in these field descriptors, suggesting these expressions by RMLS are not copyrightable.

Since then, AHRN filed its answer and asserted counterclaims under federal and Minnesota antitrust law:

The concerted effort to suppress competition from companies like AHRN depends in large part on the ability of RMLS and other MLS's to . . . intimidate potential competitors with threats of copyright enforcement litigation – despite knowing that much of the information over which they claim copyright privilege is not copyrightable, not properly registered in compliance with the Copyright Act, or not owned by them.

Same Writ, Different Plaintiff: Metropolitan Regional Information Systems v. AHRN

Metropolitan Regional Information Systems v. American Home Realty Network, 12-cv-00954-AW (D. Md. Nov. 13, 2012)

AHRN just can’t catch a break. The company is also currently a defendant in another copyright case extremely similar to the one discussed above—this time brought by Metropolitan Regional Information Systems (MRIS).

MRIS moved for a preliminary injunction, which the district court ultimately granted. After AHRN filed a motion to clarify the scope of the injunction, the court cited factual disputes about the underlying textual elements and thus specified that the injunction applied only to the photographs in the database.

The Court had originally enjoined AHRN from:

unauthorized copying, reproduction, public display, or public distribution of copyrighted content from the MRIS Database, and from preparing derivative works based upon the copyrighted content from the MRIS Database.

The court concluded that the language in the order was not sufficiently specific under FRCP 65, especially since the court based its order on the copyrighted photographs.

MRIS disagreed with the request to modify the order, pointing out that the Court had previously found that the database is entitled to copyright protection as a compilation. As part of that holding, the Court found that the database (including the textual elements) had exhibited the requisite originality for copyright protection.

But although the textual elements were part of a compilation that had the requisite level of originality, MRIS had not shown that AHRN copied such textual elements. There was still a factual dispute as to whether AHRN copies the database wholesale as part of its operation. For this reason, the court declined to expand the scope of the injunction beyond MRIS's copyrighted photographs.

The revised order now reads as follows:

AHRN and all persons acting under its direction, control or authority are hereby preliminarily enjoined from unauthorized copying, reproduction, public display, or public distribution of MRIS’s copyrighted photographs and from preparing derivative works based upon MRIS’s copyrighted photographs.

Although the court refused to include the textual elements in the preliminary injunction, it noted that the revised order does not mean that MRIS has no copyright interest in the textual elements.

To the contrary, MRIS has demonstrated a likelihood of success on the merits that the MRIS Database exhibits the requisite originality for copyright protection.

But the court did also mention that copyright interests in factual compilations are "thin."

Like in the RMLS case, AHRN subsequently filed antitrust counterclaims.

__________

Initially, it’s worth noting that photographs receive unique treatment in the infringement analysis. The court has no trouble concluding that a competitor potentially infringes when it copies the photos.

These cases both seem to stand for the idea that the textual elements are sufficiently original to qualify for copyright protection—albeit “thin.” Drawing the line in the sand at the "field descriptors," the RMLS court recognizes the psychological difference between lists and narratives from the perspective of the reader. Although these "narratives" might be broken sentences with generous amounts of typos, they evoke certain emotions that bare facts cannot and require some original thought. They might even be useful to an agent who is pondering their best sales pitch. For these reasons, they clear the originality bar (though not by much). [Eric's note: re copyrighting language that's the most effective sales language, see Webloyalty.com, Inc. v. Consumer Innovations LLC.]

By setting the bar relatively low for originality, this decision may lead to more copyright-based attacks on these MLS competitors as a way of suppressing competition. This prompts a bigger question: how much value does the "narrative" aspect of these sections add to these sites?

If customers don't care about the "narrative" aspect of the sites, then this decision may not pose as much of a threat to these listing scraper sites--it seems that as long as they don't use the photographs or copy any original narratives, they are less vulnerable to a copyright infringement suit. This prompts yet another question for these plaintiffs—given the “thin” nature of protection, is a lawsuit really worth it? We’ll have to wait and see.
_____

Eric's Comments

Scraping always raises interesting policy and theory issues, so from that standpoint I'm disappointed we don't see more scraping lawsuits or rulings. These two NeighborCity rulings are among the cleanest to date addressing the copyright implications of scraping, and they show just how hard it is to run a legally permissible scraping-based business. Here, the real gotchas are photos--always a liability trap--and the kicker is that the MLSs are taking copyright ownership in the photos enough to have standing.

In the Northstar case, the court is fairly clear that the MLS doesn't always take 100% ownership and NeighborCity is free to approach the co-owner for the license. Recognizing the logistical difficulties of doing so, so long as the MLS can engage in legal shenanigans like taking a meaningless ownership stake in photos, the MLS can use that ownership stake as an impressively effective anti-competition tool. I was disappointed in the Northstar case how tone-deaf the judge was to the competitive issues at stake. It seemed like once the MLS established its status as a copyright owner, all competition-related issues got turned off. That's troubling from a policy standpoint.

Stitch together the following four copyright ownership data points and you'll see a disturbing trend:

1) As discussed in this post, MLSs, as database aggregators, taking copyright ownership interests in broker-supplied photos/"product shots" to suppress competition from other aggregators
2) Righthaven taking ownership interests in newspaper articles so it could sue mom-and-pop republishers
3) Scott v. WorldStarHipHop and related cases (such as Katz v. Chevaldina) where the subjects of photos/video who are unhappy with their depiction buy the copyrights to the photo/video and then send copyright takedown notices in a synthetic right-to-forget campaign.
4) Medical Justice encouraging doctors and other healthcare providers to take copyrights in written patient reviews of them to have the power to veto those reviews.

To me, the trend is clear. People are monkeying with copyright ownership to achieve purposes that copyright law was never designed to accomplish. I haven't yet figured out a fix for this, but if we aren't careful, this copyright ownership hack will moot many other important social and policy balances we've tried to strike elsewhere in the law.

Two other interesting things from these rulings:

1) NeighborCity appears to have avoided scraping the MLS sites directly, thereby presumably avoiding the risk of trespass to chattels/CFAA and contract breach claims. Still, as these cases indicate, scraping a third party licensee's site doesn't bypass the copyright problem.
2) The Maryland case upheld the validity of an electronic copyright (204(a)) ownership assignment per E-SIGN, favorably citing the Hermosilla case. (The court says that using an online clickthrough agreement "satisfied the signature requirement of E-SIGN and Section 204(a)"). I think this is the right result, but it shows just how easy it is to accomplish the copyright ownership hack.

[Photo Credit: Olivier Le Queinec / Shutterstock.com]

Posted by JakeMcGowan at 11:40 AM | Content Regulation , Copyright , Licensing/Contracts , Trespass to Chattels | TrackBack



December 28, 2012

Sale of "Damn You Auto Correct!" Website Leads to Fights Over Its Google Analytics Numbers -- Studio 159 v. PopHang, LLC, et al.

[Post by Venkat Balasubramani with comments by Eric]

Studio 159 v. PopHang, LLC & NextPoint, Inc., 2012 WL 6675790 (C.D. Cal.; Dec. 21, 2012) (Copy of Purchase and Sale Agreement)

Studio 159 sold to PopHang and Nextpoint (Break Media) 22 websites, including the popular “Damn You Autocorrect" (DYAC) Website for $2.5 million. $1.5 million was to be paid up front and the remaining $1 million was deferred, payable in six monthly payments after the closing date. Defendants could set off, against the deferred payments, any amounts Plaintiff owed Defendants under the indemnity clause.

Following the sale, traffic predictably declined, and Defendants withheld the $1 million deferred payment. Defendants initially said that Plaintiff breached its representations regarding paid traffic purchase agreements and the state of the traffic to DYAC. Plaintiff sued for breach of contract and asserted that Defendants’ offset was improper (an improper offset allowed Plaintiff to tack on 10% of any improperly withheld amount along with fees and costs – in total, Plaintiff sought $1,070,170.23). In resolving Plaintiff’s motion for a writ of attachment, the court largely expresses skepticism over Defendants’ arguments.

Claim Of Traffic Manipulation: Plaintiff represented in the Agreement that it accurately disclosed the number of page views for the preceding 6 months (as reported by Google Analytics). Plaintiff further represented that:

[it] properly installed [Google Analytics] on the Sites in accordance with industry standard installation instructions and . . . properly maintained the installation of [Google Analytics] on the Sites. Seller is not aware that [Google Analytics] materially overstates the traffic for the Sites for such 6-month period.

Defendants conceded that the Google Analytics numbers were as represented, but contended that Plaintiff artificially boosted the site traffic.

There were two problems with Defendants’ argument. First, the agreement listed all of the “traffic agreements,” and there were no agreements or arrangements that were not listed. Second, Plaintiff offered a perfectly reasonable explanation for the decline in traffic—a change in management! Finally, there were changes in the site layout following the close. Plaintiff raised the issue in emails with Defendants and “offered to help,” but the offer was not accepted. Defendants also acknowledged in response to the emails that "it did take [them] a while to find what resonated with [them] and the audience for DYAC" and that "the editor [they] put in charge of most of the tumblrs had gone far off the rails, posting images that were neither fun nor funny." [emphasis added]

Issues Relating to Google Accounts: Defendants also raised issues relating to certain Google accounts, including the Google Analytics account and the webmaster tools account. With respect to the Google Analytics account, Plaintiff’s representative stated under oath that she provided Defendants’ representatives access to the account and this access allowed Defendants to download historical data. The court says that Plaintiff’s “alleged refusal to provide access to her [Google Analytics] account is a red herring that goes nowhere and proves nothing.” Defendants also alleged they requested server log data and were told that the logs were allegedly deleted. This claim similarly gets no traction. The court says that the Agreement is silent on server logs, so Plaintiff didn't owe them to Defendants. Additionally, the former CEO of DYAC says that the server logs were overwritten as part of an ordinary business process after the closing. The court also makes the same observation regarding the Google Webmaster account, which was deleted post-closing.

Overstatement of Submissions: Defendants also alleged that Plaintiff misrepresented the number of weekly user submissions. This argument also gets no traction. Interestingly, the Agreement contained a representation that the DYAC site received an average of 150 submissions per day (following closing, this declined to 100 per day). Plaintiff submitted to Defendants before the Closing Date the exact submissions as sent in by readers (including all headers and personally identifiable information) to allow Defendants to verify their authenticity. This effectively rebutted Defendants' claim that there were some improprieties regarding the number of average submissions.

Breach of Obligation to Cooperate: The Agreement contained a provision saying that Plaintiff would “reasonably cooperate” in maintaining the site. She did everything she was asked. She also provided unsolicited advice.

__

Most likely Break Media is now second guessing its business decision to purchase the site(s) at the price it paid, or is unhappy with its failure to achieve editorial/audience traction as quickly as it thought it would.

Lessons abound in this dispute. For starters, the purchase and sale agreement is worth taking a look at: Purchase and Sale Agreement re DYAC Website (see p. 36 of the .pdf for a breakdown of the traffic figures).

It's not unique to this dispute, but after management changes, revenues (or traffic) often decline. When this happens, any withheld amount is sure to be subject to a claimed offset and become the subject of a dispute. Earnouts based on revenues are a guaranteed recipe for litigation, but withheld payments are equally so. Seller allowed amounts to be withheld but smartly included additional payments based on any amounts that were wrongfully withheld (interest and, more importantly, fees). Also, it was interesting that the agreement permitted buyers to withhold amounts based on a breach of representations, and not just based on indemnification that was triggered by third party claims.

Third party metrics are contractually convenient for a seller. Saying that you've installed Google Analytics and "as far as you know," there are no inaccuracies with the Google Analytics reports (and providing access to the account to the seller prior to the sale) is a great way to insulate yourself against claims of traffic inflation. On the buyer's side, if the traffic does not turn out as planned and you've been disclosed the metrics as part of the sale, you are likely to be out of luck. One option may be to adjust the withheld amount to account for any precipitous decline in traffic.

The seller is always interested in keeping the post-closing obligations soft. The language here worked well for this purpose. On the buyer's side, if you're interested in help from the seller, you should make your expectations clear in the agreement. A vague obligation that seller will cooperate is unlikely to hold up in court, particularly where the seller comes across as reasonable (as it did in this case).

Finally, any peripheral accounts should be dealt with clearly. This includes things like social media (Facebook/Twitter) accounts and accounts dealing with metrics (Google Analytics).

A total guesstimate, but I'm guessing Defendants have expended in the neighborhood of $50K in attorney's fees. A few more (likely necessary) rounds of motion practice and Defendants will have expended an amount equal to a reduction in a purchase price that they would legitimately be entitled to, assuming any misrepresentations are true. When you add to this the fact that someone may be on the hook for the other side's attorneys' fees, this dispute is a great candidate for settlement.
____

Eric's Comments

So much to learn from this case!

1) As Venkat mentions, earnouts are a prime source of post-transaction disputes. If the earnout money doesn't leave the buyer's bank account at the time of closing, it's not coming out without a court battle. It would have been much better for the seller to use a third party escrow service who took possession of the $1M on day 1. Even though the escrow service would have held onto the money when the buyer squawked about the traffic, the buyer would have had to make the affirmative representations about seller malfeasance to the escrow company rather than just not paying. By leaving the money in the buyer's account, it was too easy for the buyer to just not pay.

2) I wonder exactly what the buyer thought it was buying. The asset purchase agreement spells out a list of assets, but those are largely worthless except as pure legacy traffic plays (i.e., they will keep getting some traffic from existing links and search engine indexing). Otherwise, humor-style sites have finicky traffic that depends on a particular editor's voice and constant feeding-the-beast. As a result, this is not a situation where you can just plug-and-play a new editor and expect the same results.

3) It's smart to contractually specify a third party traffic measurement service like Google Analytics rather than debate whose numbers should count. Even if the Google Analytics count is wrong (and that assumes there is a platonic "correct" count), it should be predictably wrong.

4) The buyer seems to insinuate that the sellers were goosing the traffic, either by creating fake impressions or buying undisclosed paid traffic. Those are good concerns for a buyer to investigate, and it makes sense to address those issues in the purchase contract. But there's no substitute for really diligencing the traffic sources before acquisition. So where the buyer complains that the server logs are gone, the buyer maybe wanted to get possession of those and review them before closing.

5) I must confess that the $2.5M purchase price for DYAC seemed a little low. There aren't many properties that had its visibility and market awareness. I hadn't previously known it had sold, though, but now I understand why my wife doesn't send me DYAC posts as often. That, and as the seller hints at in explaining the traffic drop, maybe people are getting to be better typists, or Apple is fixing its bizarre word substitution algorithms? One thing I didn't see in the opinion was any reference to the frequent rumors that some of the DYAC submissions are fake.

Related posts:

Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
Fight Over Access to Log-in Credentials for Blog Does not Trigger Copyright Preemption – Insynq v. Mann
LLC Members in Online Store Venture Bound by Partnership Fiduciary Duties -- Health and Body Store v. Justbrand Limited
Tea Partiers Wage War Against Each Other Over a Google Groups Account--Kremer v. Tea Party Patriots
Cautionary Tale of Website Co-Ownership--Mikhlyn v. Bove.
Web Vendor Dispute Gets Ugly--Ground Zero Museum v. Wilson
Holding on to a Domain Name to Gain Leverage in a Business Dispute Can Constitute Cybersquatting -- DSPT Int'l v. Nahum
Another Cautionary Tale of Joint Website Ownership--TEG v. Phelps [UPDATED]
Web Developer Didn't "Convert" Website--Conwell v. Gray Loon

Posted by Venkat at 09:21 AM | Licensing/Contracts , Marketing



December 26, 2012

Facebook Isn't--and Shouldn't Be--A Democracy (Forbes Cross-Post)

By Eric Goldman

In 2009, Facebook ($FB)  nominally enabled user governance by obligating itself to honor user votes before making certain site policy changes.  This experiment in user self-governance was radical and largely unprecedented--especially given the size of Facebook's userbase, which now would outrank all but China and India in population if it were a country.  Recently, however, Facebook terminated its user-governance experiment.  This post explores two hypotheses for the experiment's failure and explains why users never wanted Facebook to be a democracy.

The Mechanical Problem

Facebook promised to honor users' votes if users achieved a minimum voter turnout of 30%.  This threshold was too high by a lot--at least 30x too high, by my estimate.

Facebook logically set a high enough threshold to screen out the crazies or pranksters (see, e.g., the 28,000+ people who petitioned the White House to build a Death Star) and avoid letting a small minority interest group hijack the site from the majority.  Indeed, in the context of typical U.S. voter turnouts for government elections, 30% would be quite low.

Nevertheless, my rough rule of thumb is that less than 1% of users read any website's privacy policy.  Users don't read privacy policies for a variety of reasons: users can't understand them (they are long, dense and filled with legalese); the agreements aren't negotiable; users care more about enjoying the website's functionality than the details governing that enjoyment; and users routinely "free-ride" by relying on more motivated consumers or activists to identify and combat overreaching terms.  In Facebook's case, I'd add that its website functionality and policies change so rapidly that it's more than a full-time job to keep up.  As a result, we shouldn't castigate users for not caring more about Facebook's policies (see, e.g., this Wired story blaming you for killing Facebook democracy).  The 99%+ of Facebook users who don't read Facebook's privacy policies are behaving quite rationally.

But if I'm right that less than 1% of Facebook users have read Facebook's privacy policy, then a minimum voter turnout of 30% was off-the-charts ridiculous.  There was never any chance of that ever happening, and it was silly for Facebook to put the procedures in place.  It makes me think Facebook always intended user empowerment to be illusory--a type of democracy theater.  Robert Hof explores this aspect further.

The Conceptual Problem

An observation: no major user-generated content (UGC) websites operate as democracies.  Some UGC websites turn over aspects of their operations to trusted community members, but not the general population; and rarely are key policy questions handled on a straight majority-vote election.  Even Wikipedia, perhaps the flagship example of a major community-operated UGC website, isn't a democracy.  Wikipedia's operators reserve certain policy decisions for themselves, and community decisions require consensus, not a majority-vote.

Perhaps users don't want their UGC websites to be democracies.  Instead, I think users typically prefer "managed" website experiences.  The vast majority of users don't want to make policy decisions about how the website should work; instead, they want websites to read their minds and give them exactly what they want automatically (i.e., the "surprise and delight" maxim of customer relations).  Stated differently, users want UGC benevolent dictatorships, not UGC democracies.

Rather than imposing majority-rule on consumers, UGC websites actually empower users more by enabling users to individually configure their site experiences, such as letting users individually opt-into or opt-out of site policies or functionality.  By letting users choose what policies or functionality they want, users get a more direct payoff from their action than voting on site-wide policies.  Unfortunately, Facebook is notoriously poor about giving users complete power over their configuration choices.  For example, Facebook forced everyone onto Timeline, even users who vocally hated it, and Facebook still doesn't let users categorically opt-out of being featured in Sponsored Stories.

Admittedly, it's costly for UGC websites to give more configuration options to users, especially if it requires the website to maintain old or duplicative code.  And from users' standpoint, too many configuration options can become overwhelming (as many users already feel about the multitudinous options Facebook does provide).  Still, it's helpful to see how website individualization and personalization is more pro-user than UGC democracy.

When users can't configure their own choices, the next-best option for users isn't website democracy, it's competition.  UGC websites will remain most responsive to users' concerns when competitors are nipping at their heels.  For example, recall how quickly Facebook's tone changed after Google ($GOOG) rolled out Google+.  Unfortunately, social networking site competition isn't robust enough to meaningfully punish Facebook for its steady stream of anti-user decisions.  If we could solve that competition problem, Facebook users would get better outcomes than they would from any attempt at user democracy, faux or real.

More: A couple of my related academic papers: Wikipedia’s Labor Squeeze and its Consequences and Online User Account Termination and 47 U.S.C. §230(c)(2).
___

In response to this post, David Post commented:

"Eric, you’re being a little careless in your use of the term “democracy,” I think. A democracy is simply a polity that respects each member’s equal right to participate in formulating policies and rules. Democracy does not (as you imply) mean “majority rule” — majority rule is one of the ways that democracy can be implemented, but it is hardly the only one. To say that Wikipedia is not organized “democratically” because it operates by consensus is bizarre."

I replied:

David, that’s a good point, and you’re right that democracy takes various forms and that I principally used the term only for one implementation. Even so, I don’t see Wikipedia as a democracy–at least, not as it actually operates–for the reasons I explain in http://ssrn.com/abstract=1458162. Eric.

[Photo Credit: Yes Is the Best // ShutterStock]

Posted by Eric at 09:16 AM | Internet History , Licensing/Contracts , Privacy/Security | TrackBack



Lawsuit Against Instagram Over Terms of Service Changes Looks Flimsy -- Funes v. Instagram

[Venkat Balasubramani with a comment by Eric]

Funes v. Instagram, 12-6482 (N.D. Cal. complaint filed Dec. 21, 2012)

Eric and I posted about Instagram’s recent TOS rev. Neither of us were particularly enthusiastic about the changes. (See Facebook's Proposed Amended Sponsored Stories Settlement and Instagram's Revised TOS.) Not surprisingly given the privacy bar's affection for suing Internet companies, the changes sparked a lawsuit. But, the lawsuit is not a winner. In fact, it’s borderline frivolous.

The lawsuit asserts claims for breach of contract; violation of California’s publicity rights statute; breach of bailment (creative!); and unfair competition. Plaintiff also asks for declaratory relief.

Courts have held that the imposition of a revised terms of service is not sufficient grounds for a lawsuit. (See Fineman v. Sony Network. Fineman is highly relevant, and involved similar arguments against a paid service.) An even bigger problem is that the revised terms are not in effect yet. Not only can the currently proposed terms be changed by Instagram (Instagram indeed made a few revisions in response to user outcry), the users can remedy any problems themselves—they can exercise self-help and leave the network before the new terms apply. In the event plaintiff does not withdraw her lawsuit (and she really should), I’m sure the many arguments will be fleshed out in Instagram’s motion to dismiss. In any event, here’s my initial summary.

Breach of contract: There’s nothing wrong with Instagram changing contractual terms on a prospective basis. To the extent plaintiff claims that the revised terms “interfere[] with and frustrate[] Plaintiff and the Class' use of the Instagram's service,” this is something Instagram is perfectly entitled to do.

Section 3344 claim: This is the personality rights statute that was at issue in Fraley. As I mentioned in my initial blog post about Instagram’s terms, I don’t believe the revisions really effected a material change. This language around sponsored stories was likely protective in nature, and brought about as a result of the Fraley settlement. In any event, Instagram’s blog post following the uproar expressly disclaimed its intent to broadly exploit user content in this manner.

Bailment: I don’t know what to make of the bailment claim. Query as to whether bailment applies to digital materials at all. [Eric's comment: it doesn't]. In any event, Instagram’s initial terms of service I’m sure allows it to retain any photographs uploaded to its service. Query as to whether Instagram can change the terms and have the terms apply to old content and not allow users to delete or disable the old content. It’s unclear as to whether Instagram allows users to delete their accounts or photos. In any event, this question is premature.

Section 17220 claim: Damages are limited under this section to money that has been paid by plaintiffs. In this case: zero dollars. Injunctive relief may be available, but again this is premature.
__

Instagram’s TOS rollout was clunky, mostly because it did not anticipate user reaction around the key question of whether users could control monetization or off-platform use of their photos. FWIW, Instagram’s various public statements still do not adequately address this issue!

As to whether the revisions warranted a lawsuit the answer is obviously no. This is a classic example of lawsuits against social networks gone completely amok. For the most part, when a change is effected prospectively, plaintiffs will be left to argue unconscionability. As numerous cases make clear, this is an extremely difficult argument to make.

As Eric noted elsewhere, Section 3344 has a mandatory fee-shift, and could result in plaintiff having to write a check to Instagram.
___

Eric's Comment

I can't say I'm a fan of Instagram's recent behavior, but I'm even less of a fan of publicity-seeking throw-lots-of-garbage-into-a-complaint-and-hope-something-sticks lawsuits like this one. It's a sign of a slow news week (and a season when reporters have difficulty finding credible sources) when a bogus lawsuit like this gets any press coverage at all--other than the loud and mocking guffaw it deserves.

Related posts:

Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment
Facebook's Proposed Amended Sponsored Stories Settlement and Instagram's Revised TOS
Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
TweetPhoto (now Plixi) To Start Charging For Twitter Celeb's Pics
Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service -- AFP v. Morel
Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Posted to "Twitter/TwitPic
Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic -- Agence France-Presse v. Morel
Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook
Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook

Posted by Venkat at 05:42 AM | Copyright , E-Commerce , Licensing/Contracts , Publicity/Privacy Rights



December 20, 2012

Facebook’s Proposed Amended Sponsored Settlement and Instagram’s TOS Revs

[Post by Venkat Balasubramani]

Fraley v. Facebook, 11-cv-196193 (N.D. Cal.) (Amended Proposed Settlement) (Motion to Approve) (Preliminary Approval) (case docs, compiled by Citizen Media)

I initially passed on blogging the amended proposed settlement agreement in Fraley v. Facebook, the Sponsored Stories class action lawsuit, but the recent changes to Instagram’s terms of service brought the issues to the fore.

The Fraley Claims: As detailed in several posts here, Fraley involved misappropriation claims based on Facebook’s Sponsored Stories initiative. Essentially, end users claimed that Facebook’s use of their posts for advertising purposes constituted an unauthorized exploitation of their publicity and personality rights. (Minors piled on separately.) Facebook couldn't easily extricate itself from the putative class action, and accordingly it settled. Its first attempt to settle the lawsuit did not meet with judicial approval—the court said that while the terms may be fair, it was not presented with sufficient information to evaluate its propriety. Facebook and the plaintiffs went back to the drawing board and made a few key changes to the proposed settlement. Not surprisingly, the second iteration met with approval.

Amended Settlement: One big change in the proposed settlement: Facebook offered up cash ($20 million settlement fund). It also supposedly offered users greater control over use of their likeness. The lawyers also made a helpful concession about the amount of requested fees that would go unchallenged.

It’s tough to assess the revised settlement in terms of the injunctive relief that it provides—it’s supposed to allow greater control over the use of end users’ likeness. However, the settlement is somewhat awkwardly worded in terms of control to end users. Facebook will create a mechanism that allows users to view their interactions that "have been" displayed in Sponsored Stories and will enable users to "control which of these interactions . . . are eligible to appear in additional Sponsored Stories." The peculiar combination of past and future tense in the phrasing should raise eyebrows. I guess a global opt-out was too much to ask for.

The Upshot: Given the majority opinion in Lane (the Beacon case), the original settlement seemed like it had a chance of being approved. As revised, I imagine it will easily receive final approval. Judge Seeborg already gave it his preliminary thumbs up.

Instagram TOS Changes: On a somewhat related note, Instagram recently unveiled changes to its terms of service. While it’s difficult to assess user reaction (Flickr was billed as the obvious beneficiary), celebrities, high profile users, and photographers all expressed their displeasure. It’s worth stopping to think about exactly what has changed. On this point, see this helpful redline from William Carleton. The big change (and one that may not be material) is the change from Instagram being able to “place . . . advertising and promotions on the Instagram Services or on, about, or in conjunction with your Content,” to the following:

You agree that a business or other entity may pay us to display your username, likeness, photos . . . and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you.

I don’t see this as a significant change to what Instagram can do with your photographs. The fact that the language of the revised terms tracks relevant language from the Amended Settlement Agreement in Fraley makes me think this is just a clean up change to bring Instagram’s terms into conformity with what is required of Facebook under the revised settlement.

Unfortunately, both the previous and current version fail to answer the key question about the scope of the license users grant: will usage only occur within the Instagram ecosystem, or can Instagram license out photos to third parties to use in other media (e.g., magazine ads or television)? Could my photo of a Seattle sunset end up in a Coca Cola ad where Instagram is paid money for usage of the photo? "Very IP" makes a persuasive case that new language around transferability or sublicensability means that Instagram can under the revised terms exploit content outside the ecosystem: "The Truth About Instagram." I'm not totally persuaded. In this litigious environment, particularly in light of Facebook's experience with Beacon and Fraley, any off-line rights would be clearly called out in its license agreement. Any other approach would just be inviting a lawsuit. In light of the (still pending) AFP v. Morel dispute (where AFP allegedly took photos from Twitpic and argued that it was entitled to a broad license to distribute content elsewhere), this clarity is important to users. I have no idea why Instagram dropped the ball on addressing this.

A day after the big online meltdown, Instagram’s founder published a post acknowledging user outcry and saying that it is committed to not “selling your photos” . . . whatever this means.

This was a classic example in how not to revise a terms of service. Instagram highlighted the revised terms clearly for users, but failed to anticipate what users would care about. Eric makes a few good points below about the terms that have me scratching my head. Did Instagram really leave in the "we can amend these terms whenever we want" provision in its revised terms? Ouch.

It's easy from our perspective to nitpick about the direction Instagram chose, but overall it feels unimaginative to me. They could have taken a variety of routes, ranging from offering users an opt-out (even a paid alternative) to granular control, to a revenue share (ad/brand marketplace?), but Instagram looks like it is doing what Facebook would do. Not surprising, but sort of a bummer for users. I guess it's a good illustration that the Fraley (and the FTC) settlement notwithstanding, Facebook is ready, able, and willing to override user preferences. [Query as to whether these changes in any way implicate the FTC consent decree covering Facebook, or the companies' promise to stay separate?]

Other coverage on the Instagram Issue:

EFF (Kurt O.): Instagram's New Terms of Service to Sell Your Photos
Creative Commons: Should Instagram adopt creative commons licensing?
William Carleton: Why not share the revenue?
Verge (Nilay Patel): No, Instagram can't sell your photos
Wendy Davis: User Revolt Spurs Instagram to Backtrack on New Terms of Service
Very IP: The Truth About Instagram
__________

Comments from Eric on Instagram:

1) When Facebook bought Instagram, what did Instagram users think was going to happen? Of course Facebook was going to bring its special style of management to Instagram. The revised user agreement is part of the ongoing Facebook-ization of Instagram.
2) If you run a high-profile website, you need to run any proposed user agreement changes through a user focus group before unleashing the revisions on the public. This way, you can preview the potential pitfalls better than if only lawyers and insiders read the terms. If Instagram did run its proposals through a focus group, then it needs to do a better job of that.
3) Instagram's proposed contract revisions still contain the ability of Instagram to unilaterally amend the terms without notice. After Zappos' meltdown, that's a really bad idea from a legal standpoint.
4) Although I knew what Instagram was trying to say with its provision to let them turn Instagram content into Sponsored Stories ads, the provision was clumsily worded at best and easy to misunderstand. (As Venkat points out, Instagram should have known about the risk people will think they are turning into a stock photo agency after the Twitpic debacle.) People overreacted by thinking advertisers could freely recycle their photos; even if Instagram took the copyright license, if anyone appeared in the photos, the advertisers still would need a separate publicity rights consent. Still, it was absolutely shameful for Instagram to then blame the concerns on users misunderstanding the contract provisions. Users can misunderstand even clear contract language, but this was not clear language. The fault lies with Instagram's drafters, not the users.
5) I was particularly flummoxed by the proposed provision "You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such." Can you even do this by contract? My best guess is that this provision is legally ineffective.
6) My question to all of the unhappy Instagram users: where are you going to go? All of Instagram's competitors--indeed, all free photo hosting options--are equally likely to turn on their users. Recall my dilemmas with Scribd. Moving from one free photo hosting site to another delays the problems, at best. It doesn't solve the underlying problem.
7) Overall, the biggest "problem" here is that Instagram users unrealistically expected that a free cloud service wouldn't turn on them. Every cloud service provider goes rogue on its users inevitably; and where the business' interests diverge from users, users are going to be thrown under the bus. Instagram users must have thought Instagram was the exception; and perhaps before Facebook bought it, they could have enjoyed a cloud utopia for a while longer before the collapse. But all users should have learned by now: when it comes to cloud services, you get what you get and you don't throw a fit. In light of the burgeoning number of times cloud services have quite publicly gone rogue on users, it's becoming increasingly less reasonable for users to expect anything differently. There's only one way for users to truly control the fate of their online digital assets, and that's to host all of their content on their own website. If you don't want to do that and you're looking for a free and easy option, you get what you get.

Added (comments from Venkat): In response to the feedback, Instagram founder Kevin Systrom announced in a blog post that Instagram is "reverting" the advertising language to what had been in effect from the beginning. (Here's the blog post: "Updated Terms of Service Based on Your Feedback" and here is a link to the revised terms.) The post also explains:

Going forward, rather than obtain permission from you to introduce possible advertising products we have not yet developed, we are going to take the time to complete our plans, and then come back to our users and explain how we would like for our advertising business to work.

You also had deep concerns about whether under our new terms, Instagram had any plans to sell your content. I want to be really clear: Instagram has no intention of selling your photos, and we never did. We don’t own your photos – you do.

Finally, there was also confusion about how widely shared and distributed your photos are through our service. The distribution of your content and photos is governed by our privacy policy, and always has been. We have made a small change to our terms to make that as clear as possible.

Left in is the language saying that the license to "use" user content is "transferable, sub-licensable," subject to limitations in the privacy policy. This may be protective (or clunky) drafting, but I still can't tell if Instagram intends to exploit user content outside the ecosystem. It's awkward to use privacy preferences as the limitation on how Instagram can use the photos. (For example, language in the policy says: "[o]nce you have shared User Content or made it public, that User Content may be re-shared by others," but it's not entirely clear what this means.) For public photos, it looks like the language still gives Instagram room to freely use (outside the ecosystem) content that has been designated as "public". Again, this may not be the intent, but to me, the language is not 100% clear.

Related posts:

Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
TweetPhoto (now Plixi) To Start Charging For Twitter Celeb's Pics
Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service -- AFP v. Morel
Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Posted to "Twitter/TwitPic
Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic -- Agence France-Presse v. Morel
Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook
Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook

Posted by Venkat at 11:19 AM | Copyright , Internet History , Licensing/Contracts , Publicity/Privacy Rights



December 16, 2012

Minors’ Suit Over Facebook Credits Survives in Part – I.B. v. Facebook

[Post by Venkat Balasubramani with comments by Eric]

I.B. v. Facebook, C 12 1894 CW (N.D. Cal. Oct. 25, 2012)

Eric posted before about a Facebook sponsored stories lawsuit that was brought on behalf of minors. There, Facebook was confronted with an important issue: are transactions with minors on the same footing as transactions involving adults? ("Facebook's 'Browsewrap' Enforced Against Kids--EKD v. Facebook." That lawsuit is proceeding in the Northern District, and Facebook won a preliminary victory on the enforceability of the venue clause in its terms of service.) This lawsuit over Facebook credits is in the same vein. Although Facebook gets some of the claims dismissed, some survive, and this could turn out to be a painful issue to resolve for Facebook.

This lawsuit involves minors who created accounts on their own behalf (and where the account information reflects minor status). One of the minors asked his mother for permission to buy $20 of Facebook credits for use in "Ninja Saga." After buying these credits, he went on to make other “in-game purchases” and rang up a bill for several hundred dollars. The other minor took his parents’ debit card without permission and made 20 or so charges that exceeded $1,000. Parents of both kids tried to get refunds and were not successful. They brought putative class claims.

Disaffirmance: The big question was whether the minors’ contracts to purchase the Facebook credits were void or voidable.

California Family Code Section 6701 describes classes of agreements with minors that are void: contracts involving (1) a “delegation of power”; (2) real property; or (3) personal property not in the possession or control of the minor. The court agrees with Facebook that the credits transaction did not involve a delegation of power. However, the court disagrees with Facebook as to whether the agreements relate to personal property not in the immediate possession or control of the minor. The court says that the funds used to pay for the credits were not in the possession or control of the minor, and therefore the transaction could come within this prong.

The court also says that the minors may potentially disaffirm the contracts (i.e., they are voidable). Facebook argued that the minors could not disaffirm because they received the benefits, but the court says that if the minors want to disaffirm the entire contracts they can do so (distinguishing E.K.D. v. Facebook, where the court said that minors could not selectively disaffirm certain provisions or continue to accept the benefits but disclaim the burdens). The court also disagrees with Facebook that the minors can’t disaffirm and recover consideration paid by third parties (i.e., their parents). The situations where minors were not entitled to recover amounts paid by their parents all involved situations where the parents made separate guarantees or otherwise agreed to pay the amounts in question.

EFTA: Plaintiffs argued that the transactions violated the Electronic Funds Transfer Act. The court says that plaintiffs do not identify which specific provision of the statute Facebook violated that is applicable to non-financial institutions. The court dismisses with leave to amend this claim.

Consumer Legal Remedies Act: The parties disagreed as to whether the transactions were subject to the CLRA, which applies to sales or leases of “goods or services.” The court (citing to Ferrington v. McAfee) agrees with Facebook that credits were not goods or services and therefore not subject to the CLRA.

Unfair Competition Claims: Plaintiffs argued that the transactions were unlawful or unfair business practices, relying on violations of the CLRA, EFTA, and the “Money Transaction Act.” The Money Transactions Act does not apply to “closed loop” cards that are only redeemable for goods or services provided by the issuer or its affiliate (e.g., a Starbucks card). The court agrees with Facebook and says that Facebook credits are excluded from the MTA since they can only be used to buy stuff provided by the issuer or its affiliate. With respect to unfair competition based on the CLRA and EFTA claims, the court dismisses but grants leave as to unfair competition based on EFTA violations. The court also allows the unfair competition claim to go forward to the extent it’s based on plaintiffs’ claim that Facebook made statements that all transactions were final, notwithstanding the minors’ right to disaffirm. Finally, the court says that the UCL claims based on the “fraudulent” prong of the statute are not pled with sufficient specificity. Plaintiffs have to go back and plead the what, where, how, and when of the allegedly fraudulent conduct.

__

Yikes. Facebook gets the court to cut down portions of this lawsuit, but this could turn out to be a problem! It’s one that Facebook should have anticipated, at least as to minors whose profiles indicated minor status, so it’s hard to have much sympathy.

The court reaches a roughly similar result to the one reached in the Apple in-app purchase case: “Parents' Lawsuit Against Apple for In-App Purchases by Minor Children Moves Forward -- In re Apple In-App Purchase Litigation.” It’s interesting how the court sidesteps the issue of whether the minor should be able to disaffirm notwithstanding the fact that the minor has already been conferred (or has consumed) the benefit at issue. (See E.K.D. v. Facebook and the A.V. v. iParadigms posts for discussion of this issue.) It's also interesting that the court does not discuss the possibility of the parents being forced to pursue their rights under Reg Z or under the banking institution's rules (under which they may be limited in the amount of their liability for unauthorized charges). I would think there's some sort of offset possibility here.

Perhaps a possible solution from the merchant’s standpoint is to shift everything to the password level, and require the password to be entered each time a purchase is made? A merchant who does this may be able to take advantage of provisions in its terms that require users to bear all risk of loss from any misuse of passwords. An alternative would be to include a disclaimer directed to parents when dealing with purchases through the accounts of minors (i.e., "once you let someone else make a purchase, they may continue to ring up charges")? I don’t know if either of these would offer any certainty to the merchant, since the underlying contractual relationship is between the minor and Facebook; the parent is arguably a stranger to this transaction.

Maybe Facebook is too big to care, or these types of transactions are fairly small in its overall bucket of revenues, but I'm constantly surprised at how brazenly Facebook pushes the envelope on grey area legal issues.

Related: see this recently filed complaint against Google for allegedly intercepting the gmail communications of minors (A.K. v. Google). I'm a bit more skeptical about this lawsuit, but thought it was worth flagging.

Related posts:

"Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook."
Parents' Lawsuit Against Apple for In-App Purchases by Minor Children Moves Forward -- In re Apple In-App Purchase Litigation.”
"Clickthrough Agreement Binding Against Minors--A.V. v. iParadigms"
"Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc."
_______

Eric's Comments. This case implicates one of the most enduring problems of cyberlaw: how can websites form legally binding obligations with kids when the websites aren't sure who's a kid and who isn't. In theory, every website's user agreement is vulnerable to collateral attack by the cohort of kids who have "agreed" to it but can treat the contract as voidable. The logical implications of this problem lead us to dark places: either websites are always vulnerable to class action lawsuits "on behalf of the kids" (I put it in quotes because class action lawyers are the real beneficiaries of the lawsuits, not the kids), or websites will have to impose meaningful age verification, with the resulting costs and privacy issues.

Amazingly, we've largely avoided these legal issues for the past two decades. We've seen only a few lawsuits on behalf of the kids, and through various doctrinal machinations, cases like Turnitin and EKD have found ways to avoid ripping open a big hole in cyberlaw.

In contrast, this opinion provides plaintiff lawyers with a number of possible ways to attack websites on behalf of the kids. It remains to be seen if that will happen, because this ruling depends in part on the specific mechanics of Facebook credits. Still, there's a small possibility we'll look back 5 years from now and view this case as a key turning point that structurally changed the web as we know it today--probably not for the better.

Posted by Venkat at 05:00 PM | E-Commerce , Licensing/Contracts



December 14, 2012

Search Engine Developer Sues Facebook for Disallowing Access to User Data -- Profile Technology v. Facebook (Catch-Up Post)

By Jake McGowan

Profile Technology, Ltd. v. Facebook, Inc. (Complaint)

Web developers sometimes try to enhance the functionality of an already-popular social network. But this typically requires permission to access the social network's information, which is not always easy to get or maintain. (See, e.g., Eric's discussion about Craigslist's cutoff of Padmapper).

In October, a developer sued Facebook for allegedly breaching an agreement that previously allowed the company to harvest and incorporate user information through the use of automated web crawling.

"Hand Pressing Social Network Icon" from Shutterstock

Background

Profile Technology is a New Zealand business that develops Facebook apps, including “IQ Test,” “Survey,” “Petition,” and “Polling.” When Facebook started allowing certain search engines to index public personal information, PT wanted in on the action. In 2007, it began developing an independent search engine that aggregated data from over 400 million Facebook profiles.

PT alleges that they entered into an agreement with Facebook in 2008 to scrape the public user data and incorporate the data into a social network search engine called “Advanced Search” (later rebranded as “The Profile Engine”). According to the complaint, Facebook had a dramatic change of heart about the agreement and ultimately tried to shut down Advanced Search altogether. As a result, PT filed a complaint alleging (1) breach of contract, (2) interference with business relationships, (3) defamation, and (4) unlawful, unfair, and fraudulent business practices.

Breach of Contract

By PT’s account, it had a contract with Facebook that was partially written and partially implied. The written part consisted of an email exchange between the company and a Facebook representative, Philip Fung. PT claims that Fung said they could acquire the data as long as they made the data searchable by the public:

Facebook benefited from having a social networking search engine available to its users and offering far more powerful search tools than those provided by Facebook itself. Plaintiffs and Facebook participated in a mutually-advantageous course of conduct that was consistent with and grounded in industry custom and practice.

In 2010, Facebook began blocking PT’s automated crawlers from scraping the profile data. Facebook’s attorneys also sent a letter to PT denying that they had authorization to take and incorporate data from Facebook’s site:

your company, Profile Technology, has taken Facebook user data from the Facebook.com site and services without authorization, and is now leveraging that information to sell background services about Facebook users without Facebook’s or its users’ permission.

PT states that it would have been able to restructure its business model and avoid considerable expense had Facebook abided by the implied covenant of good faith and fair dealing. Along with these avoidable expenses, PT claims that it will be able to prove lost profits at trial.

Interference with Business Relationships & Defamation

In addition to the breach of contract claim, PT also included causes of action for Interference with Business Relationships and Defamation.

Without access to the Facebook user data, Profile Engine users couldn't log into their accounts. According to Profile Technology, this contributed to a loss in users and, therefore, advertising revenue. But more importantly, PT claims that Facebook interfered while the company was in talks of selling the company to independent investors:

In the 2010-2011 time frame, Plaintiffs engaged brokers to sell their business, which had been actually profitable in an industry where profits are mostly speculation. Plaintiffs are informed, believe and thereon allege that, when contacted by prospective purchasers of Plaintiffs’ business, Defendants made false statements such as the false statement in the letter of October 31, 2011 quoted above . . . The value of a potential sale was in excess of millions of dollars (US).

The Defamation claim revolves around alleged statements by Facebook that links to PT's site were "blocked for being spammy or unsafe." PT claims that at trial, they will be able to prove that Facebook made these statements with malicious intent.
_________

It’s difficult to gauge the merit of these claims without analyzing the email correspondence between Profile Technology and Facebook’s representative--especially what provisions, if any, came into effect.

Without commenting on the “unsafe or spammy” claim, the site’s aesthetic does look a bit behind the times. It’s not hard to imagine a Facebook executive auditing the company’s various partnerships and deciding that the Profile Engine didn’t fit well with its brand. Considering Facebook’s numerous legal issues with user privacy, it also makes sense that Facebook might want to keep its users’ data closer to its chest.

Fortunately for Facebook, recent decisions have set the tone that antitrust law should not get in the way of these objectives. In the recent Sambreel Holdings LLC v. Facebook decision, the court noted Facebook’s need “to maintain the quality of its product” as a legitimate business reason for restricting certain ads that its users see.

But does this same reason justify Facebook’s actions toward the Profile Engine (a separate website)? The Sambreel court’s strong language hints that it might: “Facebook has a right to control its own product[.]” (For more on the recent Sambreel (PageRage) antitrust lawsuit, check out Eric’s coverage at Forbes.)

One lesson from all this is that it can be dangerous to build a business that relies inherently on the cooperation of another for-profit business (especially a corporate giant). The broader Facebook’s legal rights are to control its product, the easier it is for them to shut down companies like Profile Technology. And it’s not hard to imagine such a circumstance, either: Maybe they don’t want to associate their brand with the service. Maybe they’re negotiating an exclusive deal with another service. Maybe they want to offer the service themselves.

Still, companies like Profile Technology might have their place; big social networks often welcome and sometimes rely on outside companies and developers to enhance the functionality of their site. As one example, Reddit Enhancement Suite has become an extremely popular browser extension shoring up some of the user-generated content site's shortcomings and keeping users happy.

Relying on the social network does not make these companies unwise for pursuing such a business model. It makes them vulnerable, which makes an enforceable contract crucial. In this case, it seems like both parties would have benefitted from a more thorough written agreement.

Posted by JakeMcGowan at 01:28 PM | Licensing/Contracts



December 04, 2012

Employee/Ex-Employer Lawsuit Over Twitter Account Settles – Phonedog v. Kravitz

[Post by Venkat Balasubramani]

PhoneDog v. Kravitz, No. C 11-03474 MEJ (N.D. Cal.)

This is one of the first cases where employer and employee (in this case contractor) battled over a Twitter account. Noah Kravitz worked for PhoneDog as a contractor. He left and took the account with him. The parties dispute the sequence of events, but he says he changed the @PhoneDog_Noah username to "@noahkravitz" with PhoneDog's blessing. PhoneDog sued, asserting claims for conversion, misappropriation of trade secrets, and interference with economic relationships. Although they didn’t necessarily seem on solid legal ground, the court ultimately allowed these claims to proceed. (Kravitz predictably asserted counterclaims.) (Here are previous posts on the case: "Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed"; "Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims"; and "An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case".)

The lawsuit was originally filed in July 2011, and, as Mashable initially reported, has been finally resolved by agreement of the parties: “Writer Sued for his Twitter Followers Settles Case.” Terms of the settlement agreement do not appear to be public, but at a minimum it looks like Kravitz will be holding on to the Twitter account.

Employment disputes by nature can be emotional affairs, and when you add a social media component to it, I can see emotions running high, and decisions being made based on emotion rather than reason. It’s interesting that the parties decided to settle the case almost a year and a half after it was filed, with no significant litigation activity other than the initial denial of Kravitz’s motion to dismiss. You wonder why they didn’t resolve things easier. (This is often easier said than done, and the pure attrition of time and expenses can work wonders for the parties’ willingness to settle.)

Any useful takeaways from the dispute? The obvious is to have a written agreement in place governing employee social media accounts. The other is that social media accounts often mix the personal and the professional, so from a practical standpoint making a clean break may not be possible. In this vein, recently enacted social media legislation may also fall short of providing a clean solution. (See "Big Problems in California's New Law Restricting Employers' Access to Employees' Online Accounts"; see also the earlier point: a contractual solution is preferable.)

When all is said and done, I really wonder about the economics of the litigation. Was it worth it for PhoneDog to really chase after the account after Kravitz had removed any branding from the account? On the flip side, what would have happened if Kravitz had just abandoned the account and started fresh? Either scenario would not have been the end of the world. Ultimately, the parties were battling over "followers," who can be fickle, unpredictable, and certainly tough to place a value on.

Related posts:

* Battle Over LinkedIn Account Between Employer and Employee Largely Gutted--Eagle v. Morgan
* "Social Media and Trademark Law" Talk Notes
* Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims -- PhoneDog v. Kravitz
* An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case
* Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
* Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
* Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
* Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
* Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
* Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward -- Maremont v. Fredman Design Group
* "MySpace Profile and Friends List May Be Trade Secrets (?)--Christou v. Beatport"

[image credit: Shutterstock:zozian greetings .. "bluebird sticker"]

Posted by Venkat at 08:07 AM | Licensing/Contracts , Publicity/Privacy Rights , Trademark



November 30, 2012

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

[Post by Venkat Balasubramani]

Sterk v. Best Buy, 11 C 1894 (N.D. Ill. Oct. 17, 2012)

The VPPA has spawned a lot of litigation over the past couple of years. One hot button area has been the applicability of the statute to online streaming services. (Netflix; Hulu). Another has been lawsuits brought by plaintiffs seeking to enforce the purging requirement imposed by the VPPA. (Redbox; Netflix). [A proposed update to the statute's consent provisions is winding its way through. See: "Why Netflix Getting What it Wants From Congress Means Your Email Will Get Warrant Protection."]

This lawsuit is a putative class action alleging that plaintiff purchased DVDs from Best Buy, and that Best Buy: (1) retained the purchase history for over a year; and (2) disclosed this information to an affiliated entity (Best Buy Co., Inc.).

No private right of action for improper retention of personal information: Section 2710(e) is a poorly worded provision that requires covered entities to purge personally identifiable information “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The Seventh Circuit in Sterk v. Redbox (same plaintiff/counsel as in this case) held that section 2710(c) does not provide for a private right of action under 2710(e): “Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information.” Given that this court is clearly bound by this ruling, plaintiff tried to get creative and argue that he could assert a claim under the Stored Communications Act which is part of the same chapter as the VPPA. Judge Kennelly considered and rejected plaintiff’s argument in Sterk v. Redbox (on remand), and the court follows suit here. Another court in the Northern District of California recently came to the same conclusion: Rodriguez v. Sony Computer Entertainment.

Plaintiffs lack standing to pursue injunctive relief: Plaintiffs also sought injunctive relief, which required the court to address the issue of standing. The court runs through the classic test for standing, but importantly says that Congress cannot create standing for injuries that do not satisfy Article III’s minimum standing requirement. The court also notes (citing to the Seventh Circuit’s opinion in Sterk, and to Van Alstyne v. Elec. Scriptorium, an email privacy case) that only plaintiffs that are “aggrieved” may seek relief under the VPPA. Here, any injury from retention is meager at best and shouldn’t support standing. Plaintiffs’ disclosure claim similarly did nothing to establish injury—the data was being disclosed to a 100% parent corporation. Plaintiffs also tried to rely on the diminution of value of their information and the fact that they allegedly overpaid for the services provided by Best Buy, but the court easily rejects these arguments.

Plaintiffs also brought a breach of contract claim. The court says that claims based on older purchases were time-barred. Claims based on later purchases were dismissed due to lack of alleged damages. Plaintiffs are permitted to replead these.

__

Claims alleging failure to purge under the VPPA represent the far extreme of privacy lawsuits. As the Seventh Circuit’s ruling from Sterk, as well as the rulings in Rodriguez and this case demonstrate, courts will not be very enthusiastic about these claims.

It’s interesting to see the court cite to the Supreme Court’s decision in First American Finance Corp. v. Edwards. Although this case dealt with standing to sue under the Real Estate Settlement Procedures Act, in advance of the ruling, many thought this case would alter the landscape for privacy lawsuits and standing. I thought it fizzled out in this regard, but maybe it has more vitality than originally thought.

Related posts:

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media
Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices -- Mollett v. Netflix

[cross-posted at IAPP's Privacy Advisor]

Posted by Venkat at 09:38 AM | E-Commerce , Licensing/Contracts , Privacy/Security



November 28, 2012

Lawsuit Over "Google Tags" Dismissed--Frezza v. Google

By Eric Goldman

Frezza v. Google, 2012 WL 5877587 (N.D. Cal. Nov. 20, 2012)

In Feb. 2010, Google introduced Google Tags, an advertising option in Google Places. Google Tags is now dead, but Google's still dealing with the aftermath. To spur adoption, Google offered free tags to Google Places merchants. There is a dispute about the offering terms. The plaintiffs thought they could get one month of unlimited tags for free; Google says the offer was for $25 off (the amount of one tag for a month). The plaintiffs are also grousy that Google allegedly didn't delete their credit card numbers after they terminated their Tags accounts.

The court dismisses all of the plaintiffs' claims, but gives them a second chance at more futility. I assume the plaintiffs will try again. The court's specific discussions:

Breach of Contract. This claim fails because the plaintiffs didn't quote the written contract terms they think bind Google.

Unjust enrichment. This claim is dependent upon, and therefore merges into, the contract breach claim.

CLRA. This is one of California's consumer protection statutes, and the plaintiffs don't qualify because they are businesses, not consumers.

Breach of Implied Contract. Plaintiffs claim they had an implied contract with Google to flush their credit card numbers. But what contract? The plaintiffs say industry standard is the Data Security Standards ("DSS") promulgated by the Payment Card Industry Security Standards Council, but the plaintiffs don't assert that Google agreed to comply with the DSS.

The court addresses a second argument:

If, as plaintiffs argue in their opposition, Google simply agreed to "handle its customers' credit card information responsibly," Dkt. No. 13, the claim still fails. Plaintiffs contend that Google breached the implied contract because it has retained the credit card information of plaintiffs after they have cancelled their subscription to Google Tags. See Compl. P 60. However, retaining information does not amount to handling it irresponsibly. Without more, plaintiffs have not sufficiently alleged that Google breached a general obligation to reasonably safeguard customer information.

Customer Records Act. Finally, the plaintiffs asserted that Google breached a California statute saying a "business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business." The court says this statute doesn't require the disposal of customer records at any specific time; it simply applies once a business has decided to make the disposal.

[Photo credit: "Crisis" // ShutterStock]

Posted by Eric at 04:22 PM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines | TrackBack



November 19, 2012

Engaging Facebook Friends Doesn't Violate Non-Solicitation Clause--Invidia v. DiFonzo

By Eric Goldman

Invidia, LLC, v. Maren DiFonzo, 2012 WL 5576406 (Mass. Super. Ct. Oct. 22, 2012)

Let me start with a baseline proposition: we in California have it so much better than the rest of the country because employer-employee non-compete clauses are void in California. With this bright-line rule, we avoid a lot of the nonsense wrangling over non-compete clauses that's so common elsewhere. No dickering about what constitutes a competitive business. No artificial line-drawing about geography or time (is a non-compete radius of 2 miles OK? 3 miles? 4?). No overreaching efforts by employers to squelch employees' efforts to find a new job that will pay their mortgage or student loans.

This case involves an employer's attempt to enforce a non-compete and a non-solicitation clause against a hair stylist. Yes, you read that right: the employer tried to restrict where its former employee plied her scissors. Amazingly, the court doesn't say that the hair salon industry is categorically inappropriate for non-competes or non-solicitations. If anything, the court suggests the opposite, citing a 2007 opinion for the proposition that "Hairdressers are not fungible." I'm struggling to see how widespread litigation in the hair salon industry improves social welfare. Yet, apparently that's the inevitable outcome of allowing enforceable non-compete clauses in that industry, even if most lawsuits ultimately fail in court.

I'm especially interested in the court's discussion about the non-solicitation clause--a provision that might even be enforceable in California. From the court's distillation, it seems like the employer overreached quite a bit here, such as with this example:

Four days after Ms. DiFonzo resigned from Invidia, David Paul Salons, her new employer, posted a "public announcement" on Ms. DiFonzo's Facebook page, noting DiFonzo's new affiliation with David Paul....In the comment section below that post, Ms. Kaiser [a hair salon customer] posted a comment which said, "See you tomorrow Maren [DiFonzo]!"

See anything remotely resembling a solicitation here? Fortunately, the court doesn't either. Cf. Enhanced Network Solutions v. Hypersonic Technologies.

The former employer next argued "Ms. DiFonzo has become Facebook 'friends' with at least eight clients of Invidia." Overall, having hair salon employees develop social media connections with customers sounds like a positive thing as it's likely to improve customer loyalty. For example, if customers are disloyal to their hair stylist and post photos of their new haircuts, they will be outing themselves to their hair stylist. And if the hair salon employee and the customer are bona fide friends (not the fake form of friendship so rampant on Facebook), then that relationship isn't "owned" by anyone.

Finally, Invidia argued that it had an unprecedented wave of 90 customer cancellations after DiFonzo left. The court says:

[Invidia argued that] Facebook "is a significant channel of communication between Invidia and its clients."...If these 90 clients are accustomed to communicating with Invidia through Facebook, they are probably Facebook-savvy enough to locate Ms. DiFonzo's Facebook page after she left Invidia. So long as they reached out to Ms. DiFonzo and not vice versa, there is no violation of the non-solicitation provision of the Agreement.

This gets to the heart of the problems with employers' efforts to squelch competition by their former employees in any customer-facing job. Ultimately, non-compete clauses are designed to reduce customers' ability to choose the professional service providers they want. If customers of a hair stylist are loyal enough to seek out her Facebook page, that's the marketplace working exactly as it should, and overreaching non-compete/non-solicitation clauses only distort that market.

[Photo Credit: "Beautiful Young Hairdresser" // Shutterstock]

Posted by Eric at 09:52 AM | Licensing/Contracts , Trade Secrets | TrackBack



November 10, 2012

Email That Says “Done .. thanks!” Doesn't Transfer Copyrights – MVP Entertainment v. Frost

[Post by Venkat Balasubramani]

MVP Entertainment, Inc. v. Frost, B235100 (Ca. Ct. App. Nov. 7, 2012) [pdf]

We enjoy cases where people negotiate or modify contracts via email or other modern methods of communication. The underlying rules haven’t changed, and nor should they, but people don’t expect that casual off-hand electronic communications can form or alter contractual relationships. This can lead to unintended results. The favorite from this genre is the CX Digital case, where an Instant Message conversation modified the terms of an agreement and resulted in a $1.2mm judgment: "Court Rules That Instant Message Conversation Modified the Terms of a Written Contract."

This case involved an alleged agreement to transfer rights in the book titled “The Match: The Day the Game of Golf Changed Forever.” MVP wanted to purchase rights in the book and turn it into a movie. Attorneys for the parties exchanged emails. The lawyer for MVP sent an email (to the author's lawyer) with proposed terms, and asked whether “this is okay and [he would] send paperwork.” In response, the lawyer for the copyright owner (Alan Wertheimer) said:

done . . . thanks! Werth.

Later, the author and his entity talked to MVP and said that they did not want MVP to make The Match into a movie. MVP sued, asserting a variety of claims, but principally a breach of contract claim. In MVP’s view, Wertheimer’s “done thanks” email created a binding contract.

The court says that a transfer of copyright ownership is not valid unless there is a writing signed by the owner: “It doesn’t have to be the Magna Carta; a one-line pro forma statement will do.” Section 204’s writing requirement is slightly different from the statute of frauds. It serves more than an evidentiary function, and defenses such as equitable estoppel do not apply.

The big problem in this case is that Wertheimer did not have actual authority to transfer the copyrights. He testified that while he often negotiated these types of deals, he never signed the contracts (the author signed the agreements). MVP argued that Wertheimer had “ostensible authority," but the court says this is irrelevant. While California agency law may have certain rules for when contracts should be enforced against principals based on their agents leading others to believe they had authority, the Copyright Act requires a writing signed by the owner or the owner’s duly authorized agent.

MVP also argued that Wertheimer’s signature on the email (i.e., “Werth”) was an electronic signature under the ESIGN Act, but the court footnotes this argument and says it doesn't trump the actual authority issue. Again, the key issue is whether or not Wertheimer had authority--if he did, the email would likely have satisfied the writing requirement (given the court's earlier statement that the writing need not be the Magna Carta). (For context on Section 204 and the ESIGN Act, check out John O.’s blog post on the Hermosilla case: “Can A Copyright Be Assigned By Email?--Hermosilla v. Coca-Cola.”)

__

I may be saying this out of self-interest, but I like this result. It’s a bummer to have someone argue that one of your casual emails ended up granting someone rights in your client’s property.

In my comments to the Hermosilla post, I mentioned the possibility of a standard disclaimer that may preempt these types of arguments:

Nothing in this email is intended as an offer and the author disclaims any intention to make an offer or create an enforceable agreement through any email messages. Any agreement with the author of this email must be in a signed paper document!

I have not implemented one of these, but I still think it’s a good idea.

Related posts:

Can A Copyright Be Assigned By Email?--Hermosilla v. Coca-Cola
Court Rules That Instant Message Conversation Modified the Terms of a Written Contract -- CX Digital v. Smoking Everywhere

(h/t: Courthouse News)

[Image credit: Boris15 / Shutterstock.com]

Posted by Venkat at 11:45 AM | Copyright , E-Commerce , Licensing/Contracts



November 08, 2012

Social Media Producer’s Counterclaims Based on Website Ownership Rejected – Ardis Health v. Nankivell

[Post by Venkat Balasubramani]

Ardis Health v. Nankivell, 11 Civ. 5013 (S.D.N.Y. Oct. 23, 2012)

One of the many social media ownership disputes we blogged about was Ardis Health v. Nankivell, where a company sought, among other things, social media passwords from its ex-employee. Based on the existence of a written agreement, the court awarded injunctive relief and required the ex-employee to turn over the passwords: See “Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell.” (Eric’s advice is still on point. Get the passwords before you sever the relationship.)

[Eric's note: on that point, query if asking her for the passwords would have been illegal under the new statutes regarding social media passwords. I still can't believe the California legislature completely missed the fundamental issue that employers and employees routinely dispute who owns a social media account.]

The ex-employee (Nankivell) brought counterclaims asserting ownership over the “whatsinurs” website. She claimed it was a separate project she and her former employer undertook as a joint venture. She also alleged sexual harassment based on a hostile work environment, but the court declines to exercise supplemental jurisdiction over these claims.

Partnership claim: The parties did not have a written partnership agreement (or separate contract) governing their relationship for the “whatsinurs” site. Jordan Finger, the owner of Ardis Health—her employer—circulated a draft “founder’s agreement,” but it was never signed. She had one of her attorneys review it, and in the meantime, Finger terminated her via email. Nankivell thus had to argue they had created a de facto partnership based on the conduct and understanding of the parties, and the court finds that she will be unable to do so. She failed to make any allegations that the parties agreed to share any losses (as opposed to profits) from the venture, and the two documents relevant to the relationship (the proposed founder’s agreement and the termination email) did not contain any evidence of such an understanding. Accordingly, the court says that she won’t be able to make out a claim for a partnership.

Conversion of the website: Nankivell also brought a claim for conversion based on the website, and the underlying domain name, trademark, trade dress, and copyright. The court says that this claim is preempted:

The gravamen of [her] claim is that she ‘created’ the Whatsinurs website, including its ‘design’ and ‘distinctive look,’ and that [defendants] exercised ‘unauthorized dominion’ over the work and presented it to the public as their own.

The subject matter of the dispute (the website) is covered by the Copyright Act, and her claims lack an extra element. Thus the claims are preempted. The court also says that her claims for conversion of the copyright, trademark, trade dress, and domain name fail because she failed to allege that she had demanded her property back.

The court also dismisses her unjust enrichment and quantum meruit claims, finding them preempted.

__

Ouch. This is a rough break for Ms. Nankivell. On the one hand, she violated the cardinal rule of entering into a business relationship without having documentation in place. On the other hand, it’s tough to fault her too much since she had an employment relationship in place with Ardis Health. To top it off, her boss sent her a proposed co-founder agreement, so he clearly contemplated some sort of equity relationship with her.

The preferred route here for her would have been to claim joint ownership (authorship) over the assets that she created, regardless of any joint venture, and regardless of the fact that the owner of Ardis registered everything in the name of his entities. That could have avoided the preemption hurdle. The court notes this as a possibility, but for whatever reason flags that she didn’t take this route. Either way, the ruling seems fairly draconian from her standpoint, and one that's contrary to the one-time intent of the parties.

Implied joint ownership agreements for websites are pretty much a guaranteed recipe for disaster. We’ve blogged about a ton of these cases—so many that I’ve lost count. Aside from the obvious takeaway (make sure you have a written agreement in place before you invest any significant resources), another one is to keep track of which entity's name the joint venture's assets are registered in. (Here, nothing was registered in the name of the joint venture; an entity was not even formed.) It would have helped to have the domain name, trademarks, and copyright registrations in the name of a jointly owned entity.

On a related note: I intended to mention an update to the JustBrand / HotHeadz case—another case involving an employer/employee relationship that spawned a putative joint web venture (outside the employment relationship). (See LLC Members in Online Store Venture Bound by Partnership Fiduciary Duties -- Health and Body Store v. Justbrand Limited.) There the trial court denied injunctive relief to the employer—who claimed joint venture status—on the basis that the parties failed to execute a written agreement governing essential terms. The Third Circuit vacated, finding that the formation of an LLC, listing entities affiliated with the ex-employees and the employer as equity owners, was sufficient to find a joint venture. Therefore, fiduciary duties were owed, and one side (the ex-employees) could not “lock out the other” from control of the website. The Third Circuit sent the case back to the trial court, but the trial court isn’t happy turning over control to the employer. The trial court appoints an interim receiver to “manage” any ongoing dissension that arises between the parties. The court says that appointment of a receiver will tax the business and it’s unclear whether any assets will be left over. With this in mind, the court admonishes the parties to try to settle, although it notes that settlement is unlikely (given that the parties are dug in).

Related posts:

cases involving social media assets:

"Social Media and Trademark Law" Talk Notes
Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims -- PhoneDog v. Kravitz
An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case
Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward -- Maremont v. Fredman Design Group
MySpace Profile and Friends List May Be Trade Secrets (?)--Christou v. Beatport
Fight Over Access to Log-in Credentials for Blog Does not Trigger Copyright Preemption – Insynq v. Mann

website/co-blogger ownership cases:

LLC Members in Online Store Venture Bound by Partnership Fiduciary Duties -- Health and Body Store v. Justbrand Limited
Tea Partiers Wage War Against Each Other Over a Google Groups Account--Kremer v. Tea Party Patriots
Cautionary Tale of Website Co-Ownership--Mikhlyn v. Bove.
Web Vendor Dispute Gets Ugly--Ground Zero Museum v. Wilson
Holding on to a Domain Name to Gain Leverage in a Business Dispute Can Constitute Cybersquatting -- DSPT Int'l v. Nahum
Another Cautionary Tale of Joint Website Ownership--TEG v. Phelps [UPDATED]
Web Developer Didn't "Convert" Website--Conwell v. Gray Loon
Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan

[image credit: Shutterstock/Tribalium ("handshake symbol")]

Posted by Venkat at 10:48 PM | Copyright , Licensing/Contracts



October 29, 2012

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

By Eric Goldman

In re Zappos.com Inc., Customer Data Security Breach Litigation, 2012 WL 4466660 (D. Nev. Sept. 27, 2012).

In January, Zappos (part of $AMZN) announced a massive data security breach affecting 24 million consumers.  As typically happens in these situations, plaintiffs' class action lawyers swarmed over Zappos for the breach, filing dozens of lawsuits.  Zappos tried to send the lawsuits to arbitration based on an arbitration clause in its user agreement.  Recently, a federal court struck down Zappos.com's user agreement, denying Zappos' arbitration request.  This is an unfortunate ruling for Zappos, because its contract--now dead--would have been quite helpful in combating this high-profile and potentially very expensive data security breach lawsuit.   More importantly, the mistakes Zappos made in its user agreement--though common throughout the Internet--are completely and easily avoidable.  This post will make some suggestions for how to avoid Zappos' fate.

Nomenclature note: "user agreement" synonyms include "terms of service"/"TOS," "terms of use"/"TOU," "end user license agreement"/"EULA," and "member agreement."

Zappos' Terms of Use Was a "Browsewrap"

Courts generally divide user agreements into one of three groups: "clickwraps," "browsewraps" and "clearly not a contract."  I don't use the term clickwrap; instead I prefer the term "clickthrough agreement."  A clickthrough agreement is presented to users in such a way that they must take some action--usually, clicking on a button--that unambiguously signifies that they are assenting to the contract.  When properly implemented, clickthrough agreements are extremely effective in courts.

In contrast, "browsewraps" are user agreements that purport to bind users simply because users browse the website.  I don't use the term browsewrap; instead, I prefer to call those documents "not a contract."  Although there are some aberrational cases to the contrary, for the most part courts do not treat browsewraps as a contract, and anyone relying on a so-called browsewrap does so at their extreme peril.

According to the court, Zappos presented its "terms of use" as a browsewrap.  You can see the implementation from this screenshot snippet above--look for the obscure link entitled "terms of use" on the left side.  (As the court notes, if you printed out the home page of Zappos.com, this snippet would be on page 3 of the 4 page printout).

The court does not have kind words for Zappos' implementation:

we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use. The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use, even those users who have alleged that they clicked and relied on statements found in adjacent links, such as the site's “Privacy Policy.”

Later, the court reinforces how unimpressed it is with Zappos' browsewrap argument:

The arbitration provision found in the Zappos.com Terms of Use purportedly binds all users of the website by virtue of their browsing. However, the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent. A party cannot assent to terms of which it has no knowledge or constructive notice, and a highly inconspicuous hyperlink buried among a sea of links does not provide such notice. Because Plaintiffs did not assent to the terms, no contract exists, and they cannot be compelled to arbitrate.

Zappos Reserved the Right to Amend the Contract Whenever It Wanted

As you can see from the screenshot snippet above, Zappos' terms of use says "We reserve the right to change...these terms and conditions at any time."  Zappos isn't the only website using language like this; it's ubiquitous on the Internet.  Unfortunately, despite its widespread usage, this language is toxic to a contract.

The court takes this amendment power to its logical conclusion.  If Zappos can change the terms at any time, then it can change the arbitration clause at any time.  Thus, citing to a long list of cases, the court says that such unilateral power to change the arbitration clause makes the clause "illusory"--and thus unenforceable.

Lessons

Zappos can hardly be surprised by this adverse judicial ruling. We have known for years that browsewraps are unenforceable (see some of the cases discussed here) and judges clearly dislike unilateral amendment clauses (see, e.g., the Ninth Circuit's uncited Douglas ruling from 2007 and the cited 2009 ruling in the Blockbuster/Facebook Beacon case).

Still, the ruling leaves Zappos in a bad position. Its contract is legally irrelevant, meaning that all of the risk management provisions in its contract are ineffective--its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration...all of these are gone, leaving Zappos governed by the default legal rules, which aren't nearly as favorable to it. Losing its contract provisions means Zappos is legally naked.

Avoiding this outcome is surprisingly easy.  Use clickthrough agreements, not browsewraps, and remove any clauses that say you can unilaterally amend the contract.

Using Clickthrough Agreements.  Zappos had an easy way to form a clickthrough agreement.  As shoppers are checking out of the store with their shopping cart, Zappos could say "By clicking the 'purchase' button, you agree to the Zappos terms of use" with a link to the document.  It's as easy as that.  No custom coding, no interstitial web pages, no real risk of abandoned shopping carts.

Even if you aren't an e-commerce site, it's still easy to form a clickthrough agreement if you have an account registration process.  Right before users complete the registration, present the terms as "By [creating an account], you agree to the user agreement" with a link to the document.

Thus, the only websites that can't easily implement a clickthrough agreement are sites that have no checkout or registration processes.   Websites in that category should carefully consider why they need a user agreement at all.

No Unilateral Amendment Clauses.  If you are changing the user agreement only for new users who enter into the contract after the change, you don't need to tell them that you've amended the terms.  They are automatically bound to your then-current terms when they click through.  If you form a contract with your users each time you interact with them (such as with an e-commerce site), you aren't "amending" your contract; you're just changing the terms for subsequent transactions.

In contrast, if you are providing ongoing services to users and you want to change the deal with them, then you need to amend the existing agreement.  Unfortunately, there is no reliable legal way to do so other than to require users to click through the new terms--an imperfect solution because many existing users never come back to the site, and other users will balk at the request.  And worse, any failed amendment creates a variety of legal vulnerabilities, so you need an airtight amendment implementation.

Thus, to develop a legally effective contract amendment process, you should brainstorm with your attorney about creative solutions that provide flexibility without breaking the law or undermining your contract.   Or, just accept that you can never materially change the contract terms for users who have signed up under a different deal.  You might be surprised how little that limits you in practice.

Either way, Zappos' loss provides a good warning of what not to do: don't just clone-and-revise the amendment provisions you've seen on other sites. THAT DOESN'T WORK in court, and you'll be in for an unpleasant surprise if you learn that the hard way.

Disclaimer: this post is just a general discussion about legal topics.  It doesn't provide legal advice.  Consult your own attorney before making any decisions.

Posted by Eric at 09:00 AM | E-Commerce , Licensing/Contracts , Privacy/Security | TrackBack



October 26, 2012

Google Gets Unwanted Ruling in AdWords Trademark Lawsuit--CYBERsitter v. Google

By Eric Goldman

CYBERsitter LLC v. Google, Inc., 2012 WL 5873650 (C.D. Cal. Oct. 24, 2012)

This is one of three remaining trademark lawsuits against Google for AdWords. The other two pending suits are Rosetta Stone and Home Decor Center; Google just won the Jurin case. In this ruling, Google suffers a preliminary loss in the CYBERsitter case on a couple of key points. I still think Google will eventually win this case one way or another, but it's still a bummer ruling for Google. It also is a signal that Google may have an uphill battle with this judge.

Venue Selection Clause

CYBERsitter had been an AdWords advertiser until 2010. Google invoked the venue selection clause in its AdWords agreement to pull the case from Los Angeles to the Silicon Valley. The court rejects Google's request, saying that a trademark owner's lawsuit against Google is outside the AdWords agreement's scope, i.e., a trademark lawsuit has nothing to do with the basic ad network-advertiser relationship. While I see the court's point, this ruling does conflict with the uncited Flowbee and Parts Geek decisions and possibly others, like the uncited TradeComet decision.

47 USC 230

Google tried to clean up some of CYBERsitter's claims via 47 USC 230. Being generous to the judge, the opinion here is garbled. Here's what I think happened:

* the state false advertising claim survived because Google might have "developed" the ad.
* the state law claims for "trademark infringement, contributory infringement, unfair competition, and unjust enrichment" are struck down "to the extent that Plaintiff’s state law claims attempt to hold Defendant liable for infringing content of the advertisements at issue" because CYBERsitter didn't plead that Google made a "material contribution" to the ads. I don't really understand how Google might have "developed" the ads for false advertising purposes but failed to make a "material contribution." I don't understand why the judge uses different vernacular for these claims, either.
* the state trademark claim nevertheless survives to the extent that it tries to treat Google as a direct infringer for selling trademarked keywords.
* the contributory infringement also survives for reasons I don't understand, given that some of it appears to be based on the ad content, which the court had already said Section 230 preempted.
* the 17200 claim survives predicated on the trademark and false advertising claims.

I wonder how many of these rulings would survive on appeal. The court is right that Section 230 applies to third party content and not first party actions, but I'm not sure the court fully understood how to apply that distinction. At minimum, the judge seemed to bend over backwards to preserve the plaintiff's claim. It also matters that Google sought a 12(b)(6) motion to dismiss, so all inferences had to be against Google. I'm keeping my fingers crossed that the judge will modulate his scrutiny of the plaintiff's arguments at the summary judgment stage.

Posted by Eric at 08:45 AM | Derivative Liability , Licensing/Contracts , Search Engines , Trademark



October 19, 2012

A Reward Offer Still An Offer, Even if It's Made on YouTube – Augstein v. Ryan Leslie

[Post by Venkat Balasubramani, with comments from Eric]

Augstein v. Leslie, 2012 WL 4928914 (S.D.N.Y. Oct. 17, 2012).

As the post’s title implies, this case is about a reward offer that the plaintiff is trying to enforce.

Ryan Leslie, a musician, lost his computer and external hard drive while on tour in Germany. He offered a $20,000 reward for the return of his "intellectual property" via YouTube (and publicized the offer via his Facebook and Twitter accounts). Here is a link to the reward video. He later increased the reward offer to $1 million in a separate video posted to YouTube [229,359 views as of the date of this post]:

In the interest of retrieving the invaluable intellectual property contained on his laptop & harddrive, Mr. Leslie has increased the reward offer from $20,000 to $1,000,000 USD.

Augstein returned the computer and hard drive, but Leslie declined to pay up, saying that he couldn't get his intellectual property from his hard drive. Leslie says he tried to access the information and was unable to, so he sent the hard drive to the manufacturer. According to Leslie, the manufacturer deleted the material and issued him a replacement hard drive.

Was the reward an offer? Leslie argued that a reasonable person would have understood the reward videos as advertisements – i.e., “invitations to negotiate.” The court says no. The videos “sought to induce performance,” and as we should all remember from contracts 101, are offers that an offeree can accept by completing performance! That the offer was posted to YouTube does not make it any less of an offer:

The forum for conveying the offer is not determinative, but rather, the question is whether a reasonable person would have understood that Leslie made an offer of a reward. I conclude that they would.

Ouch.

Should Leslie be held accountable for failing to preserve the data?: The second issue related to whether the court should order an adverse inference against Leslie due to his failure to preserve evidence. Augstein lawyered up when he contacted Leslie about the reward. As the court notes, litigation was “all but certain.” Leslie nevertheless did not take the necessary steps to preserve the hard drive (he sent it to the hard drive manufacturer). The court says that the only question was whether Leslie was negligent or whether he had some higher level of culpability in failing to preserve the data. At a minimum, the court says that he was negligent. Although the court doesn’t issue a ruling on the merits against him, it says that Augstein will be entitled to an adverse inference—the jury can infer that the missing hard drive would have contained the material Leslie was so concerned about.

Double ouch. Leslie is toast. Moral of the story? Don’t make reward offers on YouTube that you don’t intend to follow through on.
____

Eric's Comments. We've seen a few defamation cases where courts have said basically that readers don't take online assertions of fact at their face value. See, e.g., Venkat's discussion here. There's no discussion in the opinion that Leslie argued his $1M number was hyperbolic or a joke. (The opinion cites the modern classic Leonard v. Pepsico, the case involving Pepsi points and Harrier jets). Maybe if he had said it with a Dr. Evil sneer, he might have had something to argue. But it's entirely credible that a well-known musician would pay $1M to obtain work-in-progress on a lost hard drive. Indeed, at that moment of panic when we think our hard drive has melted down and we don't have a recent backup, many of us would gladly pay enormous amounts of money just to have our data back. As Venkat indicates, if you want to tell a joke online, make it really funny; otherwise, say what you mean and mean what you say.

Once we get past the "was he kidding?" question, then we have a venerable line of "rewards" cases where the communication of the reward is an offer for a unilateral contract, not an invitation for further negotiation. The classic Carbolic Smoke Ball case is in this line. If Augstein delivered the requested "intellectual property," then he completed the contract through his performance.

I'm a little puzzled about Leslie's shipping of the hard drive to the manufacturer. I'd like to know more about what steps he took to extract his data from the hard drive. After all, if the data was really worth $1M to him, I'd expect him to act pretty carefully with a balky hard drive; and obviously a replacement hard drive would be irrelevant--and something that we'd expect Leslie to protest pretty heartily. The judge seems to accept the implicit story that Leslie got cold feet about writing a $1M check and buried the hard drive so no one could tell if Augstein had delivered the IP or not. If that's what really happened, shame on Leslie.

This case got some coverage when Augstein first filed suit. See, e.g., this post.

[image credit: blambca / Shutterstock]

Posted by Venkat at 11:44 AM | E-Commerce , Evidence/Discovery , Licensing/Contracts



October 15, 2012

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Networks

[Post by Venkat Balasubramani]

In re Sony Gaming Networks and Customer Data Security Breach Litigation, 2012 WL 4849054 (S.D. Cal.; Oct. 11, 2012)

This is a class action arising out of a hack of Sony’s online gaming network. The hacks commenced on April 16 or 17, 2011. When Sony discovered that its networks had been compromised, it took some networks completely offline (for up to a month). Approximately 10 days later, Sony acknowledged that customer information had been compromised and said that it was “reviewing options.” Ultimately, Sony offered its consumers:

free identity theft protection services, certain free downloads and online services, and ‘[said that it would] consider’ helping customers who [had] been issued new credit cards.

Plaintiffs’ lawyers readied their engines and filed multiple class actions that were consolidated in the Southern District of California. (The page listing counsel is worth a look--there were 100s of lawyers involved!) Sony brought a motion to dismiss. The court grants the motion, with leave to amend.

Standing: Citing Krottner v. Starbucks, a case where employee data was stolen from a laptop, the court says that plaintiffs satisfy standing. The court does find that plaintiffs failed to allege any basis for standing as to two Sony entities, but Sony doesn’t have any luck overall kicking the lawsuit on the basis of standing.

Negligence: As to plaintiffs’ negligence claim, the court says that, absent accompanying physical harm, a plaintiff cannot recover for “purely economic loss” in negligence (under California law). In order to get around the economic loss rule, plaintiffs have to plead either the existence of a “special relationship” or allege that they suffered physical or property damage. The court finds that plaintiffs failed to adequately allege facts regarding the exception, but gives them a chance to re-plead. The court also hammers plaintiffs on whether they have alleged cognizable injury for negligence purposes:

without specific factual statements that plaintiffs’ personal information has been misused, in the form of an open bank account, or an un-reimbursed charges, the mere ‘danger of future harm, unaccompanied by present damage, will not support a negligence action.’

Ouch. For good measure, the court also says plaintiffs’ allegations that their consoles have lost value as a result of the data breach are “illusory.”

Consumer protection act claims: The court dismisses the consumer protection act claims brought by the out-of-state plaintiffs. For in-state plaintiffs, to have standing, plaintiffs have to show that they lost “money or other property.” The court rejects each of the plaintiffs’ arguments that they lost money or other property as a result of the breach: (1) heightened risk of injury and money spent allegedly remedying this is not sufficient under unfair competition statutes (citing the iPhone App Litigation and Ruiz v. Gap); (2) interruption of service and damage to the value of their consoles is similarly too speculative; and finally (3) diminution in the value of their consoles isn’t a credible allegation (and one that plaintiffs disavowed at oral argument).

Even if plaintiffs had standing, they had to point to statements by Sony that are “likely to deceive” a reasonable consumer, and show that consumers actually relied on such statements. Even if they get past this hurdle, they fail to point to what type of injunctive relief they would be entitled to; they don’t have restitution available as a remedy because plaintiffs did not pay Sony money for something that they didn’t obtain the benefit of.

Separately, the court says that plaintiffs do not have a cause of action available under the Consumer Legal Remedies Act because the transaction (access to the PSN) did not result in a sale or lease and even if it did, access to PSN is not a “good or service” for purposes of the CLRA (citing Ferrington v. McAfee).

CA Data breach statute: Plaintiffs also brought claims under California’s newly enacted data breach statute [pdf]. This statute requires businesses to notify affected consumers of data breaches “in the most expedient time possible and without unreasonable delay.” The court says that only California residents can bring this cause of action. With respect to these plaintiffs, the court says that the savings clause insulates Sony’s actions. Section 1798.84(d) says that unless there’s an allegation that the defendant acted willfully, the defendant company is totally insulated if it provided the known information within 90 days of when it had knowledge that there was a breach.

Bailment: Plaintiffs finally brought a cause of action for bailment, which is where you deposit personal property with someone (and they are required to return it to you?). The court says that the intervening act of a third party malfeasor makes it hard to hold Sony liable, and in any event, it’s difficult to see how plaintiffs “deposited their personal property” with Sony.
__

This is another in a long line of cases rejecting claims brought by data breach plaintiffs. Although the court gives plaintiffs leave to amend their complaint, they don't have an easy task amending to remedy the deficiencies. In particular, application of the economic loss rule will make it tough for plaintiffs to bring negligence claims. The consumer protection act claims also have built-in procedural challenges in a situation such as this where plaintiffs are not complaining about a straightforward money for goods/services transaction where consumers were injured. There's the final recurring issue that's common to all of the data breach cases: plaintiffs have to come forward with some credible injury or out-of-pocket loss, and an apprehension that your data will be misused is generally regarded as insufficient.

It's worth contrasting the result here with a recent opinion in a data breach case from the Eleventh Circuit (Resnick v. Avmed). (See posts from David Navetta and SC Magazine on this ruling.) In Avmed the Eleventh Circuit reversed the district court's dismissal of claims brought by data breach plaintiffs, but noted that the named plaintiffs alleged that their information had actually been misused:

Curry's . . . information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's . . . information was used to open an E*Trade Financial account . . . .

In contrast, in this case, the court notes that allegations of misuse of the data were missing ("without specific factual statements that plaintiffs' [information] has been misused . . . the . . . danger of future harm, unaccompanied by present damage, will not support a negligence action").

These cases raise a couple of questions. Are these class actions going to end up consisting of classes of individuals who have had their information misused in some way? Second, does it matter whether these expenses or losses are unreimbursed? If someone opens a bank account in an end user's name and ultimately the bank cancels the card and all of the charges, does the hassle and expense of dealing with the situation count as compensable damages?

The court's conclusion on the California data breach statute is significant given the dearth of rulings (if any) under this statute. [I was slightly confused by the court's application of 1798.84(d), as this appeared to me to be a provision of California's "Shine the Light" statute.]

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock / budiadiliansyah]

Posted by Venkat at 08:18 AM | E-Commerce , Licensing/Contracts , Privacy/Security



October 12, 2012

Second Circuit Says Arbitration Clause in Terms Emailed After-the-Fact Not Enforceable – Schnabel v. Trilegiant

[Post by Venkat Balasubramani with comments by Eric]

Schnabel v. Trilegiant, 2012 U.S. App. LEXIS 18875 (2d Cir.; Sept. 7, 2012)

Eric recently blogged at Forbes about a terms of service gaffe by Zappos that prevented Zappos from being able to enforce their terms. ("How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked".) The Second Circuit recently issued an online terms of service decision that touched on similar issues. It’s been in the blogging queue for a while, and it festered because it’s a long-winded and roundabout opinion.

The Schnabels enrolled in Trilegiant’s discount membership services offering after completing purchases at sites such as priceline.com and beckett.com. The Schnabels alleged that they were unwittingly enrolled; Trilegiant argues that there were clear disclosures around the terms of the rewards program. (We’ve blogged a bunch of these cases before, and federal legislation currently regulates this practice—commonly referred to as “data pass” or negative option marketing. See posts on Intelius and Vistaprint; the Intelius post mentions the "Restore Online Shopping Confidence Act".)

The key issue was whether Trilegiant could force the Schnabels to arbitrate their claims. The Schnabels were taken to an enrollment page containing links to terms and conditions, and these terms contained an arbitration provision. Separately, Trilegiant had a practice of emailing each “newly enrolled member” a document entitled “Great Fun Membership Terms and Conditions.” If this email bounced back, then Trilegiant would send a paper version of this document to the billing address on file.

Enforceability of online terms: Trilegiant didn’t argue that the Schnabels could be compelled to arbitrate the dispute by virtue of having viewed the online terms on the enrollment page. The reasons for their waiver of this argument are not clear. The messiness around the terms may have contributed to this. A related possibility is that it would have focused attention on the negative option marketing aspect of the transaction. Either way, Trilegiant did not have this argument available at the appeal stage. Instead of being about the enforceability of these online terms (see Eric’s discussion in the Zappos case for what loose ends you may want to tie up to ensure that terms such as these are enforceable), the case ended up being about whether terms emailed after the fact were enforceable.

Terms emailed after the fact: On the question of whether the Schnabels can be bound by arbitration terms that they ostensibly became aware of after the fact, the court says that there are two possible arguments: (1) by analogy to the shrinkwrap cases; and (2) the arbitration clause could be analyzed as “additional terms” (think back to battle of the forms from contracts class, except this arguably deals with services). The court goes on a long and winding (and somewhat interesting) tour of basic contract principles and how they’ve been applied in different contexts. Ultimately, the court says that the Schnabels were never on inquiry notice—no reasonable person would expect additional terms to be delivered via email in a context such as this. Therefore, even if the Schnabels received the emails, their continued use of Trilegiant’s service following receipt of the emails can’t be construed as implied assent to the terms:

A reasonable person may understand that terms physically attached to a product may effect a change in the legal relationship between him or her and the offeror when the product is used. But a reasonable person would not be expected to connect an email that the recipient may not actually see until long after enrolling in a service (if ever) with the contractual relationship he or she may have with the service provider, especially where the enrollment required as little effort as it did for the plaintiffs here. In this context the email would not have raised a red flag vivid enough to cause a reasonable person to anticipate the imposition of a legally significant alteration to the terms and conditions of the relationship with Trilegiant.

The court also flags that there’s a possible "additional consideration" problem with terms after the fact that are viewed as possible amendments.

__

As I mentioned above, this opinion contains lots of interesting references to, and discussion of, old-school contract principles, but it doesn’t do a great job of tying everything together and providing a big picture framework. I had to read it a couple of times and I'm still left scratching my head. One possible way to look at it is that it’s not an online terms case at all (since this argument was waived). Nor is it the case of a customer having to take action in order to indicate their assent to terms—such as in the shrinkwrap context—even though they weren’t necessarily aware of the terms at the time of the contract (purchase). It basically says that you can’t change the terms after the fact unless (1) you hit someone over the head with notice or (2) the customer has to take action to indicate their assent. (See Kwan v. Clearwire and the Qwest arbitration cases.) Given that Trilegiant was selling a membership services offering, Trilegiant probably did not want to make it easy for customers to decide whether to sign up (or easily cancel) after having viewed the terms--that's the nature of these types of deals.

The additional consideration issue is also interesting, and makes me wonder how it would affect situations where companies try to add in arbitration clauses after the fact (e.g., paypal/ebay)? Would they be better served offering some express consideration such as a nominal discount on some fees? Does it matter that some of these companies make it harder if you want to opt-out (e.g., by making you send in a paper form)?

____

Eric's Comments

In theory, this opinion completes a nicely integrated Second Circuit hat trick of online contract cases in conjunction with the Specht and Register.com opinions from a decade ago. In practice, this opinion might have nibbled at the edges of Specht and Register.com, but I think those opinions largely survive intact and this opinion becomes a weird tangent dealing with facts of limited applicability. As Venkat said, it's baffling why Trilegiant decided not to argue contract formation via the front door (its apparent clickthrough agreement) and instead tried the side door (a post-transaction confirmatory email). In light of cases like Hill v. Gateway, where terms delivered post-transaction were in fact enforceable so long as the buyer could unwind the relationship, I don't think Trilegiant's side door argument was frivolous, but I imagine most online contracts aficionados (like Venkat and me) read this opinion and scream "but what about the clickthrough agreement?!" So this addition to the Second Circuit online contracting troika of cases is, at best, a letdown for online contracts geeks.

Because the opinion implicates Specht and Register.com, both of which I teach in Internet Law, I'm going to add a reference to this case in the next version of my Internet Law reader. (I'm also going to add my blog post on Zappos, either as a complement or substitute for the Blockbuster opinion). However, because of its quirks, I think the Schnabel opinion will warrant just a short note, not a lengthy excerpt.
__

Other coverage:

The Shrinking Relevance of Shrinkwrap Decisions (BNA / Tom O’Toole)

Related posts:

Barnes & Noble's Online Contract Formation Process Fails --Nguyen v. Barnes & Noble
Virtual (SuperPoke!) Pet Owners Must Arbitrate Their Claims Against Google and Slide -- Abreu v. Slide
Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment
Second Life Forum Selection Clause Upheld--Evans v. Linden
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Another Ruling Challenging "Check the Website for Amendments" Contract Provisions--Roling v. E*Trade
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Clickthrough Agreement With Acknowledgement Checkbox Enforced--Scherillo v. Dun & Bradstreet
Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America
Qwest Gets Mixed Rulings on Contract Arbitration Issue—Grosvenor v. Qwest & Vernon v. Qwest
Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire

[image credit: Shutterstock]

Posted by Venkat at 02:17 PM | E-Commerce , Licensing/Contracts



September 30, 2012

Lovelorn Plaintiffs Strike Out Against Match.com – Robinson v. Match.com

[Post by Venkat Balasubramani]

Robinson v. Match.com, 10-CV-2651-L (N.D. Tex. Aug. 10, 2012) [pdf]

This is another suit brought by users of a dating site who claim that a dating site deceptively leaves inactive users in its system, thus reducing the users’ chances of finding their soulmate. The court dismisses their claims and sends them packing.

Breach of contract: Plaintiffs claimed, among other things, that Match.com failed to vet profiles, failed to purge inactive profiles, falsely labeled inactive profiles as “active”, failed to police the site against scammers, and failed to verify its users' identities. Plaintiffs pointed to various provisions in Match.com's user agreement that required users to assume responsibility for their own profiles and warned users against doing nefarious acts via their profiles. The court easily says that these provisions set forth Match.com’s obligations vis a vis users, and do not require Match.com to undertake any corrective action Match.com said it could take when users engaged in shady dealings with their profiles. The court also relies on Match.com’s disclaimer of warranty, which pretty clearly said that Match.com does not vet its users and is not responsible for any incorrect or inaccurate content.

Duty of good faith: Plaintiffs also argued that Match.com had a duty of good faith, and its failure to adequately police its profiles was a breach of this duty. The court says that such a duty only exists where there is a “special relationship” between the parties. While plaintiffs may have been searching for that “special relationship” using Match.com, it’s just another website that provides services to various customers, and the law does not impose a duty of good faith on Match.com. Plaintiffs also argued that there was a special relationship by virtue of the unequal bargaining power, but this argument fails as well. Similarly, plaintiffs’ argument that their provision of confidential or personal information to Match.com creates a special relationship goes nowhere. The court says that if all that is required to create a special relationship is for one party to furnish the other party with personal information, “virtually every online transaction for the purchase of goods or services . . . would give rise to a special relationship.”

Texas Deceptive Trade Practices Act: Plaintiffs also brought a claim under the Texas Deceptive Trade Practices Act. The court issues a show cause order saying it’s going to strike this claim because under Texas law a claim under the DTPA can’t be based on a mere breach of contract. The court directs the parties to file briefs as to why a claim is (or isn’t) viable under this statute. (This claim looks like it's short-lived as well.)

__

Oy, another set of dating site plaintiffs get the smackdown. Two other cases in this vein are Anthony v. Yahoo! and Badella v. Deniro Marketing (linked below). Yahoo! settled Anthony for $4mm. The Online Cupid case (Deniro Marketing) wasn't certified as a class and promptly settled on an individual basis.

Plaintiffs pointed to contractual obligations allegedly promised by Match.com to get around the obvious Section 230 issue. The Section 230 rules allow a provider such as Match.com broad immunity for its decisions in deleting, purging, or otherwise dealing with accounts. (See Young v. Facebook and Eric's essay on this topic.) This is also a good example of a case where the service provider’s alleged promises were undercut by disclaimers in its terms of service. For better or worse, a robust disclaimer will undermine even seemingly express assurances made in a website's marketing copy. Finally, we've seen the third party beneficiary argument raised again and again but it never goes anywhere. A website's terms exist for the benefit of the site and set forth obligations vis a vis the site and an individual user. A user is never a third party beneficiary of the site's negative contract restrictions. (See Godard v. Google; Balsam v. Tucows; Noah v. AOL.)

At the end of the day, maybe there's some skepticism--around whether the judicial system should be used as a tool to remedy the broken hearts of online daters--that influences the results in these cases, but the court’s reliance on Match.com's terms was in line with other cases.

Related posts:

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.
Yahoo Loses 230 Defense for its Dating Site--Anthony v. Yahoo
Facebook Not Liable for Account Termination--Young v. Facebook

Posted by Venkat at 12:12 PM | E-Commerce , Licensing/Contracts , Marketing



September 14, 2012

Another Blow to Banks in ACH Fraud Cases: Funds Transfers Act Preempts Indemnity Agreements -- Choice Escrow v. BancorpSouth

[Post by Jake McGowan]

Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 10-03531 (W.D. Mo. Aug. 20, 2012)

[image credit: Asharkyu / Shutterstock.com]

Last month, we blogged about Patco v. Ocean Bank, where the First Circuit held that the bank may bear the loss of fraudulent ACH transfers because its security procedures were not “commercially reasonable” under the Funds Transfers Act provisions of the UCC. Though the decision left open the question of customer responsibility, for now it belongs in the win column for customers.

But the vast majority of these banking relationships include an agreement where the customer promises to indemnify the bank for a fraudulent wire transfer. It was unclear how these agreements can factor into the analysis--could an indemnity agreement shield a bank from the UCC’s “commercially reasonable” analysis altogether?

A district court for the Western District of Missouri considered this question in Choice Escrow v. BancorpSouth, and held that the UCC provisions preempt indemnity agreements.

Background

Choice Escrow maintained a trust account with BancorpSouth (“BSB”). In March 2010, BSB received a request online to transfer $440,000 out of Choice’s trust account. The third party made the request using Choice Escrow’s login credentials.

Choice Escrow filed claims against BSB under the “Funds Transfers Act” (i.e. the relevant UCC provisions) as adopted by Missouri. BancorpSouth shot back with four counterclaims relating to indemnity agreements signed by Choice Escrow, agreeing to indemnify BSB for any losses, costs, liabilities or expenses.

Funds Transfers Act UCC Provisions Preempt Written Indemnity Agreements

In a close call, the district court held that these ACH fraud matters are governed specifically by the Funds Transfers Act. Arriving at its decision, the court paid special attention to the intent of the UCC drafters:

On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency. On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships

Concluding that the Act displaced the indemnity agreements, the Court granted Choice Escrow’s motion and dismissed Bancorp’s counterclaims.

__

It’s rare to see a court strike out an agreed-upon contract provision; it’s even more rare when both parties are “sophisticated,” as is the case here. When it happens, it’s always a good idea to look to the policy considerations.

It’s true that these wire fraud cases would be a lot less messy if banks could avoid liability using indemnity clauses. But such “uniformity and consistency” might be unduly harsh on customers if, through these agreements, they were always on the hook regardless of the bank’s actions.

In the same vein, widespread use of indemnity clauses might also reduce banks' motivations to invest a lot in their security infrastructure--especially if they never had to fear liability for these large sums of money. Of course, the banks would still have an incentive to keep their customers’ accounts safe in an Adam Smith “Invisible Hand” sense, but I think the court doesn’t like any movement in that direction because security from wire fraud is such an important goal. With most of these cases, hundreds of thousands (if not millions) of dollars are at stake.

We still don’t know what (if any) duties the customer has in preventing fraud on their online bank accounts. It’s an important question in this case because the hacker got access through Choice Escrow’s account. The court in Patco recommended further hearings on the issue, so we may just have to wait and see.

[Eric's comment: although deal lawyers often spend lots of time drafting and negotiating indemnity clauses, there's widespread suspicion that indemnity clauses rarely work in the field or in court. Another good example here.]

Posted by JakeMcGowan at 07:58 AM | E-Commerce , Licensing/Contracts , Privacy/Security



September 07, 2012

Fight Over Access to Log-in Credentials for Blog Does not Trigger Copyright Preemption – Insynq v. Mann

[Post by Venkat Balasubramani with comments by Eric]

Insynq, Inc. v. Mann, 3:12-cv-05464 RBL (W.D. Wash.; Aug. 29, 2012)

Insynq is an application service provider that “provides virtual desktops and remotely hosts applications for accountants and small business owners.” Mann worked at Insynq and Insynq’s predecessor; her responsibilities included sales, support, and “writing and content development.” She signed an agreement which contained (a seemingly broad) non-compete clause, which prevented her from the following:

(1) compet[ing] for or solicit[ing] business related to an application service provider; (2) own[ing], operat[ing], or participat[ing] in employment with any entity in the business of marketing and selling application service provider business; (3) compet[ing] or solicit[ing] application service provider business from any customer of Insynq; or (4) [using any confidential information of Insynq].

While Mann was employed at Insynq, she started up a few blogs on the side (“bookkeeping in bunny slippers”; “ca4ca”; and “quickbooks in the cloud”). In February 2012, Insynq terminated Mann, and asked her to turn over the log-in credentials for the three blogs. When Mann did not turn them over, Insynq sought and obtained a preliminary injunction requiring Mann to turn over the log-in credentials. Insynq obtained the injunction in state court where it sued, but Mann removed to federal court on the basis that requiring Mann to turn over the log-in credentials triggered copyright preemption.

Insynq moved to remand, and the court granted the motion. The log-in credentials may allow someone to access the blogs and post to the blogs, but this is distinct from the right to display or reproduce the articles, which were the rights protected under the Copyright Act. In fact, Insynq expressed no copyright interest in the articles at all.
__

This dispute is one of many where employer and employee fight over blogs or social media assets post-termination. As Eric notes below, getting the credentials prior to termination would have been prudent.

As to the underlying merits, it’s not entirely clear that Insynq should be able to preclude Mann from blogging on the side, at least not by virtue of the non-compete it had in place. The non-compete ostensibly covers the same type of services that Insynq provides (roughly speaking, bookkeeping services in the cloud), but it’s hard to see how blogging directly competes with this. Insynq could have claimed access to the underlying content under a work-for-hire provision in its employment agreement (assuming it had such a provision in place), but as the court notes, that’s not what Insynq was looking for. I'm not sure exactly what the basis was for requiring Mann to turn over the log-in credentials and the court does not discuss the basis of the state court injunction. (If the non-compete clause is the basis for the injunction, this may preclude Mann from blogging going forward, but this doesn't necessarily mean that Insynq should have control over the blogs.)

As Eric notes, the copyright preemption claim was a stretch. The log-in credentials provide control over the account, and are typically viewed as an intangible property right (similar to domain names). But the content itself is separate, and in the case of a blog, is subject to copyright principles as far as ownership goes.

As always, a clear written agreement is the surest route to avoiding misunderstandings, although even where there is an agreement in place, an agreement may not easily answer the question since use of the platform or account may end up being a blend of personal and professional.
___

Eric's Comments

I don't really understand the copyright preemption doctrines, but the preemption argument here seemed pretty out-there. I know litigators love to make creative arguments, but this seemed more on the crazy side of the crazy/creative divide. I can't imagine the lawyer actually expected the preemption argument to succeed.

If the blogs really were company assets instead of personal blogs, then the company apparently violated the cardinal rule about employee-operated social media accounts: get the login credentials BEFORE terminating the employee.

Related posts:

* "Social Media and Trademark Law" Talk Notes
* Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims -- PhoneDog v. Kravitz
* An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case
* Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
* Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
* Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
* Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
* Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
* Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward -- Maremont v. Fredman Design Group
* "MySpace Profile and Friends List May Be Trade Secrets (?)--Christou v. Beatport"

Posted by Venkat at 03:37 PM | Copyright , Licensing/Contracts



September 05, 2012

Barnes & Noble's Online Contract Formation Process Fails -- Nguyen v. Barnes & Noble

[Post by Venkat Balasubramani]

Nguyen v. Barnes & Noble, 12-cv-0812-JST (RNBx) (C.D. Cal.; Aug. 28, 2012)

Plaintiff tried to purchase an HP “TouchPad” tablet that was on sale because the model was being discontinued by HP. According to plaintiff, he went to barnesandnoble[dot]com, put two HP tablets in his shopping cart, put in his credit card information, and proceeded to check out. Although he received email confirmation from B&N that they would ship the two tablets, they later emailed to cancel the order. Thus:

Plaintiff was unable to obtain an HP tablet during the liquidation for the discounted price [and] as a result, plaintiff was forced to rely on substitute tablet technology, which he subsequently purchased . . . at considerable expense.

Quelle horreur...what a tragic and sad story!

Anyway, he sued for himself and on behalf of a putative class, and B&N moved to compel arbitration based on an arbitration clause in its terms of service.

The court notes the familiar standard that its job is only to determine whether there is a valid and enforceable contract that contains an arbitration clause (and whether the dispute falls within the clause). The court notes the difference between so-called ‘browsewrap’ and ‘clickwrap’ agreements, and says that the dispositive issue is notice to consumers.

B&N’s terms fail on the notice front. Citing to Specht and Hines, the court says that B&N cannot definitively show that plaintiff had notice of the terms and assented to them. There was no check-the-box (leakproof) implementation. Moreover, according to the court, B&N did not position “even the notice” of the terms in a place where a website user would see it. Often sites provide notice in places other than just the link at the bottom of the website, but B&N took the latter approach. The checkout screen, for example, did not provide the purchaser with any specific notice that the purchase of products via the B&N website was subject to its terms and conditions (e.g., "Your purchase of products or services through this website is subject to the following terms and conditions. Click here to see a copy of the applicable terms.").

__

It’s tough to have much sympathy for B&N here. In the context of a purchase and sale transaction where the customer is at a minimum required to enter payment information, there’s zero excuse for not requiring the consumer to check the box and indicate assent to the terms as a condition of completing the transaction.

The broader question of whether terms should be enforced in a setting where there’s no affirmative act required to complete the transaction (such as when you’re just browsing a website) is interesting. (I blogged recently about the Slide dispute where the court sent consumer claims to arbitration. There acceptance of the terms wasn’t at issue.) It's tempting to see this case as a pushback on terms of service that contain arbitration clauses. However, it’s more likely an outlier in the sense that B&N’s terms of service implementation was so shoddy that it’s not likely representative of the typical terms of service case. If B&N had provided ample notice, the court would have probably enforced the terms and, as in the Slide and Zynga cases, required the consumer to arbitrate his claims.

Finally, the case hints at one of those classic contract law exam scenarios. Was B&N's advertisement a firm offer? Was B&N's confirmation of the offer acceptance of the offer? And finally, what were the plaintiff's damages from B&N's alleged breach? Could they have sourced an HP TouchPad tablet elsewhere?

Additional coverage:

"Browsewrap fails to bind customer to individual arbitration" (Rebecca Tushnet)
"Barnes & Noble Loses in Court for Lack of Notice on Terms of Service" (Eric Johnson)

Related posts:

Virtual (SuperPoke!) Pet Owners Must Arbitrate Their Claims Against Google and Slide -- Abreu v. Slide
Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment
Second Life Forum Selection Clause Upheld--Evans v. Linden
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Another Ruling Challenging "Check the Website for Amendments" Contract Provisions--Roling v. E*Trade
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Clickthrough Agreement With Acknowledgement Checkbox Enforced--Scherillo v. Dun & Bradstreet
Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America
Qwest Gets Mixed Rulings on Contract Arbitration Issue—Grosvenor v. Qwest & Vernon v. Qwest
Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire

Posted by Venkat at 08:12 AM | E-Commerce , Licensing/Contracts



August 27, 2012

Virtual (SuperPoke!) Pet Owners Must Arbitrate Their Claims Against Google and Slide -- Abreu v. Slide

[Post by Venkat Balasubramani]

Abreu v. Slide, Inc., 12 0042 WHA (N.D. Cal.; July 12, 2012)

This is a motion to compel arbitration filed by Google and Slide, the developer of SuperPoke! Pets. As mentioned by Eric in this initial post about the case, SuperPoke! is a game developed by Slide, which was later bought by Google. The game allowed you to care for “virtual pets” and earn coins. You could use these coins to customize the environment for your virtual pets. You could also buy virtual currency which you could use to purchase certain premium items. Users apparently bought a bunch ($6MM worth, according to an earlier filing by Google) of virtual currency before Google ultimately shut the game down. Users sued, alleging that termination of SuperPoke! Pets by Google and Slide violated California consumer protection laws and California common law. Defendants moved to dismiss, or in the alternative to force the consumer-plaintiffs to arbitrate their claims.

Judge Alsup lays out the general standards for enforcement of arbitration agreements, noting the federal policy in favor of arbitration where there is a valid contract. He cites to Concepcion, a Supreme Court case which looked with disfavor on a California statute which imposed higher burdens for enforceability specifically on arbitration agreements. The court’s role is to determine whether there’s a valid and enforceable contract and whether the dispute falls within the parameters of the contract. Here, the terms of use contain an arbitration provision and it clearly applies to the dispute. The remaining question is whether defendants can show that the arbitration clause is unenforceable because it’s unconscionable. No luck on this front.

Plaintiffs attacked the arbitration clause in a variety of ways, but Judge Alsup says many of their challenges do not go to the enforceability of the arbitration provision and are aimed at the terms of service. These challenges (90 day limitation on recovery of monetary damages, a one year statute of limitations) are of no help to plaintiffs. The court turns to the four objections which are focused on the arbitration provision:

Waiver of injunctive relief: The court says that a one-way waiver of injunctive relief may be problematic (even though it doesn’t necessarily go to the arbitration provision itself and is more directed overall at the terms of service). In any event, the court says that this is severable.

Filing fee: Plaintiffs complained about the filing fee, arguing that the $775 filing fee would be unduly burdensome. The court says that the actual filing fee is $125 (or $375 at the most) and this can’t be considered excessive.

No attorneys’ fees: Plaintiffs also say that the fact that the arbitration clause does not provide prevailing plaintiffs an opportunity to recover fees makes it unconscionable. The court says that there’s no requirement that an arbitration clause must provide for the recovery of fees.

Informal negotiations requirement: Finally, the court rejects plaintiffs’ argument that the requirement that they enter into “informal negotiations” prior to asserting their claim renders the clause unconscionable. This obviously does not get any play.
___

Ouch. Judge Alsup’s ruling puts this putative class action on ice. Without the possibility of recovering fees, I can’t see the plaintiffs’ lawyers pursuing this one (although if plaintiffs spent $6MM, maybe this is enough to maintain the interest of the lawyers).

How arbitration clauses in online terms would fare post-Concepcion was an open question. Although there are not enough data points to be sure, the available rulings indicate that these clauses will enjoy robust success. Companies have taken the Supreme Court’s cue and are adding back arbitration provisions into their user agreements, including sometimes adding class action waivers. (See, e.g., eBay.) At least in one instance, plaintiffs tried to attack this type of a change preemptively, but their claims (which were brought against Sony when Sony changed the terms of its PlayStation 3 terms to require arbitration) did not meet with success. (See “Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment.”)

Judge Alsup’s decision to reject plaintiffs’ arguments around the limitation clauses was interesting. A ninety day limitation on money damages and a one year statute of limitations is fairly harsh. Given the widely accepted notion that people don’t read online terms, I question whether other courts would enforce these types of draconian provisions as freely. (The court’s distinction between arguments that go to the terms and those that are focused on the arbitration clause was interesting. Even though the limitations/exculpatory provisions do not speak specifically to arbitration, the net effect is to nuke a plaintiff’s claims. I found this distinction somewhat formalistic.)

It may be that the real action is around procedural unconscionability. As the Qwest, Clearwire, Harris v. Blockbuster, and other cases linked below indicate, a surefire way to challenge an arbitration clause is to challenge formation or notice of the change to require arbitration (or on the basis that it can be changed “at any time, with or without notice”). Companies who change online terms to include arbitration provisions would be wise to dot their i’s and cross their t’s in this regard.

Related posts:

Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment
Second Life Forum Selection Clause Upheld--Evans v. Linden
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Another Ruling Challenging "Check the Website for Amendments" Contract Provisions--Roling v. E*Trade
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Clickthrough Agreement With Acknowledgement Checkbox Enforced--Scherillo v. Dun & Bradstreet
Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America
Qwest Gets Mixed Rulings on Contract Arbitration Issue—Grosvenor v. Qwest & Vernon v. Qwest
Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire

Posted by Venkat at 10:29 AM | E-Commerce , Licensing/Contracts



August 26, 2012

Online Marketplace Not Liable to Buyer for Aborted Private Sale of Facebook Shares -- Facie Libre Associates v. SecondMarket Holdings

[Post by Venkat Balasubramani]

Facie Libre Associates v. SecondMarket Holdings, 2012 N.Y. Misc. Lexis 3914; 2012 NY Slip Op 51545U (Supreme Court of NY; Aug 10, 2012)

SecondMarket operates an “online marketplace website” where shares of privately held companies are bought and sold. Karl Voskuil, a former Facebook employee, wanted to sell some of his Facebook shares prior to Facebook's IPO. He found a willing buyer in two "Facie Libre" entities that were organized to purchase Facebook shares and hold them until they became public. (This WSJ article provides background on the transaction, and also points out that Facie Libre is a latinate rendering of Facebook: "Deal For Facebook Shares Leads To Suit Vs. SecondMarket.")

Voskuil entered into a stock transfer agreement with Facie Libre to sell 75,000 Facebook shares (at $33 a share, a total purchase price of $2,475,000). Under this agreement, Voskuil was required to deliver a legal opinion to Facebook verifying that registration of the shares was not required under the Securities Act of 1933. This document had to be delivered to Facebook within 60 days of notifying Facebook that a shareholder proposed to sell Facebook shares. Separately, SecondMarket entered into an "Intermediary Services Agreement" with Voskuil under which SecondMarket would “design, implement and facilitate” the transaction for $75,000. Facie Libre was not a party to any agreement with SecondMarket.

Fortunately or unfortunately (depending on which side of the transaction you were on), the transaction did not close. The required legal opinion was delivered on March 26, 2010, one day after the 60 day deadline. According to Facie Libre, SecondMarket undertook the obligation to deliver the legal opinion, failed to timely do so, and was not forthcoming about the transaction's status. SecondMarket allegedly told Facie Libre that Facebook did not approve the transaction only three months after Facebook had informed SecondMarket that the transaction would not close. Some time after, Voskuil returned the purchase price that Facie Libre had wired to him ($2,400,000). Facie Libre sued SecondMarket alleging various theories relating to the aborted sale. Facie Libre’s primary argument was that SecondMarket was obligated to procure and timely deliver the legal opinion and its failure to do so was a breach.

Website terms: SecondMarket argued that it had an online agreement in place that contained a one year limitations period on when claims could be brought. The court dismisses this defense, saying that although SecondMarket had website terms in place, these were generally applicable to website users and do not supply any relevant terms for a separate transaction such as the Facebook stock sale.

Breach of contract: Facie Libre asserted a claim as a third party beneficiary under the Voskuil/SecondMarket intermediary services agreement. It argued that under this agreement, SecondMarket had an obligation to furnish the legal opinion. The court rejects this argument, saying that nothing in this agreement requires SecondMarket to procure the legal opinion. In fact, the intermediary services agreement expressly says that Voskuil has the obligation to furnish the legal opinion.

Negligence / Breach of Fiduciary Duty: The court also dismisses Facie Libre’s negligence and breach of fiduciary duty claims. As far as negligence, the court says that Facie Libre can’t sue in negligence since the relevant agreements require Voskuil to furnish the legal opinion (SecondMarket had no duty to do so). The breach of fiduciary duty claim fares no better. Facie Libre argued that it “subscribed to SecondMarket’s website and relied on [SecondMarket’s] expertise.” The court says that the parties engaged in an arms-length transaction and Facie Libre’s purported reliance (if any) on SecondMarket’s expertise didn’t establish a fiduciary relationship.

Misrepresentation: The one claim that survives is the misrepresentation claim. The court says that SecondMarket knew the transaction didn’t close and nevertheless strung Facie Libre along. Had Facie Libre known the transaction didn’t close, it would have taken steps to remedy the situation.
__

Oy. I don’t know the economics of who would have lost or gained from any appreciation in the Facebook shares had the transaction closed as planned, but it’s safe to say that given the downward slide in Facebook stock, someone may have actually benefited from the transaction not closing. This probably would be Facie Libre. The WSJ article linked above was written in June 2011, and it notes that at that time, Voskuil retained the shares after the botched sale, and the shares were "worth several times more than they were when he first agreed to sell them to Felix [one of the principals of Facie Libre]." He may have unloaded the shares since then, but if he has not done so, the shares are worth much less today than Facie Libre offered to pay for them. Given that Facie Libre likely didn't lose any money from the sale not having gone through, you wonder why the lack of damages didn't get any play from the court. (I thought this would be worth at least a passing mention, if nothing else, to note how quickly fortunes can change.)

This court's conclusion with respect to SecondMarket's website terms argument is right--your agreement to the website terms does not supply contract terms for all aspects of your relationship with the website. Parties have tried this argument before and it typically goes nowhere. On the other hand, given that Facie Libre brought a fiduciary duty argument that seemed premised in part on SecondMarket's website representations, it's interesting that this didn't figure into the discussion of whether the limitations in SecondMarket's website terms could preclude Facie Libre's claims.

Posted by Venkat at 01:10 PM | E-Commerce , Licensing/Contracts



August 14, 2012

No Liability for Takedown Notice that Results in Termination of Facebook Page -- Lown Cos. v. Piggy Paint

[Post by Venkat Balasubramani, with comments from Eric]

Lown Companies v. Piggy Paint, LLC, 1:11-cv-911 (W.D. Mich.; Aug. 9, 2012)

Lown and Piggy Paint are squabbling over “piggy paint” trademarks. Lown has a registration for “PIGGY POLISH,” and alleges that defendants’ “PIGGY PAINT NATURAL AS MUD” brand infringes on Lown’s mark. The court doesn’t explain the reasons for this, but the marks in question are for nail polish products. Pigs and nail polish don’t have a natural association in my mind from a branding standpoint, but I’m no branding expert. [Eric's observation: I'm not sure Venkat is an expert in nail polish, either.]

In response to the trademark infringement claims asserted by Lown, Piggy Paint asserted counterclaims based on Lown’s complaint to Facebook that apparently resulted in the “removal” of Piggy Paint’s Facebook page. Interestingly, Piggy Paint’s Facebook page had some 19,000 fans. The court describes Lown’s complaint as having requested removal of Piggy Paint’s page on the grounds of “copyright infringement.”

Tortious Interference: The court says that Piggy Paint’s counterclaim allegations do not state a tortious interference claim:

Piggy Paint has not shown any valid business expectancy. Although Piggy Paint alleges that it had 19,000 fans of the page, Piggy Paint has not and cannot show that the removal of the facebook page – which did not offer any means of placing orders or doing business – resulted in the loss of any business.

The court also says that there’s no malice on the part of Lown because it acted with “a desire to protect its own mark.”

Conversion: The court also says that there’s no conversion claim. Piggy Paint’s conversion argument was convoluted, and based on the theory that Lown wrongfully “exercised control over [Piggy Paint’s] mark . . . by removing [Piggy Paint’s] page from Facebook.” The obvious problem with this argument is that Facebook and not Lown was the one who removed the page.
__

Not to belittle the products or brands involved, but how in the heck did Piggy Paint amass 19,000 Facebook fans? Anyway, this dispute is a great reminder that brand pages and anything similar on a third party platform are not assets you should ever (ever) bank on. (Twitter caused a media dustup when it suspended then reinstated the account of a British reporter based on a complaint from NBC.) Facebook has its own processes for when and how it responds to complaints, but regardless of whether its reaction was over protective or under protective of rights, it is insulated and can’t be held liable. (See the Complexions case, among others.)

It’s not easy to hold the party who sends the takedown notice liable, either. The court rightly treats the Facebook page as something that doesn’t support a tortious interference claim. The Phonedog case, which is still pending, came to a different conclusion, although the facts were slightly different and the case dealt with Twitter followers. (A part of the ongoing struggle in the courts as to how to treat social media assets. See also Eagle v. Morgan, Maremont v. SF Design Group, and the OMGFacts case.)

Interestingly, the court notes that Lown sent a "copyright" takedown notice. This raises the question of whether Piggy Paint could have asserted a claim under Section 512(f) for sending a wrongful takedown notice. Even assuming that Piggy Paint could have argued that the takedown notice should be covered under Section 512(f), given the high bar for liability under Section 512(f), a mistaken takedown notice would be unlikely to support liability.

In any event, damages would likely be difficult to prove, and plaintiffs don't often win these types of cases. See the Ground Zero museum case, the Pandora jewelry case, among others linked below. Ordonez v. Icon Sky is a rare case where damages were awarded for a takedown request that disrupted someone's web presence. This case and Ordonez may have reached different results because this case was contested and did not involve a default judgment. Another possibility is that the judge gave short shrift to the potential for commerce on a Facebook "fan" page as opposed to a more traditional web presence; or that the Ordonez case involved a model, whose web presence would ostensibly be more important to booking gigs and generating revenue. Either way, this case's result is probably in the mainstream and the Ordonez result seems like an outlier regarding damages for disruption of a web presence.

Other coverage:

Tom O'Toole: Court Says Facebook 'Fans' Don't Translate Into Protected Expectation of Business

Related posts:

* 512(f) Plaintiff Can't Get Discovery to Back Up His Allegations of Bogus Takedowns--Ouellette v. Viacom
* Court Awards Damages for Wrongful Disruption of Web Presence -- Ordonez v. Icon Sky Holdings
* Web Vendor Dispute Gets Ugly--Ground Zero Museum v. Wilson
* 17 USC 512(f) Preempts State Law Claims Over Bogus Copyright Takedown Notices
* Advertiser Fails in Suit Against Trademark Owner over Google Trademark Complaint--Pandora Jewelers v. Pandora Jewelry
* 17 USC 512(f) Claim Against "Twilight" Studio Survives Motion to Dismiss--Smith v. Summit Entertainment
* Business Sues Facebook to Restore Its Fan Page--Complexions v. Complexions Day Spa
* Furniture Retailer Enjoined from Sending eBay VeRO Notices--Design Furnishings v. Zen Path
* Copyright Owner Enjoined from Sending DMCA Takedown Notices--Biosafe-One v. Hawks
* Allegedly Wrong VeRO Notice of Claimed Infringement Not Actionable--Dudnikov v. MGA Entertainment
_____

Eric's Comments

This is a breezy opinion that isn't likely to persuade other judges. However, the core ruling on the tortious interference claim goes right to the heart of the battle over social media accounts. As Venkat notes, the judge says:

Although Piggy Paint alleges that it had 19,000 "fans" of the page, Piggy Paint has not and cannot show that the removal of the facebook page — which did not offer any means of placing orders or doing business — resulted in the loss of any business

Let's assume this is true and Piggy Paint can't prove any actual lost sales from the page's takedown. Even so, the Facebook page was clearly a major part of Piggy Paint's relationship with its customer base, and the page takedown unquestionably disrupts that relationship and Piggy Paint's ability to keep in touch with its audience. At minimum, the judge was quite tone-deaf to the practical implications of this page's takedown. But if disrupting a communication channel between a business and its fans isn't a legal problem, then a lot of the other social media account battles should fail as well. For example, this thinking moots the Phonedog case because the continued patronage of the account's followers is the only real asset at issue.

Venkat is also right that businesses are constantly at peril that their cyberspace presence on third party websites will simply vanish. For more on this, see my article on 47 USC 230(c)(2) and online account termination. In particular, I'm nervous about all of the businesses heavily investing in their Facebook pages. Don't go crying to the lawyers if those pages go POOF.

Posted by Venkat at 10:51 AM | Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Trademark



Bank Might Bear Loss for Fraudulent Money Transfers Initiated From Its Website--Patco v Ocean Bank (Catch-Up Post)

By Blogging Assistant Jake McGowan (with Venkat's supervision), with a comment from Eric

Patco v. Ocean Bank, 11-2031 (1st Cir. July 3, 2012)

When a scammer siphons money from a customer's online bank account, should the bank or the customer bear the loss? Last year, we blogged about a pair of cases that considered this question and came to differing conclusions, albeit under slightly different portions of the Uniform Commercial Code.

Article 4A of the UCC states that the risk of loss falls on the banks by default, but banks can shift it back to the customer in two ways: (1) by showing the commercial reasonableness of the security procedures it offered, or (2) by showing that the payment was approved in good faith and in compliance with security procedures agreed to by the customer.

In Experi-Metal v. Comerica Bank, a district court in Michigan focused on whether the bank accepted suspicious transfers “in good faith.” The court sided with the customer, finding that Comerica did not act in good faith since it approved the fraudulent wire transfers despite several warning signs. In contrast, in the lower court opinion in Patco v. Ocean Bank, a district court in Maine focused on the other portion of Article 4A: whether the bank’s security procedures were “commercially reasonable.” That district court sided with Ocean Bank, ruling that the security procedures in question were commercially reasonable and thus insulated the bank from liability. Patco appealed the adverse ruling against it.

On July 3, the First Circuit reversed the district court decision and ruled in favor of Patco, holding that Ocean Bank’s online fraud security measures were not “commercially reasonable” under the UCC as codified under Maine law. The court, however, did leave room for Ocean Bank to argue that Patco might have been partially responsible for the loss.

After the First Circuit’s ruling, both this and the Experi-Metal decisions place the risk of loss (or in Patco’s case, proving the adequacy of security measures) on the bank. Still, questions linger about how and when banks may successfully shift the risk of loss back to the customer.

Background

Patco was a small business that maintained a business account with Ocean Bank’s predecessor. Ocean Bank (and its predecessor, which Ocean Bank acquired during the time period at issue) used a “Premium” multifactor authentication scheme devised by Jack Henry & Associates to protect customer funds from ACH fraud. Along with passwords and device-specific cookies, Ocean Bank utilized “challenge questions” created by the customer as a last line of defense. The questions could be triggered by transactions with high-risk profiles (e.g., unusual IP address or unusual time of withdrawal) or by a transaction exceeding a specified dollar amount. Ocean Bank controlled what types of transactions would trigger additional security measures.

The ACH fraud that resulted in loss of the funds occurred after the bank decided to lower the dollar amount triggering the extra security steps from $100,000.00 to $1.00, meaning all Patco transactions triggered the “challenge questions” line of defense against ACH fraud. This increased the challenge questions’ vulnerability to key-logging malware, and thus diluted their protective qualities. As Venkat explained in his initial post on this case, the wrongdoers gained access to the account by installing malware on Patco’s computers. The key question was whether the security measures employed by the bank were commercially reasonable.

The First Circuit’s Ruling

“Commercial Reasonableness” and the One-Size-Fits-All Approach

The First Circuit found that the bank’s security procedures must take into account “the circumstances of the customer” known to the bank. In this case, Ocean Bank did not comply with this mandate because it lowered the challenge question dollar-amount trigger to $1.00. The bank claimed that it lowered the amount to combat low-dollar fraud, but the Court didn’t see that as a valid excuse. Patco’s transfers were typically much larger, so the one-size-fits-all approach would have violated the “circumstances of the customer” requirement anyway.

Ocean Bank also tried to satisfy the requirement by trotting out its risk-profiling procedure, which provides a numeric score based on the risk of fraud associated with the circumstances of a particular transaction. But the court quickly dismissed this line of reasoning, pointing out that Ocean Bank failed to act upon the unusually high-risk profile scores for the specific fraudulent transactions in question.

Further, the Court went on to suggest that compliance with federal security guidelines would not necessarily qualify the procedures as “commercially reasonable.” While Ocean Bank’s multifactor authentication scheme complied with federal guidelines, its one-size-fits-all security measures were ineffective for Patco, and therefore were not commercially reasonable. In other words, the scheme has to be geared to work for the particular customer.

Together, these passages raise the already high standard set for “commercially reasonable,” and make it harder for banks to shift the risk of loss in ACH fraud cases.
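The following Python sketch is an added illustration, not code from the opinion, Ocean Bank or Jack Henry. It replays the mechanism described above: a $1.00 challenge trigger makes the customer type the challenge answers on every transfer (where a keylogger can record them), and a risk score that is computed but never acted on stops nothing. Apart from the $1.00 trigger, every threshold, risk score, transfer amount and the "hold for review" response is a constructed assumption.

```python
"""Step-up authentication for outgoing ACH transfers: one-size-fits-all vs. customer-tailored."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transfer:
    amount: float     # dollars
    risk_score: int   # constructed 0-1000 scale, higher = more anomalous


@dataclass(frozen=True)
class Policy:
    challenge_amount: float   # transfers at or above this amount trigger challenge questions
    challenge_risk: int       # risk scores at or above this trigger challenge questions
    hold_risk: Optional[int]  # scores at or above this are held for review; None = score never acted on


def decide(policy: Policy, t: Transfer) -> str:
    """Return 'hold', 'challenge' or 'allow' for a single transfer."""
    if policy.hold_risk is not None and t.risk_score >= policy.hold_risk:
        return "hold"
    if t.amount >= policy.challenge_amount or t.risk_score >= policy.challenge_risk:
        return "challenge"
    return "allow"


def tailor(history: List[Transfer], challenge_risk: int = 500, hold_risk: int = 750) -> Policy:
    """Derive a customer-specific policy (assumed rule: dollar trigger = 1.5x the largest routine transfer)."""
    largest = max(t.amount for t in history)
    return Policy(challenge_amount=1.5 * largest, challenge_risk=challenge_risk, hold_risk=hold_risk)


def replay(policy: Policy, history: List[Transfer], attempt: Transfer) -> Dict[str, object]:
    """Replay routine transfers, then one fraudulent attempt from a keylogged workstation.

    Keylogger model (assumption): the password is always captured, and the challenge
    answers are captured if the customer typed them during at least one routine transfer.
    """
    challenged = sum(1 for t in history if decide(policy, t) == "challenge")
    answers_exposed = challenged > 0
    action = decide(policy, attempt)
    if action == "hold":
        outcome = "held for review"
    elif action == "challenge":
        outcome = "released" if answers_exposed else "blocked at challenge"
    else:
        outcome = "released"
    return {"routine_challenged": challenged, "answers_exposed": answers_exposed, "fraud_outcome": outcome}


# Constructed sample data: six routine transfers with low risk scores.
HISTORY = [
    Transfer(12400.00, 40), Transfer(18950.00, 65), Transfer(22300.00, 50),
    Transfer(15700.00, 120), Transfer(31000.00, 90), Transfer(9800.00, 35),
]
# Constructed fraudulent attempt: unusual amount, high risk score.
ATTEMPT = Transfer(48000.00, 800)

# $1.00 dollar trigger as described in the post; the risk score is computed but never acted on.
ONE_SIZE_FITS_ALL = Policy(challenge_amount=1.00, challenge_risk=750, hold_risk=None)

if __name__ == "__main__":
    policies = {
        "one-size-fits-all ($1 trigger, score ignored)": ONE_SIZE_FITS_ALL,
        "tailored trigger, score ignored": Policy(tailor(HISTORY).challenge_amount, 500, None),
        "tailored trigger, score acted on": tailor(HISTORY),
    }
    for name, policy in policies.items():
        print(name, "->", replay(policy, HISTORY, ATTEMPT))
```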

Customers’ Responsibilities in a “Commercially Unreasonable” Security System

While the court held that Ocean Bank could not prove that its security measures were commercially reasonable—and in fact the court said they were unreasonable—the decision also noted that Patco (the customer) might bear some blame for the loss: “Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well[.]” The Court stopped short of stating what those responsibilities might look like, and left those questions for development on remand.

__

From the perspective of the banks, this passage in the Patco ruling may be a sign that they lost a battle but can win the war. Arguably the most important feature of this decision is that it opens the door for an analysis of the customer's security obligations, even where the bank's security system is “commercially unreasonable.” It is unclear how the court will handle such an analysis; an egregious example of employee negligence regarding passwords or challenge questions may shift liability entirely. For example, even though Ocean Bank’s system was “commercially unreasonable,” Patco may have been partially liable for the breach if its carelessness with a password or user ID led to the breach.

On the other hand, a breach of such an obligation might just be a way for banks to mitigate damages, in a contributory negligence style of defense. Until this question is fleshed out in further decisions, it will be too early for either customers or banks to point to this decision as an emphatic victory.

Two other notes: We’ve blogged ad nauseam about data breach plaintiffs who get kicked out of court for lack of standing (not being able to prove harm). This is an easy standing case for the plaintiff for the simple reason that it suffered out-of-pocket loss. It’s also worth pointing out that the risk of loss rules here apply to commercial accounts. As the court footnotes, Reg Z governs consumer accounts (consumers can more easily shift much of the loss to the bank by default). A final question that remains is whether the bank (or more likely insurance company) can go after the security consultant for its own role in advising the bank regarding its security measures—is “premium” protection a guarantee of commercial reasonableness?

As always, both banks and customers should educate themselves about the latest phishing tactics and try to minimize the potential of ACH fraud. It’s nearly impossible to legislate security. In the same vein, an off-the-shelf anti-fraud prevention program will not necessarily protect you against the type of fraud that occurred in this scenario.
_____

Eric's Comment

Neither litigant looks great in this dispute. Patco allegedly got malwared with a keystroke logger, and now it may be trying to foist the economic consequences of that hack onto the bank. On the other hand, the bank is throwing its customer under the bus, even though the bank transferred money when its own security procedures had flagged a problem. As Jake points out, the consumer rules in these circumstances are more favorable. Otherwise, this case would be incredibly chilling for consumer online banking. Even so, I could see Ocean Bank's corporate customers questioning their banking relationship given Ocean Bank's corner-cutting on security, its security procedure failure and its willingness to fight its customer over losses that the bank could have prevented.

Posted by Venkat at 09:23 AM | E-Commerce , Licensing/Contracts , Privacy/Security



August 13, 2012

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

[Post by Venkat Balasubramani]

In re Hulu Privacy Litigation, C 11-03764 LB (N.D. Cal.; Aug. 10, 2012)

Hulu is facing a putative class action alleging that Hulu improperly disclosed the video viewing choices of its users without obtaining consent. Hulu initially argued that plaintiffs lacked standing. Relying on the Ninth Circuit’s decision in First American Fin’l Corp. v. Edwards, the court said that alleging a violation of a federal statute was sufficient to satisfy Article III standing. Now the court looks at whether the allegations state a claim for 12(b)(6) purposes.

Is Hulu a “video tape service provider”? The VPPA only covers the rental, sale, or delivery of “prerecorded video cassette tapes or similar audiovisual materials.” Hulu argued that this language does not cover online providers. The court disagrees. The court looks to the language of the statute and finds that the phrase “similar audiovisual materials” focuses on the content, not the means of content delivery. While the dictionary definition of the word “material” is inconclusive, and everyone agrees that online delivery wasn’t around when the VPPA was enacted, the court looks to the legislative intent:

Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved. The question is whether the mechanism of delivery here – streaming versus bricks-and-mortar delivery – ends this case at the pleading stage. . . . Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects [Hulu’s] argument [that it’s not covered by the statute because the statute does not cover digital distribution].

Other defenses: Hulu raised two other defenses, neither of which the court buys, at least at the 12(b)(6) stage. First, Hulu says that its disclosures fall within the VPPA’s “ordinary course of business” exception. The statute defines ordinary course of business to include “debt collection activities, order fulfillment, request processing, and the transfer of ownership.” Hulu’s disclosures (to Facebook, Doubleclick, QuantCast, Google Analytics, and ScoreCard) do not clearly fall under this definition. No dismissal at the pleading stage based on this defense.

Second, Hulu argued that plaintiffs were not “consumers” as defined by the VPPA. The statute defines consumers as “any renter, purchaser, or subscriber,” and since the proposed class did not involve paying Hulu customers, Hulu argued that they were not consumers. The court disagrees with Hulu, saying that “[i]f Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have said so.”

__

The VPPA has spawned a lot of litigation recently! Facebook’s ill-fated beacon initiative was the first target, but since then, Netflix, Redbox, and Hulu have all been ensnared in VPPA class actions. Interestingly, someone mentioned that books were initially proposed to be part of the VPPA, but at the FBI’s request, were carved out. [Eric's note: books are now covered in California under the Reader Privacy Act.]

To my knowledge, two of the three issues decided in this ruling have not been previously dealt with: (1) does the VPPA apply to purely online service providers, and (2) does it cover non-paying customers. The court could have probably gone either way on this, and the court's conclusion takes the privacy-friendly approach. As interpreted in this manner, the VPPA applies to a wide range of sites, from YouTube to Vimeo. The scope of the proposed class also shows the reach of the VPPA as construed in this manner. The proposed class encompasses people who visited Hulu.com between March 4, 2011 and July 28, 2011 and who viewed video content. Hulu didn’t actually provide a list to third parties of what videos these individuals viewed. It used certain cookies that respawned and were difficult to delete, and disclosed unique identifiers (e.g., Facebook IDs & Hulu profile identifiers). It’s tough to argue based on the allegations in the complaint that Hulu was guilty of some sort of knowing malfeasance. It used a third party ad network that allegedly engaged in aggressive tracking practices and as a result Hulu is potentially on the hook for damages under the VPPA.

I’m somewhat surprised to not see any discussion of the Hulu terms of use. I would expect that, if I register on a free website to view videos, my viewing habits would at a minimum be used for ad targeting. As to why this and more was not disclosed and assented to in the terms of service is a mystery to me. I guess some interpret the VPPA to require consent on a movie-by-movie basis and something other than a term of use-based consent. See this post by Wendy Davis that mentions possible amendments to the VPPA that would tweak these to make sharing easier.

Other coverage:

ReadWriteWeb (Nancy Scola): The Hulu Dilemma: How Private is Your Video Playlist?
Forbes (Kash Hill): Court Case Spells Trouble for Frictionless Sharing of Videos on Facebook

Related posts:

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox

Posted by Venkat at 08:43 AM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security



August 11, 2012

Breastfeeding Mom Can Sue Video Producer Despite Signing a Blanket Release--Sahoury v. Meredith

By Eric Goldman

Sahoury v. Meredith Corp., 2:11-cv-05180-KSH-PS (D. N.J. Aug. 2, 2012)

Sahoury consented to being video-recorded while breastfeeding for inclusion in an instructional video. She claims that the video producers orally agreed to two conditions: (1) the instructional video would only be shown on cable TV and the Parents magazine website, and (2) the video would not reveal the full name of Sahoury or her baby. However, she signed a blanket written release that didn't reference either promise. She says the release was presented to her after the taping, as she was in a rush to leave. Sahoury alleges that the producers broke both oral promises by posting the video to YouTube with her full name. She then alleges that rogue actors downloaded the video from YouTube and spliced the video of her breastfeeding into pornographic videos featuring a model who looked like her; and the rogue video referenced her full name and was distributed widely, ruining her vanity search results. To combat this, she hired a reputation management service.

Frustrated by the video producers' lack of pursuit against this rogue distribution, Sahoury sued the video producers. In this ruling, the court largely upholds her lawsuit against a motion to dismiss, mostly based on Sahoury's argument that she relied on the oral promises made by the producers. However, the court dismisses her publicity rights claim because using her name in connection with a freely available instructional video doesn't have enough commerciality.

From a legal drafting standpoint, it's interesting that the signed blanket release wasn't dispositive. The release might still work later in the case, but it didn't knock out the case on a motion to dismiss. She basically gets around the release by arguing procedural defects (presented after the video was shot, as she had to leave quickly to get her kid) and the contrary oral promises. Naturally, video/photo producers should never make oral promises to the depicted people that contradict the written releases. Here, it opens the door for the judge's outrage about Sahoury's treatment.

Putting aside the legal issues for a moment, I'm confused because Sahoury's allegations all rest on a questionable factual premise. It appears she thinks that she could avoid being reidentified if only her first name was used, but obviously this is wrong. As we've seen repeatedly, she could be easily reidentified by third parties in the comments or elsewhere online--especially as facial recognition technology improves. And, the ability of pornographers to extract and remix the video was equally possible if the video was on YouTube, on Parents.com or only shown on cable. In other words, by consenting to the production and distribution of a widely available video showing her breast-feeding, she was vulnerable to the porn splicing no matter what. Finally, as we saw in the Bev Stayart cases, a person's name can be splogged into web pages with adult content even if the person has done nothing supporting that association. So from my perspective, Sahoury never had a chance of achieving her putative objectives.

In light of where she is now, what can she do (beyond reputation management and suing the initial video producers)? She could try to go after the rogue video remixer and the various porn sites distributing the video. She would have to rely on privacy claims, as she doesn't own the video's copyright (more on that in a moment). Further privacy litigation against these third parties isn't likely to be productive. The rogue video remixer and porn sites aren't likely to be easy targets--they could be overseas, they are almost certainly judgment-proof, and there are just too many targets--and the privacy claims will be partially undercut by the wide public release of the initial video.

Similarly, legal efforts against search engines to de-index the porn sites linking to her name aren't any more productive. Bev Stayart has shown this is a losing proposition, and 47 USC 230 would also apply to any privacy-based claims.

In contrast to privacy claims, copyright infringement would provide Sahoury with a real cudgel. This is why we're seeing the troubling hack (most recently blogged in Scott v. WorldStarHipHop) of a photo/video subject acquiring the copyright to the visual depiction of them and then turning into a copyright plaintiff. Something like that would be a logical approach for Sahoury here. She can settle up with the initial video producers, get the copyright to the video or at least the portion with her in it, and then send copyright takedown notices not only to the republishing websites but to the search engines as well. I can't really applaud this approach, as it relies on the unwarranted power of copyrights over other legal claims.

Posted by Eric at 10:47 AM | Copyright , Derivative Liability , Licensing/Contracts , Publicity/Privacy Rights , Search Engines



August 06, 2012

Online Marketplace Isn't Liable for Bad Conduct by Merchants It Certifies--Englert v. Alibaba

[Post by Venkat Balasubramani]

Englert v. Alibaba, 11CV1560 RWS (E.D. Miss.; Apr. 27, 2012)

Englert and other plaintiffs purchased products found on alibaba.com. The products included “ExtenZe male enhancement, Vimax, VigRX Plus, Energy Wristband (Power Balance), and Razor Blades Fusion Power.” Plaintiffs alleged that the products were counterfeit, or tampered with (some were seized by customs officials prior to delivery). The products were sold by third parties but displayed in a location on alibaba.com that allows third party merchants to display their products or services. Sounds like an easy Section 230 case for Alibaba, so where does it fit in? Alibaba, for a fee, allowed third party suppliers to list themselves as “Gold Suppliers”. As explained by its website:

A Gold Supplier is a paid membership for suppliers on the Alibaba website who have a serious interest in doing business with buyers worldwide . . . Gold Suppliers must complete an authentication and verification process by a third-party security service provider.

Alibaba’s website, however, stated that Alibaba:

disclaimed any warranty, express or implied, and liability whatsoever for any loss howsoever arising from or in reliance upon any information, action, or omission of any of its members on its websites.

Alibaba also had (an apparently leakproof) terms of service which explained that Alibaba is an intermediary, that it’s not responsible for the quality of any products or services, or any information provided by sellers.

The court dismisses plaintiffs’ claims for fraud, negligent misrepresentation, and breach of contract (plaintiffs didn’t contest Alibaba’s request to dismiss the breach of contract claims). The court says that plaintiffs’ claims do not allege any false statements on the part of Alibaba based on conferral of “Gold Supplier” status. The statements only refer to the sellers themselves (e.g., that they have a serious interest in doing business). Plaintiffs argued that this amounted to an implied representation that the products or services offered by “Gold Supplier” sellers are authentic, but the court doesn’t buy this argument. Moreover, the court looks to the terms of service and says that any understanding on the plaintiffs’ part that “Gold Supplier” status means that the underlying products or services would be of a particular quality is undermined by the unequivocal disclaimer of warranties and release of liability in the terms. Plaintiffs thus cannot allege that they relied on any statements from Alibaba, even to the extent the statements are false.

__

Alibaba kept its endorsement of third party sellers relatively narrow, and included robust disclaimers of warranties in its terms of use, thus nullifying the legal effect of its endorsement. It's a case worth noting from this standpoint, particularly for anyone who operates a marketplace or another ecosystem where an endorsement or rating system becomes important. Not particularly the best result for customers, who may or may not have thought that there was something special about "Gold Suppliers" vs. ordinary suppliers, but the court says in any event that a disclaimer in a leakproof terms of service trumps.

Related posts:

eBay Gets 47 USC 230 Dismissal of Products Liability Claim--Inman v. Technicolor
eBay Denied 230(c)(2) Defense Over Counterfeit Coin Policing
eBay Denied 230 Defense for Its Marketing Representations--Mazur v. eBay

Related:

Jeff Dotty, Choose Your Words Wisely: Affirmative Representations as a Limit on Section 230 Immunity, 6 Wash J.L. Tech. & Arts 259 (2011)

Posted by Venkat at 03:51 PM | Derivative Liability , E-Commerce , Licensing/Contracts , Marketing



July 19, 2012

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action -- Low v. LinkedIn

[Post by Venkat Balasubramani]

Low v. LinkedIn, 11-CV-01468-LHK (N.D. Cal.; July 12, 2012)

This case involves the fact that LinkedIn put users' unique identifiers into its URLs, allowing advertisers (and others) to associate that unique identifier with users--and, potentially, access the info on their profile pages--when they clicked on a link on LinkedIn. Judge Koh had previously dismissed the case with leave to amend. Low amended his complaint, and the second time around Judge Koh dismisses it with prejudice. Here’s our blog post on the initial dismissal of the lawsuit: LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn.

Standing: citing to Edwards v. First American Corp. and Jewel v. NSA, the court says that plaintiffs have alleged violations of statutory rights as well as (state) constitutional rights and get over the standing hurdle.

Stored Communications Act: Plaintiffs’ claims under the Stored Communications Act require the plaintiffs to show that LinkedIn provides either “remote computing services” or “electronic communication services.” The court also says that the analysis looks to whether LinkedIn was acting in this capacity with respect to the particular information that was allegedly wrongfully disclosed. In this case, the court concludes that LinkedIn was not functioning as a remote computing service with respect to the LinkedIn user ID and URL of the profile pages that the user used to view third party profiles. The unique IDs are created by LinkedIn for its own purposes and are not sent to LinkedIn for storage or processing by plaintiffs.

Invasion of Privacy: The court says that invasion of privacy claims must meet “high standards” for the types of invasion that are actionable—“there must be an egregious breach of the social norms underlying the privacy right.” The court says that disclosure of the LinkedIn ID and the profile page is not the type of information that amounts to a serious invasion. Additionally, although plaintiffs claimed that the information could be used to glean plaintiffs’ browsing history and used to identify plaintiffs, there was no allegation that this actually occurred.

False advertising law: Plaintiffs failed to allege reliance on any purported misrepresentations by LinkedIn. Although one of the named plaintiffs had paid for a premium LinkedIn subscription and satisfied the monetary loss elements, the court still finds that there was no allegation that plaintiffs viewed any representations within LinkedIn’s privacy policy and made a purchasing decision based on these representations.

Breach of contract: Plaintiffs’ breach of contract claim fails because they have not alleged sufficient damages. The sole basis for damages is the loss in value to plaintiffs’ information. The court again reiterates skepticism that this has value in plaintiffs’ hands to begin with, but she says that even if it does, any sort of diminution in value would not be a cognizable form of contract damages.

Other claims: The court also dismisses the claims for conversion (browsing history and personally identifiable information is not property); unjust enrichment (no standalone claim); and negligence (no damages).
__

In his comments to the original post about this case, Eric noted that this was a “low-merit” privacy lawsuit that had little chance of success the second time around. Sure enough, Judge Koh dismantles plaintiffs’ claims and sends them packing.

It’s worth noting that the FTC’s enforcement action against MySpace involved allegations against MySpace that were somewhat similar to the plaintiffs’ allegations against LinkedIn in this case: in both situations, the companies involved allowed third parties to tie the user’s unique identifiers with their public profiles. (See Ed Felten’s blog post on the MySpace settlement--"Syncing and the FTC's MySpace Settlement"):

What made the possible syncing problematic in the case of Myspace was that (1) Myspace enabled ad networks to use Myspace’s Friend ID pseudonym to get personal information about the associated user, and (2) Myspace promised its users that it would not share that personal information with third parties.

The FTC has been increasingly aggressive in its enforcement actions around the privacy practices of online entities. While the court ruled that LinkedIn could not be held liable in a civil lawsuit brought by plaintiffs, it’s an open question as to whether these practices could land it in the crosshairs of the FTC.

Other coverage:

InsidePrivacy: Low Case Against LinkedIn Dismissed In Its Entirety
FourthAmendment.com: N.D.Cal.: LinkedIn not a remote computing service and does not provide electronic communication services, so it can't be sued under SCA

Related posts:

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 08:57 AM | Licensing/Contracts , Marketing , Privacy/Security , Publicity/Privacy Rights



June 29, 2012

Photographer's Suit Against Client for Republishing Photos on Facebook Proceeds – Davis v. Tampa Bay Arena

[Post by Venkat Balasubramani with comments by Eric]

Davis v. Tampa Bay Arena, Ltd., 2012 WL 2116136 (M.D. Fla.; June 11, 2012)

This seems like a run-of-the-mill dispute between a photographer and client, but I think it contains some helpful lessons. I have a feeling we will see more of these in the future. Chalk it up to more aggressive copyright enforcement, or an impulse to put out an increasing amount of content, or a combination of the two.

Davis worked from 1998 through 2011 (under various contract arrangements) for Tampa Bay Arena as the in-house photographer photographing events. (For what it's worth, here's what looks like Davis' site.) Davis (smartly) retained ownership of the photographs and licensed them to the arena for limited uses. The agreement in place between the parties allowed for use by the arena in the following ways:

newsletter, advertising, display prints, broadcast, and the venue website.

The arena terminated its relationship with Davis in 2011 but continued to use his photographs. In early 2011, the arena created a Facebook page and posted Davis’ pictures on the page. Apparently Facebook had a feature that allowed users to download photographs at the click of a button, and this feature was available on the arena’s Facebook page. Davis asked the arena to remove the photographs from its Facebook page. The arena demurred, and Davis sued, asserting claims for infringement, conversion, and breach of contract.

Copyright infringement: The court declines to dismiss the infringement claim, finding that there is a factual dispute as to whether the arena’s use falls within the permitted uses of the agreement. The court does dismiss the infringement claims based on unregistered photographs (with leave to amend). However, the court declines to dismiss Davis’ claims for statutory damages, finding there are factual disputes with respect to the timing of the infringements and the registrations.

Conversion and Breach of Contract: The court also declines to dismiss Davis’ conversion and breach of contract claims. The court does not mention preemption when discussing the conversion claims, but finds that the arena’s retention of the slides is sufficient to support a claim. (Some of the photographs were taken with a digital camera and others were taken in slide format.) The court mentions preemption when dealing with the breach of contract claim, but summarily says that the “extra element” required to support a breach of contract claim (when also bringing a claim for infringement) is satisfied when there is a contract in place. Nevertheless, the court says that Davis alleges breaches that are independent of infringement: (1) adding corporate sponsorships to photographs; (2) refusing to return the photographs; (3) conveying rights to Facebook; (4) failing to give appropriate credit; and (5) using photos for sponsorship purposes.

__

Unfortunately for the arena, the license provisions cover the "venue website" but do not expressly reference Facebook. This isn’t surprising, given that at the time the parties negotiated the 2008 agreement, Facebook was hardly as ubiquitous as it is now. The idea of creating a Facebook page was probably not even a glimmer in the arena's eye.

The key question will be whether the arena can argue that use of the photos on the Facebook site should fall under “advertising”. This will probably be a tough argument, particularly given that anything posted to Facebook grants Facebook broad license to re-use it (e.g., in sponsored stories) and, equally as important, allows end users (fans) to freely download it. (Recall the dispute--still ongoing--between Agence France Presse and a photographer who made photos of the Haiti earthquake. AFP took the position that photos posted to Twitpic were subject to a broad license. The parties filed cross-motions for summary judgment which are currently pending before the court.) Unless the arena has some blockbuster emails from Davis evincing an understanding that the arena’s use in “advertising” was intended to be broadly construed, this may be a tough one for the arena to win.

A few copyright issues that the case brought to mind:

- when is a breach of a license agreement actionable as infringement versus as a breach of contract (as the court noted in MDY v. Blizzard, when a breach of a condition implicates one of the copyright owner’s exclusive rights, which was probably satisfied here)

- can Davis make out a conversion claim based on retention of the photos? (retention of the slides may suffice for the non-digital photos)

- how about the arena’s argument that Davis can’t exploit the photos without its consent or without the consent of the artists or performers (how will this affect Davis' chances for damages in the event he is limited to actual damages?)

These questions aside, I think this is a good cautionary tale when dealing with freelance photographers. One obvious point from this case is that clients/licensees should spell out in advance what their acceptable uses would be, and in the era of social media, it’s worth being expansive, or as general as possible. Something like “the arena can use the photos on its websites or in third party websites or platforms for purposes of advertising or promotion” would have gone a long way here.

The trajectory of the relationship between Davis and the arena is interesting. As recounted in this news story posted to Davis' blog, Davis had a long-standing relationship with the arena. The arena posts the photos to Facebook. Davis complains, then sends a C&D, ultimately leading to termination of the relationship. Davis seemed like he had a sweet gig as an in-house photographer at the arena. Was Davis over-reacting when he asked the arena to remove his photos from its Facebook page? Will his proceeds from the lawsuit make up for the money he loses from the arena's business?
____

Eric's Comments

I've complained before about dealing with freelance photographers. During my stint at Epinions, we got sued only two times--both by freelance photographers for photos we had obtained from third parties, and in both cases the financial demands were completely untethered from reality. As a result, when I see someone who describes themselves as a "freelance photographer," I just assume their alter ego is "pugnacious plaintiff." If you're negotiating a contract with a freelance photographer, get everything you possibly could ever want into the contract before writing a check. Once the cash moves, any activities not clearly permitted by the contract will cost a boatload more or invite a lawsuit, even if financially irrational. CAVEAT EMPTOR!!!

Personally, I won't deal with freelance photographers who have unreasonable negotiating positions on copyright. That's a good signal that they are likely to be tendentiously unreasonable in the future too. In fact, in my capacity as HTLI director, I just kiboshed a deal with a photography vendor whose contract was muddled on copyright terms and who didn't back down when we made a reasonable counterproposal. Major red flags. The best news: we found a replacement vendor who was half the price and whose form contract was more reasonable about copyright from the start.

Speaking of financial irrationality, I want to amplify on Venkat's discussion about the relationship. The opinion says that Davis was getting $350 per event, plus $130/hr for events over 4 hours (implying an hourly rate of no less than $87.50/hr for events shorter than 4 hours), and he retained the copyright to the photos and could presumably commercialize those in a variety of ways. Getting paid a decent hourly rate to produce copyrighted material that can be further commercialized without restriction sounds like a pretty sweet gig to me (and that doesn't count the other perks, like the free entrance to cool events and the opportunity to rub shoulders with the rich and famous). Meanwhile, it's no surprise that the arena dumped him overboard when he threatened litigation, so Davis chose to grab for the litigation cash and free up his time for other gigs rather than keep the existing economic arrangement with the arena.

Was that a good economic choice? It's hard to tell, but the opinion does give another clue. Davis sued on 255 photos, 215 of which weren't registered at the time he sued, meaning that at most 40 of the photos could possibly support statutory damages and attorneys' fees. It's not clear from the case if all 40 actually were registered on a timely basis, so we'll have to see if Davis is eligible for any enhanced statutory remedies at all.

I'm going to go out on a limb and suggest that the maximum possible damages for the 215 photos will be de minimis. Although Davis might have a standard licensing fee for his photos, which would support a plausible claim for actual damages for these photos, the dollar value can't be very high for the use on a Facebook page. And even if all 40 of the other photos qualify for statutory damages, my guess is that the damages will be more on the $750 side than the $30,000 side (and certainly not the $150,000 side).

So how much could this case be worth in Davis' best-case (but still realistic) scenario? $50k? $100k? Is that maximum potential upside worth chucking a long-term relationship (13 years) with the arena? Only Davis can answer that question, and obviously he has (at least implicitly). I hope he made a wise choice.

Posted by Venkat at 09:19 PM | Copyright, E-Commerce, Licensing/Contracts



June 27, 2012

Court Refuses to Dismiss Claims Against Alleged Twitter-Bot Spammer--Twitter v. Skootle

[Post by Venkat Balasubramani]

Twitter, Inc. v. Skootle Corp., et al., 2012 WL 2375486 (N.D. Cal.; June 22, 2012)

Twitter sued several alleged spammers, including (1) those who provided software for the use of automated account creation and tweeting, and (2) other defendants who actually created automated accounts and sent large amounts of spam tweets.

One of the individual defendants who allegedly created and maintained numerous bot accounts moved to dismiss on the basis of personal jurisdiction, venue, and for failure to state a claim. The court declines to grant his motion.

Subject matter jurisdiction: Twitter has a good faith basis for alleging that the amount in controversy exceeds the jurisdictional threshold for diversity jurisdiction, and the court finds defendant is unable to establish to a legal certainty that the claims do not meet this jurisdictional amount.

Personal jurisdiction: The court easily finds that defendant is subject to personal jurisdiction because he aimed his acts at a California corporation and agreed to its terms of service. Defendant is unable to demonstrate that the exercise of personal jurisdiction is unreasonable. (The court says in a footnote that it's not commenting on the enforceability of forum clauses in "clickwrap" agreements generally, but just that there hasn't been a showing of unreasonableness in this case.)

Venue: The court similarly says that venue is proper under the forum selection clause in Twitter’s agreement and defendant fails to argue with any credible facts as to why litigating the dispute in California would be unduly burdensome.

Failure to state a claim: Defendant argued that Twitter’s sole remedy for a violation of Twitter’s terms of service is to suspend user accounts, but the court says that Twitter’s terms expressly reserve any other available remedy to Twitter. Twitter alleges that creating bot twitter accounts and sending spam tweets was a violation of its terms and it was damaged by defendant’s breach of the terms. At the pleading stage, Twitter easily satisfies its burden.
__

A fairly run of the mill ruling resolving some typical arguments raised by a pro se defendant.

It’s worth noting that Twitter did not assert claims under CAN-SPAM, and the core of its claims is based on a breach of its terms of service. (See my previous posts on CAN-SPAM and social media posts that mention why Facebook posts don’t track neatly to CAN-SPAM: "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM"; "Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures." The same would be true of tweets.) A noteworthy move by Twitter to not push the envelope on this issue.

The fight that may end up being interesting is the one between Twitter and the defendants who allegedly made available the software used by those who created bot accounts and tweeted. These defendants may have a potential Section 230 defense available, and to establish liability, Twitter will have to show something more than that the software can be used to manage tweets from multiple accounts and automate tweets (functionality shared by many tools that are perceived as “legitimate” by Twitter). (See also "Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft.")

[A final procedural note. The court (separately) issued a show cause order requiring Twitter to demonstrate that joinder is proper. The order notes that there doesn't seem to be a connection between several of the defendants other than the fact that they were all engaged in Twitter-spamming.]

Posted by Venkat at 06:57 PM | E-Commerce, Licensing/Contracts, Spam, Trespass to Chattels



June 14, 2012

University of Alabama Can't Stop Paintings of Famous Crimson Tide Football Moments--University of Alabama v. New Life Art

By guest blogger Deborah Gerhardt

[Eric's introduction: Deborah Gerhardt is a law professor at University of North Carolina. She is part of the 3G team (including myself and Leah Chan Grinvald) working on the trademark policing article I mentioned last week. Deborah helped with an amicus brief in this case. I also signed onto that brief.]

The University of Alabama Board of Trustees v. New Life Art, Inc., No. 09-16412 (11th Cir. June 11, 2012)

Summary: On June 11, 2012, the Eleventh Circuit Court of Appeals elevated Daniel Moore to the rank of art law hero. In 2005, the University of Alabama sued him for breach of contract and trademark infringement. His offense? Daniel Moore had the audacity to include the team uniforms and colors in his paintings depicting famous moments from Alabama football games. The Eleventh Circuit concluded that Moore may continue creating his art without the University’s permission. The opinion states that Daniel Moore has a First Amendment right to include the crimson and white uniforms in his paintings of famous football moments and that this right trumps any trademark rights the team has in its colors.

Background: Since 1979, Daniel Moore has been painting photorealistic scenes of historic moments from Alabama football games. He sometimes spends months drawing, planning and painting a single canvas. Because of the amount of time invested in each work, the originals are only available to fans who can afford to spend thousands of dollars. Moore gives a much wider audience access to his works by selling prints, mugs, t-shirts, and calendars.

Moore is revered among Alabama fans. When I flew from Raleigh to Atlanta to help Moore’s team prepare for the oral argument, the woman sitting next to me on the plane saw the caption on the brief I was reading. She leaned in to share that she and her brothers bought an original Moore for their father. “It hangs behind him in his study—it is his favorite thing.” At a time when most fine art is not celebratory or even representational, Moore gives his fans a unique opportunity to display love for art, the beauty of the human form and University loyalty.

After years of encouraging Moore to paint and sell his work to appreciative Alabama fans, the University decided to claim exclusive trademark rights in the colors crimson and white, even though many other schools--including Harvard, University of Oklahoma and the University of Utah--use the same color combination. In 2002, The University of Alabama told Moore he must have their permission if he wanted to continue illustrating the team colors in his paintings. Moore believed he had a right to keep painting these historic moments accurately, and would not agree to subjugate his artistic freedom to the state university. Since then, Alabama has reportedly spent well over $1.5 million suing this artist. Not surprisingly, the case has been a public relations disaster for Alabama officials, but they continue to pursue it anyway.

Moore had multiple opportunities to settle this case, but he believes that as an artist in the United States, he should have the right to paint subjects that are meaningful to him. He persevered, and undoubtedly paid a fortune to litigate the dispute. The emotional toll should not be discounted either. Moore studied art at Alabama. His wife and children are also Alabama alumni. For years, he was welcomed onto the sidelines at football games so he could take photos that he would use as raw material for his work. The suit must have been a painful experience for his entire family. Still, Moore continued to defend himself and his principles.

For a long time, it seemed that no judge would have the courage to decide the case. The 11th Circuit noted that the case had been assigned to “seven different district court judges.” Many of them seemed intent on forcing a result through repeated rounds of alternative dispute resolution. Finally, District Judge Robert B. Propst split the baby, granting partial summary judgment allowing Moore to continue selling paintings and prints. In the findings of fact, the Court stated that “It is highly unlikely that a purchaser would not know that Moore is the moving force behind the paintings . . . [if trademarks] answer the question ‘who made it?’ . . . the answer is clearly ‘Moore.’” Despite this finding, in its conclusion of law, the District Court found that “the paintings may create a likelihood of confusion with regard to plaintiff’s said mark.” The Court granted summary judgment to the University on the merchandise, prohibiting Moore from selling reproductions of his art on items typically seen in a museum gift shop, like smaller prints, calendars and mugs.

Eleventh Circuit Oral Argument: Both the University and Moore appealed. The Eleventh Circuit heard oral argument on February 2, 2012. Moore’s counsel, Stephen D. Heninger, is a veteran trial lawyer. He described Daniel Moore as “the Norman Rockwell of college football.” Then, Heninger held up a Sports Illustrated cover to demonstrate the importance of the issue before the court. If the University wins, what prevents it from requiring news organizations to get permission every time they want to take a photo or mention the name of a team?

Heninger wisely ceded five minutes of his argument to Notre Dame Law professor Mark McKenna [Eric's note: Mark has guest blogged here as well]. The Court bombarded him with questions, extending its time with him. McKenna emphasized the importance of applying the Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989) test in which First Amendment interests are balanced against trademark claims. He also explained that trademark law makes it OK to show a brand when the use is to express an idea or create art and not to designate the source for the work. The Eleventh Circuit opinion makes it clear that Mark McKenna’s law professor amicus brief (to which I contributed) and his oral argument were helpful to the Court in sorting through the issues.

Eleventh Circuit Opinion: In a thoughtful opinion written by Circuit Judge Anderson and issued on June 11, 2012, the Court of Appeals handed Daniel Moore a significant victory.

Breach of Contract Claim: Over several years, Moore had agreed to several license agreements with the University of Alabama for specially sponsored items that were sold with a University seal on the frame or packaging. Each of these agreements required Moore to get permission before using a long list of University “indicia” “upon or in connection with” any product. These University agreements read like they were created for T-shirts and caps, not art. Perhaps for this reason, the team colors were on the list of indicia, but the uniforms were not. The University claimed that by signing these agreements, Moore gave up any rights he may have had to use the University symbols in his art without its consent. The District Court had held that Moore did not breach these agreements because “uniforms” did not appear on the long list of indicia. The University appealed this finding because although the uniforms were not on the list, the colors were listed, and the colors did appear in Moore’s paintings.

The University thought it had a strong breach of contract claim. It urged the Eleventh Circuit to decide the entire case based on the language in the form contracts, asserting that the Court did not need to reach its trademark claims. Here, it made a huge tactical error. The University overreached in arguing that the contracts applied to all of Moore’s work, not just the ones subject to the license agreements. Such a reading was possible from the language of the contracts, but it made no sense in the broader context of the dispute. The Eleventh Circuit astutely suggested that the University’s reading of the contract might have made it void on public policy grounds. According to the Alabama interpretation, Moore would have “effectively indentured himself to the University, in that he would need to perpetually obtain permission to paint any historically accurate scenes from Alabama football games.” Being perpetually indentured sounds at worst like slavery—and at best like a covenant not to compete that never ends. Under either scenario, the contract would of course be void on public policy grounds.

The Eleventh Circuit rejected the University’s contract interpretation. It found the language of the license ambiguous. On one hand, the contract suggested that Moore needed permission for any use of the indicia; on the other hand, other provisions seemed to suggest that permission was required for branding on a product package but not in the content of a painting, print or calendar. Because the license agreements were ambiguous, the Court looked to how Moore and the University worked together in the days before the dispute to discern the true agreement between the parties. It found that even while the license agreements were in place, Daniel Moore continued to sell other artwork featuring Alabama subjects wearing the Crimson Tide uniforms. The University proudly displayed many of these unlicensed works on campus. Even though Moore’s work was widely known and admired in the Alabama community, the University never objected to these unlicensed works until 2002. The facts did not reflect the story the Alabama lawyers told the court. Based on the conduct of the parties, the Court concluded that the parties did not intend that Moore would seek permission every time he wanted to include Alabama uniforms in his art. He had painted them too many times with the University’s enthusiastic consent.

Trademark Claim: The opinion also gave Daniel Moore and all artists seeking to show brands in their work a big victory on the trademark claim. The result came as a pleasant surprise. The district court opinion was nearly incoherent, and the Eleventh Circuit could easily have remanded the case for a trial on whether Moore’s use of the marks created a likelihood of confusion among consumers.

Also, Moore’s lawyers had to confront some spectacularly bad precedent--Boston Hockey v. Dallas Cap & Emblem, 510 F.2d 1004 (5th Cir. 1975), which was binding in the Eleventh Circuit. Instead of applying the typical likelihood of confusion standard for trademark liability, Boston Hockey states that any use of a trademark that “triggers a sale” should result in liability. In the law professor brief, we explained that this precedent means that there could be trademark liability every time a newspaper makes more sales because it uses a team name to report the results of a big game. (I analyze Boston Hockey’s potential chilling of such uses in more detail in my article, Social Media Amplify Consumer Investment in Trademarks.) Trademark liability was not meant to be so broad. Still, the Boston Hockey case remains valid precedent in this Circuit, and the panel of judges knew it well. The Boston Hockey case itself (involving use of counterfeit team logos) may have been decided correctly, but the broad standard it articulated goes against the weight of trademark authority, and could have sunk Moore. The subject of the paintings is something that appealed to Moore’s audience.

The University again overreached. It asserted that Boston Hockey was dispositive. Their strategy failed to account for the artistic context. At oral argument, Judge Anderson asked the University’s counsel if his client’s trademarks trumped Daniel Moore’s First Amendment right to paint scenes from football games. The lawyer had no response. This question turned out to be of vital importance. In the opinion, Judge Anderson framed the central issue in the case as follows: “we must decide whether Moore’s First Amendment rights will give way to the University’s trademark rights.”

Even though the tempting simplicity of the Boston Hockey precedent was available, the Eleventh Circuit acknowledged that depicting a trademark in a work of art has First Amendment expressive value that must be balanced against the University’s trademark rights. Daniel Moore makes it very clear that he is the source of his art. Because Moore used the university symbols, such as the uniforms, to “memorialize and enhance a particular play or event in the university’s football history,” the Court found that such use does not violate the Lanham Act. At oral argument, Stephen Heninger and Mark McKenna clarified to the court that showing a brand inside a frame as art is expressive and should be protected by the First Amendment. These uses are very different from uses on a frame or package for art.

The Court noted that there was no evidence Moore made that kind of unauthorized use. After citing Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989) and ETW v. Jireh Publishing Inc., 332 F.3d 915 (6th Cir. 2003), the Eleventh Circuit disregarded Boston Hockey and balanced the artist’s First Amendment rights against the University’s trademark claims. The Court concluded that “the First Amendment interest in artistic expression so clearly outweighs whatever consumer confusion that might exist on these facts that we must necessarily conclude that there has been no violation of the Lanham Act.” It affirmed the District Court’s conclusion that Moore may continue to sell his paintings and prints without the University’s permission. The Eleventh Circuit reversed the trial court’s injunction on the calendars.

The Court reluctantly found that Moore had waived his First Amendment and fair use claims by not clearly indicating that these arguments applied to his merchandise (for which he was the appellant) and not merely to his paintings (for which he was the appellee). It remanded this small piece of the case back to the District Court for a factual determination of whether the University acquiesced to Moore’s sales of these items. Perhaps this litigation will continue. The University could also appeal for en banc consideration.

This round elevated Daniel Moore to the status of First Amendment and Art Law hero. It is rare for a private citizen to have the perseverance, resources and courage to fight this kind of battle for a principle that will pave the way for many others. It would have been easy for him to turn away and paint other subjects. By fighting this litigation for nearly a decade, Daniel Moore has preserved his personal freedom to paint the subject that is most meaningful to him. He also prompted the Eleventh Circuit to validate that right in a way that will create a legacy of artistic freedom for others who enrich our lives through art that strengthens our sense of community with shared cultural symbols.

Posted by Eric at 09:14 AM | Licensing/Contracts, Trademark



May 25, 2012

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing

[Post by Venkat Balasubramani]

Katz v. Pershing, 11-1983 (1st Cir.; Feb. 28, 2012)

[This is an old catch up post that fell by the wayside.]

Pershing provides services to brokerage firms, and it makes available a platform (NetExchange Pro) for these firms to access information regarding the accounts of their customers. Katz's brokerage firm was one of those customers. She received a “disclosure statement” alerting her to the provisions of the agreement between her brokerage firm and Pershing. There was no breach as such, but because the disclosure statement advised of the risks of her information being made available through NetExchange Pro, she sued, asserting a variety of state law claims. The district court dismissed the lawsuit on the basis of either Article III or statutory standing. (Here’s my blog post on the trial court ruling: “Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information -- Katz v. Pershing.”) The First Circuit affirms.

Contract claims: the court says Katz can’t bring a contract claim because she is not a party to any agreement with Pershing. She tried to argue that she was a third party beneficiary to the agreement between her brokerage firm and Pershing, but an express disclaimer of intent to benefit third parties kills her third party beneficiary argument. (See also Balsam v. Tucows, and the other cases mentioned in my blog post.) Katz also says public policy bars enforcement of this no-third party beneficiary provision but the court doesn’t buy the vague public policy argument. She also argued that the disclosure statement creates an implied contract between her and Pershing, but the court says there is no consideration and thus no implied contract.

Consumer Protection Act claims: The court says that she has to show Article III standing as well as that she fits under the category of individuals entitled to assert rights under a particular statute. The court divides her various alleged injuries into two groups and finds both insufficient.

The first category of injury consists of misrepresentation-related injuries: (1) that she overpaid for a product that didn’t have the requisite security measures, and (2) false advertisements induced her to pay too much for her brokerage services. Neither of these suffices because any overpayment is made by her to the brokerage firm. She hasn’t paid Pershing anything. There is also no allegation that any overpayment was tied to the alleged misstatements. Finally, she argued that her brokerage firm paid artificially high prices and passed these costs on to her, but the court rejects this as speculative.

The second type of injury includes “data-security” related claims, which are premised on Massachusetts data security law. She brings the typical litany of arguments that apprehension over the loss of her data caused her harm and required her to purchase identity theft insurance. The court says that the data security statute has two components. First, it directs various government entities to adopt standards for data protection. Second, in the event of a “breach of security,” persons and companies that handle personal information must notify government officials and affected parties. The key problem with Katz’s claim is that she fails to allege that her own information “ha[d] actually been accessed by any unauthorized user.”

The court also says that Katz’s purchase of identity theft insurance is insufficient for a related reason. Her decision to purchase this insurance was to “guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered.” The court finally addresses her argument that increased risk alone is sufficient harm. Although other courts have acknowledged that increased risk of harm can satisfy standing (citing to Reilly v. Ceridian, Krottner v. Starbucks, and Pisciotta v. Old Nat’l Bancorp), the court says these cases have one thing in common: there was an actual unauthorized access of the plaintiff’s data.

There's not a whole lot to add. Data security plaintiffs have tried to crack the code in a variety of different ways, but courts are unreceptive at best. One of these days, a class of plaintiffs will come along who have suffered out of pocket loss. Until then, expect to see more opinions like this one.

[NB: the opinion is worth reading, but be forewarned, keep a dictionary handy when you read it. I encountered more than a few words that I had to look up.]

Additional coverage:

Rebecca Tushnet: alleged privacy failures don't violate consumer protection law

Prior posts:

Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions
Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores

Posted by Venkat at 09:47 AM | Licensing/Contracts, Privacy/Security



May 14, 2012

The Dangerous Meme That Won't Go Away: Using Copyright Assignments to Suppress Unwanted Content--Scott v. WorldStarHipHop

By Eric Goldman

Scott v. WorldStarHipHop, Inc., 2012 WL 1592229 (S.D.N.Y. May 3, 2012)

Copyright law wasn't designed as a privacy enhancing doctrine, but sometimes plaintiffs try to repurpose copyright law anyway. This case is an interesting illustration of how copyright law might be used to reverse-engineer a right to forget, using legal tactics not dissimilar to those advocated (and later renounced) by Medical Justice. As such, this case provides an early warning sign of an emerging attack on publicly available truthful information using copyright law chicanery.

In November 2010, Scott's girlfriend and ex-girlfriend got into fisticuffs in a classroom. Scott joined in the melee and hit his ex-girlfriend multiple times. A classmate, Seymour, videotaped the altercation. Seymour then sent the video to the WorldStar website, which posted the video as "Disgraceful: College Fight In NYC Breaks Out Between A Guy, His Girl & Another Girl In Class! (Man Strong Arm's The Student. Hitting Her With Body Shots)." Unfortunately, the opinion is cryptic about whether Seymour posted the video directly or submitted the video to WorldStar for their posting--it would make a difference to the copyright analysis. The video appears to be offline now.

Then, things get really interesting. In December 2010, Seymour assigned the video's copyright to Scott. The opinion doesn't say why. It could be that Scott paid Seymour for this assignment as a cheap way to get legal control over the video; or it could be that Scott coerced Seymour into transferring the copyright to settle a lawsuit threat. Once armed with the copyright, Scott sent 512(c)(3) takedown notices to the websites hosting or linking to the video. See, e.g., this one to Twitter. Scott sent a defective takedown notice to WorldStar, which didn't respond in 12 days, at which point Scott sued. WorldStar brought a 12(b)(6) motion to dismiss. The court rejects the dismissal motion for the copyright claim and grants it for the publicity rights claim.

Copyright. WorldStar argued that Seymour granted it a license to the video before Seymour's copyright transfer to Scott, and thus Scott's acquisition of the video was subject to the then-existing license. The court rejects this argument because WorldStar didn't adequately show it had the written license that 17 USC 205(e) requires for a license to withstand a subsequent acquisition.

This reinforces the importance of the facts around how WorldStar obtained the video. The opinion doesn't indicate if Seymour clicked through a mandatory non-leaky clickthrough agreement. If WorldStar used a mandatory non-leaky clickthrough agreement, then I'd argue (per UETA/E-Sign) that in fact there was a written license agreement in effect before the Seymour-Scott transaction. However, for WorldStar's argument to work, the license would need to be irrevocable. Otherwise, even if the license survived the acquisition, Scott can simply revoke the license post-acquisition. So while I think most UGC websites will have a "written" license sufficient to withstand the 205(e) attack, I think most UGC websites also don't have strong enough EULA provisions about retaining UGC once posted to avoid this attack. Note that users' rights to remove the videos they uploaded might be located in either the EULA or privacy policy, so both documents would need to be reviewed to reach a conclusion.

WorldStar also argued that Scott sent a defective 512(c)(3) takedown notice, and thus it never got the requisite knowledge of infringement. However, WorldStar didn't argue that it requested Scott resubmit a compliant notice as possibly required by 512(c) (given the nature of the alleged notice defects), and thus WorldStar can't get a 12(b)(6) dismissal on this point.

Publicity Rights. Scott's New York state publicity rights claim fails because Scott didn't allege WorldStar used the video for advertising purposes, and WorldStar's other activities were protected under the state law's newsworthiness exception. While dismissal is the right outcome, relying on the newsworthiness exception is a little disquieting. The newsworthiness exception applies often in content lawsuits (see, e.g., Parisi v. Sinclair and the trademark case BidZirk v. Smith) but not always. See Fraley v. Facebook as an example of how the newsworthiness exception has its limits. A much better grounds for dismissal would be the lack of commerciality in the video; Seymour had no obvious commercial interest in the video, and WorldStar had no more commercial interest in the video's "editorial content" than an ad-supported newspaper has a commercial interest in its editorial content.

Implications. This lawsuit provides a protocol for folks trying to suppress truthful negative information--acquire the copyrights to the content containing the unwanted information, and then use the newly created threat of copyright infringement to force that information off the Internet. While this is a disconcerting protocol, it probably won't work in all circumstances. For example, the protocol probably works better for visual/aural content than purely textual content because (a) people need to see/hear some things with their own eyes/ears, and (b) it's much easier for others to extract and repeat textual information without running afoul of copyrights. Nevertheless, the post-publication acquisition protocol works even better than Medical Justice's now-retired pre-publication acquisition approach because it doesn't rely on legally dubious pre-assignments of not-yet-extant works, plus it can be activated only in response to specific problematic content. Thus, we need to vigilantly monitor the ecosystem for potential abuses of this protocol.

UGC sites (and especially review sites) could undercut the protocol by restricting users' ability to take down content in response to legal duress. Ripoff Report famously provides its authors with no power to delete their reviews, an aggressive and sometimes questionable move that does avoid the problems identified here. If a blanket restriction on users' editing/deleting of their own content is too strong, UGC sites could limit this attack by restricting editing/deleting if the author assigns/transfers the copyright in the work, i.e., a kind of springing conditional irrevocability to the user's license to the UGC site if the user transfers the copyright. I doubt many UGC sites will undertake such an effort now, but if we see widespread misuse of the protocol, UGC sites should undertake more drastic measures to preserve their sites' integrity.

For more on the social values that this protocol threatens, see my essay on the Regulation of Reputational Information.

UPDATE: The Katz v. Google lawsuit appears to be in the same genre.

Posted by Eric at 09:15 AM | Content Regulation, Copyright, Derivative Liability, Licensing/Contracts, Publicity/Privacy Rights



May 05, 2012

Franchisor Really, Really Unhappy With Franchisee's Co-Promotion With a Topless Bar--Capriotti's v Taylor

By Eric Goldman

Capriotti's Sandwich Shop, Inc. v. Taylor Family Holdings, Inc., 2012 WL 1448514 (D. Del. April 25, 2012). The complaint and exhibits A-D, E-H and I-O. Some background.

Capriotti's is a franchised fast-food sandwich chain, with its signature sandwich being "the Bobbie" with roasted turkey, cranberry sauce and stuffing. I've never been to the chain and it doesn't sound like my kind of place, but they do have a comparatively well-developed (for a fast-food sandwich place) vegetarian menu.

In 2003, Taylor became a Capriotti's franchisee in Las Vegas. The franchise agreement contained standard provisions requiring franchisor pre-approval of any franchisee ad copy.

You'd think that Thanksgiving-in-a-roll would sell itself, but Taylor sought a marketing edge in Las Vegas by appealing to local sensibilities. And what sells better in Vegas than sex appeal? So Taylor hooked up with a local topless bar ("Crazy Horse III") to offer a happy hour special of a sandwich and beer for $5. The ad copy displayed the franchisor's trademarked logo, though the parties disputed whether Taylor authorized that. Several local publications and blogs shared the promotion with their audiences, such as this post:

“Hey, you like boobs, don't you? Of course you do. You like sandwiches too, right? Now why not put them together.... Apparently Crazy Horse III is teaming up with Capriotti's to offer lap dance enthusiasts six-inch-subs with a beer for five bucks during happy hour from 1 to 7 p.m. daily....”

Capriotti's learned that Taylor had allegedly cooperated with the topless bar on the promotion and sent a breach notice with a 5-day cure period. Feeling that Taylor didn't adequately remedy the situation, Capriotti's then sent a notice to terminate the franchise agreement. Taylor continued operating the franchise without change (although at some point the topless bar stopped the promotion), so Capriotti's sued Taylor in Delaware, and Taylor countersued.

The court doesn't understand why the parties sued in Delaware when both litigants are based in Nevada, so it transfers the case back to Nevada. The court also denies the plaintiff's preliminary injunction request because of the parties' factual disagreements and the unavailability of a key witness (the topless bar manager). These parties should settle, but they'll probably spend hundreds of thousands of dollars on attorneys' fees fighting over the implications of associating sub sandwiches with naked breasts instead.

What remains puzzling to me is why Capriotti's thinks it's worth suing to get Taylor out. Perhaps the association with a topless bar is so irreparably distasteful to Capriotti's that it's worth killing the relationship. The opinion also indicates that other franchisees in the local area were unhappy (jealous?) about the promotion. More likely, there's a backstory that makes the franchisor's litigiousness more explainable. Many franchisors would have gladly looked the other way or simply counseled the franchisee about its behavior going forward. After all, even if Taylor authorized the ad copy without permission, it was in the service of moving more Bobbies.

From the franchisee's perspective, this case is a good reminder that franchisors can be unduly sensitive about lascivious associations. Plus, franchisees shouldn't forget that franchisors may be delighted to have a pretextual excuse to shut down a longtime franchisee. The franchise agreement is the foundational document for the franchisee's business; it needs to be respected at all costs.

Posted by Eric at 08:12 AM | Licensing/Contracts, Marketing, Trademark



May 03, 2012

Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal

[Post by Venkat Balasubramani, with comments from Eric]

US v. Nosal, 2012 WL 1176119 (9th Cir. Apr. 10, 2012)

Nosal was a Korn/Ferry employee who, after his departure, convinced some remaining employees to provide him with confidential information to help him start a competing business. Employees were authorized to access the company's network and information on it, but they were prohibited by the employer’s policy from disclosing confidential information. The key question was whether the employees “exceeded their authorized access,” and whether their access and use of the information constituted a criminal violation of the Computer Fraud and Abuse Act.

The 9th Circuit took the case en banc. In a typically clear and emphatic Judge Kozinski opinion, the Ninth Circuit says that exceeding authorized access to an employer's network does not support a conviction under the CFAA. (Judge Silverman's dissenting opinion is worth checking out as well.) The key distinction is whether the employees accessed data or information that they were totally prohibited from accessing, or whether they misused information that they were otherwise authorized to access. The first scenario supports a CFAA violation, but the second does not.

The parties wrangle over the statute’s wording and construction, and the court sides in favor of the defendant with respect to these arguments. The court notes that the government’s interpretation of the statute would transform everyday online “dalliances,” which arguably violate employer policies by using networks for non-“business purposes,” into federal crimes:

What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii?

What swayed the court is that the government’s construction of the statute would expand the scope of the statute far beyond its intended purpose—hacking—and would “make criminals of large groups of people who would have limited reason to suspect that they are committing a federal crime.” Who might these people be? You and me, and every other person who surfs countless websites arguably in technical violation of the applicable terms of service. We use sites that are subject to terms of service but these terms of service are, as the court notes, “vague and generally unknown.” We routinely violate those terms of service:

Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

Moreover, websites reserve the right to change terms of service “at any time and without notice.” This means that any use of a website in violation of the terms--that the user may not even have knowledge of--could constitute a federal crime. The court cites to the terms of service of various websites, including Facebook, craigslist, Twitter, Hulu, YouTube, Match.com, Netflix, Pandora, just to name a few. The government came back and said that it would be unlikely that any user would be prosecuted for these violations, but the court cites to US v. Drew and says that if the government has a reason to go after you, its interpretation of the statute allows it to do so.

The day after the Ninth Circuit's ruling in Nosal, the Second Circuit released its opinion in U.S. v. Aleynikov, explaining its rationale for setting aside Aleynikov's conviction under the National Stolen Property Act and the Economic Espionage Act of 1996. Aleynikov was a highly paid programmer who worked for Goldman Sachs. He was lured away by a competing business to develop the competing business's high frequency trading system. Prior to leaving Goldman, he transferred a chunk of the source code that he had developed while at Goldman. The Second Circuit sets aside his conviction, finding that source code alone is not a "product" for purposes of the EEA or a "good, ware, or merchandise" for purposes of the NSPA. Interestingly, Aleynikov was charged with a CFAA violation but the district court dismissed it, relying in part on Brekka. With respect to the CFAA claim, the district court said that because Aleynikov was authorized to access the source code at the time he accessed it, his subsequent misuse is not enough to support a CFAA charge. As it turns out, the government's attempted workarounds to the CFAA, the NSPA and EEA charges, were no more availing.

__

The Ninth Circuit's Nosal ruling is a big loss for employers, who in recent years have been pushing Computer Fraud and Abuse Act claims in the employment context. The court cites to Lee v. PMSI in a footnote, but there have been countless others. (Prior blog post on this topic: “No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI.”) It’s also a big loss for networks who will have a tougher time policing access based on terms of service violations. Facebook most recently went after Power Networks, and although it proceeded under California’s anti-hacking statute, this decision may affect similar lawsuits in the future. (The two statutes are not identical and it’s unclear as to whether a network could prohibit scraping or other unauthorized access.)

There's a key question left somewhat open by the court's opinion. If a network imposes use restrictions and says that users who access the network for improper purposes are not authorized to use the network at all (e.g., "if you provide false information when you register for an account, you are not authorized to access our service" or "you may not access our service via bots or other automated means"), does Nosal leave open the possibility of a CFAA violation in this context? Nosal (and LVRC v Brekka, an earlier Ninth Circuit case) do not appear to preclude this approach.

The Ninth Circuit's approach here diverges from the approaches of other circuit courts. I don't have a sense of whether this is a good candidate for Supreme Court review, but that's a possibility. For what it's worth, there's a draft bill currently pending to "fix" the CFAA. Check out this post from Jennifer Granick as to why the fixes won't be much of a fix: "Draft Bill to "Fix" CFAA Won't."

What steps can employers take post-Nosal? I'd consider the following: (1) make employee policies as explicit as possible, and don't rely on vague notions of fiduciary duties; (2) impose access restrictions that govern the means of access; and (3) password-protect stuff that is truly a trade secret and make it available only on a need-to-know basis. Even these steps don't guarantee a solid foundation for a CFAA claim. At the end of the day, it may be worth looking to other means of protecting your confidential information and restricting competition by employees.

Prior post:

9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal

Other coverage:

* EFF (press release): Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime

* Jeff Neuburger: Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense

* Kim Zetter: Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case

* David Kravets: Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker
______

Eric's Comments

Judge Kozinski's opinion was highly entertaining (as usual) and full of pragmatic realpolitik, but I disagree with Venkat that the opinion was clear. In fact, I remain quite confused by the opinion and what it means for the CFAA. Among the questions I can't confidently answer after the opinion:

* does the en banc's definitional interpretation apply to both civil and criminal CFAA claims, or just criminal prosecutions? There are some reasons to believe the court's opinion would support reading the language the same in civil and criminal contexts. The court says: "Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute." Plus, a number of cases endorsed by the majority are civil. However, the majority never clarifies this point, and there is some reason to believe the results aren't 100% extensible to civil cases. For example, the majority opinion repeatedly hammers on CFAA criminality interpretation problems and gives examples of ridiculous CFAA crimes (and doesn't give any countervailing examples of a CFAA civil case). The majority also concludes that criminal prosecutions turn on lenity, a consideration that wouldn't apply in the civil context. Finally, the Lori Drew court treated civil and criminal CFAA suits differently, so arguably that distinction could still crop up in other cases.

* as noted by Venkat, if a company policy says "we condition your access to our network on you not doing XYZ with any data you subsequently acquire," has the company drafted its way around the holding? This workaround should be too facile, but the majority opinion possibly sets up this bypass.

* how can a network operator properly communicate any limits of third party access to their networks? Historically, websites could delimit access for CFAA purposes via "terms of use" that were "browsewraps," i.e., pages that users weren't required to see in order to access the site. The majority's result doesn't depend on terms placement, but it uses some examples of non-clickthrough terms that it seemingly treats as binding. (e.g., "Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice."). In light of its ruling, perhaps terms of use never can delimit server access, so placement of terms is irrelevant, i.e., even if the contract is presented as a clickthrough, it will be irrelevant to the CFAA analysis. But if that's the case, then the opinion has virtually eviscerated all civil CFAA claims in the Ninth Circuit--a good result IMO, but a perhaps unnecessarily overreaching one.

Obviously, future litigation will give us the answers to these questions. But it would have been better if the majority opinion had been clear enough to prevent the sorting-out process that will take place over the next couple of years.

Even with all of its ambiguities, I think the majority reaches a favorable policy outcome, and I for one would love to see the CFAA scale back its scope substantially. That isn't going to happen. The CFAA is one of the statutes Congress keeps "improving" as part of its wars on terror and cybersecurity, so I wonder if this opinion's result will survive Congress' next ham-fisted amendment of the CFAA.

Posted by Venkat at 12:02 PM | Licensing/Contracts, Privacy/Security, Trespass to Chattels



April 25, 2012

Misuse of Family Photograph by Photo Studio Supports Misappropriation Claim--Lee v. Picture People

[Post by Venkat Balasubramani]

Lee v. The Picture People, Inc., K10C-07-002 (RBY) (Del. Sup. Ct.; Mar. 19, 2012)

Plaintiffs had their two-year-old’s picture taken at The Picture People, a store engaged in the business of family photography. At checkout, the photographer asked plaintiffs if they would consent to use of one of the pictures in a contest the photographer intended to enter. Plaintiffs said no, and declined to execute the consent form that they were presented with. Although this was an in-person transaction, The Picture People’s website had a privacy policy that said The Picture People would keep any information provided by customers in connection with their use of online services secure. About a year later, plaintiffs discovered that The Picture People provided one of the pictures to their child’s day care center for advertising purposes. After plaintiffs complained, The Picture People confirmed that it did not obtain consent to use the picture and advised that it would erase all of the images from its system. Plaintiffs brought suit, alleging a potpourri of claims, on their own behalf as well as on behalf of their child. The Picture People moved for summary judgment on all claims.

Privacy claims: The court denies summary judgment as to the child’s misappropriation claim. The basic elements of appropriation without consent were satisfied. Interestingly, there is no evidence that the daycare center actually utilized the images, and the court focuses on The Picture People’s allegedly improper “distribution” of the images. The court dismisses the child’s intrusion claim, finding that the child (through the parents) consented to be photographed. In any event, the court says that use of the pictures in this manner would not be offensive to the reasonable person. (??) The court also dismisses the false light claim, finding that there was nothing false about the use of the photos. Finally, the court grants summary judgment on the parents’ own tort claim, finding that they cannot directly assert the claims of their child (whose claims proceed anyway), nor could they assert a claim for emotional distress absent physical harm, or a showing that they were in the “zone of danger.” Bottom line: the child’s publicity-rights claims go forward, and the remaining claims, including the parents’ claims in their own right, are dismissed.

IIED claim: The court dismisses the intentional infliction of emotional distress claim, finding that (1) the conduct would not be viewed as outrageous by the reasonable person and (2) in any event, plaintiffs failed to satisfy the pleading requirements for emotional damages from torts (they did not suffer injury and were not in the “zone of danger”).

Warranty claims: The court dismisses plaintiffs’ warranty claims. With respect to express warranties, the court finds that any statements on The Picture People website and in its privacy policy did not relate to the “goods” in question. The court also finds that there is no breach of implied warranties because the implied warranties, if any, relate to the quality of the products (the photographs) and do not impose a warranty regarding the use or misuse of the photographs. Plaintiffs also sought to tack on a breach of the duty of good faith but the court says this does not support an independent cause of action. Plaintiffs’ claims sound more in tort than in contract so the warranty claims fail. The court also dismisses plaintiffs’ claims under Delaware's consumer fraud act and a statute that prohibits the knowing or reckless distortion of the terms of a contract. The court says that there is no evidence that The Picture People engaged in any sort of deception, or attempted to obscure or distort the terms of a consumer contract. The Picture People may have misused the photograph, but it didn’t make any representation to plaintiffs otherwise (i.e., there was no deception involved). Neither the privacy policy (which clearly did not speak to use of the photograph) nor the request that plaintiffs sign a consent form turned The Picture People’s alleged misuse of the photograph into a fraudulent or misleading act.

__

A reminder to parents: when you have photographs of your children taken, you may be called upon to negotiate agreements with personality and publicity rights provisions. The parents in this case smartly declined to sign the waiver, although the waiver probably would not have insulated The Picture People’s alleged conduct in this case.

[Eric's comment: Good grief, you can't even go to the mall anymore without fretting about IP rights.]

Plaintiffs made a valiant effort to rope in The Picture People's privacy policy to bolster their contract and warranty causes of action, but this ended up being a bust. In the online ad-tracking and the Facebook cases, the applicable privacy policies end up being relevant because they arguably covered the information collection and use in question; they may also provide the basis for consent. Neither was the case here. Nevertheless, it’s interesting to see this lawsuit play out similarly to other privacy lawsuits. Publicity rights violations seem to be the most viable cause of action. (See, for example, Fraley v. Facebook, discussed in Eric's blog post here: "Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook.") Here, if the evidence ultimately shows that the daycare center never actually used the images in question, plaintiffs' claims will get kicked. The remaining causes of action are fairly anemic at best, and in this case ended up being dismissed altogether.

Posted by Venkat at 09:07 AM | Licensing/Contracts, Publicity/Privacy Rights



April 23, 2012

SuperPoke! Pets Virtual Gold Dispute Worth Over $5 Million--Abreu v. Slide

By Eric Goldman

Abreu v. Slide, Inc., 2012 WL 1123367 (N.D. Cal. April 3, 2012). The Justia page.

Google bought Slide, which operated the SuperPoke! Pets online game. Wikipedia has some of the game's history. As part of the gameplay, users could buy virtual gold. Apparently a lot of them did; Google alleges that users bought $6M+ of virtual gold from October 2010 through June 2011. The plaintiffs allege that Slide whipsawed its users. After exhorting users to buy virtual gold, in June 2011 Slide stopped selling virtual gold and wiped out existing gold accounts, but it said the site was ongoing and told subscribing users they could enjoy premium accounts for life. Then, in August 2011, Slide announced a hard stop in 6 months, and Slide actually shut down in March 2012. By shutting down, the plaintiffs allege that Slide improperly wiped out virtual assets worth real money.

I'm torn about the underlying merits of this dispute. I'm sure Google has good explanations for the choices it made, and I staunchly defend the right of virtual world operators to control their environments as they see fit. Still, it's bad for consumer trust and the industry generally for Slide/Google to eliminate virtual assets that people bought with real money without providing some refunds, even if Slide made disclosures up the ying-yang about caveat emptor. We'll get to those more interesting questions later (if the case doesn't settle).

For now, the only issue in this ruling is whether the case stays in federal court or goes back to state court. To stay in federal court under CAFA, the case must meet certain standards, including having an amount in controversy over $5M. Google argues that it clears the threshold because users bought over $6M of virtual gold. The court says this allegation suffices, the plaintiffs can't adequately rebut it, and the case stays in federal court per CAFA.

Both Venkat and I wondered if Google's declaration of the $6M+ number will eventually come back to haunt Google. Neither of us could think of a way it would. I imagine Google is going to argue that consumers got what they paid for, so the fact that there's over $6M in revenues is ultimately irrelevant.

Posted by Eric at 11:37 AM | E-Commerce, Licensing/Contracts, Virtual Worlds



April 19, 2012

Facebook Beats Class Certification in Click Fraud Case

By Eric Goldman

In re Facebook, Inc., PPC Advertising Litigation, 2012 WL 1253182 (N.D.Cal. April 13, 2012)

I don't know what I like less: click fraud, or bogus lawsuits over click fraud. This three-year-old case (see my initial blog post on filing) was questionable from day 1. The advertisers signed up to a contract that clearly told them they had no claim for click fraud. To get around this, the plaintiffs canvassed every corner of Facebook's site for innocuous language that could be twisted around tendentiously, and the plaintiffs argued that they weren't suing for bad clicks but instead for invalid "phantom" clicks that never occurred. Judge Fogel, bless his heart, didn't kill the case when he had the chance; instead, he gave the plaintiffs another chance. No matter, as Judge Fogel handed the case off to Judge Hamilton when Judge Fogel relocated to DC, and Judge Hamilton properly shut down the nonsense and denied class certification. The case might still continue individually, but I can't imagine why it would.

The plaintiffs sail through the standard class action analysis on numerosity, commonality and typicality. The plaintiffs hit a small but curable bump on adequacy of representation, but it's embarrassing when the named class representatives admit that the lawyers are the real prime movers in the case (as is far too typical in class actions). The court says:

Fox is also not an adequate class representative for the additional reason that he testified in his deposition that he knows essentially nothing about the case, and indicated that he would defer to counsel in prosecuting this action.

Clients guiding lawyers, or lawyers guiding clients? The legal system assumes the former; the latter is the reality in class actions.

Despite the hiccup on adequacy of representation, the case runs into real trouble on the predominance of common issues. On the contract breach claim, the court summarizes its concerns:

plaintiffs have failed to establish that the terms of the contract that were allegedly breached by Facebook are part of any contract between CPC advertisers and Facebook; have failed to establish that there is any uniform method for distinguishing, on a classwide basis, between “invalid” clicks (at issue in the case) and “fraudulent” clicks (not at issue in the case); and have failed to establish that damages can be calculated on a classwide basis.

Particularly noteworthy is the court's rejection of the plaintiffs' efforts to stitch together various site text to tell the story they want to tell. This passage about the plaintiffs' efforts to incorporate language from the Glossary into the "contract" is representative of the court's discussion:

Because the Glossary is not referenced in or linked to the “Place Order” page or to the SRR, it is not clear how it can reasonably be considered part of a “uniform written contract.” Not only is it unnecessary for an advertiser to review any material on the Glossary page in order to place an ad, it is also impossible to link directly to the Glossary from the “Click Agreement” or “Place Order” page, or even from the SRR.

Stepping back from the case specifics, the ruling demonstrates that publishers, guided by the right lawyers, should fight back against advertiser class action lawsuits rather than take quick settlements. Recall that both Google and Yahoo settled their click fraud lawsuits before reaching the class certification stage. They may have done so because they wanted class-wide resolution of the issues; but more likely, they were skittish about fighting to the end. Here, unlike Google and Yahoo, Facebook fought class certification rather than settling, and the ruling validates Facebook's decision. Perhaps this ruling will embolden other publishers to stick to their guns when the click fraud lawyers come a-callin'.

Posted by Eric at 09:14 AM | Licensing/Contracts, Marketing



April 16, 2012

Terminating an NFL Player's Endorsement Agreement for Polemic Tweets May Be Contract Breach--Mendenhall v. Hanes

[Post by Venkat Balasubramani, with comments from Eric]

Mendenhall v. Hanesbrands, 2012 WL 1230743 (M.D.N.C.; Apr. 12, 2012)

This case has it all: Twitter, a pro football player, terrorism, Osama bin Laden and contract law geekiness!

Background: Rashard Mendenhall plays professional football as a running back for the Pittsburgh Steelers. Mendenhall entered into an endorsement contract with Hanesbrands, which owns the Champion brand. The agreement between Hanesbrands and Mendenhall had a “morals clause,” which originally said that Hanesbrands could terminate the agreement if Mendenhall was arrested, charged with, or indicted for a felony or a crime involving moral turpitude. This clause was later amended to provide that Hanesbrands could terminate the agreement if, in addition to being charged with or indicted for a crime, Mendenhall:

[Became] involved in any situation or occurrence . . . tending to bring Mendenhall into public disrepute, contempt, scandal, or ridicule, or tending to shock, insult, or offend the majority of the consuming public . . . . [Hanesbrands’] decision on all matters arising under [this section] shall be conclusive.

Mendenhall’s Tweets: Mendenhall is an avid user of Twitter (@R_Mendenhall) and describes himself as a “Conversationalist and Professional Athlete.” [Eric's note: sadly, the conversation stopped pretty much right after Mendenhall sued Hanes; his last post is from July.] In the wake of President Obama’s announcement of Osama bin Laden’s assassination, Mendenhall posted a series of Tweets decrying the joy that people expressed about this incident (a link to the first tweet in the series):

What kind of person celebrates death? It’s amazing how people can HATE a man they never even heard speak. We’ve only heard one side . . .

I only believe in God. I believe we’re ALL his children. And I believe HE is the ONE and ONLY judge.

Those who judge others, will also be judged themselves.

For those of you who said we want to see Bin Laden burn in hell and piss on his ashes, I ask how would God feel about your heart.

There is not an ignorant bone in my body. I just encourage you to #think [nice touch on the hashtag here]

Not surprisingly, Mendenhall’s tweets generated a negative reaction. Mendenhall issued an explanation, saying that he was encouraging people to think; his tweets were meant to “generate conversation.”

Hanesbrands issued a public statement to ESPN distancing itself from Mendenhall’s statements and saying that his statements were inconsistent with the Champion brand. It said it was terminating the endorsement contract. Mendenhall sued, asserting that Hanesbrands’ termination was a breach.

The Court’s analysis: Hanesbrands says the contract vested it with discretion to terminate the agreement, and this decision shouldn’t be second guessed by the court. The court disagrees and says that this discretion is constrained by Hanesbrands’ duty of good faith and fair dealing. (The court doesn’t explicitly say that the contract would suffer from illusoriness if Hanesbrands could terminate it for any reason, but this is the same reasoning we’ve seen in other agreements that give one party a free hand to alter the terms.)

Does Mendenhall get past the good faith hurdle—can he show that Hanesbrands’ actions were unreasonable or in bad faith? At the pleading stage, the court says yes, and points to Hanesbrands’ initial public statement, which said that it “disagreed” with Mendenhall’s statements. In contrast, the agreement requires that Mendenhall make a statement that brings him into disrepute or shocks the majority of the consuming public.

Hanesbrands responded that there was no dispute Mendenhall’s statements caused a public outcry and this backlash justified its termination of the agreement. The court says there is a factual dispute about the extent of the backlash. Mendenhall submitted evidence that although many people freaked out, he received supportive tweets and some people even changed their minds, thanking Mendenhall for making them think about the situation.

__

Celebrities and athletes getting into hot water over incendiary tweets that are sent in the heat of the moment. Sound familiar?

I do think there’s more to the story here, though. I don’t deal with morals clauses with much frequency, but it’s interesting to see that even a morals clause has to be constrained by some standard. If the brand reserves for itself the right to freely terminate the contract any time the endorser says something the brand disagrees with, this raises the problem of the contract being illusory.

Unlike the government, which has to comply with First Amendment constraints, private employers and brands can freely restrict the speech of their employees or endorsers. (Employers have to deal with NLRB guidelines, but those were not implicated here.) The challenge is to come up with a standard that doesn’t tie the hands of the brand but at the same time provides some metric that is not totally subjective and does not give the brand unbridled discretion.

Mendenhall’s path to victory will not be an easy one. He has a pretty tough hurdle to prove that either (1) Hanesbrands tolerated his own previous statements and this established some sort of course-of-dealing, or (2) Hanesbrands tolerated similar statements of other endorsers. As to the underlying issue of whether his tweets were offensive to a large segment of the population, the parties will probably both present competing evidence, but Hanesbrands probably has a lot to draw on from an evidentiary standpoint here. (It's unclear as to whether use of the term "majority" in the agreement will come back to haunt Hanesbrands.)

In the meantime, Tweeters beware. We don't need another cautionary tale to remind us that the ability to instantly publish our often emotional reactions to the current goings on is a double edged sword, but regardless of how it plays out, this case serves that purpose.
_________

Eric's Comments

I love love LOVE this case! It's an instant Contract Law classic. I could see the opinion, or its facts, appearing in Contract Law casebooks and courses throughout the country. In addition to the star power/pro sports angle, it's a rich springboard for intellectual pursuits:

* the value of endorsement contracts. There is significant literature questioning whether endorsement contracts are profitable for advertisers. See, e.g., AdAge, Celebrities in Advertising Are Almost Always a Big Waste of Money. When the endorsement arrangement does work out financially, I wonder if being controversial subtracts, or enhances, the endorser's value? It brings to mind the maxim "there's no such thing as bad press." Did Mendenhall's endorsement become less financially valuable after all of the press coverage he got--or more?

In Tiger Woods' case, it could be argued that Tiger Woods' brand fell so hard so fast that it instantly tainted any other brands it touched. Perhaps that's true, but his case was exceptional because he had manufactured a strong "good guy" brand before the ugly dirt got publicized. Here, I wonder if Rashard had such a strong brand that he had as far to fall...and if not, if the enhanced public recognition he got from the controversy outweighed any negative associations in consumers' minds.

* how to negotiate a morals clause in the Twitter age. When I taught 1L Contracts in 2005, I gave students a three-part skills exercise involving negotiating a morals clause. (See this page for links to the exercises and my writeups). My hypothetical was based on Tiger Woods before we learned about his sexual predilections. Tiger's ultimate fall from grace really closed the circle for those students. Thanks for the extra help with the pedagogy, Tiger!

I thought the skills exercise was effective for a number of reasons, including the fact it required students to think about how to describe normal social interactions in words. Students soon realized how our everyday foibles could have massive financial impact in the context of an endorsement agreement. I hope this lesson served them well as lawyers, because the financial downsides of our foibles apply even to us non-celebrities.

The Twitter overlay puts even more pressure on drafters of morals clauses. I love Twitter, but one of its downsides is that very smart people make ill-advised posts in the heat of the moment. (I'm not saying Rashard's posts were ill-advised--see below).

Recall, for example, how Aflac terminated Gilbert Gottfried for his tweets about the Japanese tsunami--his jokes were insensitive but timely, perhaps the most toxic brew (i.e., the same jokes told a few months later might have been less controversial, but partially because they would be divorced from the context). Or recall Ashton Kutcher's ill-timed and ill-informed remarks about the Penn State sexual abuse scandal, that were enough to temporarily kibosh Kutcher's otherwise irrepressible tweeting and induce him to get a spokesperson to handle tweeting for him.

Inevitably, celebrities' tweeting in near-real-time on current events will result in train wrecks. Without a buffer/editor to insulate the celebrity, the celebrity's direct access to his/her audience + Twitter's low-friction posting + working at Internet speed = trouble. Attorneys representing celebrities negotiating morals clauses should incorporate a "Twitter exception" to the clauses, i.e., give the celebrities a free pass for being themselves on Twitter, because that's what's going to happen no matter what the contract says. This may sound like a clause advertisers would strenuously resist, but perhaps they shouldn't. Twitter is often a big part of the celebrity's flywheel of public visibility and the value the celebrity brings to the contract, so advertisers need to give celebrities breathing room to keep tweeting to keep that flywheel turning and deliver the value sought by the advertiser.

* can endorsement contracts draft around the "implied covenant of good faith and fair dealing"? Recall that the contract clause says "[Hanesbrands’] decision on all matters arising under [this section] shall be conclusive." This raises the issue of whether the implied covenant of good faith and fair dealing can be contractually waived. (Ken Adams has covered that issue several times, somewhat inconclusively: see, e.g., 1, 2, 3). Hanes surely thought it had been waived. If Hanes lacked that unilateral discretion, the contract clause (almost certainly the product of spirited negotiation) raises some interesting evidentiary questions--most obviously, how either party could prove/disprove that Mendenhall did something "tending to shock, insult, or offend the majority of the consuming public." (Emphasis added). Does a party need to do some kind of large-scale sampling survey to establish the "majority" threshold? That sounds expensive.

[UPDATE: Frank Snyder has more to say about the lack of doctrinal novelty in this case.]

* political orthodoxy and terrorism. At the core of this case--superficially about pro football players and sports jerseys--is one of the most burning political and philosophical questions of this decade: was the United States' killing of Osama bin Laden legitimate and ethical? The government's PR machine did a wonderful job of demonizing bin Laden for a decade, so perhaps not surprisingly a consensus/orthodoxy emerged: of course it was justifiable to kill bin Laden because he was the face of evil.

To Mendenhall's credit, he challenged this orthodoxy and prompted some hard questions about the US government's own conduct and our own emotional response to bin Laden's death. One way of reading the court's opinion is that it wanted to know more about Hanes' condemnation of Mendenhall for asking tough and probing questions, however contrarian they may be.

I think it's this extra layer that makes it an especially wonderful teaching case. Getting students to question their assumptions about bin Laden's death, and its implications for an otherwise garden-variety commercial dispute, could yield some powerful pedagogical payoffs.
_________

Venkat's Follow-up Comments

As always, Eric's comments raise a bunch of interesting questions.

The suggestion to build in a "Twitter exception" to a morals clause is a good one, but is sure to encounter stiff resistance from any advertiser or brand. In fact, even raising the issue could send up red-flags and result in pushback. The whole point of a morals clause is for the brand to make the call when things take a short or long-term turn for the worse.

As Eric notes, Mendenhall raised questions about the orthodoxy, and did so in a pretty even-keeled way. Should he take a financial hit because people reacted negatively? For better or worse, this is what being a brand spokesperson is all about. You no longer get to weigh in freely on current affairs and have to be careful about what you say. Everyone pretty much agrees there was strong negative reaction to the tweets. I don't know that it makes much sense to have either side quantify this or conduct an expensive survey. I also don't know whether it makes sense for Hanesbrands to have to meet some numerical threshold to make its case. The tie should go to the brand, and not the athlete or celebrity. (It's worth noting that the data is readily available and it would be fairly easy to categorize every single online reaction to Mendenhall's tweets.)

Unless the trial is scheduled to take place in Berkeley (California), Mendenhall is unlikely to receive any help in front of the jury, who will be colored by their own views in determining whether Mendenhall's tweets were "shocking, insulting, or offensive to a majority of the consuming public."

I wonder what the prospects are for the parties to make up. How likely is it that we see an act of contrition on Mendenhall's part after which the parties resume their relationship? This assumes that Mendenhall is open to this, and it's quite possible that he's not willing to publicly apologize or retract his statements. Judging from his statement in the wake of the controversy, the answer may well be no. On the other hand, maybe Hanesbrands does not need a public apology. Perhaps our memories are, like our attention spans, getting shorter. It's possible that the public may have already forgotten about this incident.

Posted by Venkat at 09:09 AM | Licensing/Contracts , Marketing , Publicity/Privacy Rights , Trademark



April 12, 2012

Lawsuit From Huffington Post Unpaid Contributors Gets the Boot – Tasini v. AOL

[Post by Venkat Balasubramani]

Tasini v. AOL, Inc., 11-CV-2472 (JGK) (S.D.N.Y.; Mar. 30, 2012)

I thought the Huffington Post lawsuit brought by unpaid contributors would present some interesting discussion about the arcane laws governing unpaid internships, but that’s not the case. The bloggers brought an ill-conceived lawsuit that the court smacks down.

The starting point for the court’s discussion is that the group of plaintiffs never expected compensation. Huffington “made clear . . . from the beginning that [Huffington Post] never intended to pay content providers such as plaintiffs for submissions.” There’s no dispute about this. In part through the submissions of Tasini and the other plaintiffs, Huffington Post generated a substantial amount of traffic and was acquired by AOL for around $315 million. Plaintiffs decided they wanted to get a piece of the pie and sued, asserting unjust enrichment and unfair business practices claims.

Unjust enrichment: The court surprisingly spends six pages talking about Plaintiffs’ unjust enrichment claim. Here’s the money quote:

No one forced the plaintiffs to give their work to the Huffington Post for publication and plaintiffs candidly admit that they did not expect compensation. The principles of equity and good conscience do not justify giving the plaintiffs a piece of the [pie] when they never expected to be paid, repeatedly agreed to the same bargain, and went into the arrangement with eyes wide open. . . . Quite simply, the plaintiffs offered a service and the defendants offered exposure in return, and the transaction occurred exactly as advertised. The defendants followed through on their end of the agreed-upon bargain. That the defendants ultimately profited more than the plaintiffs might have expected does not give the plaintiffs a right to change retroactively their clear, up-front agreement. That is an effort to change the rules of the game after the game has been played, and equity and good conscience require no such result.

Ouch.

Deceptive business practices: The court dismisses the unfair business practices claim as well, finding that plaintiffs failed to allege any harm to consumers. The product in question was the content that Huffington Post served to its readers, and Huffington didn’t make any misleading claims about this to the readers. Plaintiffs also tried to premise their unfair business practices claim on various alleged acts by Huffington Post: (1) hiding the amount of page views; (2) stating that traffic attributable to individual articles was unavailable when it was really available; (3) not notifying plaintiffs that their exposure was decreasing over time as additional content was added; (4) presenting Huffington Post as a “free forum . . . for ideas” when it was a product which over time built up substantial value; and (5) dissuading plaintiffs from creating their own websites. (These allegations brought to mind Cammarata v. Bright Imperial: "Free-to-Consumers Ad-Supported Website Isn't Illegally Priced--Cammarata v. Bright Imperial.")

If plaintiffs were country yokels living in the deep woods, or Amazon tribesmen, I could see their argument getting some traction, but they are people who signed up to contribute content. For free. They actively promoted the content through channels such as Facebook and Twitter. They are no strangers to the world of online content creation and distribution. (Indeed, the lead plaintiff sued the New York Times in a case that went to the US Supreme Court in 2001.) It’s not too surprising that the judge finds their arguments unpersuasive.

__

Eric has posted about numerous cases where bloggers don’t have clean documentation around the underlying relationship. Huffington Post did not have that problem here and since the agreement made clear that there would be no compensation for the articles submitted by these authors, there’s no claim. (Note to self: if someone makes Eric a handsome offer for the blog, I won’t have much success asking for a piece of the pie.)

We don't need a case to tell us, but this case makes the obvious point that blogs and websites can enter into relationships with contributors where no money changes hands.

[Employment lawyers: as always, please clue me in. I'm curious to know how this relates to the brouhaha over unpaid internships. In the meantime, blogs that take in content from unpaid contributors can rest easy. If you have clean documentation in place, you should be good to go.]

Posted by Venkat at 09:46 AM | Licensing/Contracts



April 11, 2012

Parents' Lawsuit Against Apple for In-App Purchases by Minor Children Moves Forward -- In re Apple In-App Purchase Litigation

[Post by Venkat Balasubramani]

In re Apple In-App Purchase Litigation, 5:11-CV-1758 (N.D. Cal.; Mar. 31, 2012)

Facebook recently dealt with a class action over sponsored stories where minors asserted violations of their publicity rights. The court enforced the Facebook terms of service and transferred the dispute to California. ("Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook.") Apple is grappling with a lawsuit also involving minors, where parents of minor children argued that Apple’s practice of distributing free apps was misleading because minor children could purchase “game currency” for a short duration after the parents had logged in. The court denies Apple’s motion to dismiss the lawsuit.

The factual allegations are somewhat interesting, and I have to give credit to the plaintiffs’ counsel for their creativity. Plaintiffs argued that Apple distributed free apps, and users of the apps could purchase in-app virtual currency for a short duration (15 minutes) after the password authentication process. Parents supposedly downloaded apps, gave them to their kids, and in this fifteen minute duration, the kids allegedly rang up bills (ranging from $99.99 to $338.72 “at a time”).

Voidability of the contract: Apple argued that although the minors purchased the apps, the relevant contract was the terms of service in place between the parents and Apple and this was a binding, enforceable agreement. The terms of service placed responsibility for unauthorized use of log-in credentials on the end user; therefore, Apple argued it was not responsible for the in-app purchases. The parents argued that each in-app purchase was a separate and voidable contract that may be disaffirmed by the parent or guardian. The court punts on the issue and says that at the pleading stage, the plaintiffs’ arguments should be allowed to proceed. The court footnotes an interesting contract law issue, noting Apple’s argument that a contract cannot exist where an offer is made to one party (the parents) but is accepted by another party (their children) and the consideration is supplied by the original offeree (the parents). Disappointingly for aficionados of contract law, the court does not resolve this issue.

Consumer Legal Remedies Act claim: The Consumer Legal Remedies Act statute prohibits unfair or deceptive acts or practices and looks to what is likely to “mislead a reasonable consumer.” The key question was whether Apple concealed or omitted facts that it had a duty to disclose. Citing to advertising from Apple that billed the “bait Apps” as “’free’ or nominal,” the court says that plaintiffs alleged the requisite misrepresentation by Apple. Two of the plaintiffs testified that they downloaded apps because they were free and gave them to their kids, only to find out later that for fifteen minutes after they had entered their iTunes passwords, their kids could make purchases from within the apps. These allegations were sufficient at the pleading stage.

Unfair Competition Law: Finally, the court also finds that plaintiffs adequately state a claim under California's unfair competition statute. Plaintiffs' allegation that Apple violated their CLRA rights independently states a cause of action under the UCL statute. The court also finds that plaintiffs plausibly state a claim under the substantial injury/benefit test: plaintiffs alleged substantial harm with no countervailing benefit to Apple from Apple’s unfair practices.

Duty of Good Faith/Restitution: Apple gets a mixed result on these two claims. The good faith and fair dealing claim is dismissed because there is no allegation that Apple lacked subjective good faith or that it intended to frustrate the common purpose of the agreement. The restitution claim moves forward, but piggybacks on the contract, CLRA, and UCL claims.

__

Forming online contracts with minors always struck me as a tricky issue. While most sites get by with a provision in the agreement that the minor has obtained the consent of his or her parent or guardian, as noted in E.K.D. v. Facebook, there’s a potential disaffirmance problem. As Eric mentions in his post on E.K.D., resolution of this issue may depend on whether the benefit has already been conferred on the minor, in which case the minor can’t disaffirm the contract. (See A.V. v. iParadigms, discussed in Eric's post here: "Clickthrough Agreement Binding Against Minors--A.V. v. iParadigms".) So what happens if the minor disaffirms? Can the site cease the allegedly improper conduct on a prospective basis and avoid liability? In this case, the minors surely enjoyed the benefits of their purchases (“game currencies!”); so in order to disaffirm the agreement, they should have to return the currency, which may pose a problem for the parents. (For this reason, my instinct tells me that Apple has the better argument on the disaffirmance issue, but this is just a gut feeling.)

As always, in these cases where plaintiffs challenge Apple’s conduct in the app store, I wonder about the viability of a Section 230 defense. It doesn’t seem as viable in this case as in the typical case since plaintiffs are alleging that Apple made statements that were misleading, but the court doesn’t delve into the details on these statements so it’s tough to tell. Apple's statements may be fairly narrow and not sufficient to get around a Section 230 defense. In any event, I'm curious about Apple's reasons for not asserting a Section 230 defense.

One thing is for sure. The knives of plaintiffs’ lawyers are sharpened when it comes to online litigation. I can see Apple defeating this lawsuit eventually, but the claims themselves surprised me from a factual standpoint. I doubt Apple could have anticipated something like this.

Added: Rebecca Tushnet comments: "What, exactly, was not easy to anticipate about what would happen with "free" games suitable for kids allowing easy in-app purchases (when the phone's been handed over to the kid)?"

Posted by Venkat at 11:19 AM | E-Commerce , Licensing/Contracts , Marketing



April 07, 2012

Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.

[Post by Venkat Balasubramani]

Hoang v. Amazon.com, Inc. & IMDB.com, Inc., C11-1709MJP (W.D. Wash.; Mar. 30, 2012)

Hoang sued IMDB, alleging that IMDB took information she provided when she paid for her subscription and used this information to derive her birthdate. She alleges IMDB then added her birthdate to her public profile and declined to remove it despite her request. She asserts claims for breach of contract, fraud, along with claims under the Washington Privacy Act and the Washington Consumer Protection Act. (She initially filed a Doe lawsuit and argued that she should be able to proceed pseudonymously, but the court rejected this request. See coverage from Matthew Belloni here: "Actress Suing IMDB Reveals Her Real Name.")

Breach of contract: The court declines to dismiss Hoang’s breach of contract claim, finding that statements in IMDB’s privacy policy could support a claim for breach of contract. What tripped up IMDB? Flowery language in its privacy policy saying that it would use customer information “carefully and sensibly.” While there was a section of the policy which informed users what the information would be used for, it did not encompass the use of information for targeting or using the information provided by customers to obtain other information about them:

You can choose not to provide certain information, but then you might not be able to take advantage of many of our features . . . . IMDB uses the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.

Remaining claims: The remaining claims are largely nuked, with one big exception. The court says that Hoang fails to identify any fraudulent statements, and her broad claims about IMDB’s misuse of her information are not sufficient to state a fraud claim. Her claim under the Washington Privacy Act fails as well because this statute covers the interception or recordation of private communications, and Hoang failed to identify any communications intercepted or recorded by IMDB. The one claim which the court did not dismiss which could turn into a problem for IMDB is the Consumer Protection Act claim under Washington law. This allows Hoang to ask for treble damages plus injunctive relief (which may be something IMDB is more worried about).

Quick thoughts:

* Re-identification is risky behavior for companies.

* Finally, a privacy plaintiff who does not have an Article III standing problem! Her damages may not seem like they are the easiest to prove and they may not be astronomical. However, she clearly gets past the Article III hurdle, and if she can get in front of a jury and argue that big bad IMDB (Amazon) played fast and loose with her information, and failed to remove it upon her request, she may find a sympathetic audience.

* Flowery privacy policy language that comes back to haunt a company. This has happened time and time again and is yet another example of a court or agency latching on to flowery language to find an obligation with respect to the use of information. Twitter's language about its security practices came back to haunt it when it was investigated by the FTC: "The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?" Language in RockYou's policy both supported a breach of contract claim and was cited by the FTC in an enforcement action (which recently settled).

* Here's the million dollar question: does Hoang's breach of contract claim require her to show that IMDB obtained information and caused her harm by publicly attaching this information to her profile, or would she have a claim merely based on IMDB's use of her information in a way that is not described in IMDB's privacy policy? The court does not address this issue since Hoang made the allegation that IMDB's public use of her information harmed her. I'm guessing Hoang can't make an argument that IMDB's contractual promises restricted IMDB from using the information she provided as part of the subscription process for any purpose other than to process payment (say for direct marketing or targeting)? This could be a somewhat far-reaching argument, but would run squarely into the Article III problem.

[It's also worth noting that IMDB did not try to force Hoang to arbitrate her claims. IMDB's terms do not contain an arbitration provision. I'm guessing they will consider adding one soon.]

Other coverage:

Eriq Gardner: "Judge Allows Actress Suing IMDb Over Age Revelation to Go Forward on Lawsuit"

Posted by Venkat at 01:24 PM | Licensing/Contracts , Privacy/Security



April 06, 2012

Courts Struggling Needlessly With Online Contracting Practices (Guest Blog Post)

By John Ottaviani

Fteja v. Facebook, Inc., No. 11 Civ 918(RJH), 2012 WL 183896 (S.D.N.Y. Jan 24, 2012)
Jerez v. JD Closeouts, LLC, No. CV-024727-11, 2012 WL 934390 (N.Y. Civ. Ct. March 20, 2012)

For over a decade, I have been advising clients and teaching seminars about strategies for making sure online contracts are enforceable. It's not rocket science. You just have to take traditional contract principles and apply them online. Yet, businesses (and courts) are still struggling with how to do this properly. Given that the consequences of not being able to enforce a contract can be disastrous for a business, you would think that they would take the time to get things right on their websites.

Two recent cases illustrate the problems that the courts are having in determining whether a contract was made in the first place. In one case, the court decided that it would enforce a contract that was accepted when the user clicked a "Sign Up" box, immediately below which was a hyperlink to the terms and conditions. In the other case, the court refused to enforce an agreement where the terms were accessible only after several clicks through some hard-to-find and less-than-obvious links.

Fteja v. Facebook (See Eric's blog post on this case)

In the Fteja case, Fteja brought a lawsuit against Facebook, claiming that Facebook discriminated against him and disabled his account improperly because he is a Muslim. Although Facebook's Terms of Use require that lawsuits be brought in a state or federal court located in Santa Clara County, California, Mr. Fteja brought the suit in the New York state courts. Facebook removed the suit to the federal district court in Manhattan, and then moved to transfer the case to California, arguing that the Terms of Use constitute a binding and enforceable contract.

One would expect that Facebook has a good sign-up process in place, although the process described by the court is different from the one currently in place on its website. According to the court, the user is asked to fill out several fields containing personal and contact information, then click a button that reads "Sign Up." After clicking this initial "Sign Up" button, the user sees another page entitled "Security Check" that requires the user to re-enter a series of letters and numbers displayed on the page. Below the box where the user enters the information, the page displays a second "Sign Up" button similar to the button the user clicked on the initial page. The following sentence appears immediately below that button: "By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service." The phrase "Terms of Service" is underlined and is linked to another page with the Terms.

[John's Note: Facebook may have changed its Sign Up protocol in the interim. Now, the initial "Sign Up" button is immediately below the following sentence: "By clicking Sign Up, you agree to our Terms and that you have read and understand our Data Use Policy." The phrases "Terms" and "Data Use Policy" are linked to the applicable provisions.]

Although this method of obtaining assent has been upheld in a number of cases, the hyperlink to the Terms of Use gave Judge Holwell reason to pause. Because the terms of use were not displayed on the same page as the "Sign Up" button, but were only available through the link, the judge likened Facebook's Terms of Use to a "browsewrap" agreement, where the terms and conditions are posted on the website as a hyperlink at the bottom of the screen. But then he reasoned that the terms of use were still more like a "click-wrap" agreement, because the user had to "Sign Up" and affirmatively click the button to manifest agreement to the Terms of Use. Eventually, the judge concluded that the link to the terms of use is no different than having terms and conditions printed on the reverse side of a cruise ticket or a paper contract, found that Facebook's terms were enforceable, and ordered the case transferred to California. But he took a long, meandering and unnecessary route to get there . . . he would have been better off sticking to traditional contract principles and following the analysis below.

Jerez v. JD Closeouts

This case involves a dispute over the purchase of 50,000 pairs of white tube socks. Mr. Jerez, a New York resident, apparently was unhappy with his $7,146 purchase of the tube socks, and sought a refund in the New York courts. JD Closeouts argued that the suit should have been brought in Florida, because of the forum selection clause in its Terms of Sale. According to the decision, the website's "Terms of Sale" containing the forum selection clause were found by clicking a link on its "About Us" page.

Here, the court refused to enforce the forum selection clause. After reviewing a number of cases enforcing and refusing to enforce online terms and conditions (including the Fteja case above), the court found that this case was more like the situation in Specht v. Netscape Communications Corp., "where 'submerged' website provisions were found insufficient to bind the company's customers." The court found that in this case the existence of the forum selection clause was not "reasonably communicated" to the buyer through a printed contract, a confirming letter agreement incorporating the terms by reference, or a "click-through" acceptance of hyperlinked terms and conditions. Because the forum selection clause was buried and submerged on a webpage that could only be found by clicking on an inconspicuous link on the seller's "About Us" page, the court refused to enforce the forum selection clause.

Analysis

Both courts seem to have reached the correct result. Facebook could have been a little safer by having the terms and conditions on the same page as the "Sign Up" button rather than a hyperlink. But the practice of disclosing the terms through a hyperlink is not uncommon, and so long as the hyperlink reasonably lets the purchaser know that there are terms and conditions that he or she should read, then courts will generally find an enforceable contract in this situation. The terms in the Jerez case were just too obscure and hard to find. Even a seasoned Internet contract attorney like me would not necessarily think to look on the "About Us" page for terms and conditions if they are not otherwise mentioned on a website.

The judge in the Facebook case seemed to have a hard time classifying the contract as a "click-wrap," a "browse-wrap," or a hybrid. In actuality, he need not have spent so much time, because the same contract formation rules apply no matter the classification.

Several colleagues and I wrote a paper a few years ago entitled “Browse-Wrap Agreements: Validity of Implied Assent in Electronic Form Agreements” (59 Business Lawyer 279 (2003)), in which we set forth a four-part test for courts to use in determining whether a user has validly assented to the terms of a browse-wrap agreement: (1) the user is provided with adequate notice of the existence of the proposed terms; (2) the user has a meaningful opportunity to review the terms; (3) the user is provided with adequate notice that the taking of a specified action manifests assent to the terms; and (4) the user takes the action specified in the notice. Subsequently, we have determined that the test applies not only to browse-wrap agreements, but is applicable to determining valid assent for ALL agreements, whether on-line or in the physical world.

While the two court decisions discussed above did not cite our article or explicitly use our test, maybe they will do so in the future if the decisions are appealed. It would help cut through a lot of the confusion caused by trying to categorize a practice as a "click wrap" or a "browse wrap" or something else. There is simply no need to make a distinction for purposes of determining whether an enforceable contract has been created.

(Originally posted at the Business + Intellectual Property + Internet Law blog.)

Posted by John Ottaviani at 09:10 AM | Licensing/Contracts



April 02, 2012

Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment

[Post by Venkat Balasubramani]

Fineman v. Sony Network Entertainment, C 11-05680 SI (N.D. Cal.; Feb. 9, 2012)

In a move that caused a stir among consumer activists and others, Sony revised its EULA in September 2011 requiring PlayStation 3 users to choose between agreeing to submit disputes to arbitration (on an individual basis) or foregoing the right to access the “Sony PlayStation Network.” Plaintiff filed a putative class action alleging unfair competition and contract claims against Sony based on Sony’s imposition of the revised terms. The court rejects plaintiff’s claims.

The court says that a claim under California's unfair competition law requires a plaintiff to prove economic injury in the form of the loss of “money or property” to which the plaintiff is entitled. The diminution of a future property interest has been found to be sufficient by courts. The court nevertheless says that the two property rights plaintiff argued Sony deprived him of are insufficient: (1) the loss of the right to pursue class action claims outside of arbitration against Sony; and (2) the loss of access to the PlayStation Network.

With respect to loss of access to the PlayStation Network, the court says that plaintiff gave this up voluntarily when he made the choice to agree to the revised terms. The court also finds acceptance of the arbitration provision to be insufficient to support a UCL claim. While plaintiff may become embroiled in a dispute with Sony at some point in the future and arbitration may yield less in the way of money damages than litigation, at the present time plaintiff cannot allege that he has been economically harmed by Sony’s imposition of the arbitration clause. (In a footnote, the court distinguishes Fraley v. Facebook, where the court declined to dismiss plaintiffs’ claim that Facebook failed to compensate them for exploiting their publicity rights.)

Plaintiff also made an argument that imposition of revised terms by Sony devalued his PlayStation 3 (i.e., he bought it expecting access to the PlayStation Network and now Sony is imposing an “additional charge” to access that network). This argument received little or no attention from the court. Plaintiff did not make a contractual argument as had the plaintiffs in some recent cases that Sony’s reservation of the right to modify the contract at will rendered the contract terms illusory or was a breach of the original agreement. (See Lebowitz v. Dow Jones: “No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing.”) The court does note that plaintiff actually accepted the revised terms so he had continued access to the PlayStation Network—perhaps it would have viewed this argument differently if the plaintiff had rejected the new terms.

Finally, plaintiff made an argument that Sony breached its implied covenant of good faith and fair dealing. The court says this is basically a disguised breach of contract claim and, because plaintiff acknowledged he was not bringing a breach of contract claim, the court dismisses this claim as well.

[Plaintiff amended his claims to assert a claim for injunctive relief but the court dismisses this without prejudice for lack of jurisdiction. Plaintiff can pursue this claim in state court.]
__

Sony's move to require arbitration of disputes was in response to the Supreme Court's decision in AT&T v. Concepcion, which said the Federal Arbitration Act preempted state laws which treated arbitration agreements unfavorably. Courts appear willing to uphold arbitration provisions in the wake of Concepcion. (See Swift v. Zynga for a recent example where a court forced a consumer to arbitrate disputes based on terms of use which included an arbitration provision.) We can expect to see more companies taking this route. The dismissal of Fineman's claims shows that it won't be easy to challenge these types of changes proactively.

It's interesting that the court didn't take a rigorous look at whether Sony's revised terms affected the underlying economic deal between Sony and the end users. Did Sony advertise access to the PSN network as part of the PS3? Was it reasonable for users to expect continued access on the terms that they initially signed up for? How about the loss of any data or virtual property that plaintiff would have forfeited had he declined continued access to the network? The court's discussion is fairly cursory on these issues.

On the other hand, even when a paid service is involved, courts are sympathetic to the needs of companies to revise terms. For example, the court recently approved Dow Jones' change to WSJ online pricing, finding that plaintiff did not state a claim for breach of contract since the contract allowed for a change in terms: "No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing."

Although California's Consumer Legal Remedies Act provides for a limited cause of action when unconscionable terms are included in consumer contracts, Fineman did not argue that the terms were unconscionable. The court acknowledges that whether the arbitration clause is enforceable is not an issue that is before the court. If someone down the road wants to challenge enforcement of the terms based on their unconscionability, that possibility is still open. These challenges face a high bar, and this dispute will probably end up being a persuasive argument for why the revised terms were not procedurally unconscionable. Someone could also challenge the agreement on the basis that it's illusory and allowed Sony to revise it at will. (See Harris v. Blockbuster and my recent post on mixed rulings on the Qwest arbitration clauses.) However, given that Sony gave users an explicit choice and was upfront about it, I think that type of challenge would be a long shot.

Posted by Venkat at 02:55 PM | E-Commerce, Licensing/Contracts, Virtual Worlds



March 23, 2012

Qwest Gets Mixed Rulings on Contract Arbitration Issue—Grosvenor v. Qwest & Vernon v. Qwest

[Post by Venkat Balasubramani]

I recently blogged about Kwan v. Clearwire, which involved Clearwire’s efforts to force arbitration of a consumer dispute. The court in that case looked at Clearwire’s contracting practices and made an initial ruling that customers could not be forced to arbitrate their disputes because of a failure in the contracting process. (There will probably be additional proceedings around the arbitration issue in that case.) Qwest has been involved in class action litigation over its early termination fees and other practices, and courts recently issued rulings in two cases which address similar contracting issues. Both rulings are interesting and instructive because they tackle fundamental contract law questions.

Grosvenor v. Qwest, 09-cv-02848-MSK-KMT (D. Col.; Feb. 23, 2012) [pdf]:

Grosvenor subscribed to Qwest in 2006 and received a disk containing software to activate the service. The install window contained a link to the applicable terms and contained a check-the-box indicating assent to the terms. Grosvenor had to click on “I Accept” in order to proceed with the installation. The only problem was that the install window did not contain the actual terms. Worse yet, it did not even contain a link to the terms. The terms were two links away.

The court says that requiring a user to click through a couple of links in order to view the terms does not as a matter of law pose a bar to contract formation. However, there is another problem:

the fact that a user must navigate a web page in order to ascertain terms of an offer is particularly difficult where the software being installed is the means by which the internet can be accessed.

D’oh! The court says that the record is bereft of facts indicating that Grosvenor already had internet access at the time he signed up for Qwest and thus he probably had “no way of accessing the terms of Qwest’s agreements until he completed installation of the software, and completion of the software installation would not occur until Mr. Grosvenor manifested his acceptance of the terms or [sic] the agreement." Because of this flaw, the court says that the check-the-box presentation of the terms at the time of install probably does not create an enforceable contract.

Qwest also argued that after Grosvenor signed up, he received a “Welcome Letter” that Qwest sent to everyone who signed up. The subscriber letter does a better job of directing Grosvenor to the operative terms, so the court says this solves the problem of Grosvenor having to dig around. Also, because it was a paper letter sent after Grosvenor obtained internet access, it addresses the problem with the issues which undermined the online terms. Additionally, the court says that because the letter advised users that they should cancel their service in 30 days if they did not agree to the terms, users have the comfort of making their decision in a leisurely manner. The court says that Grosvenor entered into a contract with Qwest in 2006 because he assented to the terms in the letter.

Grosvenor’s underlying qualm with Qwest was over Qwest’s alleged failure to honor a “price for life” guarantee and he argued that this was not part of the original deal—this was something Qwest implemented as part of a service upgrade. The court expresses some skepticism as to whether the upgrade constituted a new agreement but in any event says that because Qwest sent Grosvenor a second welcome letter relating to the upgrade, Grosvenor assented to any new terms. Net result: Qwest and Grosvenor entered into a contract and this contract contained an arbitration clause.

Although the court finds that Grosvenor agreed to Qwest's terms, Grosvenor argued that Qwest's subscriber agreement was illusory because Qwest included a provision that it could modify terms of the agreement at its discretion. Qwest had a Harris v. Blockbuster problem. (See “Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster.”) In Harris, the court invalidated an agreement because the agreement said Blockbuster could amend it at any time and did not have to provide notice to the customer. In Harris, the modified terms were effective upon use of the service by the customer. Qwest had a similar provision in its subscriber agreement saying that Qwest would “modify the Service and/or any of the terms and conditions of [the] Agreement . . . and [changes became] effective upon posting to www.qwest.com/legal.” Other than some precedent that’s unfavorable to Qwest (and binding on the district court) the court says that there’s one big problem to Qwest’s argument that Grosvenor assented to the modified terms by continuing to use the service: Grosvenor had to access the service in order to view the modified terms, and because he had no opportunity to review the terms without continuing to use the service he had no meaningful right to reject the terms.

The court says that the arbitration clause is illusory and unenforceable.

Vernon v. Qwest, 09-cv-01840-RBJ-CBS (D. Col.; Mar. 8, 2012):

Vernon is a companion case but heard by a different judge in the same district. Plaintiffs asserted claims on behalf of a putative class, alleging that Qwest’s imposition of Early Termination Fees was improper. The named plaintiffs all signed up for slightly different offerings from Qwest.

The first question was whether plaintiffs had entered into enforceable agreements with Qwest. The court runs through the “browsewrap” / “clickwrap” taxonomy, and also mentions “hybrid arrangements,” where the terms presented to the customer do not appear in the same screen as the accept button—i.e., the customer must click through a hyperlink to read the terms (citing Fteja v. Facebook and Swift v. Zynga). (See Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook and Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga for posts on these cases.) The court says that assent may be gleaned “from the totality of the circumstances,” and in this case plaintiffs had “reasonable notice” of the terms, so the terms are enforceable. As in Grosvenor, the court looks to the “welcome letter” sent by Qwest and says that this is enough to put customers on notice of the terms.

As a backup argument, plaintiffs also asserted that the arbitration clause was illusory because (as in Grosvenor) Qwest reserved the right to revise the agreement at any time. This court comes to a different conclusion than Grosvenor and finds that the agreement is not illusory. The agreement said that Qwest can revise the terms at any time and revised terms were effective on posting. However, the agreement contained an exception for when a revision “results in a material and adverse economic impact” to the customer. Where there is a "material adverse economic impact," the agreement required 30 days notice. Based on this, the court says that the agreement does not give Qwest “the unfettered right” to make changes to it and therefore there is no illusory agreement problem. (See the Dow Jones case I blogged about for a similar result: "No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing – Lebowitz v. Dow Jones.")

Plaintiffs made two other arguments that didn’t get much traction with the court: (1) that the agreement was unconscionable and (2) that Qwest waived its right to insist on arbitration.

__

It's depressing to see companies not tie up loose ends on their online contracting processes. It immediately makes the customer's claims seem more sympathetic--if the company can't get the contract right, chances are it's going to botch the customer service. It's possible that Qwest had some reason for not presenting the subscriber agreement in the box itself at the time of install, but it better have a compelling reason for not doing so. As a result, the court has to go through judicial contortions to enforce the agreement. The court enforces the agreement due to the fact that the terms were communicated via a letter to the customer. Courts continue to see mail as a legally sufficient form of notice and I wonder whether people in the modern era are likely to read mailings they receive from companies like Qwest. (I know I would recycle it immediately.) Also, there's an FTC rule that governs mailings for free products or services; perhaps it wasn't enough of a colorable issue for plaintiffs to have raised, but I was surprised to not see a footnote from the court on this issue. If there's no agreement as a result of the online terms, Qwest's mailer is ostensibly an offer and I wondered whether offers via mail had to comply with certain requirements.

The illusory agreement issue is one to watch as well. Contracts will continue to come under fire because they include a provision saying one party can change the terms at will. It's an understandable lawyerly instinct to include this in an agreement, but I would resist this impulse! In one of the two cases, Qwest skated past the illusory agreement challenge, but the fact that one of the two judges was willing to strike down the agreement illustrates how risky it can be to include this provision in an agreement.

Previous posts:

Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook

Posted by Venkat at 02:10 PM | E-Commerce, Licensing/Contracts



March 22, 2012

No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing – Lebowitz v. Dow Jones

[Post by Venkat Balasubramani]

Lebowitz v. Dow Jones & Co., 06 Civ. 2198 (MGC) (S.D.N.Y.; Mar. 12, 2012)

Dow Jones operates WSJ Online. Historically, it offered WSJ Online subscribers access to WSJ Online and Barron’s Online. At some point, Dow Jones decided to spin off Barron’s. It gave existing subscribers the choice between accessing Barron’s instead of WSJ Online or accessing WSJ Online and paying a separate fee (pro-rated and up to a maximum of $20) to access Barron’s.

Plaintiffs brought a putative class action, arguing that a mid-stream change in the subscription price was a breach of the subscriber agreement. Alternatively, plaintiffs argued that if the agreement was interpreted to allow Dow Jones to unilaterally change the price this would render the contract illusory. The contract provision allowed Dow Jones to:

change the fees and charges then in effect, or add new fees or charges, by giving [subscribers] notice in advance.

The court disagrees, noting that contractual provisions which allow unilateral changes are not illusory as long as the right to make these changes is constrained in some manner. Looking to case law in New York, the court says that requiring an obligor to exercise its discretion in a reasonable manner or a manner evincing good faith sufficiently constrains the obligor’s discretion. The court says this is the case here:

there is no evidence that Dow Jones used the discontinuance provision to deprive plaintiffs of an unreasonably large part of WSJ Online’s content, and there is no reason to interpret this provision as permitting such extreme behavior. Dow Jones acted reasonably, and therefore this provision of the subscriber agreement is not illusory.

Plaintiffs also argued that Dow Jones failed to give advance notice of the price change and this constituted a breach. Dow Jones had provided notice via a “pop-up” box, which indicated that it was conveying an “IMPORTANT NOTICE TO READERS.” This box appeared on each homepage. When users clicked on this box, a notice appeared which informed subscribers of the spin-off and the fact that the pricing would be changing.

__

There have been a slew of disputes involving contracts which one party says they can modify at any time. Harris v. Blockbuster presented this problem and Eric’s advice was on point: “STOP PUTTING CLAUSES INTO YOUR CONTRACTS THAT SAY YOU CAN AMEND THE CONTRACT AT ANY TIME IN YOUR SOLE DISCRETION BY POSTING THE REVISED TERMS TO THE WEBSITE.” It doesn’t look like companies have heeded this advice and thus continue to struggle with arguments from consumers that this type of a provision renders the contract illusory. Dow Jones dodged a bullet here, and although I’ll leave the contract law 101 deep dive to others, the result here did not comport with basic common sense and equity. It’s as if you sign up for a month-long plan to purchase a particular type of combo meal deal at McDonald’s and halfway through they come along and change up the combination. Rather than forcing customers to pick between WSJ Online or Barron’s going forward, Dow Jones could have just refunded a portion of the subscription fees. The court’s decision deprives plaintiffs of this choice. It wasn't clear from the opinion, but it seemed like the decision was made just to separate the two subscriptions--the order did not discuss some compelling reason (other than subscriptions) why Dow Jones made the decision.

Another interesting part of the dispute was how Dow Jones dealt with notice. Dow Jones has to provide subscribers notice in order for the revised terms to be effective. This is another problem area for companies. (See Eric’s post on the Douglas v. Talk America case, where the Ninth Circuit struck down a contract amendment due to failed notice: “Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America.” Some suggestions as to notice are discussed in that post.) The court here spends two sentences on the adequacy of notice via a pop-up box. The pop-up box method of notice would work in many cases, but it was surprising to see the court ignore the details of the notification here. I suspect other courts would not always be so approving of notice via this method, absent consideration of other facts, such as the size of the box and the overall user experience.

Previous posts:

Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook

Posted by Venkat at 06:03 AM | E-Commerce, Licensing/Contracts, Marketing



March 16, 2012

Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook

By Eric Goldman

E.K.D. v. Facebook, Inc., 3:12-cv-01216-JCS (S.D. Ill. March 8, 2012). The complaint.

This opinion reaches two interesting conclusions. First, it says children-users can't disaffirm Facebook's terms of service (TOS) so long as they keep using the site. Second, it says the children-users are bound to Facebook's TOS even though the court thinks it's a browsewrap. Neither ruling is unprecedented, but both rulings represent a very favorable bounce for Facebook. Yet, for reasons I'll address in a moment, I'm not 100% clear why Facebook wanted this outcome.

Background. This is one of at least three publicity rights lawsuits brought over Facebook's Sponsored Stories. EKD was filed in the Southern District of Illinois. The other two I know of are JN v. Facebook (in EDNY) and Fraley v. Facebook (in N.D. Cal.). JN and EKD both involved children-users of Facebook as plaintiffs. The JN case was voluntarily dismissed last August. A related case, Cohen v. Facebook, related to Facebook's use of users' names/photos in Facebook's "friend finder" service. In October, Facebook won the Cohen case for lack of cognizable injury. In contrast, in December, in Fraley v. Facebook, the plaintiffs made substantial headway by surviving Facebook's motion to dismiss on Article III, 47 USC 230 and other grounds. [An update on the Fraley case: the court granted Fraley's request to drop out of the case. See 2012 U.S. Dist. LEXIS 34477 (N.D. Cal. March 13, 2012)].

In the EKD/Dawes case, Facebook sought to transfer the venue from S.D. Ill. to N.D. Cal. To do so, it needed the court to uphold the venue selection clause in its user agreement/TOS.

Disaffirmance. The court first addresses whether kids can be bound by Facebook's TOS under any circumstance due to the infancy doctrine, which says contracts with kids are generally voidable by the kids. The court says that kids can't have it both ways--either the contract applies in total or they must disaffirm it in total. Here, the kids haven't disaffirmed it totally because:

Plaintiffs have used and continue to use facebook.com. The Court concludes that Plaintiffs cannot disaffirm the forum-selection clause in Facebook’s TOS, although Plaintiffs were minors when they entered the agreement containing the clause.

This brings to mind the uncited AV v. iParadigms case, the leading kids-and-online-contract case to date. That case involved the plagiarism detection service Turnitin, whose contract with students purportedly let Turnitin retain copies of kids' papers in its database for future precedent checks. The court there said that the kids had received the "benefit" of Turnitin's service (i.e., it had already completed the plagiarism detection on their papers), so there was no way for kids subsequently to unwind the contract completely.

The EKD case differs because the court leaves open the possibility that the kids could void the contract by deleting their Facebook accounts. At the same time, deleting the account wouldn't help these particular plaintiffs because then Facebook would stop showing their names and photos in Sponsored Stories. It remains to be seen if other minor plaintiffs can take advantage of the hole this case doesn't address.

FWIW, kids and online contracts is a hot topic in the academic literature. See, e.g., From the Mouths of Babes: Protecting Child Authors from Themselves by Julie Cromer Young and CyberInfants by Cheryl Preston. I believe Farnaz Alemi has a forthcoming paper on the topic too. The authors of these papers can rest easy about any possible preemption from the opinion; I can't imagine this opinion resolves the issue dispositively.

Binding Nature of the TOS. Having established that the kids are capable of being bound to the Facebook TOS, the court then turns to whether the plaintiffs in fact assented to the TOS. The judge really makes a hash here. The court makes the unqualified statement that "Facebook’s TOS, including the forum-selection clause at issue, are contained in a so-called 'browsewrap agreement.'" This is just an unmitigated misunderstanding of what constitutes a browsewrap, reminding us of the intractable semantic ambiguity of that phrase. See the effectively identical error made in the uncited Fteja v. Facebook ruling from a couple months ago. Indeed, the court proves it knows that Facebook's TOS isn't a browsewrap. Later, the opinion says "persons wishing to join facebook.com must attest that they have read Facebook’s TOS, which are made available through a hyperlink." JUDGES: PLEASE PLEASE PLEASE RETIRE THE PHRASE BROWSEWRAP PERMANENTLY. It's not helping your analysis one bit.

Having made the factual error of calling the TOS a browsewrap, the judge makes a doctrinal error to cover up the factual error by concluding that browsewraps are enforceable. UGH. The court says "the validity of a browsewrap contract hinges on whether the website provided reasonable notice of the terms of the contract," which Facebook did by presenting the TOS as a clickthrough (the language quoted above) and because the TOS is linked in Facebook's footer on every page. Whether or not the users actually read the TOS becomes irrelevant because they had constructive notice.

After it determined the agreement is enforceable, the court says the venue selection clause is reasonable. Get this: the court then chides the plaintiffs for bitching about the venue selection clause's reasonableness because the "time for Plaintiffs to have considered whether the forum-selection clause in Facebook’s TOS would terribly disadvantage them was when they agreed to the TOS."

WHAT? First, the plaintiffs are minors, so by definition they lack legal sophistication to understand and then negotiate a standard form contract with a company that basically never replies to individual emails. Second, the court just said it was a browsewrap, which by definition means that they never "agreed" to it. COME ON.

Don't get me wrong, the judge got to the right policy result. Facebook shouldn't be dragged all over the country by lawsuits from minors. But the judge's doctrinal contortions to reach this result are painful.

Venue Transfer. Having concluded that the venue selection clause is valid and enforceable, the court then effectuates its provisions by transferring the case to Facebook's home court as the clause specifies.

Implications of the Transfer. Hey litigator friends, I could use your help assessing Facebook's move here. (I did ask Facebook for comments, but it declined). Facebook already had an adverse ruling in the highly similar Fraley case. Yet, instead of trying to get a more favorable result in a different circuit with potentially different law, Facebook has transferred this case into the same district where it suffered the interlocutory loss. Is this a good move or a puzzling one? On the one hand, by putting both cases in the same circuit, it increases the likelihood that a win in one will knock out the other (even if that win has to occur on appeal). On the other hand, it took the case out of a venue with uncertain outcome and put it into a venue where it knows it has a fight on its hands. So, litigator friends, does it make sense for Facebook to put all of the eggs in one basket, or should it have diversified its risks? If you email me, let me know if I can quote your email in an update to this post.

A timing note: Facebook filed the venue transfer motion a few weeks before the Fraley decision came out. However, surely it could have withdrawn the motion after that point if it had wanted to, and I doubt EKD would have resisted.

In an email, Venkat responded to my question:

Northern District of California judges see a ton of disputes involving Facebook, and they're probably viewed as somewhat more sophisticated in dealing with Facebook terms and privacy/publicity issues. Also, from an administrative/housekeeping standpoint, Facebook must feel more comfortable there so this may slightly weigh in favor of trying to proceed in California. From a substantive standpoint I can't think of any compelling reason to go there after getting bad precedent in a similar case. (I wonder how the statutes vary as far as the scope of substantive rights they provide. It's surprising this wasn't a bigger issue in the transfer discussion. I realize the classes may be sliced up depending on the type of rights they assert, but CA law provides for more favorable publicity rights in general?).

UPDATE: Rebecca emailed me: "Isn't the incredibly broad scope of Illinois RoP law of importance in the venue, even with a favorable choice of law clause substantively? I'd expect Illinois courts to be more RoP-friendly."

Posted by Eric at 01:38 PM | Licensing/Contracts , Publicity/Privacy Rights



March 07, 2012

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[Post by Venkat Balasubramani]

In re Facebook Privacy Litigation, 10-02389 (N.D. Cal.; Nov. 22, 2011)

In re Zynga Privacy Litigation, 10-04680 (N.D. Cal.; Nov. 22, 2011)

These decisions are several months old, but they remain worth mentioning despite the fact they are well past their "blog-by" date. The court recently rejected plaintiffs’ motion to amend the judgment as to Facebook, so the cases are still active.

Facebook and Zynga scored an initial win last May against putative class action claims arising out of alleged data leakage from Facebook to its advertisers. The court expressed some skepticism about plaintiffs’ claims but gave plaintiffs a chance to amend their complaint. My blog post on the court’s earlier ruling: “Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation.” This time around the court grants Facebook’s and Zynga’s motions to dismiss with prejudice. Plaintiffs appealed the ruling in the Zynga case to the Ninth Circuit. (See the link to the Justia page.) With respect to the Facebook dismissal, plaintiffs requested that the court amend or alter the judgment, but the court refused this request.

Claims Against Facebook

Stored Communications Act

On the Stored Communications Act claim, the court says that the complaint contains inconsistent allegations regarding whether the communications in question were requests to connect to specific advertisements or whether Facebook acted as a “remote computing service” provider under the SCA:

On the one hand, Plaintiffs allege that the communications at issue in this case were requests to be connected to specific advertisements; that the requests were addressed to advertisers; and that Defendant merely acted as the "intermediary" for those communications.... On the other hand, Plaintiffs contend that Defendant acted as [a remote computing service ("RCS")] provider for purposes of Plaintiffs' claim under the SCA....

Analyzing claims under this statute leaves my head spinning, but the court ruling looks similar to its earlier conclusion (and reminds me of the court's analysis in the DoubleClick case). Suffice it to say that the court was not excited about plaintiffs' claims either the first or the second (or third) time around. Plaintiffs sought to further detail their claims in their request to amend the court's judgment, but the court says no to this. Whatever the merits of the plaintiffs' SCA claims, their pleadings apparently were not a model of clarity.

California Penal Code sec. 502

This statute creates a cause of action against someone who introduces a “computer contaminant” into the plaintiff’s computer or computer system. Plaintiffs' own allegations admitted that the “referrer header” (which plaintiffs allege Facebook improperly disclosed to advertisers) is a “standard web browser function provided by web browsers since . . . 1996.” The court says that this admission dooms plaintiffs' claims under section 502 since any allegedly improper transmission occurred as a result of the browser’s “normal operation” rather than any contaminant allegedly introduced by Facebook. (See also Amazon v. Del Vecchio.) Section 502 was the same section Facebook relied on when it sued Power.com, although Facebook relied on a different part of the statute there. Blowback did not come to pass in this case, among other reasons because of that difference, but this made me think of Eric’s frequent admonition about considering blowback from overzealous enforcement efforts.

Breach of Contract and Fraud

Plaintiffs sought to rely on the “personal information as property” theory to support their breach of contract claim. The court squarely rejects this argument. The court also rejects the fraud claim for lack of damages.

Claims Against Zynga

The court resolved the Stored Communications Act against Zynga on the same basis as against Facebook. Plaintiffs’ breach of contract claim against Zynga also suffered the same fate as the breach of contract claim against Facebook. With respect to Zynga, plaintiffs alleged that they were paying customers, but the court finds that any payments by plaintiffs were in exchange for virtual currency, and plaintiffs failed to allege that they did not receive the virtual currency which they paid for. Thus, the fact that plaintiffs were paying customers does not change the analysis. Plaintiffs also brought a breach of good faith claim against Zynga, but the court finds that these were merely re-packaged breach of contract claims and suffered from the same deficiencies.
__

It’s worth distinguishing data leakage claims from claims where Facebook is allegedly using likenesses or photographs of end users to promote itself or products or services. (See Eric’s discussion of Fraley v. Facebook: Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook.) These claims have a much greater chance of proceeding, even if they do not succeed on the merits.

Unlike publicity rights claims, data leakage claims have routinely been kicked out of court, whether on the basis of standing or on the merits. Even appeal courts have been unfriendly towards these claims. I thought that the latest wave of privacy lawsuits could end up being salvaged or revived by a friendly appeals court decision, but I’m starting to think the chances of this are slim.

You have to give Facebook credit for staving off the numerous privacy lawsuits. Other than the Beacon lawsuit (the settlement approval of which is still on appeal to the 9th Circuit) and the publicity rights lawsuit which Eric blogged about in December, there have not been any other privacy plaintiff wins against Facebook. Maybe people should consider taking Facebook to small claims court? On the other hand, if they have been unable to get traction in different courts with different versions of their claims, this is a strong indicator that there's no "there" there. It seems like Facebook is fast and loose with its privacy practices, but it's another matter entirely as to whether Facebook's practices create liability under existing statutes. Of course, Facebook will still have to deal with the watchful eye of the FTC, but enforcement efforts by private plaintiffs look like a dead end.

Posted by Venkat at 09:05 AM | Licensing/Contracts , Privacy/Security , Trespass to Chattels



February 28, 2012

Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark

By Eric Goldman

Steinberg v. CVS Caremark Corp., 2012 WL 507807 (E.D. Pa. Feb. 16, 2012)

CVS Caremark provided consumer data to pharma companies and data brokers. The plaintiffs alleged that the data transfers violated CVS's privacy policies, but CVS apparently disclosed only "de-identified" data as contemplated by HIPAA. Plaintiffs couldn't sue under HIPAA, both because CVS complied with HIPAA and because HIPAA doesn't enable a private cause of action for these violations. Although these facts implicate Sorrell v. IMS, that case didn't come up because the plaintiffs didn't sue under an analogous statute specifically addressing pharmaceutical data transfers.

Instead, the plaintiffs sued under Pennsylvania's consumer protection act, claiming that CVS made material misrepresentations in its privacy policies about its data handling. The court dismisses the suit--with prejudice!--on two principal grounds.

First, it says that CVS told the truth in its privacy policies:

The plaintiffs do not allege that the defendants disclose Protected Health Information to third parties. Rather, they disclose de-identified information, which (a) federal regulations do not prohibit; and (b) is consistent with the defendants' statements that they safeguard information that "may identify" consumers.

To salvage the situation, the plaintiffs' lawyer tried to argue that the de-identified information could be re-identified by recipients, but apparently the plaintiffs' lawyer couldn't make the argument very cogently:

Although they admit that the information the defendants disclose to third parties is de-identified within the meaning of HIPAA, the plaintiffs have argued that it can be "re-identified." There is no such contention in the CAC, and plaintiffs' counsel admitted that the basis for such an argument comes from a single journal article and would take the form of expert testimony that a re-identification risk exists with respect to de-identified information generally, not as to the plaintiffs in this case.

It seems pretty clear that the lawyer didn't fully understand re-identification--at least, not well enough to explain how it might trump CVS's privacy promises. Thus, the court never really gets to the merits of the re-identification theory, but clearly it did not pique the judge's interest. Presumably the "single journal article" referenced is Paul Ohm's Broken Promises of Privacy article. Looks like Paul missed out on a potentially lucrative expert gig.

Second, the court rejects the consumer protection claim on two different standing grounds:

1) the named plaintiff didn't suffer any cognizable loss. The best the plaintiffs' lawyer could do was claim "the loss of the value of his demographic information, or the loss of an opportunity to pay less for his prescriptions with the understanding that the defendants would be profiting from the sale of his information." These types of losses have flopped repeatedly before, and they do so again (citing, among others, LaCourt, JetBlue and Low v. LinkedIn).

2) the named plaintiff didn't allege justifiable reliance on CVS's representations. To get around this specific requirement in Pennsylvania law, Plaintiffs tried to allege that CVS was a fiduciary; that goes nowhere.

The unjust enrichment claim fails because there was no expectation that the information provided to CVS would be compensated. The intrusion into seclusion claim fails because the plaintiffs voluntarily provided their data to CVS.

As we've already seen, privacy plaintiffs' lawyers are avid readers of the privacy scholarly literature, looking for new theories to help them grind their axes. Privacy scholars should be gratified by this practitioner attention. As we know, most law review articles never get read (my mom won't even read mine). As this case illustrates, privacy plaintiffs' lawyers may build their entire cases around the academic literature. Personally, I think this fact means privacy scholars need to ensure that their articles are ready for the rough-and-tumble world of profit-seeking class action litigation. It would be irresponsible for a privacy scholar to toss out a half-baked academic thought about new ways of suing over privacy, knowing that the plaintiffs' bar is looking for fresh meat--anything--to get past 12(b)(6) motions irrespective of the case's true merit. I'm not accusing Paul Ohm's article of being half-baked (far from it, it's one of the most interesting articles I've read in years); but I couldn't be as complimentary towards some of the other privacy scholarship I see, and I hope the thought of being potentially responsible for lots of wasted litigation activity will encourage all privacy scholars to honestly reflect on the social merits of their arguments.

Although the re-identification theory doesn't go anywhere in this case, arguably CVS dodged a bullet. Ever since I read Paul's paper, I have been recommending that companies stop making PII/non-PII distinctions in their privacy policies. It was instantly clear to me from reading Paul's paper that plaintiffs could attack a privacy policy's promise not to disclose "PII" using a reidentification theory because we don't reliably know which bits of data can be used to uniquely identify individuals. Indeed, the language CVS used (it wouldn't disclose information that "may identify" consumers) was especially dangerous, because any bit of information, in combination with the right set of other data, has the theoretical capacity to uniquely identify individuals. The plaintiffs' lawyer in this case was sniffing around the issue but didn't nail it; but other cases--especially after goofy rulings like Pineda treating zip codes as PII--will raise the issue better and pose significant danger to defendants. This case is a warning sign that CVS, and everyone else, should carefully reexamine the PII/non-PII distinctions in their privacy policies.

Posted by Eric at 11:57 AM | Licensing/Contracts , Privacy/Security , Publicity/Privacy Rights



February 01, 2012

Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire

[Post by Venkat Balasubramani]

Kwan v. Clearwire Corp., C09-1392JLR (W.D.Wash.; Jan. 3, 2012)

Professor Goldman blogged recently about a case involving Facebook where the court enforced Facebook’s terms of use and, based on a venue clause in Facebook’s terms, transferred a dispute from New York to California. The court delved into (and seemed to get bogged down in) the distinctions between clickwrap and browsewrap agreements while eventually concluding that the plaintiff was apprised of the terms (or should have been), so there was no reason not to enforce the contract. Kwan v. Clearwire doesn’t involve strictly online terms, but Clearwire was not so lucky. It botched its terms of use (judging from the court’s order, it also botched its customer service efforts). End result: it can’t summarily move the dispute to arbitration and has to undergo discovery around whether its customers agreed to the terms. The court was fairly skeptical of Clearwire’s position, so its chances of success on the arbitration front don’t seem great.

Background

Kwan brought a lawsuit against Clearwire and collection agents for Clearwire alleging that she was harassed by Clearwire and its debt collectors in an effort to reach a Clearwire customer (which wasn’t her). Among other claims, she asserted claims under the TCPA, the Fair Debt Collection Practices Act, and Washington’s Consumer Protection Statute. Her complaint was amended to add Brown and Reasonover, both of whom tried Clearwire services for a short time (or judging by the complaint, attempted to try Clearwire out for a trial period but with little success). The Clearwire terms contained a class action waiver and an arbitration clause, and Clearwire sought to have the dispute arbitrated pursuant to the Clearwire terms.

Brown signed up for a 14-day trial of Clearwire. She received a confirmation email from Clearwire one week prior to receiving her modem. She tried to connect her modem but was unsuccessful, and she alleged that she was not required to click any sort of acknowledgement before trying to connect her modem. She called Clearwire to cancel her service, but was persuaded by Clearwire to renew her trial period. Clearwire had a service technician check on Brown’s modem. The technician arrived while Brown was at work and Brown’s roommate left the technician alone to try to get the modem working. After the technician left, she tried to get the modem working, and it still would not work properly. According to Brown, she discovered that “use of her microwave interfered with her modem signal.” She tried to cancel her service, and after going back and forth with Clearwire, Clearwire finally agreed that she could cancel her service. Clearwire sent her shipping labels to return the modem, but according to her, by the time she received the shipping labels from Clearwire, the labels had “expired.” This prompted another round of back-and-forth with Clearwire's customer service. Ultimately, she was able to return the modem to Clearwire.

Reasonover’s experience with Clearwire wasn’t much better. She signed up for a seven-day trial period and, because she was not at home when Clearwire shipped the package, Federal Express held it for her. She was unable to pick up the modem within her trial period, so she was worried about being able to cancel. When she plugged in the modem, she was only able to obtain “one green bar,” and this too from an “inconvenient location in her house.” Before connecting to the internet, she was presented with an “I accept” screen for Clearwire’s terms, but she bailed. Apparently, Clearwire told her that she could not cancel her service. She had some less-than-friendly exchanges with Clearwire, and she reported Clearwire’s actions to her credit card. Ultimately she alleges she paid for the modem (Clearwire disputes this).

Discussion

The court notes that the Federal Arbitration Act provides for arbitration of disputes that are subject to arbitration clauses. While the FAA sets forth a policy in favor of arbitration, it first requires a determination of whether the parties entered into an agreement to arbitrate their dispute. And that’s the hitch for Clearwire.

The court canvasses the law on browsewrap and clickwrap agreements (citing to Specht, Register v. Verio, Hines v. Overstock, and Southwest Airlines v. Boardfirst, among other cases). While Washington courts have not upheld the enforceability of clickwrap or browsewrap agreements, the court notes that shrinkwrap agreements are enforceable under Washington law. The prevailing case in Washington relied on Hill v. Gateway and ProCD v. Zeidenberg, and in both of these cases, “the terms and conditions at issue were included with the product purchased by the consumer.” This is consistent with the court’s inquiry in Specht as to whether the customer had notice of the contractual terms.

The court holds that, on the record before it, Clearwire is not entitled to enforce its arbitration clause. Clearwire pointed to the email confirmation which it sent to customers, but the court notes that the confirmation email did not contain a direct link to Clearwire’s terms—the link pointed to Clearwire’s home page, and Brown would have to “negotiate her way through two more hyperlinks” in order to arrive at Clearwire terms. Clearwire also argued that Brown was aware of the terms and used the product in question. With respect to this argument, the court says:

The breadcrumbs left by Clearwire to lead Ms. Brown to its TOS did not constitute sufficient or reasonably conspicuous notice of the TOS.

In any event, the court notes that Brown returned the modem.

Clearwire fared no better against Reasonover’s claims. It could not rely on the terms on its website because Reasonover testified that she “abandoned the page.” It also could not rely on the confirmation email which it sent because the email did not contain a readily accessible link to the terms—as with the facts with respect to Brown, Reasonover would have had to click through a couple of different links to arrive at Clearwire’s terms. Finally, Clearwire relied on the material that it had sent with the modem. These materials unfortunately suffered from the same flaws:

At the bottom of one of the pages included in the modem packaging was a reference to the TOS and to where the TOS could be located on [Clearwire’s] website. The statement actually contain[ed] two different hyperlinks. Neither link . . . immediately display[ed] the TOS.

D’oh.

As a final bonus, the court also denied the request to arbitrate filed by the collection agency, finding that there was a dispute as to whether it was an agent (with a close relationship to Clearwire) that could enforce the terms, or an arms-length independent contractor, who would not (citing Swift v. Zynga).
__

Apart from the numerous alleged customer service debacles detailed in the complaint, Clearwire dropped the ball in several ways.

First, it did not have a ‘leakproof’ clickwrap agreement that users had to agree to before they activated the modem or signed on. Clearwire could have forced its users to scroll through and click on an “I agree” button as a prerequisite to activating the modem. (This may not have helped with respect to Brown’s claims since a technician activated the modem, but I assume this was an aberration. Most users probably plugged in the modem and signed on without the help of a technician—Clearwire could have forced them to click through and agree to terms.)

Second, to the extent it tried to rely on paper terms which it sent to customers along with the modems, it could have at least included the terms themselves as part of the package. I get the feeling the judge in this case would have worked hard to find a way around enforcing the terms in this scenario, but it would have been harder. (Again, the fact that the customers returned the modems would have affected the analysis. They could have argued that their acceptance of the terms was premised on them keeping the modems and since they didn’t they should not be bound by the terms.)

Finally, there’s the email debacle. I’m not sure the email would have helped since it came after the fact and would be categorized in the same manner as paper terms (i.e., if the customer returns the item, they can argue they should not be bound by the terms). But the email did not even include the terms!

This decision is largely consistent with previous online contracting cases. If you can't easily show the court that the terms were readily accessible, you're going to have a long road to travel down. It also demonstrates that if you can make a compelling case to the court that there's something inequitable afoot (whether in the form of seriously egregious, one-sided terms, or botched customer service, as was alleged in this case) courts will work to find a way around enforcing terms that they may otherwise enforce.

Posted by Venkat at 10:07 AM | Licensing/Contracts



January 30, 2012

Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook

By Eric Goldman

Fteja v. Facebook, Inc., 2012 WL 183896 (S.D.N.Y. Jan. 24, 2012). Fteja's initial "complaint" (filed as an order to show cause).

If I could wave a magic wand, I'd retire the phrases "clickwrap" and "browsewrap." Those terms trace their lineage to a radically different technology--plastic shrinkwrap on physical products--and, as a result, they never developed clean or precise definitions in the online world. This opinion is much more prolix than necessary because the court couldn't figure out what either term meant and therefore couldn't decide how to apply the precedent. Fortunately, the court gets to the right place eventually.

Fteja claims that Facebook terminated his Facebook account improperly because it discriminated against him as a Muslim. Facebook will win this lawsuit eventually; see, e.g., my paper about online user account terminations and 47 USC 230(c)(2) and Young v. Facebook.

For now, after removing the case from New York state court to federal court, Facebook sought to transfer the case to its home court in California. Facebook invoked the venue selection clause in its user agreement (its "Terms of Use"). Facebook uses a mandatory non-leaky clickthrough agreement where the terms are hyperlinked from the clickthrough page. (The language says: “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service," where the words Terms of Service are a hyperlink). This user interaction should have made it an easy case. This formation process (mandatory clickthrough with hyperlinked terms) has been upheld in dozens of cases. Indeed, buried in his overlong discussion, the judge says "Fteja was informed of the consequences of his assenting click and he was shown, immediately below, where to click to understand those consequences. That was enough."

Yet, the judge launches into an extended discourse about the philosophy of online contracts. Overly troubled by the hyperlinked presentation of the actual terms, the court reaches this awkward classification:

Facebook's Terms of Use are somewhat like a browsewrap agreement in that the terms are only visible via a hyperlink, but also somewhat like a clickwrap agreement in that the user must do something else—click “Sign Up”—to assent to the hyperlinked terms. Yet, unlike some clickwrap agreements, the user can click to assent whether or not the user has been presented with the terms.

The judge then snarks about social media exceptionalism:

it is tempting to infer from the power with which the social network has revolutionized how we interact that Facebook has done the same to the law of contract that has been so critical to managing that interaction in a free society. But not even Facebook is so powerful.

(Don't underestimate Facebook, your honor. It is changing our brains).

Despite all the navel-gazing, the judge realizes:

There is no reason why that outcome should be different because Facebook's Terms of Use appear on another screen rather than another sheet of paper....The mechanics of the internet surely remain unfamiliar, even obtuse to many people. But it is not too much to expect that an internet user whose social networking was so prolific that losing Facebook access allegedly caused him mental anguish would understand that the hyperlinked phrase “Terms of Use” is really a sign that says “Click Here for Terms of Use.” So understood, at least for those to whom the internet is in an indispensable part of daily life, clicking the hyperlinked phrase is the twenty-first century equivalent of turning over the cruise ticket. In both cases, the consumer is prompted to examine terms of sale that are located somewhere else. Whether or not the consumer bothers to look is irrelevant.

Having convinced himself that Facebook's venue selection clause is enforceable, the judge then concludes that transfer is proper. All of the relevant evidence is at Facebook's headquarters, Fteja's witnesses don't appear to be near NYC, the alleged contract breach means the "locus of operative facts" took place in California, and Fteja's medical condition ("Ménière's disease") won't keep him off airplanes.

Some related posts:

* Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore
* Forum Selection Clause in "Submerged" Terms of Service Presumptively Unenforceable -- Hoffman v. Supplements Togo
* Anti-Scraping Lawsuit Largely Gutted--Cvent v. Eventbrite
* Interesting Database Scraping Case Survives Summary Judgment--Snap-On Business Solutions v. O'Neil
* Clickthrough Agreement With Acknowledgement Checkbox Enforced--Scherillo v. Dun & Bradstreet
* Contract Formed Even If Customer Never Received It--Schwartz v. Comcast
* Ticketmaster Wins Big Injunction in Hannah Montana Case, But Did the Public Interest Get Screwed?--Ticketmaster v. RMG

Posted by Eric at 09:25 AM | Licensing/Contracts



January 20, 2012

Google Gets Significant Win in AdWords/Parked Domains Case

By Eric Goldman

In re Google AdWords Litigation, 2012 WL 28068 (N.D. Cal. Jan. 5, 2012)

Google defeated class certification in an AdWords-related case over Google's placement of ads on parked domains. This almost certainly ends this case in practice, as few if any advertisers will find it worth continuing the case on their own. This ruling also takes us closer to the end of litigation wars over parked domains.

The advertisers sued Google for placing AdWords ads on parked domains and error pages and not adequately disclosing these facts.

The court finds standing under both California UCL/FAL and Article III based on the named plaintiffs' allegations that they bought advertising they wouldn't have bought if they knew where Google was going to put it. This was also good enough to confer standing for the unnamed plaintiffs; the court says that "where one class representative in a UCL or FAL class action has already established Article III standing, the court need not analyze the standing of unnamed class members."

The court also finds numerosity, typicality, adequacy, and commonality (on the question of “whether Google’s alleged omissions were misleading to a reasonable AdWords customer”). However, the court rejects class certification on predominance grounds. Even though there are common legal questions among the advertisers, their idiosyncratic factual questions are more important than the common legal questions. Specifically, because only some advertisers were financially harmed by Google's placement of ads on parked domains and error pages, the court would have to investigate each advertiser's results to determine if restitution were appropriate. Further, because each click was auctioned off and sold for a constantly changing price, it would be hard to calculate the "but for" pricing that advertisers would have paid. Plus, not every advertiser is seeking click conversion; presumably (although not articulated in the court's opinion) some advertisers compute their bids on the branding value of ads. The court thus concludes this discussion by saying "any effort to determine what advertisers “would have paid” under a different set of circumstances requires a complex and highly individualized analysis of advertiser behavior for each particular ad that was placed."

To fix this problem, advertisers' counsel suggested a variety of restitution formulae that relied on blanket assumptions applicable to all advertisers. The court rejects these categorical approaches, saying "[s]ince the purpose of restitution is to return class members to status quo, the amount of restitution due must account for the benefits received from ads placed on parked domains and error pages." This too requires a per-advertiser assessment.

Google continues to make substantial progress cleaning up its AdWords litigation docket. Recently, it got rid of Woods v. Google over click fraud and improper pricing discounts; it defeated class certification in FPX v. Google over trademark triggering; and the Ninth Circuit upheld its settlement of the CLRB Hanson case. Even so, it's also clear that litigation forays by advertisers will be a perennial aspect of Google's life going forward; partially due to Google's occasional corner-cutting, but mostly due to advertisers' wish that they could get unlimited traffic at no cost. Then again, the plaintiffs' bar will be sharing some of that joy with Facebook too.

This lawsuit was just one of several lawsuits over the legitimacy of parked domains. I've criticized Google before for its AdSense for Domains program, which fosters an ecosystem that motivates questionable domain name registrant behavior while providing little if any real value to consumers. From my perspective, it's pathetically anachronistic that Google still offers its parked domain program--what is this, 2004? Time for Google to grow up a little more.

While I think it's sad Google can't wean itself from the questionable revenues it derives from its parked domains program, I think it's even sadder to see plaintiffs trying to attack the parked domains ecosystems using proxy defendants like intermediate service providers rather than just going after the domain name owners directly. See, e.g., Vulcan Golf v. Google; In re Yahoo; uBid v. GoDaddy; etc. Let's hope this ruling discourages plaintiffs from bringing future proxy battles over parked domains.

Posted by Eric at 09:24 AM | Domain Names , Licensing/Contracts , Marketing , Search Engines | TrackBack



December 28, 2011

Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh

[Post by Venkat Balasubramani]

Eagle v. Morgan, 11-4303 (E.D. Pa.; Dec. 22, 2011)

Background: Dr. Linda Eagle, who holds a Ph.D. in communication and psychology, teamed up with Clifford Brody and founded Edcomm. They were later joined by Davi Shapp. Eagle maintains a reputation in the field of “banking training,” and has “cultivated relationships with thousands of individuals and organizations.” In October 2010, Sawabeh Information Services entered into an agreement with Eagle, Brody, and Shapp to purchase Edcomm. Sawabeh proposed to retain the three as executives, but abruptly terminated them in June 2011. This prompted a flurry of litigation.

The Lawsuits: Eagle sued the principal of Sawabeh and others working in concert with them (in Pennsylvania), alleging that defendants improperly accessed and continued to use Eagle’s LinkedIn account. Defendants turned around and asserted counterclaims, alleging that Eagle misappropriated a telephone number that had been assigned to Edcomm and improperly caused AT&T to transfer this number to Eagle personally. Defendants also asserted that Eagle misappropriated a laptop, as well as the LinkedIn “connections” associated with Eagle’s LinkedIn account (which defendants allege was maintained by Edcomm for Edcomm's benefit).

In a separate lawsuit (in the Southern District of New York), Sawabeh asserted securities fraud and breach of contract claims against Eagle, Brody, and Shapp, alleging that the principals failed to disclose Edcomm’s obligation to make a substantial severance payment to Brody, and further failed to disclose that Edcomm transferred all of its IP to Brody in an earlier transaction. In this lawsuit, the court recently denied a motion to dismiss brought by defendants. (Sawabeh v. Brody, et al., 11-civ-4164 (S.D.N.Y.; Dec. 16, 2011).) [For some unknown reason, the courts don't seem to have a problem with the maintenance of two separate lawsuits arising out of the same transaction. I would have thought that consolidation was a no-brainer here.]

The parties have widely divergent views on the background facts, so it's hard to assess the viability of the claims. For example, Edcomm alleges that it created and maintained LinkedIn accounts for its employees, and as a matter of policy, employees were expected to turn over their LinkedIn accounts when they left Edcomm. Eagle disagrees, but also has to contend with a very unhelpful fact: Eagle committed the ultimate no-no and provided her LinkedIn password to someone at Edcomm.

(For what it’s worth, this looks like the account in question. The court entered a TRO prohibiting defendants from accessing the LinkedIn account. The order expired of its own accord, and none of the filings in the docket reflect any additional action by the parties with respect to this issue. Although it’s hard to tell, judging from the account, it looks like Eagle continues to use the account and defendants likely agreed to not interfere with this usage.)

Motion for Judgment on the Pleadings as to the Counterclaims:

Computer Fraud and Abuse Act: The CFAA claim was premised on Eagle’s alleged improper access of Edcomm’s AT&T account and misappropriation of Edcomm’s number. The claim is somewhat strange in that it doesn’t really identify what computer Eagle gained “unauthorized access” to. The court seizes on this and says that, in simpler terms, the counterclaims allege Eagle walked into an AT&T store and convinced AT&T to transfer Edcomm’s number to her--this does not involve the "access" of any computers. Along the way, the court also tackles the issue of whether Edcomm sufficiently alleges damages, and whether Eagle’s access was truly “without authorization” because she was once an employee of Edcomm and ostensibly had authorization to access the account. As to damages, the court says that Edcomm’s allegation that it suffered loss of business relationships as a result of Eagle’s transfer of the number does not count towards the jurisdictional threshold (“Nothing in these allegations avers any loss related to the impairment or damage to a computer or computer system, any remedial costs of investigating or repairing computer damage, or costs incurred while the computers were inoperable.").

Trade Secrets: The trade secret claim had a fatal weakness in that it was premised on information that obviously was not a trade secret: (1) the AT&T account information, and (2) the identities of clients and instructors. Eagle persuasively argued that Edcomm’s website disclosed the identity of more than 1,000 clients and the instructor identities were publicly available on their LinkedIn profiles. The court also says that the AT&T account information could not be a trade secret because it doesn’t have any “independent economic value” that would be of use to competitors. The arguably valuable asset in question is the telephone number, and there’s nothing secret about this.

Conversion: The conversion claim was premised on Eagle’s retention of a laptop allegedly belonging to Edcomm. The court allows this claim to proceed.

Misappropriation: The misappropriation claim can either be misappropriation of a trade secret or misappropriation of an “idea.” The court says that the misappropriation based on trade secrets must fail based on the court’s conclusion that Edcomm failed to specify any protectable trade secrets. The court however declines to dismiss the “misappropriation of an idea” claim. The parties had conflicting allegations as to whose investment generated the content on the LinkedIn account. Given these conflicting allegations, the court declines to grant judgment on the pleadings on the misappropriation claim.

Tortious Interference: The court dismisses the remaining claims. Edcomm asserted that Eagle interfered with the contract between AT&T and Edcomm, but the court says that Edcomm failed to adequately allege specific intent and damages. Eagle cared about the number, and the contractual relationship between AT&T and Edcomm was incidental to the number (it's unclear this was terminated anyway). Edcomm also argued that Eagle interfered with relationships with prospective clients, but the court dismisses this claim on the basis that Edcomm’s allegations were speculative. Edcomm failed to point to “one potential contract that would . . . have materialized” absent Eagle’s alleged interference. (The court declines to dismiss an unfair competition claim but this claim piggybacks on the misappropriation claim.)
__

The dispute raises interesting issues, and as with the PhoneDog, OMGFacts, and Maremont cases, illustrates the difficulty of neatly categorizing social networking accounts and the goodwill in those accounts. The obvious question is whether the parties had an agreement addressing Eagle’s competitive efforts and use of her contacts. Judging by the fact that the parties did not mention any contractual terms, it’s fair to say that there was no written agreement dealing with Eagle’s competitive activities. This is somewhat surprising, given that Edcomm was acquired, and to the extent the key assets in the acquisition were human resources, the parties should have had an agreement in place addressing Eagle's post-acquisition competitive activities.

It looks like the vagaries of Pennsylvania law may have made it harder to bring a conversion claim based on the phone number (the court footnotes that conversion claims are limited to tangible personal property), but at least one court has held that phone numbers can be subject to conversion claims. (Can a Telephone Number Be the Subject of a Conversion Claim?, discussing Staton Holdings, Inc. v. First Data Corp, 2010 U.S. Dist. LEXIS 48688 (N.D. Tex. May 11, 2010).) Given the current rules on phone number portability, to the extent they are freely transferable, it seems like phone numbers are increasingly similar to domain names, which can form the basis of conversion claims.

The fight over the LinkedIn account was probably the most interesting, but there is little discussion about the fact that LinkedIn terms restrict usage of log-in credentials to the person who created the account. (Eagle's sharing, and Edcomm's access, likely violated LinkedIn's terms, as a technical matter.) Also, LinkedIn distinguishes between “company accounts” and “personal accounts.” Personal accounts seem by design to be akin to resumes, and while it makes sense for someone to be restricted from exploiting their contacts for competitive purposes, the personal accounts don’t lend themselves to use by the company. Neither the court nor the parties focuses on this. As an afterthought, my instinct is that parties are often misdirecting their energies with fights over “who owns contacts.” Contacts are personal, and particularly in the social networking context, I would think it would be difficult for one person to take advantage of another person’s contacts. I could see Edcomm sending out a spam message to Eagle’s LinkedIn contacts, announcing that Eagle is no longer with the company and prospective customers should contact Edcomm directly, but apart from this, is it really realistic for Edcomm to continue to exploit Eagle’s contacts?

Although it's tough to say since the case is at the initial stages, the lawsuit in Pennsylvania seems like a small part of the overall dispute, which includes the litigation in the Southern District of New York. In the Southern District case, Sawabeh alleges fraud on the part of Eagle and her cohorts; if the fraud and misrepresentation claims are successful, they will likely dwarf the effect of the battle over the LinkedIn contacts and phone number. Any victory that is achieved in the Pennsylvania litigation may turn out to be pyrrhic, depending on how the New York litigation pans out.

Posted by Venkat at 10:52 AM | Licensing/Contracts , Trade Secrets , Trespass to Chattels



December 19, 2011

Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook

By Eric Goldman

Fraley v. Facebook, Inc., 2011 WL 6303898 (N.D. Cal. Dec. 16, 2012)

Because Facebook does so many things that aren't in users' interests, their "Sponsored Stories" program barely registers. Nevertheless, Sponsored Stories demonstrates why many people are burned out on Facebook. Facebook collects user preferences through its semantically ambiguous "like" button and then uses that data to show ads to the users' friends with a seeming endorsement. Using my preferences does little to advance my relationship with my friends, but the implicit endorsement is designed to get my friends to investigate the ads, increasing the advertiser's credibility and Facebook's profits. So Sponsored Stories creates a zero-sum game: I as a user probably don't get any value from the public presentation of my implicit endorsement (if anything, it might hurt my position with my friends), but Facebook and its advertisers benefit from it.

My response to Facebook's rollout of Sponsored Stories was swift and decisive: I don't "like" any businesses on Facebook or do any other activities on Facebook that I believe can trigger a Sponsored Story. (I would also categorically opt-out of being a part of Sponsored Stories if Facebook actually let me decide what I want to share with my friends, but Facebook doesn't). Instead, if I want to make a commercial recommendation to my friends--something I do occasionally--I just share it directly in my status report. That way, I control the message I deliver to my friends, instead of letting Facebook or advertisers control how they communicate my interest to my friends. And the zero-sum nature of Facebook's offering drives a deeper wedge into my relationship with Facebook, making me less willing to use Facebook generally and more receptive to alternatives.

To me, this marketplace response is adequate. To plaintiffs' lawyers, however, Sponsored Stories gives another reason for a litigation fiesta. Remarkably, unlike so many other "privacy" lawsuits against Internet companies, this lawsuit survives the motion to dismiss--dramatically increasing the odds that Facebook will be writing a check for this so-called "feature."

This is a rich and interesting opinion by Judge Koh that has something for everyone to "like" (or dislike). Some of the highlights:

Article III Standing

In a ruling that bucks a mini-trend, Judge Koh upholds the case from an Article III standing challenge. She says that violation of a statutory right (in this case, California's publicity rights statute) automatically satisfies the actual harm requirement of Article III standing. The plaintiffs also satisfied the "particularized" and "concrete" requirements of Article III by explaining how the Sponsored Stories feature used their information.

She explicitly distinguishes numerous defense-side Article III wins (including her own recent iPhone application litigation and Low v. LinkedIn decisions) by noting the particular nature of the plaintiffs' publicity rights claim. In this case, unlike the others, the plaintiffs are claiming that their endorsement had commercial value to help sell goods to others, compared to the situation in the prior cases where the commercial value of a user's data came from theoretically improved marketing to the user him/herself. She says:

Plaintiffs here do not allege that their personal browsing histories have economic value to advertisers wishing to target advertisements at Plaintiffs themselves, nor that their demographic information has economic value for general marketing and analytics purposes. Rather, they allege that their individual, personalized endorsement of products, services, and brands to their friends and acquaintances has concrete, provable value in the economy at large, which can be measured by the additional profit Facebook earns from selling Sponsored Stories compared to its sale of regular advertisements.

She says later:

Plaintiffs assert that they have a tangible property interest in their personal endorsement of Facebook advertisers’ products to their Facebook Friends, and that Facebook has been unlawfully profiting from the nonconsensual exploitation of Plaintiffs’ statutory right of publicity. Thus, in the same way that celebrities suffer economic harm when their likeness is misappropriated for another’s commercial gain without compensation, Plaintiffs allege that they have been injured by Facebook’s failure to compensate them for the use of their personal endorsements because “[i]n essence, Plaintiffs are celebrities—to their friends.”

Clearly, Judge Koh is making a tricky intellectual move, and I bet it's going to make some privacy advocates unhappy. There is unquestionably a street value to data about a person to improve the marketing to that person, just as there is unquestionably commercial value in gaining an endorsement from a consumer. It's awkward to recognize one value and not the other. (Of course, in many of the precedent cases, there was only the possibility of data leakage; there wasn't actually a showing that any marketer had bought the leaked data for commercial reuse).

However, Judge Koh's fancy footwork rips open only a very small hole in the Article III jurisprudence. Her exception only applies where there's a statutory publicity rights claim, and only when the defendant made a commercially-motivated endorsement. I'm sure we'll see plaintiffs advance claims to take advantage of this ruling, but few plaintiffs will be able to style their claims accordingly.

In another tricky intellectual move, Judge Koh distinguishes Cohen v. Facebook, which dismissed a publicity rights claim based on Facebook's "Friend Finder" service, because this case showed a more direct connection between the friend's endorsement and the commercial value derived by Facebook. She also implies the lawyers did a better job here than in Cohen. I didn't fully understand this distinction other than Judge Koh's desire to reach a different result without disturbing the Cohen precedent.

47 USC 230

Facebook's 230 defense is tricky. First, it seeks to invoke the defense against a publicity rights claim, which the 9th Circuit said was possible in Perfect 10 v. ccBill in a controversial statutory reading that has been rejected by every other court outside the Ninth Circuit. Judge Koh doesn't touch that issue.

Second, Facebook seeks 230 protection for the ad copy it created automatically. The ad is based on a user action, the "Like," plus various pieces of user content, but Facebook assembles it all into a package that the user never sees, blesses or necessarily even wants. We've had some other cases upholding 230 when a service provider is so intimately involved with creating the final content, such as the Carafano case, but Facebook is clearly playing at the edge of the statutory immunity.

Judge Koh rules that Facebook is over that line and doesn't get the immunity. Unfortunately, she does so by saying that Facebook is partially the information content provider of the ads in question. She references the dispositive allegations:

Plaintiffs allege that Facebook creates content by deceptively mistranslating members’ actions, such as clicking on a ‘Like’ button on a company’s page, into the words “Plaintiff likes [Brand],” and further combining that text with Plaintiff’s photograph, the company’s logo, and the label “Sponsored Story.” ... Plaintiffs allege that they themselves have no control over whether to post a particular company’s name or logo, and that Facebook maintains sole control over whether to display a Sponsored Story at all.

Personally, I'd be much more sympathetic to Facebook's position if users had the specific ability to "like" a business page without simultaneously authorizing the Sponsored Story. Because Facebook's controls are insufficiently granular, Facebook automatically interprets a "like" as both a statement of user attitudes and as a green light to create the Sponsored Story. In contrast, imagine that when a user "liked" a business page, Facebook prepared the ad copy for the Sponsored Story, presented it to the user, and asked the user if the user wanted to publish the ad copy to his/her friends. At this point, I would feel much more strongly that the ad copy really was the user's words. Naturally, Facebook doesn't give users this level of control over the words being put into their mouths.

On the other hand, consider an alternative example where a website both publishes UGC on its site and then syndicates the content to third party sites. It's my position that the website gets 230 for both acts of publication, even if the user never expressly green-lighted the syndication (so long as the user-to-website license permitted the syndication). See, e.g., Prickett v. infoUSA. Based on Judge Koh's explication, I'm not exactly sure why Facebook crossed the 230 line while some of these other situations probably don't.

Facebook responded that its activities didn't make it a content provider but just represented traditional editorial functions. The court rejects the argument, citing this allegation:

Plaintiffs allege not only that Facebook rearranged text and images provided by members, but moreover that by grouping such content in a particular way with third-party logos, Facebook transformed the character of Plaintiffs’ words, photographs, and actions into a commercial endorsement to which they did not consent.

In the context of this case, I see her point. Sadly, the opinion's wording will give false hope to a slew of plaintiffs who will argue that the website's presentation of third party content constituted some type of unauthorized endorsement. It will take a few cases to burst the plaintiffs' bubbles about a new exception to 230.

The Statutory Publicity Rights Claim (CA Civil Code 3344)

Facebook took a few cracks at the claim, all of which were unsuccessful:

Newsworthiness. The publicity rights statute does not restrict using someone's personality "in connection with any news." This is a backdoor First Amendment defense, as what constitutes news tracks First Amendment jurisprudence on "matters of public interest." This defense seemed like a hail-mary for Facebook--a user "liking" a page is clearly "new" information to the marketplace, but it's not "news" in either the traditional or First Amendment sense. The court seems unimpressed, saying that even if a user "liking" a commercial product is news to that user's social network, using that information commercially drops out of the exception. I wasn't persuaded by the judge's distinction here, but then again Facebook's argument about what constituted "news" was obviously tendentious.

I was a little disappointed that Judge Koh sidestepped some interesting lurking issues about what is "news" in the modern environment, where all of us are publishers to our local communities and we as publishers can have significant clout in a small community. Some academic literature in the 1990s discussed these issues in the Internet context, but it might be worth revisiting as a paper topic. Judge Koh also sidestepped the intellectually interesting issue of whether opinions about marketplace goods are "newsworthy," something that I strongly believe to be the case in the context of anti-SLAPP laws.

Consent. Facebook argued that users consented to Sponsored Stories as part of its terms of use. The plaintiffs retorted that Sponsored Stories didn't exist when they signed up, so they couldn't have consented to it. The court says there's a factual dispute which prevents a motion to dismiss.

Injury. Facebook argued that non-celebrities have to show economic injury as part of their 3344 prima facie case. The court rejects this distinction, saying "[i]n a society dominated by reality television shows, YouTube, Twitter, and online social networking sites, the distinction between a “celebrity” and a “non-celebrity” seems to be an increasingly arbitrary one." Furthermore, the plaintiffs did allege injury by showing that their endorsements were valuable to Facebook, which helps distinguish this case from the Cohen "Friend Finder" precedent. I liked this quote:

While traditionally, advertisers had little incentive to exploit a non-celebrity’s likeness because such endorsement would carry little weight in the economy at large, Plaintiffs’ allegations suggest that advertisers’ ability to conduct targeted marketing has now made friend endorsements “a valuable marketing tool,” just as celebrity endorsements have always been so considered.

For more on this point, see my Online Word of Mouth paper.

Unfair Competition Law (UCL)

Normally, we'd expect the UCL claim to be tossed because the plaintiffs can't make the required showing that they lost "money or property." Numerous Internet privacy cases have reached that conclusion. Judge Koh makes the same intellectual move she did with Article III standing, saying that publicity rights are different than other privacy torts. She says: "[t]o the extent Plaintiffs allege they can prove that their endorsement of commercial products to their Facebook Friends has concrete, quantifiable value for which they are entitled to compensation, the Court finds that Plaintiffs have properly alleged loss of money or property for purposes of establishing standing under the UCL." I wonder if plaintiffs can make that showing because there's no existing market for consumer-to-consumer endorsements, but it's enough to survive the motion to dismiss. In particular, she says California's statutory damages for publicity rights violations aren't enough to demonstrate the value of the endorsements.

Judge Koh also concludes that plaintiffs properly alleged that Facebook's activities were unlawful, unfair and fraudulent (in the latter case, because Facebook allegedly overclaimed users' abilities to opt-out of Sponsored Stories).

Unjust Enrichment

Recent caselaw makes it even clearer that there's no separate cause of action for unjust enrichment; instead, it's just a synonym for restitution. As a result, the court tosses this claim.

Conclusion

This is not a good ruling for Facebook, but I can't really feel too sorry for it. Facebook has been playing fast-and-loose with the law in many different contexts (see, e.g., its FTC bust), and Sponsored Stories is no different. Before rolling it out, Facebook surely knew that the Sponsored Stories offering was on murky legal ground. It can't be surprised that it didn't get an easy dismissal.

Even so, if it gets that far, Facebook may yet win this case. Judge Koh has made it clear that she's a tough customer, but Facebook has plenty of power to its remaining arguments. Nevertheless, I'm reasonably confident it won't get that far. Given the importance of maximizing ad revenues and its desire to clean up legal issues in advance of an IPO, it seems more likely that Facebook will cut a deal with plaintiffs' counsel. I imagine Facebook might try to do a settlement like the Facebook Beacon settlement that results in minimal restrictive covenants, a chunk of money into the lawyers' hands, and a chunk of money that doesn't get into users' hands but instead goes into something like Facebook's privacy foundation.

UPDATE: Facebook is blazing ahead with its Sponsored Stories offering, moving the Sponsored Stories module into the newsfeed instead of on the side. (And with almost-invisible disclosure that it's an ad). Surely this means Facebook plans to win this lawsuit or to settle up. I'm voting the latter.

Posted by Eric at 09:10 AM | Licensing/Contracts , Marketing , Publicity/Privacy Rights | TrackBack



November 21, 2011

Can A Copyright Be Assigned By Email?--Hermosilla v. Coca-Cola

By John Ottaviani with comments from Venkat and Eric

Vergara Hermosilla v. The Coca Cola Company, No. 11-11317 (11th Cir. Nov. 3, 2011).

Can a copyright be assigned by an exchange of emails? Section 204(a) of the Copyright Act provides that a transfer of copyright ownership is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or by such owner’s duly authorized agent. The 11th Circuit has recently affirmed a lower court’s decision that an exchange of emails was sufficient to constitute a contract to assign a copyright. The court’s decision, however, does not seem to adequately address whether the email exchange satisfies the “writing” requirement in Section 204.

Background

The dispute arises out of Coca Cola’s worldwide marketing campaign for the 2010 FIFA World Cup soccer tournament. As part of its advertising campaign, Coca Cola enlisted recording artist K’Naan to create a new version of his song “Wavin’ Flag,” and called the new version the “Celebration Mix.” Coca Cola had certain lyrics in the “Celebration Mix” adapted and sung in different languages by local artists and K’Naan. In 2009, Coca Cola contacted Jose Puig, a representative of Universal Music Latin America, to produce a Spanish version of the Celebration Mix. The Spanish lyrics were to be sung by David Bisbal, a Spanish language singer. Puig was referred to the plaintiff, Rafael Vergara Hermosilla, in November 2009. Vergara adapted the Celebration Mix into Spanish, and subsequently delivered the Spanish lyrics to Puig in December 2009. A dispute later arose over Vergara’s compensation for the adaptation.

Puig and Vergara negotiated a settlement. After a phone conversation about the terms of the deal, Vergara wrote this email:

[B]ecause I am a man of my word and honor, that is not moved by economic motives, my only request is the my credits are respected as producer and adapter of the Spanish version (that every time the name of any composer of this version appears, my name appears as adapter), and obviously, the credits for the production that are detailed in the invoice sent for this production, which I have detailed below.

For the adaption, you may consider it a work for hire with no economic compensation to that respect. I believe what’s legal is a dollar.

I hope this leaves clear what my work was and what my good intentions were from the beginning.

The next day, Puig responded by email to Vergara to the effect that “You can count on the credits on the track. I am resending you the contract.”

Puig subsequently sent draft contracts confirming the assignment, but inadvertently omitted the provisions that would give Vergara the credits. So Vergara rejected what he characterized as his “proposal” and filed a lawsuit in the Southern District of Florida to enjoin Coca Cola from using the Spanish version of the Celebration Mix without giving him proper credit.

After initially enjoining Coca Cola in May 2010 from disseminating the Spanish version of the Celebration Mix without giving credit to Vergara as the adapter, in February 2011 the District Court granted a summary judgment in favor of Coca Cola. The district court found that the e-mail exchange constituted an assignment by Vergara of his copyright in the adapted lyrics. The court characterized the exchange of emails as an offer and acceptance, “and at that moment the deal was made irrevocable.” The court determined that Puig’s sending of formal contracts that did not reflect all of the terms of the earlier emails was not a “counteroffer which is labeled as an acceptance, but adds new terms” (which typically is not binding under Restatement (Second) of Contracts §59), but was an offer to modify an existing contract. Although Vergara rejected this offer, the court found that this did not impact the initial agreement to assign the copyright.

In a brief aside, the district court also recognized that Section 204 of the Copyright Act requires a signed writing for a conveyance. However, the district court simply noted without discussion that “Courts have found emails to constitute signed writings.” (citing Lemel v. Mattel, Inc., 394 F.3rd 1355 (Fed. Cir. 2005) and the federal E-Sign Act).

11th Circuit Decision

The 11th Circuit opinion is relatively short and to the point. After reciting the facts, the 11th Circuit found that, under Florida law, “the record established without dispute that Vergara assigned his copyright interests to Universal.” The court used a traditional contract analysis to characterize Vergara’s e-mail as an offer and Puig’s e-mail as an unconditional acceptance, which together were effective to create a contract.

Discussion

Unfortunately, while the 11th Circuit found that the e-mail exchange constituted a binding contract under Florida law, the court did not address whether the e-mail exchange constituted a “writing” for purposes of Section 204 of the Copyright Act. Prior to the adoption of the E-Sign law, courts differed as to whether an e-mail exchange would satisfy the writing requirements of Section 204. Section 7001(a)(2) of the federal E-Sign Act, which was enacted in 2000, provides in relevant part that “a contract relating to [a transaction in or affecting interstate or foreign commerce] may not be denied legal effect, validity, or enforceability solely because an electronic signature or an electronic record was used in its formation.”

Few courts have addressed what constitutes a "writing" for purposes of E-Sign. Earlier this year, the Arkansas Supreme Court found that a waiver of coverage in an online insurance application constitutes a "writing" for purposes of the Arkansas insurance law requiring such waivers to be in writing. In 2010, the federal district court in Colorado found that an e-mail summary of a settlement meeting could constitute a "writing" for purposes of the Colorado Statute of Frauds, but that the summary could not be enforced as a contract because it was written by an administrative assistant and was not "subscribed by the party to be charged."

But does E-Sign apply to transactions involving transfers of copyrights? Professor Nimmer notes that “[n]othing about the ESIGN Act overtly mentions copyrights in particular or other federal enactments in general.” He further notes that E-Sign does purport to apply “to any transaction in or affecting interstate or foreign commerce,” with some exceptions. It remains to be seen, then, whether courts will treat e-mail as having sufficient formalities to satisfy the writing requirement in Section 204 of the Copyright Act.

The 11th Circuit decision also ignored the fact that Vergara’s email characterized the adaptation as a “work made for hire.” Would the decision have come out any differently if analyzed under the “work made for hire” provisions? Probably not. Under Section 101 of the Copyright Act, certain works qualify as a work made for hire if “the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire.” The court did not discuss the question whether the adaptation qualified as one of these specially ordered works (at best it might be viewed as a part of an audio visual work, or as a translation, but probably not). Even if the adaptation did qualify as a work that could potentially be a “work made for hire,” does the exchange of emails constitute “a written instrument signed by them?” I find it harder to classify the exchange of e-mails as an “instrument” within the meaning of the work made for hire definition. This may be why the 11th Circuit decided the issue on contract grounds, but it would have been nice to have some analysis of this issue.
_________

Comment from Venkat:

This is a great post by John that delves into the interplay between the federal ESIGN Act and the Copyright Act. I wonder whether an email disclaimer would have affected the analysis. There’s been a lot written on the efficacy and the desirability of email disclaimers in other contexts, but I wonder if an email disclaimer that said

Nothing in this email is intended as an offer and the author disclaims any intention to make an offer or create an enforceable agreement through any email messages. Any agreement with the author of this email must be in a signed paper document!

would have protected Hermosilla? I’m guessing the court would have said that Hermosilla’s unequivocal intent to reach an agreement trumped anything in an email disclaimer. It may not have been useful here, but it would be useful in other contexts, such as where people exchange email messages in an attempt to settle a dispute and one party tries to use an email along the way to say that the parties reached a settlement and tries to enforce a settlement on this basis. I’m not a fan of email disclaimers, but this type of a disclaimer may be worth exploring.
_________

Eric's comments.

To me, the legal doctrine in this case seems pretty straightforward. If the parties formed a contract or did a proper contract amendment, the fact that the contract was made via email should satisfy the Section 204 "writing" requirement per E-SIGN/UETA. After all, Section 204 is a statute of frauds, and E-SIGN/UETA were designed to say that emails satisfy the statute of frauds. See, e.g., the many real estate cases reaching this result and John E. Theuman, Satisfaction of Statute of Frauds by E-Mail, 110 A.L.R.5th 27 (2003). I don't see any reason why copyright law would be handled differently under E-SIGN or UETA. My analysis is the same for the "work for hire" statute of frauds.

For me, the harder part is whether the email exchange properly formed a contract/contract amendment and, if it did, if Coca-Cola (or its assignor) violated one of the contractual conditions such that their failure to perform negated the contract. If this situation didn't have a whiff of the content creator changing his mind with venal intent, I think other courts might have been more sympathetic on that point.

Posted by John Ottaviani at 08:50 AM | Copyright , E-Commerce , Licensing/Contracts | TrackBack



November 10, 2011

Court Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz

[Post by Venkat Balasubramani]

PhoneDog v. Kravitz, 2011 WL 5415612 (N.D. Ca.; Nov. 8, 2011)

Another day, another post-employment dispute over a social media account.

In this case, Noah Kravitz worked for PhoneDog, which is an "interactive mobile news and reviews web resource." Kravitz worked as a reviewer and video blogger. He used the "@PhoneDog_Noah" twitter account, and it amassed approximately seventeen thousand followers. When he left, PhoneDog asked for the account "back" but he demurred, instead changing the account handle from @PhoneDog_Noah to "@noahkravitz". PhoneDog sued, asserting claims for (1) misappropriation of trade secrets, (2) interference with economic advantage; and (3) conversion.

Trade secret claim: Kravitz argued that there was no "trade secret" information, because the followers of the account are not secret and are publicly discernable. The passwords, he argued, merely allow an individual logging on to the account to view the publicly known follower information. He also argued that PhoneDog did not adequately safeguard the password information and treat it as a trade secret. The court punts on the issue and says:

PhoneDog has sufficiently described the subject matter of the trade secret with sufficient particularity and has alleged that, despite its demand that Mr. Kravitz relinquish use of the password and Account, he has refused to do so. At this stage, these allegations are sufficient to state a claim. Further, to the extent that Mr. Kravitz has challenged whether the password and Account followers are trade secrets and whether Mr. Kravitz's conduct constitutes misappropriation requires consideration of evidence beyond the scope of the pleading.

Economic advantage claim: The court rejects the interference with economic advantage claim, saying that PhoneDog's allegations were muddled on this issue. It was unclear as to whether PhoneDog was saying Kravitz interfered with PhoneDog's relationship with account followers or with its subscribers or consumers more generally. The court also says PhoneDog failed to connect the dots with respect to any harm based on advertiser relationships, or even any economic harm generally. [I hope PhoneDog was not making a claim based on its vicarious relationship with followers of the @PhoneDog_Noah Twitter account--we all know how tenuous social media relationships are!]

Conversion: The court declines to dismiss the conversion claim, saying that PhoneDog alleged it had the right to possession over the account, and "the nature of that claim is at the core of this lawsuit and cannot be determined on the present record."

__

This is the scenario that many people speculated about when Rick Sanchez left CNN--would Sanchez get to keep his Twitter account? ("Who 'Owns' A Twitter Account: Employer Or Employee?") Sanchez ultimately kept the account and changed the name. (See: "Ex-CNN anchor Sanchez keeps his Twitter account, changes the name.") I don't think this decision does much to move the needle either way, as it punts on the bulk of the issues.

I end up somewhat skeptical on both of PhoneDog's remaining claims.

Was the password really a trade secret? Is an account's follower list a trade secret? Social media account information does not fit nicely within the trade secret box. "Customer lists" historically were a classic trade secret, but when customer lists are now published publicly and capable of being mined, does that concept go away? Even if the list were public, could anyone "download" the list? Could Noah have contacted the list any other way than through the account that he's supposed to turn over? What if Noah had posted a "goodbye" tweet saying "follow me at [new account name]"? With respect to the conversion issue, the court's analysis was disappointingly brief. It's interesting that, in this case, PhoneDog has its own Twitter account and this particular account was one set up specifically for Kravitz--it's not as if he took the company's one and only Twitter account. One other claim you often see discussed in this context is a trademark-based claim. Kravitz likely averted these by changing the name of the account, and presumably removing any PhoneDog branding elements.

The takeaway is to have a written agreement that governs this issue! I blogged about a case last month where a court resolved a social media/account ownership issue in favor of the employer, relying on a written agreement. ("Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell.")

A somewhat interesting aspect of the dispute arose over the value of the Twitter account and followers, which was relevant to the issue of whether PhoneDog's claim for damages got over the $75,000 hurdle. (It had to satisfy the $75,000 jurisdictional threshold for diversity jurisdiction.) PhoneDog said it suffered $340,000 in damages. The account had 17,000 followers, "which according to industry standards, are each valued at $2.50." [I must admit that this caused an eyeroll.] PhoneDog said this translated into a monthly damage amount of $42,500 "for each month that [Kravitz] used the account." Kravitz on the other hand said that Twitter followers have discretion to subscribe or unsubscribe and therefore this valuation was suspect. He also argued that the value in any Twitter account "comes from . . . efforts in posting tweets and [an] individual's interest in following . . . not from the account itself." According to him, there's no evidence that an account even with a significant number of followers has any ongoing value. The court does not resolve this issue, instead finding that PhoneDog alleged enough to get over the $75,000 jurisdictional threshold. These arguments really made me wonder whether the parties were spending money on the dispute in excess of the assets they were fighting over. As in many business break ups, emotions tend to run high. This was surely a contributing factor. This case has mediation written all over it.

Related posts:

"Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell."
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

Posted by Venkat at 07:13 AM | Licensing/Contracts , Trade Secrets , Trespass to Chattels



November 04, 2011

Stebbins' Lawsuit Against Google Dismissed as "Frivolous"--Stebbins v. Google

By Eric Goldman

Stebbins v. Google, Inc., 2011 WL 5150879 (N.D. Cal. Oct. 27, 2011). Stebbins' motion to confirm arbitration award (the equivalent of his complaint in this case).

Arkansas resident David Stebbins appears to be cranking up a one-man pro se/pro per litigation machine based on mockably tendentious legal arguments and outrageous damages claims ($500B in this and other cases). Last Spring, I blogged about his unsuccessful lawsuit against Walmart, which tried some too-clever legal arguments that ended up failing resoundingly.

In a separate set of actions, Stebbins sued Microsoft and Google based on an almost-too-bizarre-to-explain legal theory. It goes something like this: YouTube's contract allows unilateral modification (which, crucially, only lets YouTube unilaterally modify the contract, a point Stebbins didn't internalize), so Stebbins emailed a modification of the contract terms to YouTube that included an arbitration clause and an "I automatically win the arbitration if you don't respond" clause. He then disputed YouTube's handling of his account, sent them a proposal to arbitrate the dispute for $500B, and declared himself the arbitration winner (without an actual arbitration) when YouTube didn't respond in time. He then filed a federal claim to enforce the arbitration judgment even though there wasn't a judgment since there was no arbitration proceeding.

The magistrate judge recommended dismissing the claim as frivolous, but Stebbins didn't consent to proceeding before a magistrate. So the case goes to Judge Koh and, in a straight-laced opinion, she reaches the same result. She says:

there was no actual arbitration. That is to say, no arbitrator or arbitration panel actually awarded a judgment. Thus, there has been no arbitration proceeding and no award "made pursuant to [an] arbitration."

The court goes on to label Stebbins' filings "frivolous," "indisputably meritless" and "clearly baseless," concluding:

Plaintiff's claim is based on an indisputably meritless legal theory. Additionally...[i]t is fundamentally contradictory for Plaintiff to assert the existence of an arbitration award on the basis of a contract clause that states that no arbitration proceeding is to take place, and no award need be entered.

As I've suggested before, tendentious online contract formation claims do not fare well in courts. Even if the plaintiff can stitch together a theory of contract formation, judges quickly cut through any hyper-formalism to reach sensible results. If your contract formation theory depends on overly formalistic interpretations of contract law, don't be surprised if it will fail in court.

Posted by Eric at 12:45 PM | Licensing/Contracts , Search Engines | TrackBack



November 02, 2011

Yahoo Partially Defeats Lawsuit Over Wrongful Account Termination--Buza v. Yahoo

By Eric Goldman

Buza v. Yahoo, Inc., 2011 WL 5041174 (N.D. Cal. Oct. 24, 2011). The complaint.

Buza claims Yahoo terminated two GeoCities accounts related to his advocacy efforts. Buza is proceeding pro se, which is typical for user lawsuits over wrongful account termination. He sued Yahoo in state court. Yahoo tried to remove to federal court. In this ruling, Judge Seeborg dismisses the federal claims and sends the others back to state court. I'm sure Yahoo wished Judge Seeborg had cleaned out the case entirely, but I bet Yahoo will get there soon enough.

Buza claimed that Yahoo violated his First Amendment rights. As I explain in my article on wrongful account termination, plaintiffs often invoke the Constitution to get around any statutory immunities, but Constitutional claims routinely go nowhere. It's 100% clear that privately owned online service providers like Yahoo aren't state actors and therefore aren't restricted by the Constitution. The court says:

Buza's response that Yahoo!'s services should be seen as a "public forum" in which the guarantees of the First Amendment apply is not tenable under federal law. As a private actor, Yahoo! has every right to control the content of material on its servers, and appearing on websites that it hosts.

Similar recent cases in this vein include Young v. Facebook, Estavillo v. Sony and Jayne v. Google Founders.

Buza also brought an ECPA/SCA (18 USC 2701) claim for unlawful access to stored communications. The court dismisses because the restrictions don't apply to the service provider's access of those communications.

Having disposed of the federal claims, Judge Seeborg sends the case back to state court to deal with the remaining claims, which include a violation of California's state constitution, "intellectual property," trespass to chattels and breach of contract. The judge expresses some skepticism about some of these claims, but having decided he could quickly clean his docket of the case, he doesn't go any further than necessary to send the case back to state court.

My understanding is that Yahoo didn't raise a 47 USC 230(c)(2) defense, the federal immunity for service providers' filtering decisions. I explore this point in detail in my recent 230(c)(2) article. 230(c)(2) can't trump federal constitutional claims, but it should (?) trump state constitutional claims. 230(c)(2) doesn't apply to IP claims per a statutory exclusion, but the Ninth Circuit in Perfect 10 v. ccBill said that 230 trumps state IP claims (the judge says no federal IPs are at issue). The immunity likely trumps the trespass to chattels claim, although I don't recall seeing that issue tested before. And as I explain in my article, 230(c)(2) could very well trump the contract breach claim. (This judge could have also disposed of the contract claim based on express terms giving Yahoo the power to pull the plug on websites, but the state court judge will have to do that.)

Because the immunity is a federal statute, it would have been appropriate for the federal court to interpret its application to the state claims before remanding. This discussion suggests that had the immunity been raised, Judge Seeborg might have completely ended the case on 230(c)(2) grounds without sending anything back to state court.

Posted by Eric at 09:33 AM | Derivative Liability , Licensing/Contracts , Privacy/Security , Trespass to Chattels | TrackBack



October 19, 2011

Court Rejects Copyright Misuse Defense Against Apple and Affirms License Restrictions in OS X License Agreement -- Apple v. Psystar

[Post by Venkat Balasubramani]

Apple Inc. v. Psystar Corp., 10-15113 (9th Cir. Sept. 28, 2011) [pdf]

This is a dispute over whether Apple can enforce a restriction in its software license agreements which requires end users to run the Mac OS only on Apple computers. Short answer: yes.

Psystar sold "Open Computers," which were originally called "OpenMacs," and intended as cheaper alternatives for Apple computers. In order to allow these machines to run the Mac OS, Psystar "purchased" (licensed) a copy of the Mac OS X, installed this copy on a Mac computer, downloaded various updates, then made a copy of the software and transferred it to a non-Apple computer. Psystar then "added its own bootloader and kernel extensions to the software" on the non-Apple computer and this copy became the "master image." Psystar shipped "Open Computers" with a copy of the "master image" installed, but it also shipped an unopened copy of the Mac OS X which Psystar had purchased from a third party vendor.

Apple sued, alleging breach of contract, direct and contributory copyright infringement, trademark and trade dress infringement, and unfair competition claims. It also added a DMCA claim to the mix. Psystar counterclaimed, alleging copyright misuse. The district court found Psystar infringed and entered an injunction against it. Psystar asserted an antitrust counterclaim, but that claim was dismissed and Psystar didn't appeal that dismissal. Psystar also did not appeal the copyright infringement ruling.

Psystar argued that the language in the SLA which barred the use of OS X on non-Apple computers "impermissibly extend[ed] the reach of Apple's copyright."

The court starts by noting that the sale versus license distinction (most recently affirmed by the court last year in Vernor v. Autodesk) is "well established." According to the court, this distinction "has caused the use of software licensing agreements to flourish and become the preferred form of software transactions." Psystar argued that Apple sold, rather than licensed, its software to Psystar, but the court spends less than a page explaining that Apple makes its copies of OS X available as a license and not a sale.

The court focuses on the misuse defense. Copyright misuse is an affirmative defense to a claim for copyright infringement, and it was borrowed by courts from patent law. While the Ninth Circuit has recognized the misuse doctrine, it notes that it has been applied "sparingly." The purpose of the defense is to "prevent . . . holders of copyright from leveraging their limited monopoly to allow them control of areas outside the monopoly." The court says it upheld the defense in only one case and there the licensor prevented the licensee from using any other competing product. In another case (Triad Systems v. Southeastern Exp.), misuse was asserted as a defense against a claim of infringement against a service provider who made copies in the course of performing maintenance on the software. The court rejected the misuse defense and held that the service provider infringed when it made copies in the course of performing maintenance. Although a key part of Triad had been legislatively overruled by an amendment to section 117(c), the Ninth Circuit in this case reaffirmed Triad's holding that a license restriction only constitutes misuse when it expressly limits use with a competing product.

Psystar looked to a Fifth Circuit misuse case (Alcatel USA v. DGI Technologies) where the license agreement allowed for use of the software "only in conjunction with [licensor]-manufactured hardware." The court distinguishes Alcatel on the basis that, unlike the licensing agreement there, the OS X license agreement only restricted the use of Apple's software to its computers--third parties were free to develop operating systems for use on Apple computers.
__

This is a big win for Apple and one that, as Evan notes, "solidifies Apple’s approach to enforcing a controlled, closed ecosystem for the distribution of software used for Macs and iDevices."

It's a win for software companies as well, as it provides a resounding endorsement of Vernor. I keep wondering how Vernor v. Autodesk is going to play out. The court here does not spend much time debating the license versus sale issue, notwithstanding the fact that the software here was licensed to a less sophisticated consumer than in Vernor and there was no mention of possession, which was central in Vernor. In fact, there have been a few district court cases addressing the license versus sale issue post-Vernor, but in none of the cases did courts spend much time debating the issue of whether the transaction was a sale or license. Psystar appears to confirm that Vernor effectively shut the door on the use of the first sale doctrine in the software context (once the shrink-wrap comes off).

The case is also a significant limitation of the copyright misuse defense. This defense rarely gets play anyway, but the court's reading of it is narrow. The court notes that in order to constitute misuse, a limitation in a license agreement must "restrict [a] competitor's ability to develop [competing] software." In the Fifth Circuit case, Alcatel similarly argued that it only mattered whether there was an express limitation, but the Fifth Circuit rejected that argument, finding it key that the competitor "was effectively prevented from developing its product" because it did not have the freedom to test its systems with Alcatel's software. Alcatel did not look only to the express terms of the licensing agreement, but that's what the court does in this case. There's no discussion in this case of whether the limitations in the license agreement effectively limit the development of an alternative operating system.

There was also zero discussion of the effect of Apple's copy control mechanisms. Although the district court concluded that Psystar's use of "decryption software to obtain access to [the] operating system violated the DMCA," there's really no mention of this issue in the Ninth Circuit opinion.

I'm not sure what to make of the fact that Psystar did not appeal the copyright infringement ruling. I wonder if Psystar was thinking about making an argument that Psystar clients bought a copy of the OS X, so the shipment of the pre-installed version of the OS X was not an infringing distribution because it was merely an archival or back-up copy that the purchaser could have made him or herself. The fact that the transaction is deemed a license and not a sale put the kibosh on this argument. (See the MDY v. Blizzard case where the court held that section 117 was not available to licensees: "Ninth Circuit's Mixed Opinion in Glider/WoW Bot Case".) I don't think Psystar had a clean argument under section 117 anyway, given that the language of this section only applies to "exact copies," and the two versions of the OS X differed slightly.

I wonder if the result would have been different if Psystar merely distributed the pre-packaged version of the OS X and separately distributed the software components which the end user could use to install and run the OS X on whatever machine they desired? The limitation in the license agreement was fairly broad, and I wonder if the italicized portion could have more effectively supported a misuse argument:

This License allows you to install, use and run one (1) copy of the Apple Software on a single-Apple-labeled computer at a time. You agree not to install, use or run the Apple Software on any non-Apple labeled computer, or to enable others to do so.

Other coverage:

Evan Brown: Ninth Circuit: Apple did not engage in copyright misuse by restricting OS X to Apple hardware
Ars Technica: Appeals court: Apple can continue to restrict OS X to Mac hardware

Topically related posts:

Ninth Circuit's Mixed Opinion in Glider/WoW Bot Case -- MDY Industries v. Blizzard
Software Vendor Trumps First Sale Doctrine via License--Vernor v. Autodesk

Posted by Venkat at 09:08 AM | Copyright , Licensing/Contracts



October 18, 2011

Lawsuit Against Google Over Invalid Clicks and Special Partner Advertising Dismissed -- Woods v. Google

[Post by Venkat Balasubramani with comments from Eric]

Woods v. Google, 5:10-cv-1263-JF (N.D. Cal.; Aug 10, 2011)

This is an advertiser vs. Google lawsuit where the plaintiff argued on behalf of a putative class that (1) he was improperly charged by Google for "invalid clicks," (2) he did not receive a "smart pricing" discount that Google allegedly promised to all of its advertisers, and (3) Google entered into deals with "special partners" allowing the special partners "to place advertisements in ways that are prohibited to other . . . publishers." Here is Eric's recap of the complaint: "Another Advertiser Class Action Lawsuit Filed Against Google--Woods v. Google."

Invalid clicks: The crux of the "invalid clicks" claim was that generally applicable Google policies, FAQs, and explanations state that invalid clicks are prohibited, and advertisers would not be charged for invalid clicks. Woods argued that these policy statements were incorporated into the contract. According to the court, there are several problems with this argument. First, the agreement in place states that the advertiser's sole remedy is to seek a refund, and in order to do so, the advertiser must raise the issue within 60 days. Woods did not allege that he did either of these.

Second, whether a click is "invalid" is (according to the documentation cited by plaintiff) something that Google will determine (those clicks "that [Google] suspects may constitute click fraud"). According to the court, this means that Google was vested with discretion in determining whether a click was invalid, and there was no allegation in the complaint that Google "acted beyond its discretion" in administering this policy.

The final overarching problem with Woods's claim with respect to invalid clicks is that Woods cited to documentation outside the agreement and argued that statements made in the documentation were incorporated (as contractual terms) into the agreement. The court walks through the placement of the various statements and concludes that Google's "policy statements" regarding invalid clicks are not incorporated into the AdWords agreement. The AdWords agreement contained a statement that the "program" was "subject to all applicable Google and Partner policies, including without limitation, the Editorial Guidelines, Google Privacy Policy, and Trademark Guidelines, and Google and Partner ad specification requirements." Notwithstanding this "clear and unequivocal" statement of intent to incorporate "all applicable Google policies," the court declines to find that the policies are incorporated into the agreement because the "invalid clicks policy" which plaintiff pointed to was not "known or easily available to the contracting parties."

Special Partner sweetheart deals: Woods alleged that Google allowed its special partners to generate clicks in a way that its regular customers were not allowed to, but the court does not give this argument much credence.

"Smart Pricing" discount: Woods made a similar argument with respect to the smart pricing discount, arguing that language in the "Adwords Help Center" indicated that Google "promised to apply its Smart Pricing discount to all advertisements generated from its Adsense publishers." He did not argue that the help center language was expressly incorporated. He pointed to sections in the agreement which stated that the program was subject to "all Google policies," and a statement in the agreement that payment was to be made by advertisers "in accordance with the payment terms in the . . . Program FAQ." The court accepts Google's argument that the reference to the "Program FAQ" in the agreement was intended to only incorporate terms relating to payment options and not any terms which relate to how Google calculates the charges. The court also holds that even if the Adwords Help Center language is deemed to be incorporated into the agreement, the complaint is vague about what Google's obligations were exactly to apply the smart pricing discount to all advertisements.

Breach of the duty of good faith: The court acknowledges that Woods can bring an action for the breach of the duty of good faith "irrespective of whether [Google] breached its contractual obligations directly." Notwithstanding, the court notes that Woods failed to allege that "Google deprived Woods of a benefit to which he was entitled under the Agreement." The court says that Google is vested with "wide latitude" in administering its Adwords program, but at the same time, this discretion is not unlimited: Google must carry out its responsibilities in good faith. Woods's vague allegations of a conspiracy between Google and its Special Partners are insufficient in the court's view to suggest bad faith.

Unfair competition, false advertising, and fraudulent business practices claims: Finally, the court also pokes holes in the legal elements of Woods's unfair competition and false advertising claims. It states that unless Woods can show that he had a legal right to the smart pricing discounts and to not be charged for invalid clicks (so-called "Banned Ad Implementations") he can't show any cognizable injury. The fraud claims do not satisfy Rule 9(b)'s particularity requirement.

Finally, the court questions whether Woods has standing to bring misrepresentation claims. The Adwords Agreement expressly indicates that the contracting parties have not relied on any outside statements or promises in entering into the agreement. Woods argues that UCL liability may exist where a party to a contract makes "contradictory or misleading representations in order to obfuscate or obscure the actual terms of the contract." The court rejects this argument:

the issue is whether 'a reasonable jury could find' that Woods was reasonable in relying upon the extraneous statements notwithstanding an unambiguous disclaimer . . . [i]n light of Woods's sophistication as an attorney and the complaint's lack of particularity with respect to the statements that were alleged to have induced his reliance, the Court concludes that Woods has not alleged facts sufficient to support such a claim.

__

It's disheartening to see lawyer-plaintiffs get no love in the courts!

Seriously, Google nicely dodged a bullet here. As online agreements have become "longer and more byzantine," and often cross reference other terms and policies, the possibility of online agreement circuits getting crossed increases. (We recently saw GoDaddy be deprived of an easy contractual defense due to a cross-reference gaffe: "GoDaddy Mis-Manages Its User Agreements.") While the court rejects Woods's claims on the merits, it also made clear that the various policies and FAQs referenced in Google's agreement were not incorporated and made a part of the contract terms.

There is some tension inherent in Google saying that it is the sole arbiter of what constitutes a valid click. I sense an illusory contract term lurking in the background here. What is an "invalid click"? The court ends up saying that it's whatever Google says it is. The court does pay lip service to the fact that Google's discretion is not unbounded in this regard, but you don't get the sense that Woods will be able to allege any sort of bad faith sufficient to get the court's attention here.

Woods made a valiant effort to argue that whatever the metric was for determining an invalid click, Google did not apply it equally across the board, but the court gives this argument little or no credence. This was one of the more intriguing aspects of Woods' claims, but the court expresses serious reluctance to allow Woods' claims to move forward and allow Woods discovery into Google's business practices in this area. (This would have been a big hassle for Google and I'm sure it's breathing a sigh of relief for not having to respond to Woods' discovery.)

The court gives Woods leave to amend. Let's see if his amended complaint adds any clarity to the allegations.

[This case languished in the blogging queue. In the time between when it was added to the "to blog" list and I actually wrote this blog post, Woods already filed an amended complaint and Google filed a motion to dismiss. You can access those documents here (amended complaint) and here (motion to dismiss).]

__________

Eric's Comments:

I can't believe people are still suing Google for click fraud, especially after Google buttoned up its legal agreements to prevent further click fraud suits. Then again, Judge Fogel recently let a click fraud lawsuit against Facebook keep going when he probably shouldn't have. This one won't get that far. [However, Judge Fogel is giving up his docket for an administrative appointment in DC, so perhaps the successor judge who inherits this case will be more receptive.]

I think the best part of this opinion is when Judge Fogel rejects the plaintiffs' efforts to cut-and-paste various statements from Google's support materials to manufacture a purported contract breach. The plaintiffs worked really hard to find contrary statements from Google's website as an end-run around the contract's plain language (plain, in the sense that it says plaintiffs should lose). Judge Fogel has none of it:

The complaint refers to more than a dozen pages in both the AdWords Help Center and AdSense Help Center that allegedly identify Google’s obligations under the invalid clicks policy, including a video clip and an expert report from another lawsuit, both of which are linked to the AdWords Help Center. (See Compl. ¶¶ 77-93.) The fact that statements about invalid clicks are spread across a variety of pages in a variety of formats make it difficult to identify the terms of any actual and unambiguous contractual obligations. This stands in sharp contrast to other Google policies, which include clear terms.

I think it's become de rigueur in the plaintiff community to slice-and-dice every public statement a company has ever made through its entire history, looking for anything that could be construed as false. But when the contract makes it really, really clear that Google isn't on the hook for click fraud, it would take a really strong and prominent contrary statement to trump it. The plaintiffs apparently fell far short of finding such a smoking gun, and the slicing-and-dicing just made them look silly. Note to plaintiffs: if you have to work that hard to find snippets that purportedly trump the plain language of a contract, you're probably overthinking things. My recommendation is to let such complaints go, although I know you won't heed that advice.

I do agree with Venkat that websites should try to consolidate their sprawling expanse of legal T&Cs documents. As the number of these documents grows, the odds grow exponentially that at least one of the linkages will fail. I bet Google would benefit from putting its legal T&Cs on a strict diet and chopping the number of words in half (or more). This would streamline the documents and perhaps make it easier to consolidate documents.

Venkat also notes that the named plaintiff, Woods, is an attorney. I used to keep a running count of all of the lawyer-as-plaintiff lawsuits against Google. For reasons I've never understood, Google's run-ins with lawyers-as-plaintiffs seem disproportionately frequent. (Please email me if you have any hypotheses). And, even more embarrassing for the legal profession, the lawyer-as-plaintiff cases seem to fare especially poorly against Google, usually getting soundly thumped.

Posted by Venkat at 09:09 AM | Licensing/Contracts , Marketing , Search Engines



October 15, 2011

Q3 2011 Quick Links, Part 5

By Eric Goldman

See the other quick links posts in this series:

* Q3 2011 Quick Links, Part 4
* Q3 2011 Quick Links, Part 3
* Q3 2011 Quick Links, Part 2 (Trademarks/Domain Names Edition)
* Q3 2011 Quick Links, Part 1 (Copyright Edition)

Trade Secrets

* Congressional proposal to add a private cause of action to the federal Economic Espionage Act. David Almeling supports the general idea. My take from an email list:

I don't understand the incremental value of a federal private cause of action beyond the current state laws for the described situations. I also wonder if this is the beginning of the end for federal deference to state regulation of trade secrets. If the amendment gets adopted, it would be entirely logical to see the restrictions relaxed over time to make it into a general-purpose private right of action for any trade secret misappropriation. For an analogous regulation, see the significant expansion of the CFAA over the past quarter-century, and especially the growing number of cases involving CFAA violations because former employees continued to access their former employees' hardware (and, presumably, misappropriate trade secrets).

* Mattel's lawsuit against MGA over the Bratz dolls has gone sour for Mattel in a big way. It was hit with another $225M in damages, bringing the amount it owes MGA to $310M. Oops.

* Probation for two individuals in the first lost iPhone prosecution, but no charges against Gizmodo. Yet, somehow, Apple apparently lost yet another "priceless" iPhone prototype at a bar.

Patents

* Bessen et al, The Private and Social Costs of Patent Trolls:

In the past, non-practicing entities (NPEs) — firms that license patents without producing goods — have facilitated technology markets and increased rents for small inventors. Is this also true for today’s NPEs? Or are they “patent trolls” who opportunistically litigate over software patents with unpredictable boundaries? Using stock market event studies around patent lawsuit filings, we find that NPE lawsuits are associated with half a trillion dollars of lost wealth to defendants from 1990 through 2010, mostly from technology companies. Moreover, very little of this loss represents a transfer to small inventors. Instead, it implies reduced innovation incentives.

* Joe Mullin is blogging again on patent matters, especially NPE issues! From his blog, check out his co-blogger's post on Innovatio, which is sending licensing demands to hundreds of companies who are offering industry-standard wi-fi to consumers.

E-Commerce

* After tossing its CA affiliates aside like rag dolls, Amazon and CA struck a deal on sales taxes that reinstated its CA affiliates (1, 2).

* Businesses using Groupons may be getting lower Yelp reviews.

* Dan Ariely deconstructs online retailers and websites to show how they are using psychological forces to get us to do what they want.

* Earll v. eBay, 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011). eBay could be exposed to claims under the Disabled Persons Act and the Unruh Act.

* Foley v. JetBlue Airways (N.D. Cal. Aug. 3, 2011). Federal aviation law preempts California law regarding disability accessibility to airline website.

* Weinstein v. eBay. StubHub wins an anti-scalping case under New York law.

* NYT: Good example of how a properly managed consumer review website can improve marketplaces.

Contracts

* David Stebbins is at it again. He sued Google to enforce his purported $500 billion arbitration win. The magistrate recommended dismissing the case as frivolous. Stebbins sued Microsoft too; see the long interview with him and a link to his video.

* Davis v. Avvo, 8:10-cv-02352-JDW-TBM (M.D. Fla. Sept. 13, 2011). Forum selection clause in Avvo’s user agreement upheld.

* Fusha v. Delta Airlines (D. Md. Aug. 30, 2011). Venue selection clause in check-the-box user agreement upheld.

* TradeComet.com LLC v. Google, Inc., 2011 WL 3100388 (2nd Cir. July 26, 2011): "a district court is not required to enforce a forum selection clause only by transferring a case pursuant to § 1404(a) when that clause specifies that suit may be brought in an alternative federal forum. Rather, in such circumstances, a defendant may seek to enforce a forum selection clause under Rule 12(b)."

A separate summary order upheld the applicability of Google's forum selection clause against TradeComet. The court says Google's clause doesn't overreach because "Google unquestionably holds a ‘special interest’ in making sure that it is not subject to suit in numerous different fora for claims arising from its agreements with over a million advertisers."

* Marso v. United Parcel Service, Inc., No. 09 CVS 2582 (N.C. App. Ct. Sept. 20, 2011). UPS required customers to go through a mandatory clickthrough agreement on computers in its store, but...

plaintiff asserts that defendant's employee entered the information into the computer, and that "[n]o one advised [plaintiff], orally or in writing, about any UPS Tariff, waybill, or service guide," or advised him that he could request a copy of the same….plaintiff suggests by his argument that he did not assent to the terms of service identified in the UPS Tariff, which would limit defendant's liability for the fraudulent cashier's check collected by defendant upon delivery of plaintiff's package to Mr. Thompson, and instead asserts that he formed an oral contract with defendant's employee which obligated defendant to be liable to plaintiff for $12,145.00 without limitation. Thus, there appears to be a genuine issue as to whether plaintiff assented to be bound by the limiting terms of the UPS Tariff, and whether defendant presented plaintiff with actual or constructive notice of the terms set forth by the UPS Tariff.

* Truong v. eBay, Inc., 2011 WL 3716999 (Cal. App. Ct. Aug. 24, 2011). This is a busted eBay Motors transaction where eBay warned the winning buyer not to complete the transaction and the seller sued for tortious interference with contract:

eBay raised the immunity provision of the federal Communications Decency Act (47 U.S.C. § 230). As appellant pointed out to the trial court, and as that court ruled, the pertinent provision of that statute makes the law applicable to an action taken by an internet service provider to restrict access to or availability of material that is obscene, harassing, “or otherwise objectionable.” The conduct alleged against eBay was not editing or policing content of items posted on its marketplace, but interfering with a contract. (See 47 U.S.C. § 230(c)(2)(A).) eBay does not urge this ground in its respondent’s brief.

* Added to my RSS feed: The Tech Contracts Blog by David Tollen.

Miscellaneous

* ABA Journal on electronic service of notice.

* James Grimmelmann's Internet Law casebook.

* On TWiL in late August, I discussed privacy and MP3Tunes with Denise Howell, Evan Brown and David Snead. The recording.

* Top 15 most popular "Damn You Auto Correct" postings of all time. Hilarious.

* Good news: I will receive the 2011 "IP Vanguard Award" (in the Academic/Public Policy category) from the California State Bar's IP Section.

Posted by Eric at 07:02 AM | E-Commerce , Licensing/Contracts , Patents , Trade Secrets | TrackBack



October 14, 2011

Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore

[Post by Venkat Balasubramani with additional comments from Eric]

Dunstan v. comScore, Inc., 11-cv-05807 (N.D. Ill. Oct. 7, 2011)

Plaintiffs sued comScore, alleging that comScore improperly obtained and misused plaintiff's personal information, after plaintiffs downloaded and used comScore's software. comScore sought to have the lawsuit transferred to Virginia, which was the forum specified in a forum-selection clause in the software terms of use/EULA. The court denies comScore's motion.

A comScore Vice President testified that "before a user can install comScore software," a customer must "click the box acknowledging" that the customer read and agreed to the terms. Plaintiffs, on the other hand, alleged that the forum-selection clause was not "apparent" when they downloaded the software. They also alleged that the terms of service were "obscured" during the installation process. From the court's order, it seems like plaintiffs did not deny that they checked the box. The court resolves the apparent factual dispute as follows:

the court declines to infer that clicking a box acknowledging that a user has read an agreement indicates that the agreement was reasonably available to the user, particularly when the plaintiffs have alleged that the hyperlink to the agreement was obscured.

Whoa. Let's take another look at this sentence. The court is saying that just because a user checked a box acknowledging the user had read the agreement, this does not mean that the court can infer that the user was able to read the agreement. (???)

comScore cited to several cases where courts enforced "click-through" agreements, including Specht v. Netscape. The court says that none of the cases involved an allegation of an obscured hyperlink. According to the court, Specht acknowledged the possibility that "a click-through agreement is not enforceable if its terms are not reasonably apparent to the user." The court goes on to note:

it is not reasonable to expect a user casually downloading free software to search for such an agreement if it is not immediately available and obvious where to obtain it. As the Second Circuit noted, 'when products are 'free' and users are invited to download them in the absence of reasonably conspicuous notice that they are about to bind themselves to contract terms, the transactional circumstances cannot be fully analogized to those in the paper world of arm's-length bargaining.' [U]nder the circumstances alleged here, including that the location of the license agreement was not readily apparent, the court concludes that the forum-selection clause was not reasonably communicated to the plaintiffs . . . .

This is definitely a double-take-worthy decision. The court relies on Specht v. Netscape, but Specht is a browsewrap case, where the user did not have to indicate assent to the terms before downloading the software. Given the circumstances (free download) and the fact that the terms were not in an obvious location, the court in Specht declined to enforce the terms.

There's an easy way to solve the problem presented by Specht: have a mechanism to require the user to unequivocally indicate assent to the terms before downloading the software. Courts have upheld this type of contract formation because there is no ambiguity as to the user's assent to the terms, and this was the type of agreement comScore had in place here. The consumer cannot say that he or she did not read the terms because prior to downloading, the user has to indicate that they read the terms. (See for example Feldman v. Google, which Eric discusses in this blog post: "Google Adwords Contract Upheld (Again)".)

It's tough to understate the importance of certainty in online contracting and the predictability of online agreement enforceability. They're among the cornerstones of online commerce. Courts struggled with the enforceability of browsewrap terms, but check the box terms are widely acknowledged to be enforceable; at least there should be no bar as to mutual assent and basic contract formation. I'm not sure whether the formation process or the court went astray here (see Eric's comments below regarding the former--he makes good points regarding implementation). If there were no issues with the UI implementation or the browser, then the court's decision is off base.

[Interestingly, comScore did not argue that the dispute is subject to arbitration, which tends to indicate that the agreement did not have an arbitration clause.]

______

Eric's comments

I have a couple theories about what went wrong here. Theory #1 is that the judge was overly willing to accept a plaintiff's bald factual assertion that comScore didn't adequately present the contract. (The judge says, "At this stage, however, the court must take the plaintiffs’ word for it."). As Venkat indicates, judges have to do a little more gatekeeping than this, because plaintiffs will assert this defect in every lawsuit. If all it takes to survive a motion to dismiss is the plaintiff's bald assertion, the contracts are nearly worthless.

Theory #2 is that comScore didn't do its formation process properly. I think there is truth to this theory even if comScore went "by the book" and used what seemed like a mandatory non-leaky clickthrough agreement. It's the responsibility of software vendors/website vendors to present the contract in such an unambiguous/can't-miss-it process that NO ONE--plaintiffs' lawyers, judges, Grandma--could possibly fail to see it. The fact that the judge gave the plaintiffs the benefit of the doubt is prima facie evidence that comScore failed to do this well enough.

The case might remind us of two key lessons for lawyers advising companies implementing user agreements:

1) I don't care how brilliantly you draft your user agreement. It's also your job as a lawyer to advise your clients HOW to form the contract and to ensure they follow your advice. If your brilliant contract isn't properly formed, who cares what it says?

2) You need to look at the UI implementation across multiple browsers with a variety of settings. Even if your browser renders the agreement formation process just fine, another browser may chunk the display. This is even more crucial in the mobile environment, where UIs are even more constrained.

Posted by Venkat at 12:55 PM | Adware/Spyware , Licensing/Contracts , Privacy/Security



October 07, 2011

Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information -- Katz v. Pershing

[Post by Venkat Balasubramani]

Katz v. Pershing, LLC, 10-12227-RGS (D. Mass. Aug 23, 2011)

Background: Katz maintained an account at National Planning Corporation, an "introducing firm" for which Pershing provides brokerage clearing services. Pershing's services are provided on a proprietary exchange known as "NetExchange Pro," and this platform allows firms and their customers to access account information, stock quotes, etc. Katz alleged that up to 100,000 users have electronic access to customers' non-public personal information, including social security numbers, taxpayer identification numbers, and bank account numbers. Katz alleged that the security deficiencies rendered this information susceptible to being compromised. She claimed that NPC paid Pershing fees to protect the data and these fees were passed on by NPC to Katz and other putative class members.

She filed a lawsuit bringing claims under the Massachusetts deceptive trade practices statute, breach of contract, negligence, and unjust enrichment. Pershing initially moved to dismiss and the court granted the motion before Katz had an opportunity to respond. Katz filed a motion to reconsider. On reconsideration, the court dismisses the case.

Discussion: The court dismisses the case based on standing (lack of jurisdiction) and on the merits.

Standing: Pershing argued that Katz did not allege that any of her protected data was actually compromised. The court agrees, noting that several cases have dismissed data loss claims on Article III standing grounds, finding that the increased risk of identity theft is insufficient to create standing. Katz argued that her claims were distinguishable from the other increased risk cases because she brought claims under Massachusetts statutes and for breach of contract.

Massachusetts Data breach statute: The court pointed out that Katz's claims under the Massachusetts unfair trade practices statute needed a statutory predicate--some statute or policy which was enacted for the benefit of the public which the defendant failed to comply with. Katz argued that here, Pershing failed to comply with Massachusetts' data breach statute, which was enacted in the wake of the well-publicized TJX data breach. The court rejects this argument, finding that the data breach statute defines a "breach of security" to include an "unauthorized acquisition or unauthorized use" of encrypted data. While breaches that create a substantial risk of identity theft trigger the statute, there must be a breach in the first place, and there was none alleged by Katz here. There was a second problem with Katz's argument. The Massachusetts data breach statute does not provide for a private cause of action. The statute is intended to be enforced by the attorney general. Therefore, Katz's claim of unfair trade practice based on a violation of the Massachusetts data breach statute fails.

Breach of contract claim: The court rejects Katz's breach of contract claim because it is based on the agreement between NPC and Pershing, and Katz argued that she was an intended third party beneficiary to this agreement. The court pointed to language in the NPC-Pershing agreement which states that the agreement was "not intended to confer any benefits on third-parties including, but not limited to, customers of [NPC]." Katz argued that the contract was superseded by marketing representations made by Pershing, but the NPC-Pershing agreement contained an integration clause, and Katz could not introduce additional terms to vary the agreement. The court also rejects Katz's implied contract claim because it was not supported by valid consideration. If, as Katz alleged, Pershing promised to NPC to safeguard Katz's personal information, "any alleged promise to Katz to do the same would not amount to valid consideration."

Unjust enrichment: The court also rejects Katz's claim for unjust enrichment on the basis that Katz did not allege that she conferred a specific benefit on Pershing or that Pershing was ever aware of this benefit.
__

Courts have rejected claims from data breach plaintiffs where the plaintiffs have not suffered any out of pocket loss. Here, the plaintiff sued before the breach even occurred, and the court rejects the claims. Out of necessity, plaintiffs have gotten creative and tried every angle imaginable, but so far they have had no luck.

As in the Ikon Solutions case, the plaintiff in this case tried to rely on the data breach statute but the court found that it was inapplicable. To my knowledge, no state has enacted a data breach statute which provides for a private cause of action or damages. The Massachusetts statute primarily requires notification of an alleged breach. The court's two conclusions with respect to the data breach statute are not surprising, but they are significant.

Related posts:

* Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit
* 9th Circuit Affirms Rejection of Data Breach Claims Against Gap
* The [Non]enforceability of Privacy Promises
* Acxiom Not Liable for Security Breach
* When Does a Privacy Policy Breach Support a Breach of Contract Claim?
* Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data

Posted by Venkat at 01:36 PM | Licensing/Contracts , Privacy/Security



October 06, 2011

GoDaddy Mismanages Its User Agreements--Crabb v. GoDaddy

By Eric Goldman

Crabb v. GoDaddy.com, Inc., 2:10-cv-00940-NVW (D. Ariz. Sept. 27, 2011)

As online user agreements become longer and more byzantine, it's become common for a "master" user agreement to incorporate numerous other documents by reference. For example, stylistically, many websites put the user agreement and the privacy policy into two separate documents and then incorporate the privacy policy into the user agreement by reference. In most cases, the privacy policy doesn't have to exist separate from the user agreement; but it's so common nowadays that I bet many websites don't consider any other approaches.

Having legal terms sprinkled throughout different documents on the site is legally acceptable if--and only if--the documents link together properly. The flagship online contracts case, Specht v. Netscape, is a good example of how this linking process can fail (it would have been trivially easy for the drafters to cross-link the EULAs in that case). Here, GoDaddy gets a hard lesson in its failure to properly cross-reference documents, and its mistake could lead to a cash payment.

This case is another lawsuit against a registrar for parking ads on undeveloped domain names. Personally, I think it's scummy of registrars to do this because it sets up significant conflicts of interest between registrars and registrants. But if the registrant is told that their undeveloped domain name will be used for ad parking and the registrant can avoid this outcome, then caveat emptor, and may the best registrar win in the marketplace.

In this case, GoDaddy claims it told registrants about the ad parking in its "Universal Terms of Service," which purported to incorporate by reference a "Parked Page Service Agreement." However, the cross-reference in the TOS said the parking agreement applied "only to customers who have purchased those referenced Services." But the registrants didn't "purchase" the ad parking service; rather, GoDaddy imposed it on them for free (or, more precisely, against their will). With the botched cross-reference, the contracts the registrants actually agreed to didn't adequately disclose the ad parking. As a result, GoDaddy can't claim the registrants contractually authorized the parking. GoDaddy still has plenty of other defenses, but it must sting to lose its preferred defense--especially when it had complete control over the situation. WHOOPS.

Posted by Eric at 01:46 PM | Domain Names , Licensing/Contracts | TrackBack



October 03, 2011

New Essay on 47 USC 230(c)(2)

By Eric Goldman

I have posted a new essay, Online User Account Termination and 47 U.S.C. §230(c)(2), to SSRN. I wrote this essay as a contribution to a virtual world symposium at UC Irvine, and it will be published in the UC Irvine Law Review.

The essay generally argues that 47 USC 230(c)(2) permits online providers, including virtual world operators, to terminate user accounts without liability. Academic commentators frequently ignore or fail to consider Section 230(c)(2)'s immunity when discussing user account terminations, so the essay tries to elevate Section 230(c)(2)'s profile in the discussions, especially for the virtual world community. To me, Section 230(c)(2)'s applicability to account terminations is clear, but the story is complicated and perhaps not free from controversy. In addition to explaining the nuts-and-bolts, I offer a brief theoretical defense of the immunity.

I believe this essay is the first law review article exclusively on 47 USC 230(c)(2), the overlooked and undertheorized sibling of Section 230(c)(1). (FWIW, I have another, much larger article in process on Section 230(c)(1) that I hope to complete next semester.) If I've missed a 230(c)(2)-specific article, please please please let me know. For that reason alone, I'm quite excited about this essay.

I'm also excited about this essay because it culminates a topic I've been contemplating since I began blogging--the implications of virtual world proprietors' rights to terminate for convenience. See, e.g., this post--one of my first on the blog--from 6 1/2 years ago. After all these years, I'm glad to finally organize my thoughts more completely.

The essay is in draft form, so I would gratefully welcome your comments.
________

The abstract:

An online provider’s termination of a user’s online account can be a major--and potentially even life-changing--event for the user. Account termination exiles the user from a virtual place the user wanted to be; termination disrupts any social network relationship ties in that venue, and prevents the user from sending or receiving messages there; and the user loses any virtual assets in the account, which could be anything from archived emails to accumulated game assets. The effects of account termination are especially acute in virtual worlds, where dedicated users may be spending a majority of their waking hours or have aggregated substantial in-game wealth. However, the problem arises in all online environments (including email, social networking and web hosting) where account termination disrupts investments made by users.

Because of the potentially significant consequences from online user account termination, user-rights advocates, especially in the virtual world context, have sought legal restrictions on online providers’ discretion to terminate users. However, these efforts are largely misdirected because of 47 U.S.C. §230(c)(2) (“Section 230(c)(2)”), a federal statutory immunity. This essay, written in conjunction with an April 2011 symposium at UC Irvine entitled "Governing the Magic Circle: Regulation of Virtual Worlds," explains Section 230(c)(2)’s role in immunizing online providers’ decisions to terminate user accounts. It also explains why this immunity is sound policy.

Posted by Eric at 09:10 AM | Derivative Liability , Internet History , Licensing/Contracts , Virtual Worlds | TrackBack



September 21, 2011

Bad SEO Advice May Support Negligence Claim--D'Agostino v. Appliances Buy Phone

By Eric Goldman

D'Agostino v. Appliances Buy Phone, Inc., 2011 WL 4345674 (D.N.J. Sept. 15, 2011). One iteration of the complaint.

This is a confusing dispute, so I'm just going to focus on a few aspects. Based on the court's description, it appears that D'Agostino helped Appliances Buy Phone (a baffling TM, but we'll call them ABP) build an e-commerce site in 2003. In 2009, the parties allegedly agreed to have D'Agostino build a second website ("Appliance4Sale") that was more SEO-optimized, and D'Agostino would get a cut of the revenue from the second site. Allegedly, D'Agostino indexed the second site in Google Products and started generating some sales; but subsequently ABP put the kibosh on sales through the second site, and then Google hit the sites with a duplicate content penalty that dried up traffic to the second site, so ABP shut it down to revitalize the indexing of the first site. ABP allegedly didn't pay D'Agostino for his development work on the second site, even though he claimed to spend 1,000-2,000 hours working on the site. On a pro se basis, D'Agostino sued ABP and its principals as well as Google.

The most interesting ruling relates to the counterclaim by ABP's principal, Sigman. Sigman brought counterclaims against D'Agostino for a violation of the New Jersey Consumer Fraud Act, negligence and contract breach. The court refuses motions to dismiss the three counterclaims.

On the NJCFA claim, Sigman claimed "Plaintiff knowingly created the Second Website that threatened the existence of the First Website and profitability of ABP." On the negligence claim, Sigman argued that D'Agostino claimed to be an SEO expert but negligently triggered a duplicate content penalty. Finally, Sigman claimed that D'Agostino breached their contract by "jeopardizing defendant’s website, violating Google policies, and causing the interruption of defendant’s enterprise."

Now, if someone selling SEO services wasn't aware of Google's duplicate content rules, that would be a big problem. At the same time, those rules can be pretty arcane, so I could see how even well-meaning SEOs could run into unexpected duplicate content problems, especially if a site were engaged in aggressive grey-hat activities (which may or may not describe the sites involved in this litigation).

This particular judge appears to be a very cautious judge; so cautious that he might refuse a motion to dismiss even when it's warranted just to give a pro se plaintiff more time and space to develop the case. Thus, it's possible/probable that Sigman's counterclaim won't do as well at later stages in the case. Even so, this ruling has to be disconcerting to the SEO community. Combined with the Roger Cleveland case, where the vendor providing (among other things) SEO services got tagged with a big contributory trademark infringement damages award, it seems like the risks of being in the SEO consulting business keep going up.

I'm not 100% clear on D'Agostino's claims still standing against Google, but Google invoked its forum selection clause in one of its agreements to try to get out of New Jersey. (It's not clear which agreement applied, although the court references Google's Merchant Center Terms). We've had a long string of cases upholding Google's forum selection clauses, but here the court waffles on its application to D'Agostino. The court says that even if D'Agostino registered the second website with Google, he may have done so as ABP's agent, in which case he's not a party to the contract. This sounds wrong on two fronts. First, the second website appears to have been a joint endeavor of D'Agostino and ABP, so he may very well have been a party; second, even if he was acting as an agent, he should be bound equally with the principal. The court rejects Google's motion without prejudice, which means Google may still be able to transfer the case if it can show facts binding D'Agostino to the contract, but for now Google's still stuck in New Jersey.

Just yesterday, regarding the Ground Zero Museum Workshop v. Wilson case, I wrote:

Hey people, when you have vendors help run your website, PLEASE dot your i's and cross your t's. When the shit hits the fan and the contract isn't in place or clear enough, the resulting litigation fusillade can destroy your life.

This is another example where the contracts weren't air-tight enough to cut short a murky litigation. In fact, the basic architecture of this business deal--giving the SEO financial interest in the second website but still running the first website--seemed fraught with conflicts from inception. The structure apparently put the two different websites in competition with each other (because there were different economic payoffs associated with each site), so perhaps a falling-out was inevitable.

Posted by Eric at 06:55 AM | Licensing/Contracts, Search Engines



September 20, 2011

Web Vendor Dispute Gets Ugly--Ground Zero Museum v. Wilson

By Eric Goldman

Ground Zero Museum Workshop v. Wilson, 2011 WL 3758582 (D. Md. Aug. 24, 2011)

Disputes like these make me wonder if we can't find some way to get along. Suson runs a non-profit museum focused on the September 11 tragedy. Wilson runs an Internet shopping cart service. Wilson offered to help Suson with the museum website by adding shopping functionality. Wilson also helped Suson get free web hosting from a third party vendor, A-1 Hosting. Then, over what seemed to be a minor thing, the relationship soured in 2009. Wilson turned off the shopping cart functionality and reverted the website back to a prior version; Suson claims Wilson also took down the museum website. Wilson subsequently complained that the museum website continued to use his IP, and he sent an ineffectual takedown notice to A-1 Hosting. Wilson also allegedly badmouthed the museum to A-1 Hosting, allegedly causing them to stop providing free hosting. Wilson also set up a quasi-gripe site, cam-scam.com (now down), and allegedly a fake MySpace page, that said or implied unflattering things about Suson.

From a relatively simple commercial dispute involving a non-profit enterprise comes a cascade of litigation, including complaints and countersuits. I could seriously write my entire Internet Law exam from this situation. It touches on almost every topic I cover in class. This isn't the worst breakup I've seen, but it appears that the parties are using litigation as a sledgehammer, especially given the low dollars and stakes at issue.

1201 Circumvention. Suson claims Wilson committed a 1201 circumvention by administratively logging into the museum website and making changes in excess of his authorization. The court rejects this claim, saying "using a password or security code to access a copyrighted work, even without authorization, does not constitute 'circumvention' under the DMCA" and citing to several other cases (including the IMS and Egilman cases). The court also says that even though Wilson resigned his technical role, his continued login to the website was authorized until Suson changed the password. Finally, disabling the shopping cart wasn't a circumvention because the functionality lived on Wilson's site, not Suson's.

Computer Fraud & Abuse Act. The CFAA claim fails on summary judgment because "Plaintiffs have produced no evidence to back up their assertion that Wilson damaged the website or that his actions caused at least $5,000 in economic damages in one year." The only allegation of harm is that Wilson "stripped the metatags" (whatever that means) when he reverted the website back to the prior version, and the court can't make heads or tails of that. Suson also hired an SEO to redo the metatags for $8k, but the court can't consider this evidence either because it wasn't properly authenticated and the payments took place over more than one year (and thus perhaps didn't trigger the $5k/year CFAA threshold).

Trespass to Chattels. This was a very confused discussion. The court says the "chattel identified in Plaintiffs' trespass claim is the GZM website, or alternatively specific webpages within the site. Plaintiffs contend that Wilson deprived GZM of possession of its website and damaged the chattel by inserting a redirect command." This seems to conflate access to a virtual asset (the web page) and use of a tangible asset, the computer server. The court focuses on the virtual asset, but that should be impossible to "trespass," or any trespass claim should be preempted by copyright law. Reinforcing that it doesn't understand what it's talking about, the court lumps together three very disparate items as it continues:

Although websites are not tangible property in the traditional sense, courts in Maryland, New York, and elsewhere have been willing to recognize claims for conversion or trespass to chattels involving certain digital things, such as websites and domain names and computer networks.

The court then cites cases finding conversion of domain names and a "website," plus the Cyber Promotions case where the court was clearly talking about trespass of the physical server. On this basis, the court says that copyright law doesn't preempt the trespass to chattels claim. Too bad the court couldn't make a more fine-grained distinction between tangible and intangible assets, because the trespass of an intangible asset claim should be preempted by copyright law.

The court then further finds a prima facie trespass to chattel because Wilson dispossessed Suson of the "current" website when he reverted to the older website version. However, whether Wilson acted with the requisite scienter has to go to the jury. Wilson's response that he co-owned the copyright in pieces of the website isn't availing; even if true, he can't dispossess his co-owners of their rights.

Note the unexpected result here: the CFAA claim failed and the common law trespass to chattels claim survived. How often do you see that? But this result occurs only because the court mixes its metaphors and treats the website owner's lack of virtual access to administrate the website as a physical dispossession.

Defamation. Because of the nature of the virtual interactions, the court struggles with deciding which law applies to the defamation claim. The court says:

Applying lex locus delicti is inconclusive because the websites Wilson created were accessible on the Internet from any location and the record on summary judgment does not identify the location of A1-Hosting or the unidentified third parties when they received the emails with alleged defamatory statements, so the exact place of publication for these statements is unknown.

The court finally decides that New York law applies because "Suson lives in New York, the museum is located there, and the bulk of Plaintiffs' business activities take place there. In addition, the alleged defamatory statements relate to Plaintiffs' business operations in New York. Accordingly, the brunt of the damage to Plaintiffs' reputation or business interests will be experienced in New York, and New York has the most significant relationship to the alleged defamation."

The court rejects defamation against all of the allegedly defamatory statements. If you're an Internet defamation junkie, it's worth reading the opinion.

Tortious Interference. This claim, based on Wilson's communications to A-1 Hosting, fails because Wilson didn't do anything improper.

512(f) Bogus Takedown Claim. Wilson didn't violate 512(f) because his takedown notice to A-1 Hosting was ineffectual. The court doesn't cite the Amaretto v. Ozimals opinion, which reached an identical conclusion.

Copyright Co-Owner Counterclaim. The court lets Wilson plead that he made such contributions to the museum website that he became a co-owner, and therefore he is entitled to an accounting of profits. This is why you never let anyone modify your website code without a written agreement spelling out their rights.

Related Disputes. This is just the latest blog post on website co-ventures gone horribly awry. Other posts in the series:

* Holding on to a Domain Name to Gain Leverage in a Business Dispute Can Constitute Cybersquatting -- DSPT Int'l v. Nahum
* Web Developer Didn't "Convert" Website--Conwell v. Gray Loon
* Taking Intangible Electronic Files is Criminal Fraud--NM v. Kirby
* Cautionary Tale of Website Co-Ownership--Mikhlyn v. Bove
* Another Cautionary Tale of Joint Website Ownership--TEG v. Phelps

Hey people, when you have vendors help run your website, PLEASE dot your i's and cross your t's. When the shit hits the fan and the contract isn't in place or clear enough, the resulting litigation fusillade can destroy your life.

Posted by Eric at 06:19 AM | Content Regulation, Copyright, Licensing/Contracts, Trespass to Chattels



September 06, 2011

Court Invalidates Agreement Governing Toyota's Online Prank Contest -- Duick v. Toyota

[Post by Venkat Balasubramani]

Duick v. Toyota, B224839 (Ca Ct. App.; Aug. 31, 2011)

Toyota and Saatchi & Saatchi ran a marketing campaign where a visitor to the Toyota Matrix website could designate a separate person who would receive prank emails and messages. Here is how the court describes the campaign and Duick's (the plaintiff) experience:

During the campaign, any visitor to the Toyota Matrix website ("player 1") could designate another person ("player 2") for participation in the Your Other You "interactive experience." Player 2 would then receive an email purportedly from player 1, inviting player 2 to click a hyperlink that was in some manner "identified with Toyota." The link would direct player 2 to a web page entitled "Personality Evaluation."

....

[Duick played the role of player 2, and] later began to receive emails from an individual identifying himself as "Sebastian Bowler." The text of the first email reads, "Amber mate! Coming 2 Los Angeles Gonna lay low at your place for a bit. Till it all blows over. Bringing Trigger." Duick received another email from Bowler the following day, accurately stating her previous home address, describing it as a "Nice place to hide out," and advising her that "Trigger don't throw up much anymore, but put some newspaper down in case." . . . . Additional emails from Bowler to Duick over the next few days purported to describe his cross-country journey by car to visit her, including photos and videos of his travels and references to his efforts to evade law enforcement . . . . The final email included a link to a video revealing that Bowler was a fictional character and that the entire sequence of emails was an elaborate prank, all part of an advertising campaign for the Toyota Matrix.

The whole thing sounds clever in a Blair Witch Project sort of way, but I'm guessing neither Toyota nor Saatchi & Saatchi spent much energy having their legal departments review the contest. Even a fairly risk-tolerant legal department would have flagged this as a marketing campaign that has the potential to go south, regardless of the technical legality of it.

Anyway, Duick asserted claims for emotional distress, negligence, and false advertising. She sought the respectable sum of $10,000,000 in damages. [I can just picture Duick's lawyer mimicking Dr. Evil from Austin Powers when he or she is talking with Duick about what damages figure to include in the complaint.] Defendants moved to compel arbitration. The court rejects their request. Not only does the court reject defendants' request to compel arbitration, the court nukes the entire set of contest terms.

The court says that Duick was duped as to the nature of the agreement:

A person in the role of player 2, such as Duick, could not access the terms and conditions without first clicking "Begin" on a webpage entitled "Personality Evaluation," created by defendants. The terms and conditions themselves were entitled 'Personality Evaluation Terms and Conditions.' Defendants thereby led Duick to believe that she was going to participate in a personality evaluation and nothing more. In particular, a reasonable reader in Duick's position would not have known that she was signing up to be the target of a prank.

Here is what the online terms said:

You have been invited by someone who has indicated that he/she knows you to participate in Your Other You. Your Other You is a website provided by [Toyota] that offers you . . . an interactive experience. . . . If you review and agree to the Terms and Conditions detailed below . . . you may participate in a 5 day digital experience through Your Other You. . . . You may receive email messages, phone calls and/or text messages during the 5-day experience. . . . You understand that by agreeing to these Terms, you are agreeing to receive emails, phone calls and text messages from Toyota during the 5-day experience of Your Other You.

The online terms contained language that alerted Duick to future email messages "from Toyota," but she would reasonably expect these to be mundane messages about a purported 'Personality Evaluation'--i.e., the fact that she agreed to receive emails, phone calls and texts does not amount to consent for receiving "frightening or disturbing messages" from some unidentified third party. The court notes that there was probably a way for the terms to be drafted to avoid the issue, but then again that would probably defeat the contest's purpose.

Michael Anderson's post provides some detail about the campaign and asks some good questions ("Prank Marketing and the Toyota Matrix: How Far Is Too Far?"):

When you employ a viral mechanism to promote the game, how overtly should it indicate the game’s fictionality? How much information do you disclose about the nature of the campaign? Finally, how do you allow for players to opt-out if they no longer wish to continue the experience?

Where one person can sign another person up to participate in the game, you would be well-advised to indicate the game's fictionality as overtly as possible. The terms provided to the so-called 'player 2' should be clear and accurate. Don't count on the court to add additional terms to the terms of use based on context. Providing a robust and simple-to-use opt-out also sounds like an excellent idea, although I'm not sure it would save this type of a contest. Duick did not assert claims under the TCPA for unsolicited text messages, but she and other participants of the contest who received text messages could assert those claims.

Duick still faces the Herculean challenge of proving up her damages, but she has to feel good about avoiding arbitration.

Other coverage:

Deceptive terms and conditions void contract in entirety

Posted by Venkat at 04:29 PM | Licensing/Contracts, Marketing



August 24, 2011

Mixed DMCA Online Safe Harbor Ruling in Cloud-Based Music Locker Case--Capitol v. MP3Tunes

By Eric Goldman

Capitol Records, Inc. v. MP3Tunes, LLC, 2011 WL 3667335 (SDNY Aug. 22, 2011).

Background. This case involves MP3Tunes.com and Sideload.com. MP3Tunes is a music storage locker. Small lockers are free, but more storage is available at a price. The system doesn't store redundant copies; if the system recognizes an identical bit stream coming from a second user, it just records the hashtag. Sideload is a music search engine that lets users find free music on the Internet. (It was also a browser plug-in). If users find a music file they like, they can "sideload" the music file into their MP3Tunes' locker as a personal archive copy. MP3Tunes' database tracks the sources of these personally archived files.

Due to other issues being addressed in prior proceedings, this ruling primarily focuses on the applicability of the 17 USC 512 safe harbor. This court expressly interprets 512(d), the safe harbor for linking to infringing content--one of the rare opinions to do so. Like most 512 rulings, this ruling is lengthy and detailed, reflecting the fact that the plaintiff contested a long list of safe harbor elements. As I recently mentioned, god bless the pithy 47 USC 230 immunity and the short opinions it produces.

Result. The net effect is that most of MP3Tunes' operations got a 512 safe harbor defense, but it is contributorily liable for any infringing sideloaded files it didn't remove following a takedown notice, and MP3Tunes' CEO (the persistent Michael Robertson) may be personally liable for any infringing files he personally loaded into his locker. These rulings leave the defendants on the hook for potentially millions in damages. Other questions, such as liability for employees' uploads, were rolled over to trial. Because of this mixed ruling, both sides issued public statements touting their wins. As I'll explain momentarily, both sides also earn some brickbats from me.

Some of the post-ruling punditry has suggested this ruling provides a roadmap for other cloud-based music lockers, including the offerings from Apple, Amazon and Google. While that's partially true, the guidance is limited at best due to the fact-specific nature of the ruling. Perhaps the best news for the other services is that lockers may not have to store redundant copies of user-uploaded files to qualify for a Cablevision defense (see the EFF post for more on this). However, as the Zediva ruling recently showed, it remains uncertain how broadly other courts will read the Cablevision case. Otherwise, I think this case mostly tells us things we already knew but that copyright owners refuse to believe.

Out of this dense and slightly inscrutable ruling, some of the points that I found most interesting:

Bogus Takedown Notices (Yet Again...) EMI sent MP3Tunes overbroad takedown notices. The court says EMI affiliates "provided a list of EMI artists and demanded that MP3Tunes 'remove all of EMI's copyrighted works, even those not specifically identified.'" This was in 2007, NINE YEARS after the DMCA came into effect. Seriously, guys? 512(c)(3) isn't that complicated, and major copyright owners that send notices vastly in excess of 512(c)(3) look like greedy or clueless SOBs.

With the hope that we can avoid future SOBness, here's an offer I extend to any and all major copyright owners. I will happily give you a FREE tutorial on how to draft proper 512(c)(3) takedown notices so that you don't look as asinine as EMI looked here. I'm not worried about these trainings being too much of a drain on my time--they should only take about FIVE MINUTES and involve a variation of RTFM.

Needless to say, the court wasn't impressed by EMI's overreaching takedown notices. It reminds EMI that a proper 512(c)(3) takedown notice requires the copyright owner to provide sufficient information to locate the infringing files (cite to Wolk v. Photobucket).

MP3Tunes' Takedown Policy. MP3Tunes took the puzzling position that, in response to the overreaching 512(c)(3) notices, it only had to remove specified links from Sideload and not any files downloaded from those URLs into personal lockers--even though MP3Tunes kept the source URLs in its database and could therefore trace those files. Now, if the users had downloaded the files to their hard drives, that wouldn't be MP3Tunes' issue--though, to be clear, the users probably don't have a fair use defense if the files are actually infringing (see, e.g., the BMG v. Gonzalez case). However, as a cloud service provider, MP3Tunes needs to respond to 512(c)(3) notices when they meet the statutory requirements, even if the locker is supposed to be the user's "private" space. MP3Tunes loses the 512 safe harbor for these files because EMI's 512(c)(3) notices provided adequate information for MP3Tunes to locate the files, and the court says MP3Tunes is contributorily liable for these infringements. MP3Tunes argued a Sony defense that its lockers had substantial non-infringing uses, but the court says Sony applies only to products, not services.

It's unclear how this discussion applies to other cloud-based music lockers. The court distinguishes Viacom v. YouTube because Viacom could easily search YouTube for infringements--which isn't possible with private cloud-based lockers (just as it isn't possible with user hard drives). The court also asserts that any other lockers letting users "sideload" from the Internet must trace the URL source and disable all files from that URL in response to a 512(c)(3) notice. But what if the music locker allows users to upload files from their hard drives and doesn't allow those to be searched? The opinion seems to deliberately avoid addressing that situation. [A related unresolved Q: how copyright owners can find private YouTube videos. I've posted a few myself for use in my Advertising Law course.]

The court dismisses MP3Tunes' seemingly overstated concerns about its liability to users for disabling files in their "private" lockers. MP3Tunes' user agreement expressly allowed this, as I would expect every other cloud service provider's user agreement to do.

Even so, it's 100% clear that cloud storage is different from hard drive storage, and some users are going to get quite a surprise when they learn that third parties can zap files from their cloud storage. (Recall the hubbub over Amazon's zapping of books from Kindle). If Congress weren't so dysfunctional, this would be a good place for a statutory fix. It would make a nice complement to the Digital Due Process initiative to fix the ECPA's application to the cloud.

It's worth noting that users weren't represented in this litigation and had no ability to show that their uses were fair, notwithstanding BMG v. Gonzalez and similar cases. If cloud-based music lockers simply pull the trigger on 512(c)(3) notices on an "ex parte" basis (i.e., without any input from the affected users), their fair use rights become effectively irrelevant unless the sites honor users' putback notices. I think it's critical for cloud-based music lockers enabling "private" lockers to address how they will deal with 512(c)(3) notices and if they will honor 512(g) putback notices. I'd welcome your thoughts on ways that we collectively can monitor cloud service providers' policies and practices on this topic.

Repeat Infringer Policy. MP3Tunes had an adequate repeat infringer policy because, among other things, its users weren't "blatant infringers" (they were just downloading files for personal use and may not have known better) and "MP3Tunes does not purposely blind itself to its users' identities and activities."

Red Flags of Infringement. I continue to assert that "red flags of infringement" is no longer possible given copyright owners' widespread practices of freely seeding their content on the Internet as marketing. EMI did that too. Indeed, the court says "EMI executives concede that internet users, including MP3tunes' users and executives, have no way of knowing for sure whether free songs on the internet are unauthorized." The court further dismisses EMI's mockable argument that the terms "free," "mp3" and "file-sharing" automatically confer red flags knowledge. EMI's takedown notices that didn't comply with 512(c)(3) didn't contribute to any red flags knowledge either.

Vicarious Infringement Standards. The court rejects that the sideloading feature contributed to "financial benefit" because, even if it was a "draw," it had non-infringing uses, and MP3Tunes didn't charge for its usage. MP3Tunes lacked the requisite "control" because it was a cloud storage solution.

Public Performance. EMI argued that MP3Tunes publicly performed the files in users' lockers. MP3Tunes responded with a Cablevision defense. The court explains that MP3Tunes doesn't deliver files from a "master copy" (even though redundant copies aren't made) but instead "uses a standard data compression algorithm that eliminates redundant digital data" and therefore preserves exact digital copies. Thus, MP3Tunes wasn't publicly performing. I didn't understand the technological distinction the court was making, but I didn't find it persuasive at all. The court also distinguished Cablevision because it couldn't qualify for 512, while MP3Tunes does.

DMCA's Applicability to pre-72 Sound Recordings. FN1 says that 512 applies to pre-1972 sound recordings:

The Court agrees with Defendants that the plain meaning of the statutory language makes the DMCA safe harbors applicable to both state and federal copyright claims. Thus, the DMCA applies to sound recordings fixed prior to February 15, 1972.

I believe this is the first ruling reaching this conclusion (am I forgetting one?). The court didn't offer any citations or analysis in support of this conclusion, and I anticipate this issue will continue to be litigated fiercely.

Reminder: in case you missed it, I recently caught up on 4 months' worth of online copyright rulings, including several addressing the same or similar issues as this case.

Other comments on this ruling: Techdirt, EFF, CNET News.com

Posted by Eric at 02:26 PM | Copyright, Derivative Liability, Licensing/Contracts, Privacy/Security



August 22, 2011

Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment -- Kirch v. Embarq

[Post by Venkat Balasubramani with comments from Eric]

Kirch v. Embarq, 10-2047-JAR (D. Kan. Aug. 19, 2011)

The fallout from NebuAd's ill-fated deep packet inspection continues to percolate through the courts. Plaintiffs sued NebuAd and ISPs in the same forum in Northern California, but the ISPs were dismissed on jurisdictional grounds, requiring plaintiffs to pursue them through local lawsuits. NebuAd reportedly shut down, but lawyers recently announced a settlement over claims against NebuAd. (See: "NebuAd Settles Lawsuit Over Behavioral Targeting Tests.") Interestingly, the $2.4M from the proposed settlement will go to public interest organizations and the lawyers--there's no class payout, and just small payments to the named plaintiffs. This is fairly typical in privacy lawsuits, but settlements like these have elicited a few challenges, most prominently in Facebook's Beacon settlement (which is currently on appeal to the Ninth Circuit).

This particular case is one of the end users' cases against ISPs. They brought claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, invasion of privacy and trespass to chattels. They voluntarily dismissed the invasion of privacy, trespass and CFAA claims. This left the ECPA claim. (The court says the claims were dismissed pursuant to "stipulation," but does not get into detail as to whether there was any settlement associated with this dismissal.)

No derivative liability: The court found for summary judgment purposes that Embarq did not have access to the contents of user communications. Embarq admittedly facilitated NebuAd's tracking and targeting, but this is not enough for plaintiffs to hold Embarq liable:

As plaintiffs' expert testified, Embarq's role was to install the NebuAd device so as to furnish the UTA connection to NebuAd. In other words, the NebuAd device . . . goes into place, then all of the raw data that flows through Embarq is directed to that device, where NebuAd does the analysis and, apparently, separates out the Port 80 traffic. Moreover, plaintiffs cite no authority that Embarq's access to the raw data that flowed through its network constitutes a violation of the ECPA, which requires an entity to actually acquire the contents of those communications. There is nothing in the record that Embarq itself acquired the contents of any communications as they flowed through its network; instead, plaintiffs' theory rests on the notion that the NebuAd System extracted the contents of the communications. Plaintiffs' assertion that Embarq 'endeavored to intercept' communications falls short of creating civil liability under the ECPA, which creates liability for actual interception.

Plaintiffs pointed to the contractual relationship between Embarq and NebuAd as a basis for holding Embarq indirectly liable. The court says clearly that the "civil liability provision of the ECPA . . . does not provide for secondary liability."

User consent: The court also grants Embarq summary judgment on the basis that to the extent there was improper interception, the users consented to it. Embarq's "activation agreement" pointed to its privacy policy and said Embarq could revise it. Prior to deployment of NebuAd, Embarq posted a new paragraph in its privacy policy entitled "preference advertising." This paragraph informed subscribers that:

Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users' names, email addresses, telephone numbers, or any other Personally Identifiable Information.
You may choose to opt out of this preference advertising service. By opting out, you will continue to receive advertisements as normal; but these advertisements will be less relevant and less useful to you. If you would like to opt out, click here. (embarq.com/options)

Subscribers were given an opportunity to opt-out by clicking on a link. Plaintiffs made three arguments as to why this consent should not be viewed as being effective, but the court summarily rejects them all, relying in part on Mortensen v. Bresnan: (1) the scope of the disclosure was inadequate and did not identify NebuAd; (2) the notice was not conspicuous enough; and (3) the opt-out mechanism was insufficient.
__

The NebuAd deep packet inspection idea was ill-fated, but it's interesting to see the litigation play out as it has. NebuAd's insurers settled for a relatively small amount. The claims against the individual ISPs are struggling, and when you throw requests to compel arbitration based on the Supreme Court's decision in Concepcion into the mix, it's going to end up being a long road for plaintiffs.

I'm not sure I can think of a principled reason for this, but I've always viewed deep packet inspection as something that crossed the line. But under existing privacy laws, it's not easy to hold ISPs who partnered with NebuAd liable. Privacy plaintiffs continue to push the envelope but they are repeatedly rebuffed by the courts. As Eric notes, the statutes under which plaintiffs assert causes of action in privacy class actions are convoluted, confusing, and in need of a much-anticipated revamp.

As with the flash cookie cases, I'm curious about the FTC's role in the regulatory quagmire. I would think they could have a significant effect in the area if they came in and took the type of action they took against the likes of Google and Twitter against the players in this space. Maybe I'm missing something or there are institutional factors at play (or activities going on behind the scenes), but it certainly seems like the FTC has extracted a large quantity of blood in some situations but is ineffectual or slow to act in others.

Previous posts on NebuAd:

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One

Additional coverage:

Wendy Davis: "Embarq Wins Privacy Suit Stemming From NebuAd Tests"
__

Eric's comments

1) For sake of completeness, I note that a 47 USC 230 defense wouldn't have helped Embarq against the derivative ECPA claim because 230's immunity expressly excludes ECPA claims. See 47 USC 230(e)(4). Thus, this case failed on the prima facie elements. The court says confidently (cites omitted):

The civil liability provision of the ECPA, however, does not provide for secondary liability, as liability attaches only to the party that actually intercepted a communication. As numerous courts have consistently held, a defendant does not “intercept” a communication merely by allowing or enabling, or even directing, another party to intercept communications.

2) The court's conclusion about consent is interesting:

plaintiffs were required to agree to the terms of the Activation Agreement in order to use Embarq’s Internet service; that Agreement incorporated the terms of the Privacy Policy, which informed subscribers that their de-identified data could be shared with third parties; that Agreement informed subscribers that the terms could be changed at any time through posting a new policy at Embarq’s website; and Embarq modified those terms in advance of the NebuAd test to add a paragraph regarding preference advertising, with an opt-out mechanism.

This summary, very much in line with the Mortensen case, shows an extreme judicial deference to Embarq's contract--both in terms of letting broad opaque language serve as user "consent" and letting Embarq unilaterally amend the contract to add new and different terms. We've seen other courts push back on both practices, so I wouldn't recommend Embarq's approach as an industry best practice. It seems especially odd that courts have been so deferential on consent issues given the inherent disagreeability of NebuAd's DPI practices.

3) Along with last week's Bose v. Interclick ruling, chalk this up as another plaintiff loss in a privacy case that most people probably thought was a slam dunk. So many of the pending privacy lawsuits are filed solely because defendants will pay to avoid the adjudication costs of defending their practices under poorly drafted statutes, not because there's any fundamental merit to the cases. We desperately need a complete rewrite of the CFAA and ECPA simply to put them in English so that everyone has a better sense of which cases are meritorious from the outset.

4) An interesting factoid: NebuAd paid less than $30k to Embarq for the trial period. Note to future IAPs who want to experiment with potentially privacy-invasive technologies: it isn't a good financial deal for you! Or, at minimum, get the vendor's insurer to stand behind the vendor's indemnity clause so that you won't spend many multiples of the associated revenue defending yourself when the vendor goes belly-up.

Posted by Venkat at 04:27 PM | Derivative Liability , Licensing/Contracts , Privacy/Security



August 09, 2011

Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga

[Post by Venkat Balasubramani with comments from Eric]

Swift v. Zynga, 2011 WL 3419499 (N.D. Cal.; August 4, 2011)

The US Supreme Court decided AT&T Mobility v. Concepcion earlier this year, and a question left open in that decision is how the Federal Arbitration Act's preemption of state laws which disfavor arbitration clauses would play out in the online context. Most people thought that this decision would allow internet companies to push consumer claims into arbitration through provisions in relevant terms of use agreements, and a recent ruling involving Zynga seems to confirm this.

Background: Swift alleged that she accepted "special offers" while playing Zynga's Facebook apps. She argued that the special offers were misleading, and sued Zynga as well as two of its advertising partners. The lawsuit was originally filed in late 2009 and amended in February 2010. Following the Supreme Court's decision in Concepcion, Zynga moved to compel arbitration and to stay the litigation in light of the Supreme Court's ruling.

Plaintiff received the allegedly misleading offers through Zynga's "YoVille" app, which during the relevant time period contained the following arbitration provision:

You agree that any suit . . . arising out of or relating to these Terms of Use or any of the transactions contemplated herein or related to the Service or any contests or services thereon . . . shall be resolved solely by binding arbitration before a sole arbitrator under the rules and regulations of the American Arbitration Association ("AAA"); provided, however that notwithstanding the parties' decision to resolve any and all disputes arising under these Terms of use through arbitration, Zynga may bring an action in any court of applicable jurisdiction to protect its intellectual property rights or to seek to obtain injunctive relief or other equitable [sic] from a court to enforce the provisions of these Terms of Use or to enforce the decision of the arbitrator. The arbitration will be held in San Francisco.

This agreement was silent as to whether the claims could be aggregated. The terms were presented to Swift when she first decided to start playing the game via a link under a button titled "allow access," which provided notice that the application would access Swift's Facebook profile information. Under the "allow access" button, the app presented the following text:

By proceeding, you are allowing YoVille to access your information and you are agreeing to the Facebook' terms of service in your use of YoVille. By using YoVille, you also agree to the YoVille Terms of Service.

In August 2009 Zynga implemented a "Universal TOS," which contained terms that were different from the YoVille Terms of Service. As relevant to the present dispute, these terms required arbitration on an individual basis, and excluded disputes relating to "theft, piracy, invasion of privacy" from their scope. [I'm not sure what Zynga's rationale is for excluding privacy-related claims from the arbitration clause, but this could end up being relevant to the growing number of privacy lawsuits against Zynga.]

Discussion:

Was there a binding agreement requiring arbitration? Swift argued that she did not assent to the YoVille terms because the terms were not presented in a leakproof manner--i.e., she could access the application without affirmatively representing that she agreed to the terms. Swift relied on Specht v. Netscape and Hines v. Overstock for the proposition that "submerged" terms cannot be enforced by an online merchant. The court disagreed and held that Specht and Hines were distinguishable. In both cases, the consumer would have to hunt around to find the terms, whereas in this case, the terms were presented right underneath the button which allowed Swift to access the application. The court pointed to the fact that Swift did not affirmatively put forth any evidence that she did not read or agree to the terms. The court also pointed to Register v. Verio, where the Second Circuit enforced the online terms and rejected Specht's implication that an "I agree" button was a prerequisite to enforcing online terms.

Did plaintiff's claims fall within the arbitration clause? Swift argued that since claims involving "theft" were excluded from the arbitration clause, her claims were not subject to arbitration. The court doesn't treat this argument very seriously, noting that the "complaint against Zynga cannot reasonably be construed as including a claim for 'theft,' and therefore the complaint is not expressly exempted from the arbitration clause."

Did Zynga waive the right to arbitrate its claims? Swift also argued that Zynga waived the right to arbitrate its claims, by never raising the issue of arbitration and litigating the case for over a year and a half before raising the issue of arbitration. She also pointed to a clause in the universal terms which said that if the bar on class arbitrations is found to be unenforceable, then the dispute will be litigated. She brought up a variety of arguments in support of this claim (e.g., Zynga acted inconsistently with its right to compel arbitration; she will be prejudiced) but the court rejects all of these arguments. Because Zynga could not have compelled arbitration pre-Concepcion, and since no court found the arbitration clause unenforceable--thus requiring the parties to proceed in court--nothing stops Zynga from seeking to compel arbitration based on Concepcion. In the court's view, because:

Zynga acted promptly following the change in the law by ceasing litigation activity and moving to compel . . . it acted consistently with its rights.

Are the Universal Terms unenforceable because they are unconscionable? Plaintiff raised an unconscionability argument but seems to have pursued it in a lackluster manner. The court notes that "Plaintiff presented no evidence that might support [its procedural unconscionability argument]."

How about the third parties? The non-Zynga defendants tried to latch on to Zynga's request to compel arbitration but they were not so lucky. They argued that the definition of "Zynga Parties" in the limitation of liability section of the terms was broad, and thus they should be able to invoke the arbitration clause. However, the arbitration clause did not mention "Zynga parties," and the court concludes that the two sections have to be read separately. They also argued that as "agents" they should be entitled to enforce the arbitration clause, but the court sides with the plaintiff on this issue, noting that although plaintiff initially labeled these defendants as "agents," after conducting some discovery she called them independent contractors. Finally, these defendants argued that they were third party beneficiaries. Citing to Balsam v. Tucows, the court rejects this argument as well.

The End Result: After concluding that Zynga is entitled to invoke the arbitration clause and the other defendants are not, the court nevertheless stays the lawsuit as to the non-Zynga defendants and orders the claims with respect to Zynga to be arbitrated. In response to the ruling, Swift decided to dismiss her claims against Zynga with prejudice so she could proceed against the non-Zynga defendants in court. This means Zynga is off the hook.
___

To come back to the initial question, as a result of Concepcion, a lot of online disputes--particularly class actions--are going to end up in arbitration instead of the courts. Even if a dispute has been pending for a while, a defendant who has the option available is going to push for arbitration. This makes me wonder whether online terms typically contain arbitration clauses which bar class claims or whether companies and their lawyers shied away from those terms in response to decisions which struck down arbitration clauses which barred class claims? Including a class action bar runs the risk of the entire agreement being invalidated, so you certainly can't fault a company for not including this provision in online terms. Going forward, I wonder if online terms will become even more one-sided--since companies have greater assurances that arbitration clauses will be enforced, will this cause them to load up agreements with more onerous terms?

The argument over whether there was a meeting of the minds as to the online terms was interesting, but Zynga's placement of the terms (in a location where plaintiff could not credibly claim she did not read them before she clicked "allow access") made the "I didn't read the terms of use" argument difficult to make. Nevertheless, I still like the idea of having a box that users check that says "by checking this box, I am saying that I have read and agree to the terms." There's a minor distinction between a user clicking "allow access" or installing the application and actually having to check a box saying he or she read and agreed to the terms. I like the insurance that the latter approach provides, but as this decision indicates, it's not essential. Also, from the decision, it seemed that Swift did not access the app from her mobile device, but if she did, I wondered how this would affect the court's analysis of whether she had imputed knowledge of and agreement to the terms.

Second, there is virtually no discussion in the order of how Zynga amended its terms to substitute the "Universal Terms" for the "YoVille Terms" which Swift initially agreed to. The court summarily notes that the initial terms contained provisions to the effect that Zynga "had the right to change the terms at any time" and "use after notice of [a] change in terms constitutes acceptance of the changes." The court surprisingly does not delve into the issue of what notice Zynga attempted to provide Swift (if any) or any of the other circumstances behind the revisions of the terms (or the substitution of the Universal Terms for the YoVille Terms). As mentioned in this post about Roling v. E-Trade Securities, it's pretty risky to include a provision in the agreement that says "we can amend this agreement any time and the revised version is effective after posting." In this day and age, particularly where there may be some ability to message the end user or post messages that the end user will have a tough time arguing they did not read or see, there is no reason to play with fire with respect to this issue. I don't know why companies continue to do it. (The agreement did say that it's effective after "posting" which is better than nothing.)

Given the Court's decision in Concepcion that laws which disfavor arbitration conflict with the Federal Arbitration Act, I wonder if the focus of disputes around the arbitrability of online terms will shift from substantive to procedural? Swift did not appear to make much of an argument as to procedural unconscionability, so it's unclear how much traction this type of argument will get in other cases. Cases poking holes in forum selection and arbitration clauses have focused on both. (See, e.g., Bragg v. Linden Research, Inc., 487 F. Supp. 2d 593 (E.D. Pa. 2007).) Concepcion just speaks to arbitration clauses so there's still some room for consumer plaintiffs to argue unconscionability if they are presented with an extreme set of terms (e.g., terms that are one-sided as to forum, costs, disclaimers). It will be interesting to see how courts resolve these arguments and whether consumer plaintiffs are able to use these as an end run around Concepcion. I think this is an important unresolved question at this point, and would caution against loading up online terms with overly one-sided provisions in response to Concepcion.

Zynga has to be happy about this ruling. As a result of invoking the arbitration clause, it got the plaintiff to dismiss her claims with prejudice against Zynga.

Previous related posts:
* Second Life Forum Selection Clause Upheld--Evans v. Linden
* Another Ruling Challenging "Check the Website for Amendments" Contract Provisions--Roling v. E*Trade
* Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
* Clickthrough Agreement With Acknowledgement Checkbox Enforced--Scherillo v. Dun & Bradstreet
* Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America
_____________

Eric's Comments

As this case illustrates, the Supreme Court's Concepcion decision could be a potential game-changer for online user agreements. Even so, I believe that today's best practices are:

1) A mandatory non-leaky clickthrough formation procedure.
2) Mandatory venue in vendor's home court with an arbitration option. See the discussion in Evans v. Linden.
3) No use of arbitration as a waiver of class action rights. Concepcion suggests that more aggressive arbitration clauses, including those that preclude consolidated arbitration, might work. This would be terrific news for vendors if true, but I'll believe it when I see more rulings than this one, especially given that this court basically punted on unconscionability. There are strong public policy norms working against an arbitration clause or other contract provision that prevents class formation.
4) Contract amendments take effect only when users are actually given notice of the amendment. See the Ninth Circuit's Douglas case for the minimum steps required. An opt-in is legally stronger but has a number of procedural problems.
5) Irrespective of the contract language, users are in fact given actual notice of any amendments.

Zynga may have cut corners on some of these fronts but got a favorable bounce in court. Kudos to them and their lawyers. Still, based on the precedents, I wouldn't anticipate the next defendant with identical facts will be so fortunate. Because of the low odds of a repeat victory, I don't recommend any changes to the best practices based on this opinion.

This opinion deals with contract formation for Facebook apps, and its reasoning could extend to Facebook Connect as well (which has a different UI, I believe). (I vaguely recall a prior case on contract formation via Facebook Connect before but now I can't remember it--any help?) The opinion provides some reason for optimism about contract formation procedures by the many apps/websites who rely on Facebook's existing user registrations instead of creating direct user account registrations. In this case, notice that the dialog box apparently treated an "allow" as "yes" to four different issues--if the user wanted to proceed, if the user wanted Facebook to transfer its info to YoVille, if the user agreed to the applicability of Facebook's TOS, and if the user agreed to the YoVille user agreement. That's a lot of work from one dialog box acting as an interstitial to the user's destination. This court gives the participating app effectively a free pass, saying:

Zynga persuasively counters that the dialogue box in question is Facebook’s standard dialogue box presented to users wishing to access any number of Facebook applications, and Zynga followed the norm for Facebook applications and was not attempting to hide its terms of service.

(An aside: I've always been troubled by Facebook Connect because participating websites put Facebook in total control of their user relationships. Should Facebook's winds shift capriciously, Facebook could easily lock out the participating website's entire registered userbase. After-the-fact antitrust claims won't resuscitate the dead businesses. Websites, listen carefully: if you put all of your registered user eggs in the Facebook Connect basket, you may get a jumpstart on your registered users but don't expect my sympathy if all the eggs break.)

An unfortunate collateral consequence of this ruling and the resulting Zynga dismissal: with Zynga out of the case, we may not get any further clarification to fix the troubling Swift v. Zynga ruling on 47 USC 230. AdKnowledge (which the opinion repeatedly spell-check corrected into "Acknowledge"--whoops) is still a defendant in this case, so perhaps they will push 47 USC 230 further. Otherwise, we'll just cross our fingers that the prior 230 ruling is an aberration that most other judges will smartly ignore or distinguish.

Posted by Venkat at 09:07 AM | E-Commerce , Licensing/Contracts



August 08, 2011

Google Gets Default Injunction Against AdWord Gamers--Google v. Jackman

By Eric Goldman

Google v. Jackman, 2011 WL 3267907 (N.D. Cal. July 28, 2011)

This is a default ruling, so the facts are based on Google's allegations. The defendants ran AdWords campaigns for online pharmacies that sold anabolic steroids. This broke Google's rules in two ways: first, Google didn't permit the advertising of anabolic steroids; and second, the advertised pharmacies weren't certified by Google's mandatory certification program (VIPPS, "the National Association of Boards of Pharmacy’s Verified Internet Pharmacy Practice Sites"). The defendants further evaded Google's crackdown efforts by misspelling terms and opening up new bogus accounts. Google eventually cleaned out the defendants' ads through its manual "sweeps."

Without the defendants around to defend themselves, Google easily won its case. The court upheld the venue selection clause in Google's TOS and held that the defendants' ads breached the TOS. As for remedies, Google dropped its claim for money damages, and the court grants the following injunction:

Defendants Gina Wyant, Gregory Gavin and Amanda Odell, and their agents, representatives, successors, assigns, and any persons in active concert or participation with them are immediately and permanently enjoined from advertising or attempting to advertise through Google’s AdWords advertising network, without regard to contact name, address, or email address and without regard to what URL or website is advertised.

From time to time, Google goes on the offensive against folks it thinks are trying to game it. You may recall Google v. Auction Experts International, 1-04-CV-030560 (Cal. Superior Ct. 2005) in which Google sued an alleged click fraudster and won a $75k default judgment; and United States v. Michael Anthony Bradley, CR 04 20108 (N.D. Cal. indicted June 23, 2004), a prosecution over alleged threats to help spammers defraud Google if the defendant didn't get $100k (that case ultimately fizzled out). Google's efforts to get tough against its spammers have typically struck me as publicity stunts. Default injunctions and dropped prosecutions don't do anything to scare the bad guys, but they are intended to persuade third parties that Google will fight for its site's integrity.

In this case, no doubt Google wanted to show the DOJ that it really hates illegal pharma ads enough to "bust" the bad guys. This enforcement effort may have some value in working out a deal to reduce its half-billion dollar exposure. As a result, we won't really know if Google won this case until we see the terms of its DOJ deal.

Posted by Eric at 03:50 PM | Licensing/Contracts , Marketing , Search Engines



August 04, 2011

Idea Submission Case Revived Against MySpace--Riggs v. MySpace

By Eric Goldman

Riggs v. MySpace, Inc., 2011 WL 3020543 (9th Cir. July 25, 2011)

Riggs created a popular MySpace page, only to have MySpace delete it twice. Not pleased by that turn of events, for years Riggs has been doggedly pursuing a lawsuit against MySpace pro se. Two years ago, the district court unceremoniously bounced her lawsuit relying, in part, on a novel reading of 47 USC 230(c)(1). The Ninth Circuit upheld the 230 ruling on appeal:

The district court properly dismissed Riggs’s negligence and gross negligence claims, arising from MySpace’s decisions to delete Riggs’s user profiles on its social networking website yet not delete other profiles Riggs alleged were created by celebrity imposters, because these claims were precluded by section 230(c)(1) of the Communications Decency Act. See Fair Hous. Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1170-71 (9th Cir. 2008) (en banc) (“[A]ny activity that can be boiled down to deciding whether to exclude material that third parties seek to post online is perforce immune under section 230.”).

Another Roommates.com citation for the defense. But, as I explain in my prior blog post, I think this should have been a 230(c)(2) dismissal, not a 230(c)(1) dismissal.

The court also rejected her claim for “promissory fraud breach of contract claim” (whatever that means) for lack of cognizable damages.

However, in an unexpected turn, the court revived her idea submission claim (an implied-in-fact contract breach) "because Riggs alleged in her First Amended Complaint at paragraph 120 that she told the News Corporation’s executive’s assistant that she wanted to “sell” her ideas before she disclosed them." That's a pretty weak allegation made to a person who may lack proper authority to promise anything, so the court seemed mighty generous to Riggs in reviving the case. Nevertheless, this is consistent with California's amorphous idea submission doctrines. They can be a nice end-run to survive motions to dismiss because, by definition, the parties are likely to dispute the facts in an implied-in-fact contract. Sadly, the Ninth Circuit recently expanded the idea submission doctrines in the Larry Montz case (mentioned here), so expect more weak idea submission claims to get further in litigation than they should.

Although the idea submission claim wasn't really a workaround to 47 USC 230, I think this case bears some parallels to Barnes v. Yahoo. In both cases, 47 USC 230 emphatically closed some doors to plaintiffs, but squishy state law doctrines opened other doors for the plaintiffs. It's a good reminder why 47 USC 230 works so well. Because it has so few exceptions, it ends cases cold. Fluffy doctrines like promissory estoppel and implied-in-fact contracts make it hard for judges to cleanly end cases early.

Eriq Gardner's story on the case.

Posted by Eric at 05:18 PM | Derivative Liability , Licensing/Contracts , Trade Secrets



July 03, 2011

Job Posting to LinkedIn Group Doesn't Violate Non-Solicitation Clause -- Enhanced Network Solutions v. Hypersonic Technologies

[Post by Venkat Balasubramani]

Enhanced Network Solutions Group v. Hypersonic Technologies Corp., 2011 WL 2582870 (Ind. Ct. App. June 30, 2011)

Enhanced developed software, and had a relationship with Hypersonic, which modified existing software. The two companies often jointly bid on projects together. They were parties to an agreement which contained the following non-solicitation clause:

Employee Protection. During the term of this Agreement and for a period of twelve (12) months from the date of effective date of its termination, unless mutually agreed to in writing otherwise the Parties . . . shall refrain from soliciting or inducing, or attempting to solicit or induce, any employee of the other Party in any manner that may reasonably be expected to bring about the termination of said employee toward that end . . . .

Some time after Enhanced and Hypersonic unsuccessfully bid on a project, Hypersonic posted an open position for an outside sales representative to "its LinkedIn webportal" (which the court describes as "a social internet site that connects businesses and people"). As the court describes it:

The LinkedIn job posting was available for viewing by the people who belonged to a certain public group within LinkedIn.

An Enhanced employee saw the posting and informed the President of Hypersonic that he was interested. After this, the employee met with Hypersonic's owner and hammered out a deal. Hypersonic then filed a complaint for declaratory relief regarding the enforceability of the agreement between Hypersonic and Enhanced. (There must have been some sabre-rattling obviously that prompted the filing of the complaint by Hypersonic.) The trial court concludes that Hypersonic did not violate the non-solicitation clause by posting the opening on LinkedIn. The appeals court affirms.

The court looks to the dictionary definitions of the relevant terms ("solicit" and "induce") and concludes that Hypersonic did not solicit or induce the Enhanced employee to terminate his relationship with Enhanced:

[t]he record clearly supports that [the employee] made the initial contact with Hypersonic after reading the job posting on a publicly available portal of LinkedIn. In other words, [the employee] solicited Hypersonic.

The court notes that the agreement precludes Hypersonic from soliciting applications, but nothing prevents Hypersonic from talking to Enhanced employees if they reach out to Hypersonic. The court concluded that this is what occurred here. In a footnote, the court also notes that the agreement could have been drafted more broadly to prevent Hypersonic from considering applications regardless of who initially solicited the contact.

__

This case raises the interesting question of when an online communication is one-to-one communication as opposed to a posting that is directed to the world at large. It reminds me of the lawyer ethics question of whether a keyword targeted advertisement (in response to a catastrophic occurrence) can be a "solicitation" to a prospective client. (See Eric Turkewitz's post which discusses this issue in the context of New York's anti-solicitation rule: "New York’s Anti-Solicitation Rule Allows For Ethics Laundering and Must Be Modified.") Posts to social networking sites can fall into either category, but with increasing personalization, it's become more difficult to slot them in the appropriate box.

The court doesn't dig deep into the issue of whether the post was made in a way that it would be restricted to a small group or whether the sender would know in advance who the post was initially sent to. The court states that the post was made to a "publicly available portal of LinkedIn," but also mentions that the post was for viewing by people "who belonged to a certain public group." My understanding is that LinkedIn group owners have to approve membership in the group. If the court determined that Hypersonic approved membership in the group, and knew in advance that Enhanced employees were a part of this group, I wonder if this would have changed the court's thinking. The court also doesn't discuss whether the post was made in a manner that Hypersonic would have "reasonably . . . expected" to bring about the termination of the employee's relationship with Enhanced.

I'm sure we will see many more courts address this type of a non-solicitation question over time. As far as I know, this is the first ruling that deals with this question. A previous case addressing the question of whether recruiters violated their non-compete clause by "connecting" (on LinkedIn) with candidates who were in discussions with their previous employer settled quietly. Here's Evan Brown's initial post on the case: "Nefarious LinkedIn use finally makes it to the courts." Here is a copy of the stipulated permanent injunction, which imposes broad restrictions on the defendants' solicitation of certain customers, but interestingly does not mention LinkedIn.

UPDATE: Ken Adams' thoughts on the case.

Posted by Venkat at 02:44 PM | Licensing/Contracts , Marketing



June 29, 2011

Court Dismisses Misappropriation Claims Against Facebook Over Its Friend Finder Service -- Cohen v. Facebook

[Post by Venkat Balasubramani]

Cohen v. Facebook, C 10-5282 RS (N.D. Cal. June 28, 2011)

There are a slew of publicity rights lawsuits pending against Facebook. This one alleged that Facebook misappropriated the names and likenesses of Facebook users by suggesting to Facebook users that their friends had utilized the "Friend Finder" service. (Ironically, Facebook's friend finder service looks similar to the service Power.com offered and which Facebook is trying to shut down.) Plaintiff brought a putative class action, alleging state law misappropriation, Lanham Act, and unfair competition claims.

Facebook's user agreement: Facebook argued that the consent contained in Facebook's terms of use barred plaintiff's claims. Facebook argued that its terms contained a broad license that was limited only by privacy settings for particular types of content:

For content that is covered by intellectual property rights, like photos and videos ('IP content'), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free license to use any IP content that you post on or in connection with Facebook ("IP License").

According to Facebook, an end user's name and profile picture have no privacy settings and therefore there were no limitations on the clause quoted above (i.e., no limitations on Facebook's right to use end user photos and user names). Judge Seeborg disagreed, noting that:

a more natural reading of the provision is that it gives Facebook a worldwide license to reproduce any pictures or text posted by a user, subject to any privacy settings, that would insulate it from any copyright claims by the user, whether or not the reproduction was made on 'Facebook'.

Facebook also argued that its users had no expectation of privacy in their name or profile picture, but the court notes that this does not bar a user claim for publicity rights. It's one thing to disclose a person's name and it's another to use it for endorsement purposes. Although the discussion is slightly confusing, the court's conclusion was that it's not totally clear that Facebook's terms freely allow Facebook to exploit a user's publicity or personality rights in this manner. The court also noted that there was nothing in the terms which ostensibly allowed Facebook to disclose to other users what services a particular user utilized. [Ouch! I think the conclusion is debatable, and despite Facebook's clunky user agreements, the quoted language is broad. To be on the safe side, if I were Facebook, I would expressly reference publicity and personality rights.]

Plaintiff did not sufficiently allege injury: In order to make out a claim for misappropriation of publicity rights, the plaintiff has to allege injury. Although plaintiff included a conclusory allegation in the complaint that she "suffered injury-in-fact," plaintiff did not allege any harm whatsoever. Injury to feelings is sufficient to assert a publicity rights claim, but plaintiff failed to allege this. Plaintiff argued that she was entitled to statutory damages even absent a showing of harm, but the court disagreed. Under the case law, a plaintiff who suffers no economic loss but suffers emotional harm may be entitled to the minimum damages amount, but plaintiff failed to allege that she suffered any "mental anguish" as a result of Facebook's alleged misappropriation.

Plaintiff's lack of commercial interest in her name undermines Lanham Claim: With respect to the Lanham Act claim, the court held that plaintiff had to allege some "commercial interest" in his or her name in order to assert a Lanham Act Claim. While the plaintiff need not be in "actual competition" with Facebook, the plaintiff had to have some "economic interest" in her name "akin to that of a trademark holder." Plaintiff argued that she had a commercial interest (at least within the group of her Facebook friends) but the court rejects this argument.

Unfair competition: Plaintiff's unfair competition claims were derivative of her publicity rights claims and therefore were dismissed. The court also adds that apart from the injury issue, plaintiff is not likely to be able to show that she has lost "money or other property." The remedies available via a section 17200 action have been sharply limited in recent years, and if a plaintiff cannot show that Facebook wrongly took money or property belonging to plaintiff, he or she will be out of luck. The fact that Facebook offers a free service to end users makes section 17200 claims useless for anything other than prospective injunctive relief. (One or two cases have recognized that personal information can constitute "property," but the court does not discuss that possibility here. See "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff".)
___

I'd characterize this as a partial win for both sides. Judge Seeborg's view that the Facebook end user agreement did not bar the misappropriation claims has to make Facebook nervous. On the other hand, if plaintiffs are going to have to show that they suffered "mental anguish" as a result of Facebook's use of their names and profile photos and they have an economic interest in their names, these present obvious barriers. [I can just imagine Facebook's investigators trolling the internet for examples of use by plaintiffs of their own photos and names on other sites or on Facebook, to show that plaintiffs did not really exert any control over use of their names and photos by third party websites.]

Facebook may also have an opportunity to argue that the claims are not amenable to resolution on a class-wide basis, given that individual facts may affect the determination of whether a particular user suffered "mental anguish" as a result of Facebook's use of plaintiffs' photos and user names.

Of course, the reality is that this is a cobbled together class action based on allegations of harm that are tenuous at best. The result may be different if plaintiff alleged that Facebook used plaintiff's name and likeness to advertise third party products or services or even promote something outside the Facebook ecosystem, but telling someone's Facebook friends that they used the "friend finder" services sounds like a weak publicity rights claim at best.

Plaintiff may be able to amend and get past another motion to dismiss, but this lawsuit will probably be shuttled to the dustbin of internet privacy lawsuits in short order.

Posted by Venkat at 03:14 PM | Licensing/Contracts , Marketing , Publicity/Privacy Rights



June 15, 2011

Righthaven Benchslapped in Ruling Saying It Lacks Standing--Righthaven v. Democratic Underground

By Eric Goldman

Righthaven LLC v. Democratic Underground, LLC, 2:10-cv-01356-RLH-GWF (D. Nev. June 14, 2011)

This is another stinging defeat for Righthaven. The judge emphatically rejects Righthaven's substantive arguments about its copyright assignment from Stephens Media and harshly criticizes Righthaven's procedural conduct.

Regarding the assignment, the court focuses on the contract's effect: it was designed to give Righthaven only the right to sue and get the resulting cash, but Stephens Media retained all other control over the copyrighted asset. Thus, Stephens Media never assigned any portion of a Section 106 copyright right.

The opinion indicates that Stephens Media and Righthaven could fix this by giving Righthaven more control over the asset. I believe the contract amendment tried to do that, but it may not have gone far enough. Judge Hunt intimates as much, saying he "expresses doubt that these seemingly cosmetic adjustments change the nature and practical effect of the SAA." I remain skeptical that Stephens Media wants to give up enough control to Righthaven to satisfy the standing requirements.

The judge then indicates that Righthaven can't fix the existing contract defect for the existing litigation because standing is measured when the complaint is filed. This could lead to dismissal of all pending Review-Journal litigation and, depending on the exact wording of the MediaNews contract, possibly the Denver Post litigation as well.

If Righthaven can't get this opinion reversed on appeal and other judges defer to this opinion on the standing question (which I think is likely), Righthaven may be back at square one with its entire business. Thus, I assume Righthaven will appeal this decision. However, this is a pretty well-constructed opinion, so Righthaven will have an uphill battle overturning it on appeal. I wonder if the other pending cases will go on hold until an appeal is resolved.

Democratic Underground's declaratory judgment suit of non-infringement also survives dismissal. In doing so, the judge cites an unnecessarily inflammatory editorial posted by former Las Vegas Review-Journal publisher Sherman Frederick, who threatened to introduce his “little friend called Righthaven” to people who republished Las Vegas Review-Journal content. This quote invokes a famous line from the climactic scene in the film Scarface, where Al Pacino's "little friend" was an M-16A1 machine gun with a grenade launcher. I have always been baffled by the implicit symbolism of Frederick's analogy. Did he really mean to analogize Righthaven to a murderous weapon used by a drug lord to mow down his rivals in an ultimately futile last stand?

In addition to the adverse substantive ruling, the judge criticized Righthaven unusually harshly in this opinion. The "high"lights:

* the judge rejects Righthaven's basic substantive argument as "flagrantly false—to the point that the claim is disingenuous, if not outright deceitful."
* the judge emphatically rejects Righthaven's attempt to argue that other judges had already upheld the copyright assignment, saying that "at best, this argument is disingenuous." Righthaven took the very aggressive position of citing one of the judge's earlier rulings back to him--and he seemed pretty angry that Righthaven sandbagged him in the prior ruling and then tried to estop him.
* the judge summarizes the overall ruling by saying "the Court believes that Righthaven has made multiple inaccurate and likely dishonest statements to the Court."
* the judge then goes on to lambaste Righthaven for not identifying Stephens Media as an interested party in the lawsuit, calling that omission "brazen" and "egregious."

The judge requires Righthaven to explain why the judge should not order sanctions. Given the tenor of this opinion, it seems like a sanctions order is inevitable. The opinion also hints that Democratic Underground may get its attorneys' fees. All told, this case is probably going to cost Righthaven dearly. And after a ruling like this, Righthaven's entire enterprise is on the ropes.

Other coverage from EFF (rightly touting its success) and Steve Green/Las Vegas Sun. In a rare move, the Las Vegas Review-Journal covered its own story, and it quotes some reactions from Righthaven. You can read it at http://www.lvrj.com/news/federal-judge-rules-las-vegas-firm-can-t-sue-over-copyright-infringement-123882024.html -- but do you even want to give them an extra page impression?

My prior blog posts on Righthaven:
* Another Defense-Favorable Righthaven Ruling--Righthaven v. Choudhry
* Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO
* Blogger Wins Fair Use Defense...On a Motion to Dismiss!--Righthaven v. Realty One

Posted by Eric at 06:28 AM | Copyright , Licensing/Contracts



June 05, 2011

Forum Selection Clause in "Submerged" Terms of Service Presumptively Unenforceable -- Hoffman v. Supplements Togo

[Post by Venkat Balasubramani]

Hoffman v. Supplements Togo Mgmt. LLC, A-5022-09T3 (N.J. Ct. App.; May 13, 2011)

Plaintiff who happened to be a lawyer brought putative class claims against Supplements Togo, alleging that the "Erection MD" "dietary supplement" sold via defendants' website was not as performance enhancing as promised. The trial court dismissed the lawsuit, among other things, on the basis of a forum selection clause contained in the website's online terms. The appeals court reverses, finding that the forum selection clause was buried on the website and thus not presumptively enforceable.

Background: The background facts are somewhat interesting, but do not turn out to be particularly relevant to the court's analysis. As the court notes, the plaintiff has brought other lawsuits against online retailers asserting consumer protection violations. Defendants are a group of related companies which were started in the early 1980s by a weightlifting enthusiast. (The precise nature of the entities is unclear, but the court presumes a relationship between the various entities.) Defendants sold "Erection MD" in a bottle form for $59.99 per bottle. Their website said that Erection MD consisted of a proprietary blend, and promised numerous benefits from taking this product. The website also contained a disclaimer which stated that the information on the website "reflects the opinion of . . . staff and should not be interpreted as medical advice."

Plaintiff ordered one of these bottles, did not allege that he tried them out, but brought suit, arguing that defendants' representations regarding the product violated New Jersey's consumer protection laws. He argued that defendants were required under this law to substantiate claims regarding the "safety, performance, availability, efficiency, quality or price" of any advertised merchandise, and that defendants' failure to have any such substantiation renders their marketing practices a per se violation of the statute.

The trial court found that plaintiff:

made a conscious decision to order the product thereby manifesting both an agreement to purchase the product at the price offered and an acceptance of all relevant terms including that all litigation would be in Nevada.

The trial court also found that plaintiff failed to adequately allege damages--i.e., plaintiff did not allege that he used the product or that he asked for his money back. The trial court relied in part on the fact that plaintiff was "an experienced attorney" and "a repeat litigator in the field of Consumer Act Fraud Claims."

Discussion: The court ultimately reverses on the forum selection issue and its opinion contains a fairly useful summary of the basic principles at play:

as . . . internet transactions have become more prevalent, so too have legal disputes proliferated over the contractual rights created in cyberspace between buyers and sellers. The present case exemplifies such a modern-day dispute, raising the question of whether the presentation of the forum selection clause on defendants' website suffices, as a matter of law, to bind internet purchasers of defendants' merchandise. To resolve that issue in this contemporary setting, we consult basic and long-standing principles of law and jurisdiction.

The court notes that in order to be bound by a forum selection clause (or any other online contractual term) "there must have been a meeting of minds of the parties." Forum selection clauses are enforceable when they are presented "in a fair and forthright fashion." Where the online consumer must view the contractual term in order to complete the transaction, the term will be valid and enforceable. There is no particular placement necessary for a forum selection clause--the only requirement is that the party against whom the clause is sought to be enforced must have "reasonable notice." The court contrasted the clause in Caspi v. Microsoft, where the consumer had to click "I Agree" in order to complete the transaction, with Specht v. Netscape. In Specht, the online agreement contained an arbitration clause, but the clause "was located well below an icon inviting subscribers to download" the program. The Second Circuit found that the arbitration clause at issue in Specht was unenforceable because the plaintiffs were not provided "reasonable notice." The court in this case also distinguishes between "clickwrap" agreements (where users manifest assent by clicking "I Agree") and "browsewrap" agreements, where the users ostensibly agree with online terms merely by browsing. The agreement in this case can be characterized as a browsewrap.

Here, the available evidence showed that consumers could complete the transaction without viewing the forum selection clause. In fact, the court found that:

the forum selection clause was unreasonably masked from the view of prospective purchasers because of its circuitous mode of presentation.

The court does not credit defendants' argument that plaintiff should have reasonably looked into the applicable terms, and also does not take into account plaintiff's sophistication or experience in determining that the forum selection clause was unreasonably buried. On the other hand, the court also rejects plaintiff's argument that in order to be enforceable, the website had to have some affirmative manifestation of assent (other than completing the transaction). In the end the court states that the forum selection clause is "presumptively unenforceable," but also that defendants can overcome this presumption if they can show that plaintiff actually read and agreed to the terms.

___

The dust has long settled--online agreements are ordinarily enforceable. This case is a useful reminder that traditional contract principles still apply, and as a website, you should do everything you can to preempt the "I did not read the terms and could not agree to them" argument. In particular, as a merchant, there is no real excuse for not doing this. Consumers have to take certain steps to complete the transaction, and a simple check the box at the penultimate stage that says "I have read and agreed to the terms" should do the trick. This was the result in Feldman v. Google, where Google had a "leak proof" end user agreement ("Google AdWords Contract Upheld (Again)"):

At the bottom of the webpage, viewable without scrolling down, was a box and the words, “Yes, I agree to the above terms and conditions.” The advertiser had to have clicked on this box in order to proceed to the next step. If the advertiser did not click on “Yes, I agree ...” and instead tried to click the “Continue” button at the bottom of the webpage, the advertiser would have been returned to the same page and could not advance to the next step. If the advertiser did not agree to the AdWords contract, he could not activate his account, place any ads, or incur any charges. Plaintiff had an account activated. He placed ads and charges were incurred.

This was also the result in Scherillo v. Dun & Bradstreet, where the court rejected the plaintiff's far-fetched argument as to why the agreement in that case was not "leak proof," even though there was a box which plaintiff had to check in order to complete the registration. ("Clickthrough Agreement With Acknowledgement Checkbox Enforced.")

There's some question as to whether particular clauses need to be highlighted, and the court's opinion here is not crystal clear as to whether forum selection clauses are more closely scrutinized in their presentation. (I think the answer is no, but there was some ambivalence in the court's opinion.) At the end of the day, the key is to make sure that no clause is buried. If the agreement was presented in a leak proof fashion in this case, I'm not sure it would have mattered either way. The plaintiff's argument would have received the same chilly reception as it did in Feldman. The argument that "although I'm a lawyer I didn't actually read the agreement" does not tend to resonate.

Posted by Venkat at 11:15 AM | Licensing/Contracts



June 04, 2011

NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One

[Post by Venkat Balasubramani]

The alleged monitoring and use of ISP subscribers' internet activity for advertisement targeting purposes by NebuAd spawned a slew of class actions. NebuAd shut down, leaving plaintiffs to go after the individual ISPs who partnered with NebuAd. ("Turning Out The Lights: NebuAd.") Plaintiffs have not had much luck with their claims against the ISPs.

In Mortensen v. Bresnan, the court dismissed the ECPA and state law privacy claims but left the Computer Fraud and Abuse Act claims intact. ("Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues.") As an update to that case, the court ruled that the claims were not subject to arbitration, but the defendant-ISP moved for reconsideration of this ruling in light of AT&T Mobility LLC v. Concepcion, the recent Supreme Court case where the Court held that the Federal Arbitration Act preempts state law unconscionability arguments which are applied disproportionately to invalidate arbitration agreements. You can access the motion for reconsideration here.

Deering v. Centurytel, Inc.: In Deering, the court came to the same conclusion as it did in Bresnan, dismissing the privacy and ECPA claims on the basis of the end user agreement. The court notes that as in Bresnan, the ISP here:

also provided notice of the NebuAd agreement. Specifically, an email to its subscribers was sent informing them that the Privacy Policy had been updated and providing a link to the updated Privacy Policy. Under the heading, "Online Advertising and Third Party Ad Servers," CenturyTel customers were notified that "CenturyTel partners with a third party to deliver or facilitate delivery of advertisements to our users while they are surfing the web. This delivery of advertisements may be facilitated by the serving of ad tags outside the publisher's existing HTML code. These advertisements will be based on those users [sic] anonymous surfing behavior while they are online." . . . CenturyTel customers were further notified of their right to opt out of receiving targeted advertisements by clicking on an imbedded link. The "Online Advertising and Third Party Ad Servers" section also contained a link to NebuAd's website.

I'm a little stumped by the court's reliance on the language in the privacy policy. The court cites to CenturyTel's privacy policy which at the time said that:

personal information collected [by CenturyTel] may include, without limitation, name, address, telephone number, personal computer specifications, e-mail address, user IDs and passwords, billing and transaction information, credit card information, and contact preferences.

It looks like this describes information collected by CenturyTel, as well as information provided to CenturyTel by its users. But it still doesn't come out and say that CenturyTel or a third party track the contents of users' communications. As described by the court, the policy also had standard "cookies and web beacons" language which made clear that CenturyTel used cookies and web beacons to target. This would put users on notice that their clickstream would be used for targeting purposes, but would not alert them to the fact that their traffic is being routed through a third party server or that the contents of their web surfing activity would be exposed to a third party (which is what NebuAd is accused of doing).

CenturyTel sent an email to its users alerting them of an update to CenturyTel's privacy policy, but the email only said that "advertisements will be based on . . . [the] anonymous surfing behavior" of end users. The court does not cite to the NebuAd agreement, but nothing in the CenturyTel disclosures looks like it clearly states that the contents of users' communications would be viewable and accessible by a third party. The use of "anonymous surfing" language if anything would tend to minimize the effect of any disclosures in the NebuAd agreement or would create a conflict between the two. How exactly NebuAd was monitoring and targeting is not clear, but the disclosure could have certainly been much clearer, and the court doesn't delve into the details here.

More than anything, this ruling seems to reflect the court's antipathy towards privacy class actions or the motivations behind them. The subtext of the ruling is that there is no "there" there. The notice provided by the ISPs and NebuAd may not have been perfect, but the court had to be influenced by the fact that the plaintiffs were told about some monitoring and given the ability to opt-out. No one took advantage of this or alleged that they followed up.

The court also has harsh words for plaintiff's counsel, finding that it is "telling, and somewhat troubling" that the plaintiff did not mention the Bresnan case, "even though the same lawyers appear to have filed very similar complaints in these cases."

Green v. Cable One: In addition to Bresnan and CenturyTel there's another NebuAd case where plaintiff's claim went sideways (this happened in late February and I missed it at the time). In Green v. Cable One, plaintiff brought claims against Cable One based on alleged monitoring by NebuAd. According to a post at Wildman Harrold, here's what happened next:

Plaintiff filed a motion for class certification in August 2010. Cable One served a demand to copy and inspect plaintiff’s computer. The plaintiff then voluntarily dismissed with prejudice three of the four claims that depended upon allegations of harm/damage, leaving only the claim for violations of the ECPA remaining. (Dkt 43, October 2010). On November 9, 2010, the named plaintiff Green was deposed. During that deposition, he testified that he only accessed his Cable One account from one computer/IP address located in Alabama. Cable One’s records revealed that the Internet subscription had been canceled for that home address on November 19, 2007, one day before the NebuAd ad serving technology went into use by Cable One.

Cable One filed a motion to dismiss for lack of standing. In response, plaintiff filed a "non-opposition" with a curious explanation:

Plaintiff conferred with Defendants in effort to reach a stipulation on the Motion to Dismiss in an effort to minimize the use of judicial resources. Defendants requested the Plaintiffs file a Notice of Non-Opposition instead. Therefore, Plaintiff submits this Notice of Non-Opposition to Defendant's Motion to Dismiss.

Say what? The fact that the named plaintiff dismissed a chunk of the claims in response to a request to inspect plaintiff's computer is telling. The fact that plaintiff agreed to dismiss the claims in their entirety when Cable One argued that plaintiff cancelled his Cable One subscription the day before NebuAd filtering was implemented just demonstrates that (assuming what Cable One says is true), there was no way that plaintiff could have suffered any harm as a result of the alleged filtering. This points in the direction that courts' skepticism towards these lawsuits may be entirely warranted.

Posted by Venkat at 01:10 PM | Licensing/Contracts , Privacy/Security



June 01, 2011

Updates on DoctoredReviews.com and Medical Justice

By Eric Goldman

You may recall our April launch of DoctoredReviews.com, a website explaining why Medical Justice's form agreement, the "Mutual Agreement to Maintain Privacy," was a bad deal for doctors, patients and review websites. See a list of the media coverage on the site's launch.

Since then, there have been three developments of interest.

First, Timothy B. Lee at Ars Technica covered his experiences with a dentist who asked him to sign the Mutual Agreement to Maintain Privacy and what happened when he balked at signing (predictably, there was no negotiation, and he was booted from the office). The entire article is a great read, but this line especially caught my eye: "we began to wonder if Medical Justice was taking advantage of medical professionals' lack of sophistication about the law." Watching the doctor community's response to our site launch, I had been wondering the same thing. Doctors and other healthcare professionals are very scared of the combination of privacy laws and unfettered consumer reviews; and Medical Justice has a several-year head start in (mis?)educating them about the law. It's clear that our advocacy site alone isn't enough to do the necessary counter-education.

Timothy also hammers on how Medical Justice has been backpedaling about the efficacy of the Mutual Agreement to Maintain Privacy. Medical Justice publicly claims that the agreement is principally useful for dealing with reviews from the doctors' competitors or ex-employees or other fraudsters. This is a baffling argument because (as Timothy points out) those folks undoubtedly haven't signed the Mutual Agreement to Maintain Privacy, so doctors can neither assert a breach of the agreement nor the assigned copyrights in those reviews. (And asserting copyright to the review websites could lead to 512(f) claims). There is a massive logic disconnect between the purported goals of the Mutual Agreement to Maintain Privacy and the legal effect of the contracts. For an outfit that was clever enough to develop a way to hack 47 USC 230 through a copyright workaround, the response that the agreement should be used only against people who haven't signed it is so oddly sophomoric that it makes me wonder about the sincerity of the proffered explanation.

Timothy followed up his initial story with a postscript. In it, the dentist who claimed he'd never enforced the Mutual Agreement to Maintain Privacy backpedaled and admitted that he had, in fact, helped drive a negative review off the Internet. On the plus side, the dentist publicly acknowledged that the Mutual Agreement to Maintain Privacy wasn't a good deal for him, and he said he wouldn't renew with Medical Justice. Hey doctors and other healthcare professionals, I hope you took note.

Second, John Swapceinski of RateMDs made a post entitled "Medical Justice planting glowing reviews on RateMDs.com." Apparently, John saw some early activity from a new Medical Justice offering called the "Review Builder Program" that Medical Justice claims will help patients leave reviews from doctors' offices. Timothy at Ars Technica has plenty of sharp words about the program and the possibility of Medical Justice duplicity.

Third, we are working on Phase 2 of the DoctoredReviews project, during which we identified another doctrinal oddity: doctors, based on their purported copyright ownership, can obtain and send 512(h) expedited subpoena requests in an effort to unmask the review author--in a process that is outside of public view and without any substantive judicial oversight. Obviously, review websites can (and should) push back on these subpoenas, but I have some reason to believe that the Mutual Agreement to Maintain Privacy's purported copyright assignment is producing unmaskings that would not occur if supervised in a court of law. I'm adding this attack on privacy to the taxonomy of abusive takedown practices I'm developing.

Posted by Eric at 02:18 PM | Content Regulation , Copyright , Derivative Liability , Licensing/Contracts , Privacy/Security



May 26, 2011

Online Insurance Application Constitutes “Writing” for Purposes of Waiving Insurance Coverage for Medical Benefits--Barwick v. GEICO

By John Ottaviani

Barwick v. Government Employee Insurance Co., Inc., 2011 Ark. 128 (March 31, 2011) [link]

Although 47 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted the Uniform Electronic Transactions Act (UETA), we have had very few cases discussing or interpreting UETA. Here, we have a case where the court is asked whether a waiver in an online insurance application is a “writing” for purposes of a state insurance law that requires coverage waivers to be in writing.

The facts are fairly simple. In 2009, a woman (who subsequently married the plaintiff) purchased automobile insurance coverage online at GEICO’s website. In the online application, the woman rejected coverage for medical benefits as permitted under Arkansas law. The online form bore the woman’s electronic signature. In a discovery deposition, the woman also acknowledged that she completed the form on the website, that she did not select the coverage for medical benefits, and that she signed the application electronically.

The lower state court granted summary judgment to GEICO and dismissed the husband’s claim for medical benefits. On appeal, the husband argued that the electronic application containing his wife’s electronic signature did not meet the requirement that a rejection of coverage be “in writing” under the terms of Arkansas Code Annotated Section 23-89-203 (Repl. 2004). The husband argued that because a general statute does not apply when a specific one governs the subject matter, the insurance statute requirement that the waiver of coverage be “in writing”, takes precedence over the more general provisions in the UETA. He also argued that pressing a computer button did not constitute a “writing” for purposes of waiving coverage.

The Arkansas Supreme Court reviewed the history of UETA and noted that Arkansas had adopted UETA in 2001 to facilitate electronic transactions. The court found that the online application was an “electronic record” under UETA. The Court also found that there was no conflict between the insurance statute and UETA, and that the two provisions can be read “harmoniously” to mean that an electronic record can fulfill the requirement of written rejection for coverage. As a result, the Arkansas Supreme Court affirmed the lower court’s grant of summary judgment to GEICO.

A few thoughts:

• The court’s analysis is straightforward and correct. One would think that the legal issue is obvious, but there have been very few cases interpreting UETA to date (perhaps because the statute is so simple?). UETA was drafted so that the state legislators did not have to amend the numerous statutory requirements for “writings” in each statute. Instead, UETA provides a global approach that a record or signature may not be denied legal effect or enforceability solely because it is in electronic form, and a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation. But it’s nice to now have a case to point to when a client questions the validity of online agreements.

• GEICO also argued that the plaintiff should be estopped from questioning the validity of the electronic waiver of coverage, because he is also seeking to benefit from the insurance policy obtained through the online application. Because the court dismissed the appeal on the UETA grounds, it did not need to address the estoppel argument.

• There do not seem to be any evidence issues in this case. The woman in question did not deny that she completed the online application and affixed an electronic signature. She also gave deposition testimony that she completed the form on the website, that she did not select coverage for medical benefits, and that she signed the application electronically. Query whether or not the court would have denied summary judgment if any of these facts had been in dispute.

• Unlike the court in Colorado last year, the Arkansas Supreme Court correctly determined that UETA, and not the federal Electronic Signatures in Global and National Commerce Act (commonly known as “E-Sign”), applies to this case. E-Sign has a peculiar “reverse preemption”. E-Sign governs in the absence of a state law or in states that made modifications to UETA that are inconsistent with E-Sign. In effect, Congress forces a state to adopt UETA in a uniform manner, by providing that the state version of UETA controls over E-Sign if UETA is adopted without modification. Here, Arkansas appears to have adopted UETA without any significant modifications, so UETA’s provisions should govern questions of contract formation and enforceability in Arkansas.

See also this brief post on a Federal Circuit UETA case.

Posted by John Ottaviani at 07:00 PM | E-Commerce , Licensing/Contracts | TrackBack



May 25, 2011

Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan

[Post by Venkat Balasubramani]

Eysoldt v. GoDaddy, et al., C-100528 (Ohio Ct. App.; May 18, 2011)

Actions against registrars for allowing domain names to be wrongly transferred have been relatively rare. Members of the Eysoldt family brought claims against GoDaddy alleging these types of claims. A jury ruled in their favor and the Ohio Court of Appeals declined to set aside the verdict.

Jeff Eysoldt registered Eysoldt.com through GoDaddy. He used this account for personal purposes--he stored photos and used it for email, and he allowed other family members to do so. He also registered and managed a domain name for his sister's business through this account. Separately, he entered into a business arrangement with ProScan, and the parties sought to build out a website which would promote cosmetic surgery centers. As part of this project with ProScan, he registered Myrejuvenate.com and placed this domain name in the same GoDaddy account as his personal domain name and his sister's domain name.

The relationship between Eysoldt and ProScan soured, and ProScan sought control of the domain name and the website. One of the ProScan executives called GoDaddy directly. GoDaddy's customer service representative saw that the domain name was registered under Eysoldt's name but "verified" the account information with the ProScan executive by confirming the method of payment and account number used to pay.

GoDaddy gave ProScan control over the Myrejuvenate.com domain name. Unfortunately, it also gave ProScan control over the other domain names and associated email accounts in Eysoldt's GoDaddy account. Eysoldt contacted GoDaddy to fix the problem, but he was told he had to fill out a verification form and fax this along with his driver's license. He did this, but GoDaddy responded to him that his face was not legible in the copy of the driver's license. The ProScan executive also contacted GoDaddy and asked that the domain names other than Myrejuvenate.com be transferred back to Eysoldt, but this too was unsuccessful.

Ultimately, Eysoldt sued GoDaddy. He sued ProScan as well but settled with them. The jury ruled in favor of Eysoldt and awarded him $50,000 ($20,000 for invasion of privacy and $30,000 for conversion). Two other Eysoldt family members were awarded $10,000 each ($7,000 for invasion of privacy and $3,000 for conversion). (Here is a link to the verdict form.)

GoDaddy made several technical arguments on appeal and the court rejects them all.

Economic Loss doctrine: GoDaddy argued that Eysoldt's claims were barred by the economic loss rule, but the court says that this rule only applies to negligence claims and not to intentional torts.

Conversion: GoDaddy argued that a domain name cannot form the basis for a conversion action because it is intangible property. The court says (citing to CRS Recovery, Inc. v. Claxton) that times have changed. A domain name is readily identifiable and can be converted. GoDaddy also argued that the family members could not assert conversion claims because they testified that they lacked any ownership interest in the accounts. On this point, the court ruled that there was sufficient evidence from which a jury could conclude that GoDaddy converted the "conditional email and private communications [of the family members] that were contained in the GoDaddy account."

Invasion of Privacy: Finally, GoDaddy argued that there was insufficient evidence to support an invasion of privacy claim because there was no evidence that GoDaddy accessed the email accounts. The court rejects this argument also, noting that Eysoldt testified that someone had accessed the emails. According to the court, the harm flowed from the disclosure and not the misuse of the emails. In any event, the court cites to the fact that GoDaddy took control of personal emails, websites, and communications and just handed them over to a third party.

---

GoDaddy had a pretty tough argument here given the facts. To treat a domain name as anything other than valuable third party property would be a mistake by registrars. There was some confusion early on as to whether domain names are contract rights (which do not support conversion claims) instead of property, but courts have long moved on from this question. (See Kremen v. Cohen, CRS v. Claxton, Office Depot v. Zuccarini, Bosh v. Zavala, etc.) I'm surprised GoDaddy didn't raise an argument based on waivers or limitations of liability contained in its end user agreement, but the opinion does not discuss them.

The court's conclusion regarding the invasion of privacy claim is worth noting because the court did not take the approach numerous courts have taken in data breach cases and require any showing of out-of-pocket loss. The likely explanation for this is that the plaintiff here asserted claims under the "intrusion" theory, where the harm flows from the mere disclosure, rather than the misuse, of data, but this should require a showing that the accounts contained information that was of an intimate nature. The court alludes to this in describing what type of information was contained in these email accounts, but does not come out and explicitly state this or cite to any specific information which would support a claim of intrusion.

The court's conclusion that the other family members could recover for conversion also glosses over a few nuances. The sister had a domain name registered through GoDaddy, but the court does not connect the dots on how giving ProScan control over the GoDaddy account translates into a conversion claim for the other family members. The court instead focuses on the email accounts and notes:

[w]hile Jill and Mark [the other family members] acknowledged that the account was registered to Jeff, the evidence showed that each of them had email accounts set up within Jeff's account. Additionally, Jeff and Jill had created content for Jill's website for her business, Good Karma Cookies. When Go Daddy gave control of the account to Wallace and ProScan, Jill could not access her website. Likewise, Jill and Mark could not access their email accounts. Thus, as the trial court stated, 'there was sufficient evidence produced at trial that would support the jury finding that GoDaddy converted the conditional and private email communications of Mark and Jill Eysoldt that were contained in the GoDaddy account.'

The court's focus on control over email accounts and content does not square well with the cases which say that domain names can be converted because they are freely transferable and can be bought and sold. Under the court's approach, a registrar could be found liable for terminating access to an email or hosting account, and this sounds problematic.

[Eric's comment: indeed, I read this opinion as hinting that any cloud service provider could "convert" a user's account to the extent that service provider "wrongfully" "cuts off" the user's access to his/her own intangible files. I don't think the court means to go there, but holding that GoDaddy converted the emails (as opposed to the domain names) naturally leads to a very dark place.]

It's clear that courts are not reluctant to impose some sort of obligation on the part of registrars to guard against identity theft. Registrars may need to adopt authentication procedures as rigorous as the procedures that banks use to authenticate bank accounts. Of course, even this approach is not infallible, and not easy to implement, given that much of the customer service interaction between a registrar and its customers takes place over the phone. Another suggestion is for registrars to respond promptly to any claims by customers of domain name theft. Sending a canned response from customer service when a customer frantically emails saying that his or her domain name has been stolen is not going to look good in the eyes of the fact-finder.

I'm struck by how often people register business and personal domain names in the same account, and how often the web-person ends up registering the domain name for a project in his or her account, rather than in the name of the entity, or a separate account which both joint venturers have control over. The domain name as a bank account analogy is useful here, and if you are part of a joint venture, think about whether you would want to give your co-venturers sole control over the bank account.

Posted by Venkat at 09:20 AM | Domain Names , Internet History , Licensing/Contracts , Publicity/Privacy Rights



May 23, 2011

College Course Description Aggregator Loses First Round in Fight Against Competitor in Scraping Case -- CollegeSource v. AcademyOne

[Post by Venkat Balasubramani with comments by Eric]

CollegeSource, Inc. v. AcademyOne, Inc., 10-3542 (E.D. Pa.; Apr. 22, 2011)

This is a scraping case between CollegeSource and its competitor AcademyOne. It looks like it's part of a long running dispute between the parties. AcademyOne previously brought cybersquatting and false advertising claims against CollegeSource and lost. CollegeSource separately sued AcademyOne for a violation of its terms of use in California. The court dismissed on the basis of lack of personal jurisdiction and CollegeSource appealed the dismissal to the Ninth Circuit. CollegeSource then re-filed the same lawsuit in Pennsylvania, and a ruling from that court is the subject of this blog post. That's a lot of litigation over pdf copies of college course catalogs!

Background: CollegeSource digitizes course catalogs and descriptions and makes them available online in pdf form. It also slaps a splash page, logo, and its terms of service on the pdfs which it creates. AcademyOne is also in the business of providing information regarding college course descriptions. The parties also both offer services which "evaluate the transferability" of college courses, but those particular services were not directly at issue in this dispute.

AcademyOne tried to license the pdf versions of CollegeSource's catalogs, and CollegeSource refused. AcademyOne then crawled the web to obtain this information from other sources, including the colleges directly, but in the process, ended up copying and posting on its own site course catalogs which bore CollegeSource's logos and terms of use. CollegeSource in turn sent AcademyOne a cease and desist letter, which AcademyOne largely complied with. AcademyOne received the letter in 2007 and removed the CollegeSource catalogs by mid-2007. AcademyOne also put in place safeguards to make sure CollegeSource's pdfs did not end up on AcademyOne's site again.

Despite these safeguards, two of the CollegeSource course catalog pdfs ended up on AcademyOne's site. In response, in July 2010, CollegeSource sued. It moved for a TRO which was denied. Around the time the lawsuit was filed, AcademyOne's CEO sent Freedom of Information Act (FOIA) requests to various colleges, seeking the details of agreements between the colleges and CollegeSource, to the extent those agreements existed. The letter said that the information was sought in the context of a pending copyright dispute.

In December 2010, CollegeSource moved for a preliminary injunction. It asserted that it was entitled to an injunction based on its breach of contract and unjust enrichment claims, and based on false advertising premised on statements in the letters sent to colleges by AcademyOne.

Breach of contract and unjust enrichment: Although CollegeSource asserted copyright claims in its cease and desist letter, in the lawsuit, it relies on AcademyOne's alleged breaches of its terms of use. It would not have been able to claim copyrights in the course descriptions since these are likely factual in nature, and it did not create the course descriptions in the first place. With respect to CollegeSource's breach of contract claims, the court finds that CollegeSource is not likely to be able to show irreparable harm for breaches of its terms of use and thus isn't entitled to an injunction. The court notes that AcademyOne took steps to comply with any takedown requests and instituted safeguards to make sure no CollegeSource course catalogs ended up on AcademyOne's website again.

False advertising: The crux of CollegeSource's false advertising claim at this stage was centered around a letter sent by AcademyOne to various colleges. The letter sought copies of any agreements in place between the college and CollegeSource:

[that would] grant [] CollegeSource . . . the authorization to create and claim a derivative copyright of [the academic institution's] printed or digital catalog for [2006-2010]; limit the rights of distribution of the electronic version located on their website; archive the file; add their logo and Terms of Use to the front of each catalog and charge for access to the catalog.

CollegeSource claimed that the letter is false because it stated that it was sent in connection with copyright claims asserted in the lawsuit. The court says that there is nothing literally false about referencing copyright claims since that's the subtext of CollegeSource's claims. Ultimately CollegeSource sought control of the catalogs. The court also addressed CollegeSource's argument that the letter had the tendency to deceive and resulted in at least one institution requesting that CollegeSource remove its catalogs from CollegeSource's website. The court notes that there's no evidence as to the precise reason for the college's request.

__

This is a dangerous dispute for CollegeSource. The idea that it should be able to somehow claim exclusive rights in college course descriptions is crazy. Once the institutions realize that this is what CollegeSource is doing with the course catalogs and descriptions they provide to CollegeSource, there is a high likelihood that many of them will tell CollegeSource to stop this practice. There's not much room to claim copyright in course descriptions, and in any event, CollegeSource's attempt to slap its logo and terms of use on the pdf copies of the descriptions looks like a naked rights grab which the colleges are not going to be happy with. This is almost similar to a city claiming copyright in its ordinance. It's worse. It's as if a public citizen or a corporation does this after slapping a logo and terms of use on a pdf version of it. Using a breach of contract claim to get around an ineffectual copyright claim can work in some circumstances, but courts will rightly be skeptical. (The court does not address the copyright preemption argument but I think there's one lurking in the background, since the conduct CollegeSource is complaining of is the copying of its materials by AcademyOne.)

The false advertising claim was extremely tenuous. It was sent in the context of a public records request in the middle of a dispute. I'm surprised there's not a claim of privilege (or a SLAPP exception) that would have protected AcademyOne's statements. Maybe it's a jurisdictional quirk but I imagine in some jurisdictions, CollegeSource's false advertising claims would have been slapped out of court.

More on this case from Rebecca.
__________

Eric's comments

I've hinted at the issue before, but let me put my philosophy on the table explicitly: it is extremely dangerous for aggregators to bring IP enforcement actions. The enforcement lawsuits can directly backfire (see, e.g., the Barclay's v. theflyonthewall lawsuit) because the plaintiff ends up talking out of both sides of its mouth: it says X isn't permissible when we're the rightsholders, but X is permissible when we're the aggregator. At best, that kind of duplicity never impresses judges. Further, even if the enforcement lawsuit doesn't lead to a direct form of collateral estoppel, it has the potential to create adverse legal precedent. For these reasons, plus the risk Venkat identified about educational institutions cutting off CollegeSource, it seems like an unnecessarily high-risk move for CollegeSource to bring this iteration of the lawsuits.

Having said that, AcademyOne's experience reiterates the potential problems with scraping. Inevitably, scraping will gather up legally risky content; and as this case shows, that's true even if the scraper institutes procedures designed to screen out that content. This particular ruling is good news for AcademyOne, but scraping remains a legally ambiguous proposition.

Posted by Venkat at 09:10 AM | Copyright , Licensing/Contracts , Marketing



May 21, 2011

Another Unhappy Facebook User's Lawsuit Tossed--Kamango v. Facebook

By Eric Goldman

Kamango v. Facebook, 2011 WL 1899561 (N.D.N.Y. April 19, 2011). The judge approved the magistrate order on May 19, 2011. See Kamango v. Facebook, 2011 WL 1899277 (N.D.N.Y. May 19, 2011). The initial complaint.

Kamango claims that Facebook blocked (terminated?) his account for spamming friend requests. He claims the account block violated his right to express himself and be free from bias. The magistrate tossed the case as frivolous (using the standard applicable to pro per cases), and the judge upheld the dismissal even after Kamango objected. Because both opinions are appropriately efficient, there isn't much detail to explore, but the judge does note "Plaintiff’s claim under the First Amendment is futile because the First Amendment applies only to governmental action (and he has alleged no facts plausibly suggesting such governmental action)."

No matter how much we might question Facebook's policies, the lesson from Young v. Facebook plus this one is clear: stop suing Facebook for account terminations!

Posted by Eric at 11:12 AM | Content Regulation , Licensing/Contracts | TrackBack



May 20, 2011

Another Ruling that the Americans with Disabilities Act Doesn't Apply to Websites--Ouellette v. Viacom

By Eric Goldman

Ouellette v. Viacom: The magistrate report: 2011 WL 1882780 (D. Mont. March 31, 2011). The judge's approval of the magistrate's report: 2011 WL 1883190 (D. Mont. May 17, 2011). The original complaint (he filed an amended complaint that served as the basis of these rulings).

[Note: this lawsuit is gossip-worthy because the plaintiff named YouTube and Viacom as co-defendants, leading to the possibility that they might work together on a joint defense despite their bitter feud in Viacom v. YouTube.]

Just yesterday, I blogged about Young v. Facebook, in which Judge Fogel held that Facebook wasn't covered by the Americans with Disabilities Act because it wasn't a physical place. In this unrelated ruling (there were no cross-citations between the opinions), YouTube and MySpace get a virtually identical ruling. Perhaps we will see enough precedent develop that websites aren't covered by the ADA to suppress further plaintiffs' forays. Today's rulings also have some interesting discussion about the application of 17 USC 512's safe harbors to a user whose content is removed.

Plaintiff filed this lawsuit pro se and in pro per. Trying to summarize, it appears his main allegations are that YouTube and MySpace wrongfully removed his videos in response to allegedly bogus takedown notices from Viacom and other content owners. Because of his pro per status, the court does an initial screen to determine if the claims are frivolous. In February, the court determined that Claim I, the "DMCA" claim, wasn't frivolous--presumably, a 512(f) claim against the content owners for a bogus copyright takedown notice.

The two rulings prompting this post--the magistrate report and judge's approval--dismiss the other claims as frivolous, including the rejection of:

* a claim that the defendants violated his fair use rights. The court says that fair use is a defense, not a cause of action.
* a 512(f) claim against the defendants other than the content owners. Even though 512(f) could apply generally, the plaintiff never alleged any actual misrepresentations made by the specified defendants.
* claims that YouTube's contract had an improper venue clause (even if true, Google let the case proceed in Missoula, so the clause wasn't used) and that the contract let third parties harass him, to which the magistrate says "Under the facts alleged by Ouellette, however, Google and YouTube cannot be liable for the conduct of any third party."

After breezing through those claims, the magistrate takes a little more time with the ADA claim. The plaintiff is dyslexic. The magistrate summarizes his contention: "he alleges those Defendants discriminated against him based on his reading disability, and deprived him of access to their internet services and their “online theater”—a “place of public accommodation” governed by the ADA." Citing the AccessNow v. Southwest Airlines case, the magistrate says "an internet website, by itself, is not an actual place, or a physical, concrete structure that would qualify as a place of public accommodation under the ADA." Similar to the discussion in yesterday's Young v. Facebook ruling, the magistrate responded:

His allegations fail to identify any actual, physical place where Defendants' services are made available, and fail to assert any connection between the internet websites he sought to access, and any actual, physical structure or facility through which Defendants' services could be accessed or provided. To the contrary, Ouellette alleges only that Defendants' conduct has impeded his access to certain internet websites

In approving the magistrate report, the judge rejects the plaintiff's objection that a website's servers are the requisite physical place:

Neither a website nor its servers are “actual, physical places where goods or services are open to the public,” putting them within the ambit of the ADA. Weyer v. Twentieth Cent. Fox Film Corp., 198 F.3d 1104, 1114 (9th Cir.2000). The public access production facility might amount to such a place, but there is no nexus between the websites and Ouellette's inability to access that physical place.

The magistrate also rejects the plaintiff's attempts to turn 17 USC 512 into an affirmative cause of action. As I read it, the plaintiff argued that the defendants' failure to follow the notice-and-takedown and counter-notice/putback provisions of 512 creates an affirmative cause of action for a user who posted the affected content. This claim is putatively separate from the 512(f) claim, which I believe is the only affirmative cause of action in 512; in my opinion, the remainder of 512 is all a safe harbor. The magistrate (approved by the judge without substantive comment) rejects the plaintiff's argument:

Ouellette's reliance on the takedown and counter notice safe-harbor procedures in the DMCA is misplaced. The Defendants' alleged compliance, or non-compliance with the procedures does not provide a basis for liability. Defendants' liability to Ouellette, if any, could only be imposed under existing principles of law independent of the DMCA's procedural requirements. Ouellette's allegations, however, do not invoke any independent theory of liability. Therefore, his claims founded upon the DMCA should be dismissed.

I'd be more excited about these rulings if it didn't involve a pro per plaintiff, because then they might be more persuasive to other judges. Nevertheless, these rulings are a useful warning to future plaintiffs that it's frivolous to argue that websites are governed by the ADA and that failure to follow the notice-takedown-counternotice-putback procedures in 512 creates a cause of action.

Posted by Eric at 07:35 AM | Content Regulation , Copyright , Derivative Liability , Licensing/Contracts | TrackBack



May 19, 2011

Facebook User Loses Lawsuit Over Account Termination--Young v. Facebook

By Eric Goldman

Young v. Facebook, Inc., 2011 U.S. Dist. LEXIS 52711 (N.D. Cal. May 17, 2011). My post on Judge Fogel's Nov. 2010 dismissal of this case with leave to amend. Karen's lawsuit-related website.

I respect people of conviction, especially when they persevere in the face of long odds. Karen Young is such a person. After Facebook terminated her account, she drove across the country to try to get answers from Facebook in person--and after a very brief return home, stayed in the Bay Area to get results from Facebook (via litigation or otherwise) over her terminated account. Indeed, she dropped by my office a few months ago (unscheduled) to talk about her case. I told her in person that she should go back home because it didn't make sense to put her life on hold fighting Facebook. A woman of conviction, she has held fast. Nevertheless, after this ruling, perhaps she will decide to end her vigil.

Young has bipolar disorder. She sued Facebook for ADA violations for failing to provide adequate customer support to individuals with mental disabilities. The court rules that the ADA is inapplicable to Facebook because it's a website, not a physical place. The court says:

Despite its frequent use of terms such as "posts" and "walls," Facebook operates only in cyberspace, and is thus is not a "place of public accommodation" as construed by the Ninth Circuit. While Facebook's physical headquarters obviously is a physical space, it is not a place where the online services to which Young claims she was denied access are offered to the public.

To get around this, Young argued that some other circuits have directly or impliedly extended the ADA to virtual places. Judge Fogel rejects this as inapplicable in the Ninth Circuit. Young also invoked Judge Patel's troubling opinion in NFB v. Target, arguing that (like Target) Facebook had the requisite "nexus" to a physical place because it sells gift cards in physical retail stores. This argument fails because Facebook doesn't own or control those physical outlets.

The related state claims also fail. The Disabled Persons' Act claim fails for the same reasons as the ADA claim. The Unruh Act claim fails because Young was griping that Facebook's customer support was too hard for someone in her condition to navigate, but she didn't show that Facebook treated bipolar individuals discriminatorily or that Facebook's policies target disabled individuals.

Young's breach of contract claim fails because Young never specifically identified a breach, and her negligence claim fails because she didn't allege any source of a duty. Judge Fogel also shuts down the implied good faith obligation bypass. In his prior ruling, he left open the door, saying "[i]t is at least conceivable that arbitrary or bad faith termination of user accounts, or even termination of user accounts with no explanation at all, could implicate the implied covenant of good faith and fair dealing." Young doesn't clear this threshold because the only evidence she cited--Facebook's termination email--expressly explained Facebook's reasons for the termination. (The opinion doesn't tie this knot, but it seems that those expressed reasons didn't show bad faith). Although this isn't expressly connected to the Smith v. TRUSTe ruling, it's interesting that this is the second judge in a few months interested in whether the website told users why they are getting ousted. This is in conspicuous contrast to the pressures coming from Barnes v. Yahoo for websites to tell users less, not more, to avoid promissory estoppel arguments.

The opinion concludes with a little advice for Facebook:

The Court is not without sympathy for Young's plight. Young was understandably frustrated that she could not discuss the termination of her account with a live person, and both this frustration and the loss of her access to Facebook's social network had a particularly acute impact on Young because of her bipolar condition. As customer service functions increasingly are handed over to automated systems, it is important that service providers, such as Facebook, understand the implications that such practices can have for the less sophisticated and more vulnerable. However, because Young's amended complaint does not state a cognizable legal basis upon which relief may be granted, it must be dismissed. Because the amended complaint fails to address many of the issues identified by the Court in its previous order, and because it appears that there is no realistic possibility that further amendment could cure the deficiencies in Young's pleadings, leave to amend will be denied.

A few observations about this result:

* the opinion doesn't mention 47 USC 230(c)(2), although I think the immunity might very well apply to some or all of Young's claims. I will have more to say about that in an upcoming UC Irvine Law Review article.

* whether or not 47 USC 230(c)(2) applies, it almost never makes sense for a user to sue a website over account termination. Those lawsuits are almost always a huge waste of time and money.

* Even though the ADA and related state statutes do not apply to websites, websites often can and should voluntarily do more to accommodate users with various physical and mental challenges. Not only is that often a smart business decision, it's often the right thing to do.

UPDATE: Facebook emailed me the following statement: "We want Facebook to be available to everyone, including people with unique needs, and have worked hard to create tools and resources to educate people about our service and its rules. While we're pleased with the court's decision, we'll continue to invest in this area."

Posted by Eric at 01:29 PM | Content Regulation, Licensing/Contracts



May 18, 2011

Thoughts on the Lawsuit Over the @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

[Post by Venkat Balasubramani]

Deck v. Spartz, Inc., 2:11-cv-01123-JAM-DAD (E.D. Ca.; Apr. 26, 2011) (Complaint) (Agreement)

An Associated Press story reports on the lawsuit over the @OMGFacts Twitter account. (Here's a link to the story with comments from Professor Goldman.)

Background: @OMGFacts is a Twitter account which was created by Adorian Deck. It rose to prominence in 2010. As alleged in the complaint:

In September 2009, [Deck] created a Twitter feed [@OMGFacts]. The feed retrieved and republished titillating, sometimes trivial, factual tidbits about such subjects as celebrities, pop culture, world history and commerce. The feed quickly amassed more than 300,000 followers, including many celebrities. It became the 18th most active Twitter trend in 2009, and remained among the top ten trending terms until January 2010.

Most interesting about this dispute is that Deck was a high school student and a minor when he created the account.

Deck was allegedly approached by Emerson Spartz, who ostensibly agreed to help Deck capitalize on this success. The two entered into an agreement which provided that Deck, who was labeled as a "contractor" in the agreement, would be entitled to 30% of the revenues from the OMGFacts YouTube channel and 100% of the revenues from the sales of any "OMG Facts" t-shirts. Under the agreement, Spartz agreed to promote the sale of these t-shirts and deal with the OMG Facts YouTube channel. The agreement also provided that any "documents or records or creations . . . which are made by [Deck]" would be owned by Spartz's company. The agreement also had copyright assignment provisions which purported to assign to Spartz's company "any copyright in any existing or future works . . ." that are created by Deck. The duration of the agreement was one year. Deck had limited termination rights under the agreement, but Spartz's company could extend the term for 10 additional one-year periods.

Complaint: The complaint says that Spartz breached. It alleges:

[Deck has] received less than $100 in compensation from Spartz, and has received no account or other disclosure of the revenues associated with the YouTube channel.

The complaint also alleges false designation of origin and false advertising claims, and it asks for rescission of the agreement.
__

Some initial observations about the lawsuit and agreement.

First, with respect to ownership, the agreement focuses on the content. The blogosphere has tackled ad nauseam the issue of whether or not you can copyright a Tweet and who owns the content in a Twitter feed. The complaint contains a small concession or two that could end up being harmful to Deck's copyright claims - it says that the feed consists of "factual tidbits" which are "retrieved and republished" by Deck through the Twitter feed. Small bits of content are not easily the subjects of copyright protection, and if they are factual in nature that raises the bar for copyrightability. If Deck did not come up with the content himself and merely republished content found elsewhere, this also poses a barrier. Still, maybe Deck can argue that the compilation as a whole should be protected. (The agreement also speaks to the Twitter account itself and states that Deck has to keep Spartz apprised of the passwords for the @OMGFacts Twitter account.)

However, as the Associated Press article points out, this lawsuit is not about the content of the Twitter account at all or even over the ownership of it. The core of the dispute is over the @OMGFacts (or OMG Facts) brand, even though the complaint does not expressly allege a claim for trademark infringement. Unfortunately, the agreement says very little about trademark rights. (Here is a link to the .pdf version of the agreement.) Spartz will argue that he was the one who commercialized the brand in the first place and therefore should own any trademark rights. On the other hand, the agreement provided that Deck will deal with all aspects of the shirt sales and retain 100% of the revenues from it, so Deck may still argue that he was the one who truly commercialized it. Deck can also argue that the hundreds of thousands of followers which he amassed prior to Spartz coming into the picture demonstrate that he already had a brand and had built up common law rights in @OMGFacts and "OMG Facts."

This of course raises the issue of whether someone can establish trademark rights by putting out a Twitter feed. In recent trademark disputes, companies have argued about whether their use on Facebook or Twitter is sufficient to establish trademark rights. Those cases have presented situations where companies have included stray references to products or services on their Twitter feeds, and none of the cases to date approach a situation where someone has amassed a substantial following on Twitter. (The Boathouse v. Tigerlogic dispute over the "POST POST" mark for "social search services" touches on this: "Social Search Services Duel Over "Post Post" Mark -- Boathouse Group v. TigerLogic.")

The equities obviously favor Deck. The agreement is very one-sided and contains an Indiana forum selection clause. When you take into consideration Deck's minority status, I can see a factfinder poking the agreement so full of holes that it becomes the contractual equivalent of Swiss cheese. The agreement acknowledges Deck's minority status and includes Deck's mother as a signatory, but given the novelty of the subject matter of the agreement, you can't fault Deck's mother for not negotiating for a clearer and less one-sided agreement--to the extent she even took the agreement seriously. Deck also asks for rescission of the contract, citing California Code section 6710, which looks like it allows minors to disaffirm contracts they enter into, except as provided by other statutes. I'm not familiar with any statutory exceptions to this rule that restrict the ability of minors to disaffirm contracts, but there must be some limitations on a minor's ability to disaffirm an agreement which the parent or guardian reviews and signs. Either way, even if the court does not end up rescinding the agreement, the agreement does not offer Spartz a definitive win. Nothing in the agreement says that Spartz owns the trademark rights, or even that he or his company have a license to use the marks.

A final comment on the agreement. It's easy to second-guess an agreement after the fact, but joint venture agreements should always deal with trademark rights, and should also provide for some sort of procedure for ownership of the trademark rights when the agreement falls apart. Some sort of formal wind-down procedure is optimal. This is discussed in Professor Goldman's article on Co-Blogging Law, which specifically talks about trademark rights.

Additional coverage:
Hollywood, Esq. (Eriq Gardner): "Teen Who Created OMGFacts Twitter Feed Sues, Claiming Swindle"
Ben Kerschberg (Forbes): "Twitter Brands, @OMGFacts, and an Allegedly “Predatory” Contract"
Emerson Spartz (the defendant): "OMG Fact: There are two sides to every story"

Posted by Venkat at 09:34 AM | Copyright, Licensing/Contracts, Trademark



May 13, 2011

Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation

[Post by Venkat Balasubramani]

In re Facebook Privacy Litigation, 2011 WL 2039995 (N.D. Cal.; May 12, 2011)

There are so many recent privacy class actions out there, it's become tough to keep track of them all. One of the early lawsuits against Facebook was consolidated in the Northern District of California, in front of Judge Ware. In an order issued yesterday, Judge Ware granted Facebook's motion to dismiss the complaint. Although he granted leave to amend on certain counts, he certainly expressed some skepticism about the overall merits of the case.

As the court summarizes them, the facts boil down to Facebook's transmission to third-party advertisers of the user ID or "username" of Facebook users who clicked on advertisements. This started "no later than February 2010 and ... continued until May 21, 2010." The transmission of this information forms the basis of putative class action claims for violations of the Stored Communications Act and the Electronic Communications Privacy Act, California's anti-hacking law, and a slew of state law claims.

Standing: The court first tackles Facebook's argument that plaintiffs lack Article III standing because they have not suffered "injury in fact." Because plaintiffs have alleged violations under a statute which "can be understood as granting persons in the plaintiff's position a right to judicial relief," the court finds that plaintiffs have standing to sue.

Wiretap Act/Stored Communications Act: With respect to plaintiffs' claims under the Wiretap Act and the Stored Communications Act, the court says that:

there are two possible ways to understand Plaintiffs' allegations. On the first view, Plaintiffs alleged that when a user of Defendant's website clicks on an advertisement banner displayed on that website, that click constitutes an electronic communication from the user to Defendant. Under this interpretation, the content of the user's communication with Defendant is a request that Defendant "send [a further] electronic communication to [an] advertiser." On the second view, Plaintiffs allege that when a user of Defendant's website clicks on an advertisement banner, that click constitutes an electronic communication from the user to the advertiser. Under this interpretation, Plaintiffs are merely "asking [Facebook]" to pass the communication along to its intended recipient, who is the advertiser.

The court finds that neither approach states a claim under the Wiretap Act. Citing to the language of the statute, the court notes that it restricts entities who provide electronic communication services from divulging the contents of any communication, other than a communication "to such person or entity or an agent thereof." Similarly, the statute restricts a provider from divulging the content of a communication to any person or entity "other than an addressee or intended recipient of such communication."

The court arrives at a similar conclusion under the Stored Communications Act, which contains an exception for disclosure where the "addressee or intended recipient" consents to the disclosure.

Unfair Competition Claim: The unfair competition claim requires plaintiffs to have "lost money or other property as a result of the unfair competition." The court finds that "personal information" does not constitute "property" for purposes of California's unfair competition law. Plaintiffs cited to the AOL data search case (Does v. AOL, LLC) for the proposition that "personal information" can be property for this purpose, but the court points to a significant difference between the two cases: plaintiffs in the AOL case paid fees for the service. In contrast, plaintiffs in this case used Facebook's service for free. The court footnotes plaintiffs' argument that personal information "constitutes currency" as not being supported by any case law. The unfair competition law claims are dismissed with prejudice.

California Penal Code sec. 502: Plaintiffs brought claims under California's anti-hacking statute. This was most recently construed in Facebook v. Power.com, where the same judge said that the words "without permission" should be interpreted to require circumvention of some technological measure and not just access in violation of a website or service terms of use. The court finds that plaintiffs failed to allege that Facebook bypassed any technical barriers in transmitting plaintiffs' personal information. The court dismisses these claims with prejudice, but gives plaintiffs leave to re-allege the claim under subsection (c)(8) of the statute, which covers the introduction of "any computer contaminant into any computer."

Consumer Legal Remedies Act: The court finds that this only applies to individuals who "purchase or lease" goods or services for personal or household use. Plaintiffs have not paid any money to use Facebook. Plaintiffs relied on their "personal information is currency" argument, but the court doesn't give it the slightest credit. This claim is dismissed with prejudice.

Contract Claim: The contract claims fail for lack of any allegation of "actual damages." The court will allow plaintiffs to amend to "allege specific facts showing appreciable and actual damages in support of their claim."

Fraud: No luck on the fraud claim either. Plaintiffs fail to allege reliance on any alleged fraudulent misrepresentations. The court grants leave to allege reliance.

Unjust Enrichment: The court says plaintiffs cannot pursue an unjust enrichment claim while simultaneously pursuing a contract claim. This claim is also dismissed with prejudice.

__

Plaintiffs have one more chance with respect to several of these claims, but the court is pretty unimpressed with the lawsuit overall. In the last paragraph of the court's recitation of the facts, it notes plaintiffs "suffered injury." This looks like the judicial version of using air quotes.

I'm somewhat surprised at how easy the court's conclusions seemed on the ECPA and SCA claims. The court's conclusion on these issues is similar to the conclusion from the Doubleclick lawsuit over cookies from 2001 (In re Doubleclick). With respect to California Penal Code section 502, I don't see how the transmission of information states a claim under this statute. There have not been many rulings construing this statute, but it looks like the Power.com ruling will certainly be a meaningful hurdle for claims under this statute.

The interesting part of the lawsuit is the treatment of personal information as "property." The court is extremely skeptical of this theory. There was speculation as to whether acceptance of the classification of personal information as property for standing purposes would empower privacy plaintiffs when it came to the merits. Only a few results are in, but so far this does not seem to be the case. (See the discussion of Claridge v. RockYou, where this theory seems to have first been given credit for standing purposes: "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") A lawsuit over flash cookies was recently dismissed for lack of actual harm, and the court in that case also expressed skepticism over the "personal information as valuable property" theory. (See Professor Goldman's post on that case: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media.") I don't know if there was a hearing on this particular motion, but if there was, I can see the judge taking off his glasses, looking down at plaintiffs' counsel and giving the "you can't be serious here" look. At least, that's the tone of the order. It's also worth noting that plaintiffs who are subscribers of free services will have challenges bringing claims under some of the state statutes because they are not paying customers. Whatever the viability of the "personal information as valuable property" theory for other causes of action, courts do not appear very willing to treat personal information as the equivalent of money, in order to turn an otherwise free service into a paid service.

I'm with Professor Goldman on these lawsuits. I have a really tough time seeing the harm here. Maybe there's an example out there of a company finding out the identity of someone on Facebook who clicked on their banner ads, and all sorts of real-life negative consequences that flow from this. This sounds implausible enough that plaintiffs should have made some sort of attempt to explain why this is the case or provide an example or two. Judging from the court's order, plaintiffs didn't bother doing this, or did not do so effectively. I haven't even read any newspaper articles which point to any compelling examples of real world harm that resulted from this disclosure of information by Facebook.

Plaintiffs get another chance for some of the claims, but it looks like they have a judge who is going to take a serious look at their claims. It's going to be a long road for these plaintiffs.

Posted by Venkat at 10:09 AM | Licensing/Contracts, Privacy/Security, Trespass to Chattels



May 10, 2011

Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic

[Post by Venkat Balasubramani]

I posted about the dispute between a photographer and Agence France-Presse over images AFP allegedly downloaded via Twitpic and used without permission. AFP argued that the license terms of Twitter or Twitpic authorized its use of the photos in question. A court rejected that argument. Twitpic has now modified its user agreement to address some of the issues raised by the dispute. The revised terms, which were modified on May 4, 2011, would not alter the result between AFP and Morel, but they contain some interesting tidbits. However, the terms are fairly confusing and do not offer much certainty for users or for Twitpic.

Twitpic purports to be the sole point of distribution for photos uploaded to Twitpic: The revised Twitpic terms state that users who upload content:

may not grant permission to photographic agencies, photographic libraries, media organizations, news organizations, entertainment organizations, media libraries, or media agencies to retrieve from Twitpic for distribution, license, or any other use, content you have uploaded to Twitpic.

So this means that if you upload content to Twitpic, you can't license it to third parties?

Use of content within the ecosystem: If you "publish" content uploaded to Twitpic for personal and noncommercial purposes, "you are required to link back to the original content page on Twitpic and attribute credit to Twitpic as the source where you have taken the content." In order to publish content for any commercial purpose or for distribution:

beyond the acceptable Twitter 'retweet' which links back to the original content page on Twitpic . . . you are required to obtain permission from Twitpic in advance of said usage and attribute credit to Twitpic as the source where you have obtained the content.

The terms also provide that "[n]o user may grant a third party permission to copy or save content that has been uploaded to Twitpic." [Does this include the user who originally uploaded the content?]

Retention of ownership: After saying that you will not be able to control the distribution of content uploaded to Twitpic, the terms say that "[y]ou retain all ownership rights to Content uploaded to Twitpic," but grant Twitpic a broad, non-exclusive [??] license to exploit the content "in connection with the [Twitpic] service and Twitpic's (and its successors' and affiliates') business . . . "

__

I'm confused by these terms. On the one hand, Twitpic looks like it wants to be the exclusive point of distribution for content uploaded to Twitpic. On the other hand, it is telling users that they retain "all ownership rights" in photos they upload to Twitpic. To top it all off, the terms state that if you delete any content you upload to Twitpic, the licenses granted to Twitpic terminate.

People have often raised the alarm over ownership of content posted to networks and services. Much of this seemed like paranoia, based on the broad license any intermediary or service would want granted to it. In this instance, it looks like Twitpic is making a power grab, albeit a potentially ineffectual one.

These terms were confusing enough to make me think twice about uploading anything other than throwaway photos to the service, at least until it cleans up its terms.

Update: After initially revising the terms on May 4, 2011, Twitpic revised its terms again on May 10, 2011, and removed the paragraph which said users could not grant permission "to retrieve from Twitpic" photos for distribution. (See "Your content, your copyrights" (TwitPic Blog); "Twitpic changes its terms of service".) It’s clunky to say the least, but this language arguably applied only to distribution of photos that are "retrieved" from Twitpic. Also, Twitpic looks like it’s distributing photos uploaded to its service. World Entertainment News Network recently announced (after the second round of changes to Twitpic's terms) that WENN entered into a deal with Twitpic which "will give WENN exclusive rights to sell images posted on the TwitPic service." (See British Journal of Photography (May 11, 2011): "TwitPic signs controversial deal with celebrity photo agency.")

Related: "Stars Gain Control of Online Images" (NYT):

While most people on Twitter use a service like TwitPic, Yfrog or Plixi to share photos with their friends and followers, for celebrities, these services can come with strings attached, as they gain ownership rights to uploaded photos and can sell ads alongside them. A company called WhoSay — a little-known start-up with a clientele that is anything but little known — offers similar services, but grants ownership of the images to the stars themselves.

Previous posts:

Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service

Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic

(h/t) Oliver Platz

Posted by Venkat at 12:38 PM | Copyright, Licensing/Contracts



April 26, 2011

Acknowledging Receipt of an Email Doesn't Form a Contract--Stebbins v. Wal-Mart

By Eric Goldman

Stebbins v. Wal-Mart Stores Arkansas, LLC, 2011 WL 1519390 (W.D. Ark. April 14, 2011). Lawsuits like these tend to be associated with repeat users of the judicial process; see the Justia Arkansas page for other lawsuits possibly from this plaintiff.

From the complaint allegations: Stebbins has Asperger's. He applied for a job at Wal-Mart and took a computerized assessment, which he says disproportionately hinders applicants with Asperger's. Despite having "failed" the assessment, he believes there were jobs at Wal-Mart that he could perform, such as janitor or night shelf-stocker. The case doesn't say it explicitly, but I infer Wal-Mart nevertheless dinged his job application.

Stebbins emailed Wal-Mart customer care with the following:

Notice to companies

My name is David Anthony Stebbins, and I live in Harrison, AR. I am sending a link to this webpage to various companies to put you on notice. If you contact me in any way, shape, or form, you hereby acknowledge that you have read, understand, and agree to be legally bound by the terms below.

...

You hereby agree that you, as well as any principal or employer that you are acting on behalf of, will initially attempt to settle all legal disputes, even those not relating to this contract by semi-binding arbitration using the services of www.net-arb.com, where you are bound but I am not.

(You can see the full contract at Stebbins' MySpace page, although recognize that visiting the page might create an extra degree of legal risk. This web page would make an excellent exam Q. Among other contract formation techniques, the terms say "This [contract] will also take effect if I attempt to contact you, and, upon hearing my name, you do not cease communications with me on the spot." Among the contract's terms: "You hereby agree to never: * Interrupt me when I am speaking, for all eternity. * Hang up on me in any phone call, for all eternity. * Block my attempts to communicate with you, for any reason, for all eternity. * Ask me a question that I have previously answered, for all eternity. * Demonstrate any rudeness, annoyance, or disrespect, however petty, against me, for all eternity." The "for all eternity" duration raises some interesting questions about post-mortem breach and enforcement. I also liked this line: "If you even so much as attempt to litigate a case with me, even if that attempt is unsuccessful, you automatically loose that case.")

OK, back to the lawsuit. Wal-Mart's customer care sent an apparently canned reply to Stebbins' email suggesting he contact a different department. Stebbins followed up with this email:

On November 8, 2010, I sent you a formal contract offer, via email. The email stated that, if you initiate communications with me, or if I initiate communications with you, and you entertain said attempt to communicate, you are bound by that contract.

You accepted that offer on November 11, 2010, when I purchased a gallon of milk from you, using a paper check. This check had my name and street address on it, so you knew who I was. Also, your employees asked me to see my ID, and I showed them my driver's license, so you had every opportunity to know who I was, then....

So, now, we must hold all legal disputes via arbitration, whether you like it or not!

Consistent with another provision of his purported contract on MySpace, Stebbins now asserts "since Wal–Mart did not accept the arbitration invitation within twenty-four hours of receiving it, he automatically wins regardless of the merits of the case and is entitled to an award of six-hundred billion dollars."

(Not that it really matters, but Wal-Mart's market capitalization today is $186B. Perhaps Stebbins would have found more litigation success if he had kept his damage request south of 100% of Wal-Mart's market cap. 3X its value was probably too much to ask for.)

Needless to say, Stebbins' attempted contract formation failed. In an unwaveringly straight-laced opinion, the court says:

Plaintiff maintains Wal–Mart accepted the contract by its “act” of replying to his e-mail....The e-mails from Plaintiff are self-serving documents that did not form the basis for any conduct or performance on Wal–Mart's part....In this case, Wal–Mart performed no act. It merely replied to two e-mails by directing the Plaintiff to the correct department. It performed no service and Plaintiff made no promise.

This result reminded me of the tactic used by Suzanne Shell, initially covered in a John Ottaviani blog post. She placed a notice on her website that popped up whenever anyone (including a robot) visited it, purporting to bind visitors simply by visiting her site. A court ultimately rejected this contract formation process. Contract-like terms buried in email footers are similarly ineffective (see also this post).

I like this ruling because it's a good reminder for everyone (especially contracts students prepping for their imminent finals) that courts tend to reject overly formalistic/tendentious approaches to contract formation. A contract does not exist simply because you can see things that you claim are an offer or acceptance. Ultimately, there needs to be a manifestation of assent to bind a party to a contract. A canned reply from a CSR should not manifest such assent, even if it was purportedly bargained for.

Having said that, I wonder if companies would benefit from training their CSRs not to reply to any email that purports to create some obligation simply by replying to the inquiry. I know that a non-response can be a harsh remedy, but companies have already learned the importance of not being too responsive from the Barnes v. Yahoo case. Here, Wal-Mart might have been better off simply deleting an email that contained the threat of contract formation simply by replying. (Of course, Stebbins probably would have still asserted contract formation from his purchase of a gallon of milk, paid by check). As counter-intuitive as it may seem for people in the business of providing customer service, this may be a situation where silence was golden.

Posted by Eric at 02:51 PM | Licensing/Contracts



April 25, 2011

Google Wins Lawsuit Over Unhappy Google Search Appliance Installation--Market America v. Google

By Eric Goldman

Market America, Inc. v. Google, Inc., 2011 WL 1485616 (D. Del. April 19, 2011)

I blogged about this case last year. Market America retained Google and its system integrator LTech to install a Google Search Appliance to support Market America's network. This installation did not go as planned, and eventually it led to this lawsuit. In the prior ruling from August, Google and LTech knocked out a big chunk of the case.

This ruling addresses some remaining consumer protection law claims. It turns out that the claims aren't tenable under the contract's governing law of Delaware, while Market America believed the claims were extra-contractual and should be governed by North Carolina law (Market America's home state). The court concludes that the contract's governing law clause applies to these additional claims, so it grants Google and LTech judgment on the pleadings.

Google's success in this lawsuit is a good outcome legally, but its failure to achieve a successful install for Market America is a less happy result.

Posted by Eric at 08:17 PM | Licensing/Contracts, Marketing



April 19, 2011

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

By Eric Goldman

I've been so behind that it's taken me until now to blog these cases from last month. All three opinions involve the same basic fact pattern: a bulk emailer gets blocked by an email service provider (relying in part on third party filtering/blocking services) and sues to undo the block. These claims are largely preempted by 47 USC 230(c)(2), and the courts mostly get to the right place with the immunity (although not without small points of drama). The aggressive plaintiffs also assert claims not covered by 47 USC 230(c)(2), but these mostly don't go anywhere either. The lesson is pretty clear: if an email service provider blocks your email, the courts aren't going to help you out.

Holomaxx Technologies v. Microsoft Corp., 2011 WL 865278 (N.D. Cal. March 11, 2011), and
Holomaxx Technologies v. Yahoo, Inc., CV-10-4926-JF (N.D. Cal. March 11, 2011). Venkat's excellent prior blog post on the complaints. These rulings are substantially identical, so I'll discuss them together except where they diverge.

Holomaxx is a bulk email sender upset because Yahoo and Microsoft are blocking its emails based both on IP address blocks and reputation scores (including those provided by third parties). We've heard this refrain before in many cases over the years, and the law is pretty clear about this. Email service providers can't be obligated to carry emails they don't want to carry. There are a number of legal doctrines that help reach this conclusion, but the most salient one is 47 USC 230(c)(2), the immunity for filtering decisions.

In response to Holomaxx's lawsuit over the block, Microsoft and Yahoo interposed the 230(c)(2) defense on a 12(b)(6) motion to dismiss. Holomaxx objected that 230(c)(2) is an affirmative defense and not an appropriate response for a 12(b)(6) dismissal motion. This is the issue that vexed the Ninth Circuit in the Barnes v. Yahoo case until they fixed the opinion. In this case, Judge Fogel properly concludes that 230(c)(2) can support a 12(b)(6) motion to dismiss. (He reached the same conclusion in Goddard v. Google).

Holomaxx then argued that 230(c)(2) does not prevent blocking of legitimate email because such a block doesn't fit within 230(c)(2)'s "otherwise objectionable" language. The judge says:

No court has articulated specific, objective criteria to be used in assessing whether a provider’s subjective determination of what is “objectionable” is protected by § 230(c)(2).

And Judge Fogel isn't going to be the first. Instead, he sidesteps the issue, holding that the service providers could deem the emails "harassing" because, even if Holomaxx had a 0.1% error rate, as it claimed in the Yahoo case, that still netted 2M bad emails/year. Therefore, the filtering decisions fit within the other statutory language in 230(c)(2). This is a cute intellectual move which potentially expands the scope of 230(c)(2) by reading "harassing" broadly.

Holomaxx also attacks the "good faith" requirement of 230(c)(2), but does so in a generalized way. The judge rejects the argument, saying (in the Yahoo case):

Holomaxx alleges no facts in support of its conclusory claim that Yahoo!’s filtering program is faulty, nor does it identify an objective industry standard that Yahoo! fails to meet. While it suggests that Yahoo! is “using cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email,” it offers no factual support for these allegations. Nor does Holomaxx cite any legal authority for its claim that Yahoo! has a duty to discuss in detail the particular reasons for blocking Holomaxx’s communications or to provide a remedy for such blocking. Indeed, imposing such a duty would be inconsistent with the intent of Congress to “remove disincentives for the development and utilization of blocking and filtering technologies.”

The Microsoft opinion's text is similar. Holomaxx gets another chance to marshal better allegations, but I'm guessing they won't be able to do so.

The court rejects the ECPA claim (which 230(c)(2) doesn’t immunize) because Holomaxx didn't explain clearly enough how the email service provider "intercepted," "used" or "disclosed" Holomaxx's email or how the ESP improperly accessed stored communications. The 17200 claim (which I think should be preempted by 230(c)(2), although that issue isn't discussed) also fails for lack of Holomaxx's specificity. A Microsoft-only defamation claim doesn't survive either:

Holomaxx alleges, on information and belief, that Microsoft "informed Dragon Networks in writing" that it had blocked all IP addresses originating from Dragon Networks because "certain of Holomaxx's .78 addresses had been rejected 'for policy reasons,' and were blocked manually 'or for spamming.'" Holomaxx does not explain how the alleged statement was defamatory or produce a copy of the alleged defamatory correspondence between Microsoft and Dragon Networks. Nor does it explain how the alleged communication amounts to "a statement of fact that is false."

As a result, the judge dismisses the lawsuit but with leave to amend.

Smith v. Trusted Universal Standards in Electronic Transactions, Inc. (d/b/a TRUSTe, Inc.), 2011 U.S. Dist. LEXIS 26757 (D. N.J. March 15, 2011).

Like Holomaxx, Smith sends a lot of email through Comcast. Comcast blocked his outgoing email twice. The first time, Comcast pointed to Microsoft's Frontbridge/Exchange Hosted Services (EHS) quarantine system. The second time, Comcast pointed to Cisco's IronPort/Senderbase blocklist. Smith sued all three entities (and others). Last year, the court rejected a 12(b)(6) motion to dismiss based on 47 USC 230(c)(2).

Ten months later, after presumably lots of wasted effort, the court converts Cisco's and Microsoft's 12(b)(6) motions into a summary judgment motion and grants the dismissal on 230(c)(2) grounds. I'm sure the defendants appreciate the dismissal, but I'm sure they would have been even more appreciative if the court had reached the result on the last go-around. The court still can't let the case go with respect to Comcast, however.

Cisco/SenderBase gets the 230(c)(2) defense as a blocklist provider. This may sound easy, but the statutory drafting makes the court’s analysis more arduous than it ought to be.

Cisco's senderbase.com website constitutes an ICS. This makes Cisco a "user" of an ICS because it uses its website to publish the blocklist. It is also a provider of an ICS because it runs the website. This is the issue that tripped up the court in the last ruling, and although it got to the right result, I don't think the court has fully wrapped its head around the statutory language. I read the court's discussion at least 6 times, and I couldn't make it make sense. Just know that a blocklist provider probably is both a provider and user of an ICS, so this element is met.

The blocklist easily satisfies the requirements of 230(c)(2)(B). As the court notes (citing Zango v. Kaspersky), whether material is "objectionable" is measured subjectively. Thus, the court dismisses Cisco, noting:

The Court notes that Plaintiff's breach of contract and defamation claims are dismissed because they specifically relate to Cisco's SenderBase service. Plaintiff defamation claim is based upon the fact that Cisco publishes IP scores. Plaintiff's breach of contract claim is based on the fact that Cisco refused to provide Plaintiff with the information that it used to calculate the reputation score for the IP address assigned to Plaintiff by Comcast.

Microsoft's EHS quarantine operates in the cloud by routing all email through its servers, which screen out emails based on its blocklist (as modified by customers' parameters). This should be even easier to qualify as a provider/user of an ICS. The court's discussion on this point doesn't make any sense either, but it reached the right result. As with Cisco, the court says the blocklist qualifies for 230(c)(2)(B) and the contract breach claim fails for the same reason.

Comcast doesn't get so lucky. The court once again finds that Comcast could have acted in "bad faith" which could disqualify it from 230(c)(2) coverage:

the Court finds that a reasonable jury could conclude that Comcast acted in bad faith when it failed to respond to Plaintiff's repeated requests for an explanation why it continually blocked Plaintiff's outgoing email...the Court is not convinced that an internet service provider acts in good faith when it simply ignores a subscriber's request for information concerning an allegedly improper email blockage...there is no reason why Comcast could not articulate its immunity (or provide another rationale for the blockage) when asked to do so by a paying customer.

Whoa. Hold on a sec. The court is saying that online providers have to provide explanations to their customers for their back-end choices. First, that's not in the statute. Second, Judge Fogel expressly rejected this argument in his Holomaxx rulings. Third, the court’s position is ridiculous. Being legally obligated to explain business decisions to affected customers would add an extra layer of expense/hassle to everyday business decisions, and the explanations will just become additional grist for the plaintiff's mill (see, e.g., Barnes v. Yahoo and the resulting incentives to tell customers less, not more). I'm 99%+ confident that an appellate court would reverse this judge on this point. I think he went off the rails. As a result, I don't plan to advise clients that they have to provide explanations for their blocking decisions, and I don't recommend you advise otherwise.

Although Comcast doesn't get the 230(c)(2) immunity, the court still ends up granting it summary judgment on all of the claims. There's some interesting discussion there too.

The court rejects Smith's ECPA claims and the substantively identical state claims. Cisco doesn't actually intercept emails, and Microsoft quarantines emails with its customers' consent.

Smith's contract breach and promissory estoppel claims against Comcast fail because Comcast didn't make any promises it failed to keep and because Smith was using a personal account for unpermitted commercial activities. (To me, this is facially inconsistent with any argument that Comcast had bad faith for 230(c)(2) purposes, but the court ignores that implicit contradiction).

Smith's NJ Consumer Fraud Act claim against Comcast also fails because he can't show fraud or ascertainable loss (because he only alleged that he lost time). The court dismisses a couple other claims, too.

Posted by Eric at 11:04 AM | Derivative Liability, Licensing/Contracts, Marketing, Privacy/Security, Spam



April 18, 2011

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou

[Post by Venkat Balasubramani with comments from Eric]

Claridge v. RockYou, 2011 WL 1361588 (N.D. Cal.; Apr. 11, 2011)

RockYou is a developer and publisher of applications for use with Facebook, MySpace, hi5, and Bebo. RockYou's applications allow users to share photos, write text on a friend's page, or play games with other users. In order to sign up, users are asked to provide an email address and create a password. Users may also be required to provide their social network user name and passwords. RockYou displays advertisements on the apps. RockYou claims to have "more than 130 million unique customers using its application on a monthly basis."

RockYou was alerted to an alleged security problem with its SQL database in late December 2009 by an online security firm. Plaintiff claims that RockYou failed to act quickly enough to address this problem, and as a result

at least one confirmed hacker known as 'igigi' accessed RockYou's database, and in the process accessed and copied the email and social networking login credentials of at least 32 million registered RockYou users.

Plaintiff sued RockYou in a putative class action, alleging a slew of claims: breach of contract, the Stored Communications Act, negligence, California's anti-hacking statute, and California's unfair competition and consumer protection statutes.

Standing: RockYou argued that plaintiff lacked standing - i.e., that the unauthorized access of plaintiff's login credentials did not cause plaintiff any "concrete, tangible, non-speculative harm." In response, plaintiff argued that:

[RockYou's] customers, including plaintiff, 'pay' for the products and services they 'buy' from [RockYou] by providing their PII, and that the PII constitutes valuable property that is exchanged not only for [RockYou's] products and services, but also in exchange for [RockYou's] promise to employ commercially reasonable methods to safeguard the PII.

The court agreed with plaintiff and found that plaintiff alleged an injury in fact sufficient to confer standing. The court noted that the case law is mixed on the question of whether data breach plaintiffs have standing to sue. The court recognized the novel context in which the claims arose:

the unauthorized disclosure of personal information via the Internet - is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.

Although the court expressed "doubts about the plaintiff's ultimate ability to prove [plaintiff's] damages theory," the court declines to dismiss on the basis of standing.

Contract Claims: The court initially rejects RockYou's request to dismiss the contract claims (based on a breach of RockYou's privacy policy) on the basis that plaintiff did not lose anything of value. For pleading purposes,

plaintiff . . . sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII.

RockYou argued that the privacy policy terms expressly provided that it could not be held liable for any unauthorized third party access to users' personal information, but the court disagrees, citing to RockYou's privacy policy. The policy disclaims liability where a third party accesses user information contained in RockYou's "secure servers," but the court notes that RockYou's servers were not in fact secure. The court also cites to flowery language in RockYou's privacy policy to the effect that RockYou takes "commercially reasonable . . . safeguards" to protect user information.

Consumer Protection Claims: Plaintiff loses on his California consumer protection act claims. With respect to his claim under California's unfair competition law, one of the two requirements is that the plaintiff has to have lost "money or other property" in order to bring a claim. The court holds that the UCL's standing requirements are stricter than Article III standing requirements, and require the plaintiff to have paid money or "parted with some particular item of property he formerly possessed." The court does not buy plaintiff's novel theory that plaintiff's "PII constitutes 'currency'" under the statute. No luck for plaintiff under the UCL.

Similarly, the court rejects plaintiff's claim under the California Consumer Legal Remedies Act, because the statute only applies to plaintiffs who "purchase or lease" goods or services for "personal, family, or household purposes." Here, plaintiff has not purchased or leased any goods or services.
__

Plaintiff's other claims received mixed results. The court dismissed the Computer Fraud and Abuse Act claim with leave to amend (plaintiff admitted that it cited the wrong statutory provision), found that RockYou was not liable under California's anti-hacking statute (section 502), and found that plaintiff adequately stated a negligence claim.

Data breach cases have uniformly rejected the claims of plaintiffs who have not actually lost any money out of pocket. Some cases have done so on the merits, and other cases have done so on the basis of standing (some cases, such as Krottner v. Starbucks, have rejected the claims on the merits but have expressly found standing). The big question is whether this ruling moves the needle in any way. I'm inclined to say no, but the way in which the plaintiff cast his claim and the court characterized it is interesting.

The privacy policy / breach of contract analysis was also interesting. There is case law expressing skepticism as to whether a privacy policy is even a contract that can support a breach of contract action ("When Does a Privacy Policy Breach Support a Breach of Contract Claim?"), but courts lately don't think twice about analyzing privacy policy claims under the breach of contract framework. Companies (for whatever reason) continue to include flowery language in their privacy policies that courts latch on to when putting them on the hook for privacy foibles.

Related posts:

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
Acxiom Not Liable for Security Breach--Bell v. Acxiom
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds -- Amburgy v. Express Scripts, Inc.
__

Eric's comments

There is a lot to dislike about this opinion.

First, RockYou's privacy policy promised "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information..." This is industry-standard fluff language in a privacy policy. I bet we could find tens of thousands of privacy policies with similar language. I believe the prevailing view among lawyers is that this language couldn't be actionable. It doesn't promise security or integrity; it just promises the company will deploy *some* safeguards. Further, the efforts are only supposed to be "commercially reasonable"--language which many lawyers believe is equivalent to "we'll try."

Here, the plaintiff attacks the language by arguing that RockYou didn't encrypt its data. Now, I recommend to clients that they encrypt their databases of user data in all circumstances, but is it commercially unreasonable to do so? The defendant doesn't get the decisive win it expected on that point. (The plaintiff also asserts that the defendant was derelict in patching a security flaw that allowed the bad guys to do an SQL injection attack, so the two arguments may have reinforced each other enough to convince the judge there may be something to this case). As Venkat suggests, it's time to cut the fluffy language from privacy policies. Courts and plaintiffs are overresponding to it.

Second, the court's decision not to use Article III standing to kick out the case was unfortunate. Although I am sympathetic that Article III standing dismissals are harsh on plaintiffs--they never get a chance to say anything--the doctrine has been very useful at squelching unmeritorious privacy cases early. This case is effectively indistinguishable from the other cases where Article III standing has been used; it's a garden-variety security breach with no known tangible consequences (other than lawyers looking for a little gravy). Based on the precedent, an Article III standing dismissal would have been a logical outcome.

The court's acquiescence to the plaintiff's argument ("defendant's customers, including plaintiff, 'pay' for the products and services they 'buy' from defendant by providing their PII, and that the PII constitutes valuable property") smacks of the old academic debates in the late 1990s/early 2000s about whether personal data should be propertized. It was a weird debate because many of the academics who oppose copyright doctrinal expansion were simultaneously advocating for increased propertization of personal data as a privacy/anti-advertising technique. Personally, I had hoped all of those theories had been lost in the dustbins of history. Instead, this court moves in that direction. Privacy advocates might rejoice, but be careful what you wish for.

The court's embrace of a "novel" theory is especially frustrating because the court goes on to say that it has doubts about the plaintiffs' ability to prove damages in the end. So instead of doing the socially optimal thing--killing a meritless lawsuit early--the court embraces a theory likely to fuel privacy advocates to bring other meritless cases; while keeping this case open may very well cause both parties to spend a lot of money only to kill a meritless case later. This may be a situation where the judge is being just a bit too careful.

Third, assuming that personal data is "property," this isn't a situation where the vendor sold the data or misused it for advertising. Instead, there was no impairment to the users' "property right"; it was a security breach. So this is a particularly poor case for the personal-data-as-property meme.

One small piece of good news from this opinion: the court interprets California Penal Code Sec. 502 narrowly and effectively prevents the plaintiffs from converting it into a sword to be used against companies that get hacked. We don't have many Penal Code 502 rulings, but most of the extant rulings read the statute pretty broadly. I'm glad to see the court was more circumspect on that point.

Posted by Venkat at 09:19 AM | Internet History, Licensing/Contracts, Marketing, Privacy/Security, Trespass to Chattels



March 29, 2011

Court Rules That Instant Message Conversation Modified the Terms of a Written Contract -- CX Digital v. Smoking Everywhere

[Post by Venkat Balasubramani with a few comments from Eric]

CX Digital Media, Inc. v. Smoking Everywhere, Inc., 09-62020-CIV-Altonga (S.D. Fl.; Mar. 23, 2011)

As contract cases go, this one is interesting. It's more than interesting, it's awesome! The court held that an instant message exchange effectively modified a written agreement which contained a "no-oral modification clause." This resulted in a judgment in favor of a marketing agency against the seller of electronic cigarettes to the tune of $1,235,655 (along with fees, costs, and interest)!

Smoking Everywhere sells e-cigarettes through its website. It contracted with CX Digital, which ran an affiliate marketing network. CX's affiliates run websites or campaigns and, when they refer a sale to CX's clients, CX is paid a referral fee by the client (and CX pays a portion to its affiliates). Smoking Everywhere and CX signed an insertion order under which CX would get paid $45 per "sale" of "Gold E-Cigarette Kit Free-Trials." Sale was specifically defined as filling out a one page registration form and submitting credit card information. The insertion order contained a limit of 200 sales per day.

The parties signed the insertion order in August 2009. In August, CX generated 670 sales. It invoiced Smoking Everywhere $25,150 for these sales. It was never paid for this invoice. In early September, the parties had an instant message conversation which covered a variety of topics. CX asks Smoking Everywhere about removing the 200 sale per day limit:

[CX] (2:50:08 PM): We can do 2000 orders/day by Friday if I have your blessing
[CX] (2:52:13 PM): those 2000 leads are going to be generated by our best affiliate and he's legit
[Smoking Everywhere]: is available (3:42:42): I am away from my computer right now
[CX] (4:07:57 PM): And I want the AOR when we make your offer #1 on the network
[Smoking Everywhere] (4:43:09 PM): NO LIMIT
[CX] (4:43:21 PM): awesome!

In September, CX's referrals went through the roof and it was referring an average of 1,244 sales per day. The parties had some discussions and quibbles about whether CX was referring potential sales to the correct version of Smoking Everywhere's landing page. (Apparently, an older version of the site promoted e-cigarettes as a smoking cessation device as recommended by doctors, and Smoking Everywhere changed this practice. The written agreement referred to the old version of the site.) Smoking Everywhere did not pay the August invoice, and CX put the Smoking Everywhere campaign on hold. When Smoking Everywhere declined to pay CX's August and September invoices, CX sued. Following a bench trial, the court rules for CX.

Modification of the Agreement: One of the key issues was whether CX could invoice Smoking Everywhere for the multitude of referrals, despite the 200 sales per day limit in the insertion order. The other issue was whether CX was entitled to the referral fees despite sending referrals to a link other than the one listed in the insertion order. There was a final issue as to whether the sales were fraudulently procured.

The issue of fraudulent sales: Smoking Everywhere tried to argue that many of the sales were "fraudulent," but the insertion order contained language that was favorable to CX on this point. Smoking Everywhere would be relieved of its obligation to pay for sales only if it provided documentation "beyond a reasonable doubt" within five days of the sale, with time being "of the essence." Smoking Everywhere failed to procure this evidence so it lost its fraud argument.

Whether traffic was sent to the correct link: On the issue of whether the traffic was sent to the appropriate link, the court says that the instant message conversation clearly demonstrated an intent to agree on a different link:

A close reading of the instant messages and careful consideration of the behavior of the parties during the conversation indicate clear assent on the part of both parties to stop sending traffic to the 'old' ecig link and to begin sending the traffic to the two new URLs.

The representatives of Smoking Everywhere and CX exchanged links (via email) that went to the new ecig landing page and both ran tests on the new links to make sure they were coded to track referrals from CX affiliates.

The modification of the 200 sale per day term: The court finds that the instant message conversation around modifying the 200 sale per day limit was equally definitive. CX asks about whether CX can refer 2000 referrals per day and asks for Smoking Everywhere's "blessing." In response, Smoking Everywhere says "NO LIMIT." (caps in original). The court finds that CX's suggestion of a 2000 sale per day limit was an offer of a new term. Smoking Everywhere's response of "NO LIMIT" was a counter-offer which suggested a new term, which varied the terms of the original offer. CX accepts this counter-offer by signifying assent - i.e., saying "awesome!" Smoking Everywhere tried to argue that its counter-offer of "NO LIMIT" could have been referring to another term of the agreement (and didn't necessarily refer to the sale per day limit) but the court does not buy this. Smoking Everywhere was unable to come up with a credible explanation of what other terms it could have been referring to.

The Signed Writing Clause: Smoking Everywhere also argued that a term in the insertion order which provided that it could only be "changed . . . by a subsequent writing signed by both parties" barred modification of the agreement by the exchange of instant messages. The court held that the instant message exchange was not oral (it was in writing) but it wasn't signed by both parties. However, under Delaware law, conduct or statements could modify a written contract with a signed writing clause, and therefore, an unsigned writing could as well. CX changed its position in reliance on the modification (and based on Smoking Everywhere's statements) by agreeing to pay its downstream affiliates for referrals. In these circumstances, Smoking Everywhere was estopped from asserting the signed writing clause as a defense.

Did the Vice President of Advertising Have the Authority to Bind Smoking Everywhere: Smoking Everywhere also argued that Nick Touris, the VP of advertising - who engaged in the instant message conversation with CX - did not have the requisite authority to bind Smoking Everywhere. The court held that Touris had apparent authority to bind Smoking Everywhere, and CX reasonably relied on this authority. There were plenty of indicia of Touris's authority: (1) he was the VP of marketing; (2) he negotiated the insertion order; and (3) he personally implemented the URL change. Smoking Everywhere argued that Touris informed CX that Touris could not get agreements signed without the approval of Smoking Everywhere's president, but Smoking Everywhere failed to come through and provide solid evidence on this point. Touris testified on the final day of trial that CX was aware that Smoking Everywhere could not enter into agreements without the permission of Smoking Everywhere's president, but the court was concerned about "the comportment of [Touris]" and the fact that the testimony was procured at the request of Smoking Everywhere's counsel, after he requested a recess during closing argument.

___

From the practitioner's standpoint, this looks like a significant ruling (or at least a good reminder that informal communications can modify written agreements). Written contracts are the currency of business dealings, and as a standard term, written contracts contain provisions that say they cannot be modified without a signed writing (signed by authorized representatives). Business representatives increasingly engage in informal communications and most people would reduce any later agreement to a writing in the form of an addendum. Here, the parties did not do that, and in the short time after the conversation in question, CX acted in reliance on the modification, and as a result Smoking Everywhere ends up with a whopping judgment against it. Yikes!

I'm guessing there is a body of case law to the effect that email exchanges can effect a modification of a signed contract, but this case is a useful reminder that even more informal communications such as instant message conversations can do the same.

Smoking Everywhere may appeal, and a footnote from the court's order indicates that its ultimate ruling on the no modification without a signed agreement clause came as a surprise to counsel for Smoking Everywhere, but the larger takeaway from the case (regardless of how it resolves) is that informal exchanges can result in the modification of written agreements.

______

Eric's comments:

It doesn't get more awesome than to have a contract counter-offer given a million dollar consequence through an IM saying, in total, "awesome!" Well, maybe it would be more awesome if he had scribbled the word "awesome!" on a bar napkin while he was high as a Georgia pine. (See Lucy v. Zehmer).

It's standard for contracts to restrict oral amendments. It's also standard for business partners to "talk" using email, IM, text messages, Twitter @replies, comments to Facebook status reports, etc., etc. The default rules should be that all of these electronically-mediated communications qualify as writings. (But see John O's post on an odd case from last summer). If you fear the legal effects of these communications, you could try to restrict contract amendments to terms printed on a piece of paper mutually signed in ink. But I think lawyers are fighting an uphill battle trying to denigrate the legal effect of these electronic communications. They are an integral part of the relationship, and there's not much we as lawyers can do to change that.

Posted by Venkat at 01:29 PM | Licensing/Contracts



March 27, 2011

Another Advertiser Class Action Lawsuit Filed Against Google--Woods v. Google

By Eric Goldman

Woods v. Google Inc., 5:11-cv-01263-HRL (N.D. Cal. complaint filed March 15, 2011)

Since Google settled its click fraud lawsuits in 2006 and the CLRB Hanson case in 2009, it's been a little quiet on the advertiser-vs.-Google class action lawsuit front. This lawsuit breaks that calm. It's a 300 paragraph broadside against many of Google's advertising practices that lead to alleged overcharges, which the complaint characterizes as click fraud.

A quick note about the named plaintiff: he describes himself in the complaint (para. 16) as "an Arkansas attorney advertising his legal services." (Is this him?) What is it with lawyers who sue Google as plaintiffs? I previously noted how lawyers suing for their own account were unusually common plaintiffs against Google.

Beneath the bloated and mind-numbing prose in the complaint, there could be some potentially juicy allegations here. Unfortunately, weak drafting prevents me from fully understanding the plaintiffs' beefs. It appears to have something to do with Google's AdSense terms restricting certain publisher behavior, which the complaint appears to treat as promises to advertisers that they would not be charged for such behavior. If I'm reading this correctly, the plaintiffs' complaints are predicated on the unfortunately all-too-common but nevertheless obviously flawed logic that Z's negative behavioral covenants with party X are Z's affirmative promises to party Y that such behavior won't occur. See, e.g., para. 70, which tries to convert the AdSense terms into affirmative promises to advertisers. More typically, Y tries to take advantage of X's negative behavioral covenants by claiming to be a third party beneficiary of the Z-X contract, but those arguments rarely work, and the plaintiffs don't try them here.

As a specific application of the flawed logic about advertisers as beneficiaries of the Google AdSense terms, the plaintiffs appear to be unhappy that Google cut special deals with big advertising distribution partners (such as IAC and Infospace) who were governed by different (and less advertiser-friendly) ad display rules than rank-and-file AdSense publishers. I believe this gripe is predicated on an implicit assumption among advertisers that the published AdSense contract is the only set of rules that governs AdWords distribution. The cloak-and-dagger stuff about special partners having favorable hidden deals can be pretty interesting, but the complaint's assumption that advertisers didn't know that some AdSense publishers had customized terms seemed dubious to me.

The complaint also goes into some detail about Google's "Smart Pricing" mechanism and argues that it didn't work properly. The complaint gives some examples where the advertiser's bids allegedly were inflated because Smart Pricing wasn't turned on as it expected. I must confess that I find Google's explanation of this mechanism pretty opaque (the explanations talk about "business results," whatever that means), so I had a tough time evaluating the significance of the complaint's gripes.

Based solely on the complaint, it's virtually impossible to gauge the likelihood of the plaintiffs getting a payoff here. There are the usual challenges to class certification, including commonality/predominance of class issues. In this case, there are the additional variables of how the prior class action settlements might limit this complaint, plus the overlay of any statute of limitations (a number of citations were to 2007 publications). And, as usual, so much depends on discovery (if the plaintiffs survive the inevitable motion to dismiss)--can they find smoking guns, or will their arguments remain mostly conjecture and assumptions? Despite all of these potential impediments, I can't imagine Google is thrilled to be wrangling with a lawsuit like this.

Posted by Eric at 10:12 AM | Licensing/Contracts , Marketing , Search Engines | TrackBack



March 15, 2011

Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout -- Keithly v. Intelius

[Post by Venkat Balasubramani]

Keithly v. Intelius, No. C09-1485RSL (W.D. Wash.; Feb. 08, 2011)

A district court judge in Washington held that Intelius could potentially be held liable for allegedly deceptive marketing practices based on its making available third party services as part of the online checkout process.

Background: Intelius offers "background check" and look-up services to customers on the web. Customers brought a putative class action alleging that they were deceived during the online check-out process into buying third party subscription services.

The plaintiffs' experiences varied slightly, but some of the plaintiffs alleged that after they selected the desired services from Intelius, they were offered these services for $49.95, but were also presented with an option to enroll in a "mysterious 'Identity Protect'" service and pay $39.95 (i.e., get a $10 discount on the product which they ordered). These customers were taken through several pages which mention the basic and add-on services, and in one of the pages, the customer was informed that enrolling in 'Identity Protect' would result in the customer's credit card being billed monthly (if the customer did not cancel after the seven day free trial).

At this point the customers could complete the order, but another group of customers were told that they could take a "Community Safety Survey," and receive $10.00 cash back, when they tried the "Family Safety Report." Customers who responded favorably to this were then presented with a survey - one of the questions is related to community safety, and the other question is billing related. Here, the customer is again presented with (what the court describes as) confusing options, one of which allows the customer to complete his or her order, and the other which sends the customer further down the path which ultimately results in the purchase of the "Family Report" service. As the court describes it, "[n]o information is provided regarding the company that is offering this service."

As alleged by plaintiffs, the services are offered after the customer has input his or her payment information and were offered by third party defendant Adaptive Marketing. [Intelius settled with the Washington AG's office in late 2010 around marketing practices that look similar to those alleged here. Adaptive's parent company was also recently hit with a big ($32.6 million) judgment in Iowa: "Judge hands down $32.6 million consumer protection verdict; hundreds of thousands of Iowans could receive restitution."]

Washington Consumer Protection Act: Defendants argued that the complaint failed to adequately allege deceptiveness. In order to satisfy the deceptiveness element, a plaintiff "need not show that defendants intended to deceive or defraud, but only that the practice had the capacity to deceive a substantial portion of the purchasing public." Additionally, deception (which is evaluated by the "net impression" created by the solicitation) "may result from the use of statements not technically false or which may be literally true." Under this standard, the court finds that two of the three marketing techniques were deceptive.

Identity Protect Plaintiffs: This group of plaintiffs selected the background report for purchase. They had to click two different "continue" buttons to complete the transaction, and in between the two steps, "Identity Protect" was added to their orders, "without any meaningful disclosure regarding the service or its price." At some point down the road (in step 4), the pricing details of "Identity Protect" were revealed, but they were the least conspicuous elements on the page. As described by the court:

[t]he elements that are most noticeable at Step 4 convey the impression that the consumer is purchasing a background report for $39.95 (a savings of $10.00) and that Identity Protect costs nothing. A reasonable consumer in Keithly's position could believe that clicking the red "Continue" button would answer his every need: it would allow him to purchase the product he wanted for a total of $39.95. Nothing about the key design elements would suggest that Keithly should be hunting for other terms and conditions and, even if he did, the details of the offer blend in with the description of "Identity Protect Benefits" and the site security information to such an extent that he could miss them. The consumer could reasonably believe that clicking "Continue" would complete the order he had initiated at least four screens ago.

After step four, these consumers were not presented with any opportunities to remove Identity Protect, despite the transaction running the course of "ten screens." Similarly, after step four, there were no other disclosures regarding the pricing or terms for the Identity Protect service. In fact, "every order summary presented between Step 4 and the end of the transaction indicated that Identity Protect would cost $0.00." The court does note that not everyone would be fooled by this marketing technique:

[s]ome individuals would understand that obtaining something for nothing is a rare event and, at Step 3, would decline the offer of a $10.00 discount on the assumption that there was a catch. Others would take the time to read every word of the screen shot labeled Step 4 and realize that the advertised $0.00 price tag for Identity Protect would jump to $19.95 per month after the first seven days. But not everyone is so wary and/or detail-oriented, nor is the CPA designed to protect only those who need no protection. The capacity of a marketing technique to deceive is determined with reference to the least sophisticated consumers among us. The FTC has noted that on-line consumers do not read every word on a webpage and advises advertisers that they must draw attention to important disclosures to ensure that they are seen.
[emphasis added]

In other words, online retailers should not hide the ball as to what is being purchased, or as to the terms of the purchase. This applies to the text of the webpage, but also applies to the checkout process itself. If the process is confusing, it does not matter if the text is technically accurate! Consumers should be able to assume that they can "safely complete an uncomplicated internet transaction without fear of being swindled or saddled with unwanted goods and services if he reviews the order summary and clicks on the link or button that purportedly completes the purchase."

The court ruled with respect to a second group of Identity Protect plaintiffs that the practices were - as a matter of law - not deceptive because there was a disclosure on every screen that Identity Protect could be cancelled any time, but that "[a]fter [the] trial, [the consumer] will be billed $19.95 per month."

Family Safety Report Plaintiffs: The court similarly finds that the Family Service Report transactions could be deceptive. After the consumer bought the report from Intelius (and after the consumer clicked on the "show my report button") the consumer is presented with an option to "take the 2008 Community Safety Survey and claim $10.00 CASH BACK when you try Family Safety Report." Here the consumer is presented with a choice to try the Family Safety product or not, but the option to try the Family Safety Report is more prominently presented. If the customer clicks on the "Yes" button and provides his or her email address, the customer actually authorizes Intelius to "transfer" the customer's account information to the undisclosed third party who is offering the service. The court points to the design elements on the page that all fail to highlight that the consumer is actually signing up for something that he or she will be on the hook for:

None of the normal cues related to a consumer transaction are presented: no product is selected, no order summary is provided, no payment information is exchanged, and no confirmation of the transaction is generated. By providing an email address and clicking the red button, the consumer will have purchased an on-going service from an undisclosed entity. Unless the consumer had the forethought to print the webpage before moving on, he will have no idea how to contact the purveyor of the service once the subscription fee starts showing up on his account statement.

__

I blogged about the VistaPrint case where the plaintiffs argued that they were improperly signed up for a rewards program. There the district court and Fifth Circuit both found that a disclaimer and the language of the transaction effectively undermined the claims. The court in this case disagrees with the approach in VistaPrint, noting that such "a truncated analysis is improper under Washington [law]" because the court should look at the transaction as a whole. Aside from the deference given to any disclaimers or disclosures, the processes in VistaPrint and in this case appear fairly different. There the customers had to check the box saying they agreed to the terms, enter their email address twice, and most importantly, the rewards program offer was presented after the transaction with VistaPrint.

In contrast, in this case, the court intimates that the merchant was doing everything it could to thwart the effective completion of the transaction, and the consumer is guided through a maze of steps where the merchant or third party tries to add an unwanted product into the consumer's shopping cart at each step. A big takeaway is that the flow of the transaction and overall impression to the consumer is as important as the text, and if the overall process is viewed as deceptive, a few disclaimers will not save you. Here, it was obvious that (taking the plaintiffs' allegations as true), customers were being put through a maze of a checkout process, with numerous traps along the way.

The practice of injecting a third party service (with recurring billing) into a transaction has drawn the ire of regulators. State AGs have gone after companies, and recently President Obama signed the Restore Online Shopping Confidence Act. (Here's an interesting background article on this statute: "How an Oil Baron's Heir Cleaned Up a $1.4 Billion Internet Scam.") The act covers sales by "third party sellers," and prohibits the data pass that the plaintiffs are complaining about here. The act requires the third party seller to disclose the terms, and the fact that the third party seller is not affiliated with the merchant. The act also requires the third party seller to obtain "the express informed consent" for the charge by obtaining the account number, name and address, and a means to contact the consumer from the consumer, and requiring the consumer to check the box or perform some other affirmative act to indicate consent. It looks like the transactions in question would have been covered by the statute. The act is intended to be enforced by the FTC and the State Attorneys General, but it does not rule out private enforcement, and I'm sure plaintiffs will be citing it aplenty.

Previous posts:

"Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process -- Bott v. Vistaprint USA Inc."
"Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards"

Posted by Venkat at 04:39 PM | E-Commerce , Licensing/Contracts



March 14, 2011

Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users' IP Addresses

[Post by Venkat Balasubramani with some comments by Eric]

In re: sec. 2703(d) Order; 10GJ3793; Miscellaneous Case No. 1:11dm00003 (E.D. Va. March 11, 2011) [pdf]

A federal magistrate judge refused to vacate a previously issued order granting the government's request to reveal information regarding various Twitter accounts for people allegedly associated with Wikileaks.

On December 14, 2010, at the government's ex parte request, the court entered a sealed order granting the government's request for the following information associated with the Twitter accounts of Wikileaks, rop_g, ioerror, birgittaj, Julian Assange, Bradley Manning, Rop Gonggrijp, and Birgitta Jonsdottir:

1. subscriber names, user names, and identities;
2. physical addresses, email addresses, and other contact information;
3. "connection records," records of session times and durations;
4. length of service and the types of service utilized;
5. "telephone or instrument number or other subscriber number or identity, including any temporarily assigned network addresses";
6. means and source of payment for service.

The order also required disclosure of all records and other information relating to these accounts, including the timing and method of connections, data transfer volumes, and "source and destination" IP addresses; "non-content information" associated with any communications, such as "source or destination email addresses and IP addresses;" and correspondence and notes of records relating to the accounts.

Twitter sought to have the order partially unsealed and to give the affected account-holders an opportunity to contest the order. (Kudos to Twitter for taking this step. ("Why Twitter Was the Only Company to Challenge the Secret WikiLeaks Subpoena.")) Several interested parties (Appelbaum, Jonsdottir, Gonggrijp), represented by the ACLU and EFF, filed a motion seeking to vacate the order, but they were unsuccessful.

Standing Under the Stored Communications Act:

The first question was whether the moving parties had standing to challenge the order under the provisions of the Stored Communications Act. The court says that standing to challenge under section 2704(b)(1) is restricted to those customers who can show that the "contents" of their electronic communications have been sought. "Contents" are defined in the statute as information "concerning the substance, purport, or meaning" of the communications, and the court finds that the government did not seek the contents of any communication. [The court notes here that the moving parties face difficulties in challenging the application because they have not seen a copy of it - the application is under seal.]

First Amendment Arguments:

The First Amendment arguments centered around free association and the chilling effects that would result from the government being able to "create a 'map of association'" from obtaining the information in question. The court is unpersuaded by the First Amendment association argument, partially because the moving parties had "made their Twitter posts and associations publicly available." The court does not specify whether the accounts were set to private, but I assume if any of them were, the court would have mentioned it.

Fourth Amendment Arguments:

Finally, the moving parties made a Fourth Amendment argument that the disclosure order should have been vacated because it amounted to a warrantless search in violation of the Fourth Amendment. In particular, the moving parties argued that they had a privacy interest in their IP address information, and argued that requiring Twitter to produce IP address details for specific dates and times would be "'intensely revealing' as to location, including the interior of a home." The court is not sold on this argument. The court cites to a slew of federal appellate cases (including US v. Bynum, which was the subject of a brief post: "4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info") holding that there is no privacy interest in an ISP subscriber's information. The moving parties argued that they never voluntarily conveyed their IP address to Twitter, but the court disagrees, and points to Twitter's privacy policy:

[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of "Log Data" that Twitter collects, transfers, and manipulates . . . . Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.
__

I had not followed the goings on closely, but the moving parties had an uphill battle given that the government did not seek the contents of any communications. This is a fact that is sometimes obscured in media reports, which often paint the picture of the government getting access to sensitive and private communications. That isn't the case. The fact that the accounts in question were not set to private did not help either. (Also, in the consumer context, courts have held that IP addresses are not personally identifiable information. See "Court: IP Addresses Are Not 'Personally Identifiable' Information.")

On the expectation of privacy issue, Chris Soghoian makes a good point that I've alluded to before - it's awkward to measure the consumer's expectation of privacy based on the language of a privacy policy because people rarely read the policies: "Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies." That said, most people would expect services like Twitter to collect and use IP addresses. It's just a question of how long Twitter may retain this information for and under what circumstances it would turn this information over. On this issue, the privacy policy was of no help.

[As a side note, I think this may be somewhat indicative of how many of the Facebook privacy lawsuits may shake out. Those lawsuits are heavily dependent on federal statutes which grant protection to the contents of communications, and if all that's being collected and used is the parameters of a person's internet activity, the plaintiffs will have a tough time arguing that any statutory violations occurred.]

EFF & the ACLU plan to appeal, so this isn't the last word.

Other coverage:

EFF: "Court Rules Against Privacy in Battle Over Twitter Records"
cnet (Declan M.): "DOJ wins access to WikiLeaks-related Twitter accounts"
Wired (Threat Level): "Judge Won’t Stop WikiLeaks Twitter-Records Request"
Chris Soghoian: "Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies"

_______________

Eric's comments: In my recap of top cyberlaw issues from 2010, I ranked Wikileaks as the #1 issue of the year and wrote:

Wikileaks finally forces us to confront many of the cyberspace governance issues we were debating in 1996. I'm sad to say that our government, and many private businesses, failed the test.

This ruling appears to be another datapoint in support of that assessment. The government's request for Wikileaks-related information from Twitter very well may be lawless, but this judge--like so many others confronted with Wikileaks-related issues--is willing to roll with it using highly formalist reasoning. In this respect, Wikileaks may be the new Napster--whenever its name is invoked, the rule of law gets suspended in an overall effort to kick the unwanted enterprise out of the ecosystem; and everyone who touches Wikileaks gets tarred with the taint-by-association brush.

The court's ruling on 2704 standing to challenge a 2703(c) request is a fine example of the problem. The court says that, based on the statutory wording, the affected subscribers lack standing to challenge the records request. OK, but when do the affected subscribers have standing to challenge a 2703(c) request? According to this ruling, the answer may be never. That can't be right. Surely we as citizens have some way to fight back against overreaching government requests for non-public information about us...don't we?

We encounter the same problem with the court's discussion regarding IP addresses. The court makes a troubling categorical statement: "petitioners have no Fourth Amendment privacy interest in their IP addresses." As with the 2703(c) records request, is there any circumstance where a subscriber could prevent his/her IP address from being disclosed to the government? According to this court, the answer may be no.

Overall, the court seems tone-deaf about the possible consequences of revealing the information to the government. We've made a lot of progress striking a balance regarding unmaskings in the civil context; here, the court doesn't consider the possibility of balancing at all.

I'd like to think the Wikileaks participants used anonymizers for their IP addresses. If you are doing anything likely to incur the wrath of the US government, consider this a cautionary warning of the need to use good anonymizers for your activity.

For Twitter, there is a silver lining to the ruling. In a footnote, the court says "By clicking on "create my account", petitioners consented to Twitter’s terms of use in a binding “clickwrap” agreement to turn over to Twitter their IP addresses and more." Surely Twitter likes a judicial vote in favor of its online contract formation. However, the court's citation of Twitter's privacy policy reinforces that privacy policies are not just about the private arrangements between sites and their users. The government will trawl through a site's privacy policy to cite terms against the site's users as part of the government's rapacious desire to know everything about its citizens. As drafters of privacy policies, we might consider how we balance our clients' needs for information flexibility with the fact that the government will abuse that same flexibility for its own possibly lawless interests.

UPDATE: Jennifer Granick's post on the opinion.

Posted by Venkat at 11:43 AM | Licensing/Contracts , Privacy/Security



February 17, 2011

eBay's Venue Selection Clause Upheld in Missouri--Earll v. eBay

By Eric Goldman

Earll v. eBay, 2011 WL 497781 (W.D. Mo. Jan. 4, 2011). The initial complaint.

Earll, who is deaf, sued eBay for violations of the Americans with Disabilities Act (ADA) and the CA state law analogue. Her complaint relates to the fact that eBay telephonically confirms sellers, which poses a problem for deaf sellers. As part of the signup process, Earll clicked on eBay's user agreement, which included eBay's standard venue selection clause specifying its home court as the mandatory venue for lawsuits. eBay invoked the clause against Earll to move the suit there.

Earll tries to knock out the user agreement by arguing that it was fatally defective for not disclosing the telephonic verification requirement. The court deems that omission immaterial.

Earll then argues that the venue selection clause covers only a subset of claims a plaintiff might bring, and therefore it does not apply to her civil rights claim. The court rejects the argument because her claims "relate to her inability to sell items on eBay's website."

Earll then argues that some courts have rejected venue transfers in disability-related cases where a transfer would prevent disabled people from litigating, thus undermining the law's policy objectives. Acknowledging that, the court says that Earll never indicated that she would abandon her claim if it was transferred, and California courts are just as capable of adjudicating ADA claims as the Missouri courts.

Having rejected Earll's arguments, the court orders the venue transfer. This is a nice win for eBay on two fronts. First, it's yet another case upholding its venue selection clause. I just blogged on a similarly favorable case (Evans v. Linden Research) where Second Life, invoking a clause copied from eBay's, also successfully invoked the clause. In light of the confusion we had after Comb v. PayPal, it's nice to see more predictable contract interpretation results.

Second, ADA claims are very dangerous for online sites. See, e.g., the NFB v. Target case. Having the case in eBay's home court surely helps eBay's odds of success in a risky case.

Related blog posts:

* eBay Venue Selection Clause Upheld in Texas
* Terminated eBay Vendor Gets Day in Court Against eBay--Crawford v. Consumer Depot
* Note about Tricome v. eBay
* Note about Universal Grading Service v. eBay
* eBay User Agreement Upheld, Part II--Durick v. eBay
* eBay User Agreement Upheld--Nazaruk v. eBay (upheld on appeal)

Posted by Eric at 10:39 AM | E-Commerce , Licensing/Contracts | TrackBack



February 09, 2011

Second Life Forum Selection Clause Upheld--Evans v. Linden

By Eric Goldman

Evans v. Linden Research, Inc. (E.D. Pa. Feb. 3, 2011)

This lawsuit is similar to the Bragg lawsuit from a few years ago, which argued that land purchases in Second Life were equivalent to real property purchases (due to marketing representations made by Second Life), so Second Life couldn't unilaterally reclaim land from its users. In 2007, Bragg won a favorable jurisdictional ruling, defeating Second Life's invocation of the forum selection clause in its user agreement. See Bragg v. Linden Research, Inc., 487 F. Supp. 2d 593 (E.D. Pa. 2007). The parties subsequently settled. Now, another group of plaintiffs are taking a run at Second Life on the same basic theories.

I don't normally blog on forum selection clause cases any more, but this case is interesting because Second Life changed its fate. In contrast to the Bragg ruling, this opinion upheld Second Life's forum selection clause, shipping the case from ED Pa. to ND Cal. The new case involves the same basic arguments as the Bragg case, filed in the same court against the same defendant, and the decisions were written by the same judge. How did Second Life work this turnaround?

After the Bragg ruling, Second Life changed its user agreement's forum selection clause to basically mimic the approach eBay uses in its user agreement: mandatory jurisdiction/venue in Second Life's home court except for permissive virtual arbitration for low-dollar-value disputes. eBay adopted this structure in the early 2000s after it got a scary ruling in Comb v. PayPal, and since then eBay has had some litigation success with its new clause. Here, Second Life changed its contract from a mandatory arbitration clause--which failed--to eBay's mandatory jurisdiction/venue + permissive arbitration approach--which works. Nicely done.

(Personnel note: Second Life's mimicry of eBay's user agreement probably isn't an accident. Second Life's General Counsel at the relevant times, Marty Roberts, previously did a tour of duty as an in-house lawyer at eBay. See Marty's LinkedIn profile).

The court does not clearly explain how Second Life successfully amended its user agreement for any users who initially signed up under the old contract. (As I've previously blogged, retroactive contract amendments are tricky). The court says tersely "The information provided shows that each Plaintiff agreed to the March, 2010 TOS at some point before this action was brought." I would have loved to see the court explain in more detail how Second Life successfully moved everyone onto the new contract.

There are two very practical implications from this ruling:

1) If your mass-market online user agreement still contains a mandatory arbitration clause, you are playing with fire.

2) I have been recommending an eBay-style forum selection clause to my clients for many years now. Given that it is battle-tested in court, you might consider if the clause would be a useful starting point for you.

Posted by Eric at 09:27 AM | Licensing/Contracts , Virtual Worlds | TrackBack



January 27, 2011

Top 5 Cyberlaw Developments of 2010, Plus a 2010 Year-in-Review

By Eric Goldman

Earlier this Fall, I posted my top 8 trends in Internet law, and that's a good place to start if you want to see how I think things are developing. Because of that post, this year I'm shaking up the format of my year-end recap post a little bit. We'll start with the top 5 Cyberlaw events of 2010, but then we'll move to other topics. (This is a variation of my post to InformIT on Tuesday).

Top 5 Legal Developments

#5: Google pulls out of China. China's native search engines rejoice, but is this really a win for China's long term prospects? Meanwhile, I keep hoping Google will do the same in the EU too given how much the EU regulators hate Google.

#4: COICA and the pre-enactment COICA workaround, ICE's lawless seizure of 82 supposedly pirate-oriented domain names. Showing once again that domain name censorship is irresistible to government regulators.

#3: Righthaven goes on a litigation frenzy on behalf of newspapers. Which do you think will happen first--bloggers stop discussing newspaper articles for fear of being sued, or newspapers go out of business? What's amazing is that newspapers don't realize that the first will accelerate the second.

#2: Oracle gets $1.4B+ from SAP for competitive scraping. Oracle hit a grand slam with the damages in this case, ranking highly on several all-time-largest-awards charts.

And the top cyberlaw story of the year goes to...

#1: Wikileaks. Wikileaks finally forces us to confront many of the cyberspace governance issues we were debating in 1996. I'm sad to say that our government, and many private businesses, failed the test.

Other Key Developments

* Tiffany v. eBay. The Second Circuit thumps Tiffany's pathetic arguments and gives eBay a clean bill of trademark health. However, this ruling just preserved the status quo, so for my money, the much more important secondary trademark rulings involved providing other services to alleged counterfeiters. See Gucci v. Frontline, potentially exposing credit cards and other payment service providers to secondary liability for providing payment services to alleged counterfeiters, and Roger Cleveland Golf v. Price, potentially exposing SEOs/web designers to secondary liability as well.

* Viacom v. YouTube and Arista v. Limewire. These companion cases told us what we already knew: YouTube + 512(c) defense = good, P2P file sharing software vendor - DMCA safe harbor = bad.

* Sony v. Tenenbaum. I'm still waiting to see if this case is a blip or a watershed. It has the potential to make every copyright statutory damages case into a constitutional due process inquiry.

* Legally, it was a good year for Google. Google got a favorable trademark ruling in the ECJ. Google got a decisive win in its Rosetta Stone AdWords trademark case (and, as mentioned before, the YouTube case as well). Most of the other trademark plaintiffs lost or simply gave up.

* Legally, it was a lousy year for Google. Everyone in the world seems to be considering if they can run Google's algorithms better than it can: EU antitrust regulators, French antitrust regulators, the Texas AG, private plaintiffs, the New York Times and so many more. Google got trapped in a dangerous antitrust litigation in the unfavorable venue of Ohio state court. Google Street View has been a legal train wreck world-wide. The DOJ busted up a possible hiring cartel among Silicon Valley companies, and Google almost immediately handed out 10% pay raises for everyone. Buzz was a lousy product with a horrible launch, and it led to a multi-million dollar litigation kicker.

* It was a quiet year for 47 USC 230 litigation. From my perspective, quiet is good! The biggest defense win of the year: Milgram v. Orbitz. The biggest plaintiff win of the year: Swift v. Zynga.

* Perfect 10 v. Google. Google gets yet another win in this case, this time on 512(d)--one of the few cases interpreting the 512(d) safe harbor for linking to infringing content.

Notice I didn't put *any* of the Ninth Circuit Internet law jurisprudence on the list. There were plenty of interesting rulings this year: Krottner v. Starbucks, MDY v. Blizzard, Vernor v. Autodesk, DSPT v. Nahum, the Freecycle naked licensing case, Advertise.com v. AOL, Toyota v. Tabari, Visa v. JSL, CRS Recovery v. Laxton, Office Depot v. Zuccarini. However, I have lost all faith that 3 judge panel decisions by the Ninth Circuit have any binding precedential effect on other panels, so every case is effectively a one-off.

Less-Heralded But Nevertheless Interesting Disputes of the Year

Some under-the-radar legal disputes that I thought were more interesting than the overhyped stories:

* Barclays v. theflyonthewall. A brokerage house gets an injunction against the republication of its stock recommendations based on a hot news doctrine. The case is now on appeal to the Second Circuit. The case exposes the precarious business model of brokerage houses: they are content publishers trying to monetize via a commodity service, and brokerage house stock recommendations were exactly the kind of information John Perry Barlow explored in his 1994 Economy of Ideas article. Will the hot news doctrine prop up a doomed business model?

* Anderson v. Bell. Electronic signatures count towards the requirements for an election petition. This could launch a new era of citizen petitioning of the government.

* Snap-on v. O'Neil. A company can't scrape its own data from its outsourced vendor, seemingly authorizing the vendor to play hold-up games for companies that don't handle the contract correctly. The Eventbrite v. Cvent case provided some interesting contrast.

* Goforit v. Digimedia. A court upholds domain name wildcarding and says the TM owner/plaintiff pursuing those wildcarded domain names may have engaged in reverse domain name hijacking.

* Lara Jade Coton v. TVX. The blog post title said it all: "Tip for Clean Living: Don't Use a 14 Year Old's Self-Portrait in Advertising for Porn."

Most Overhyped Stories

This year, for the first time, I'm separately breaking out a category for most overhyped stories of the year.

* Craigslist shuts down its adult services category. A toxic mix: Craigslist took a legally defensible but nevertheless obstinate position, and state AGs love to show their constituents how much they hate the Internet. When Craigslist finally gave in and shut down its adult services category (with a whining F-U), people went crazy.

* Borings get $1 for their trespassing claim. Google's Street View contractors made a mistake, drove up a private driveway, and captured what they saw. Google posted the photos until it got a complaint, then the homeowners with the odd surname ("Boring") went on a litigation frenzy. Their payoff for several years of litigation? $1. Not even enough for extra foam on a Starbucks mochachino.

* The Supreme Court's tech docket. Several fizzled out non-decisions from SCOTUS this year: Bilski, Quon, Costco. The Supreme Court is taking a steady diet of tech-related cases, but they are gun-shy about actually resolving them.

* Mark Hurd. Mark Hurd, Hewlett Packard's CEO, had an inappropriate relationship with an HP contractor/former B-list softcore porn actress and maybe fudged his expense reports. When he tried to take a job at HP's frenemy Oracle, HP got litigious, but it turns out their fur can be smoothed for a few million.

* Lost iPhone Prototype. Stop me if you've heard this joke before: an engineer walks in a bar and...loses a super-stealthy prototype of one of the most important new consumer technology launches ever...? I realize it's an uber-cool phone, but still, IT'S A PHONE, PEOPLE!

Our Snarkiest Company-Specific Posts

Occasionally, we get snarky about specific companies' practices. It's not our norm, but these posts sure do boost traffic. Companies in our crosshairs this year:

* The Problems With Google House Ads. Google's response to this post was pathetic and embarrassing.

* Scribd Puts My Old Uploads Behind a Paywall and Goes Onto My Shitlist. I still use Scribd, but I have zero loyalty.

* Hypocrisy Alert?! Expedia, a "FairSearch" Member, Marginalizes American Airlines in Its Search Results. If you're going to wave the "Search Neutrality" flag, please keep it hypocrisy-free.

* Facebook pulls a rare hat trick of snark this year: Q2 2010 Quick Links Part 3 (Special Facebook Edition), Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com, Distrust in the Cloud Part #2: Facebook Blocks J.mp Links and Takes Down Lots of Status Updates in the Process. I'm officially no longer in love with Facebook. I post the exact same content to Twitter and Facebook, so please follow me at Twitter instead.

* My RapLeaf Profile is Amusingly Mistaken. This is What the Fuss is All About?. In response to an article in the Wall Street Journal's "What They Know"/privacy plaintiffs lawyers full-employment series of articles.

Most Popular Blog Posts of the Year

1) Scribd Puts My Old Uploads Behind a Paywall and Goes Onto My Shitlist. Nearly 2X the traffic of #2. Putting profanity in the post title still works as a traffic booster.

2) Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase (Topsy 100). I still can't figure out why this post was so popular; it just reminded us of something we already knew. See also the related but overreaching Millen v. Hummingbird Speedway.

3 & 5) #3: Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Posted to "Twitter/TwitPic". Venkat also had an end-of-the-year hit with the #5 post, "Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service -- AFP v. Morel." Both posts were Topsy 100.

4) Viacom v. YouTube Summary Judgment Motions Highlights. Not surprisingly, the gossip about the lawsuit is way more popular than the blog post on the actual ruling.

One other post reached Topsy 100: "Ripoff Report Defeats Extortion Claim, But Plaintiffs Keep Trying--AEI v. Xcentric."

Lists of Yore

Previous top 10 lists from 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

Posted by Eric at 06:56 AM | Content Regulation , Copyright , Derivative Liability , Domain Names , Evidence/Discovery , Internet History , Licensing/Contracts , Search Engines , Trademark , Trespass to Chattels | TrackBack



January 07, 2011

TweetPhoto (now Plixi) To Start Charging For Twitter Celeb's Pics

[Post by Venkat Balasubramani]

I posted last week about the AFP/Morel Haiti photo debacle where the court rejected AFP's arguments that it had a license to photos posted to Twitpic by virtue of the Twitter & Twitpic terms of service. Two quick follow up points to that post.

First, Joe Mullin covered the story at paidContent ("Court To AFP: Pics Aren’t Free Just Because They’re On Twitter"), and AFP's lawyers made some striking comments:

AFP’s attorney, Joshua Kaufman of Venable LLP, contacted me today and said his client will continue to litigate this case. AFP’s fundamental position—that uploading pictures to TwitPic makes them available for other parties to use—hasn’t changed. And it’s common practice for news services to use such images, added Kaufman, saying: “If you look in magazines, there are hundreds of pictures a week that are taken off of TwitPic.” That’s because when a user agrees to Twitter’s terms of service (which all TwitPic users must do), the user agrees that Twitter, its partners, “and others” have the right to re-broadcast content, according to Kaufman. (The Twitter terms of use appear to have changed since this all occurred in January 2010.) “AFP certainly believes they acted appropriately, within the terms of the license,” he said.

Yikes! If this is a "common practice," it looks like there could be other lawsuits out there. What's striking about this comment isn't that AFP's legal position is off-base (it is). What's most striking is that AFP is the same organization that sued Google for linking to AFP's stories. (See "AFP Gets Confused As To How The Internet Works.") Something tells me that a ruling in AFP's favor in this case could undercut their future position as a plaintiff.

Second, the New Statesman reports that TweetPhoto (now Plixi) has agreed to license celebrity photos which are posted on Plixi ("News agency seeks to cash in on celeb Twitter pics"). (h/t TweetSmarter) As the story notes, Plixi signed a deal with WENN, which will now start charging publishers for use of celebrity images. Plixi is in a different position than AFP. Plixi (like Twitter) could claim a broad license to exploit content uploaded to the service; unlike Plixi, AFP is a third party that's coming along and saying it can exploit the content. However, interestingly, Plixi's user agreement does not seem to convey such broad rights to Plixi (See section 15 of Plixi's Terms of Service). The terms only allow Plixi to use the photos for the purpose of promoting Plixi:

Plixi does not claim ownership of Content you submit or make available for inclusion on the Service. However, with respect to Content you submit or make available for inclusion on publicly accessible areas of the Service, you grant Plixi the following worldwide, royalty-free and non-exclusive license(s), as applicable:
With respect to Content you submit or make available for inclusion on publicly accessible areas of Plixi, the license to use, distribute, reproduce, modify, adapt, publicly perform and publicly display such Content on the Service solely for the purposes of providing and promoting Plixi to which such Content was submitted or made available. This license exists only for as long as you elect to continue to include such Content on the Service and will terminate at the time you remove or Plixi removes such Content from the Service.

Maybe Plixi has separate deals with celebrities regarding the rights in celebrity photos?

Added: Additional coverage and link to the original story from Press Gazette: "News agency seeks to cash in on celeb Twitter pics"

Posted by Venkat at 11:55 AM | Copyright , Licensing/Contracts



January 01, 2011

Nov.-Dec. 2010 Quick Links, Part 4

By Eric Goldman

Blogs and Boards

* Reuters on the wild-and-wooly world of investor message boards.

* KingCast.net v. Friends of Kelly Ayotte, 2010 WL 4683829 (D.N.H. Nov. 2, 2010). Blogger's unsuccessful lawsuit to gain mandatory access to a candidate's campaign events as a journalist.

* Mealer v. GMAC Mortg. LLC, 2010 WL 4586183 (D. Ariz. Nov. 2, 2010). A lawsuit against General Motors for an employee's allegedly disparaging blog post is dismissed because the new GM isn't liable for the old GM's activities.

* ABA Journal: some attorneys are using independent contractors to “ghost write” blog posts for them. This seems like a practice filled with legal landmines.

Contracts

* Florencia Marotta-Wurgler, Does Disclosure Matter? The abstract:

Disclosure has long been the preferred regulatory approach to curtail one-sided standard form contract terms....The appeal of disclosure is that it is relatively low cost, improves consumer decision-making and preserves consumer choice. For disclosure to be effective, however, it must increase readership and understanding of contracts to a meaningful rate, and, conditional on readership, contract content must be relevant to purchase decisions. This paper tests both these necessary conditions. We follow the clickstream of 47,399 households to 81 Internet software retailers to measure contract readership as a function of disclosure. We find that making contracts more prominently available does not increase readership in any significant way. In addition, the purchasing behavior of those few consumers who read contracts is unaffected by the one-sidedness of their terms. The results suggest that mandating disclosure online should not on its own be expected to have large effects on contract content.

* S. 3386, Restore Online Shoppers' Confidence Act, signed into law Dec. 29, 2010. The bill prevents online merchants from passing shoppers' credit card numbers to other merchants without requisite consent. It also restricts negative option sales without adequate disclosure, consent and ability to terminate.

Jurisdiction

* Penachio v. Benedict, 2010 WL 4505996 (S.D.N.Y. Nov. 9, 2010). "Defendants are not subject to personal jurisdiction in this Court. The preparation and dissemination of the defamatory material occurred outside of New York. Although the [YouTube] videos bear a relationship to the proceedings in New York and Defendants' alleged commercial interest in New York, Defendants' interaction with New York during the publication of the videos is too marginal to rise to the level of purposeful availment."

* Miller v. Kelly, 2010 WL 4684029 (D. Colo. Nov. 12, 2010). "Defendant's LiveJournal blog appears to the Court to have been merely a passive website that allowed internet users to access and view information posted by Defendant. Accordingly, the Court finds that Defendant's authorship of a LiveJournal blog is an insufficient basis for the exercise of general personal jurisdiction over her....the Defendant's authorship of an entry on the blog was not an act purposefully directed at Colorado. Although the blog entry was allegedly accessed by Plaintiff in Colorado, no allegation or evidence has been presented to indicate that Defendant expressly aimed the entry at Colorado."

* State v. Pierce, 2010 WL 4941473 (Minn. App. Ct. Dec. 7, 2010). A man was ordered not to contact his ex-girlfriend. He violated the order by sending her a MySpace message, but prosecutors could not establish that he sent or she received the message in their county, so the conviction was reversed.

Posted by Eric at 01:14 PM | Content Regulation , E-Commerce , Licensing/Contracts | TrackBack



December 29, 2010

Court Rejects Agence France-Presse's Attempt to Claim License to Haiti Earthquake Photos Through Twitter/Twitpic Terms of Service -- AFP v. Morel

[Post by Venkat with a few comments from Eric]

Agence France Presse v. Morel, 10 Civ. 2730 (WHP) (S.D.N.Y.; Dec. 23, 2010)

The Southern District of New York issued an order denying AFP's request to dismiss photographer Daniel Morel's copyright claims, rejecting AFP's argument that uploading pictures to Twitter/Twitpic granted third parties (including AFP) a broad license to exploit this content. The result is not surprising from a legal standpoint, but should allow photographers (and others who upload content into Twitter's ecosystem) to breathe a sigh of relief.

The court recaps in detail the factual background underlying the dispute in its order. In a nutshell, Morel took what turned out to be iconic photographs in the aftermath of the Haiti earthquake. He uploaded the photos to his Twitpic account and linked to them via his Twitter account. Shortly after Morel uploaded his photographs, Lisandro Suero copied the photographs and posted them to Suero's own Twitpic page. Suero did not attribute the photographs to Morel. The facts are somewhat murky, but it does not seem disputed that AFP downloaded the photographs from Suero's account, marketed and distributed the photographs, and initially credited Suero with taking the photographs. Ultimately, Morel cried foul, and AFP filed a declaratory judgment lawsuit saying it did not infringe. [Some of the discussions between AFP and Suero took place on Twitter, and make for interesting reading. I wonder if the casual nature of Twitter and email discussions contributed to AFP's foibles here.] [Also, the photos were broadly distributed and licensed downstream, so there are a slew of defendants. I've mostly omitted discussion of the various defendants, focusing on AFP.]

Copyright Claim: AFP's primary argument was that (1) "[it] had an express license to use Morel's images [by virtue of the Twitter or Twitpic terms]" or (2) that it was a third party beneficiary of the agreement between Morel and Twitter. The court rejects this argument:

[b]y their express language, Twitter's terms grant a license to use content only to Twitter and its partners. Similarly, Twitpic's terms grant a license to use photographs only to Twitpic.com or affiliated sites. . . . the provision that Twitter 'encourage[s] and permit[s] broad re-use of Content' does not clearly confer a right on others to re-use copyrighted postings

The court also rejects the argument that AFP was a third party beneficiary to the Twitter license agreement, since AFP was not a "partner or sublicensee" of Twitter - AFP acknowledged that it was only a "user."

Contributory/Vicarious Infringement: With respect to the contributory infringement claim, the court held that Morel's allegations were sufficient:

Morel's allegations that AFP and Getty knew that the images were his, disregarded his rights, and licensed his images to third parties are sufficient to plead knowledge and inducement of infringement.

The court similarly rejects AFP's and Getty's request to dismiss the vicarious infringement claim. (The court does grant the request by CBS and CNN to dismiss the vicarious infringement claim because Morel failed to plead any "direct financial interest" in the exploitation of images by the affiliates of CBS and CNN.)

DMCA Copyright Management Information Claims: Morel's DMCA claims against AFP were premised on AFP's miscrediting of the images. AFP did not contest that the credit lines constituted "copyright management information" (as defined in section 1202), and the court finds that AFP acted with the requisite knowledge and intent. Interestingly, with respect to AFP, the court notes that Morel alleged that:

an AFP photo editor viewed [Morel's] photos before asking about identical photos on Suero's Twitpic page, and that when Morel failed to respond to the editor's email, AFP downloaded the pictures from Suero.

Morel brought a second 1202 claim based on AFP's "removal or alteration" of CMI, or distributing copyrighted material "knowing that CMI has been removed or altered." The crux of Morel's argument seems to be that he had posted CMI on his Twitpic page (e.g., by including "by photomorel," "daniel morel," and "morel") next to the photos when he uploaded them, and AFP violated section 1202 when it distributed photos downloaded from Suero's Twitpic account (which did not contain this information). The court construes the term CMI broadly, rejecting AFP's argument that CMI must be contained on the photograph itself. In the court's view, the information attached to Morel's Twitpic account constitutes CMI, and Morel's allegations regarding AFP's distribution of the photo which did not contain this CMI were sufficient to state a claim.

AFP argued that CMI is limited to a "component of an automated copyright protection or management system" (i.e., a technological measure that controls access and reproduction), but the court rejects this argument, and the line of cases which take this approach.

Lanham Act: The court rejects Morel's Lanham Act claim as being foreclosed by Dastar, a case in which the Supreme Court rejected Lanham Act claims with respect to communicative products (finding that these claims should be brought under copyright law and allowing Lanham Act claims would impermissibly broaden the scope of copyright protection).
__

As I mentioned in a previous post, AFP's position was a stretch, and it's nice to have some clarity that uploading content into the Twitter ecosystem does not grant third parties a license to use that content outside the ecosystem. (Nor does sharing and encouraging others to share result in a license to third parties.) Twitter and its partners have a broad license, but that's different from a random third party coming along, and claiming rights to the content. Photographers can rest easy!

The court construes Morel's 1202 arguments broadly, and as Professor Goldman notes below, this is as interesting as (if not more so than) the Twitter/Twitpic license issue. This looks like a boon to content providers - almost any sort of notation which indicates that the content is yours can be copyright management information (under the court's definition), and disseminating the content without this information (or after having removed it) can cause someone to incur 1202 liability. It seems like the court's reading of section 1202 (although it is supported by the language of the statute) allows a plaintiff to assert exactly the type of claim the Supreme Court negated in Dastar.

Earlier posts:

"Agence France-Presse Claims Twitter's Terms of Use Authorize Its Use of Photographs Posted to TwitPic"

"Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Posted to 'Twitter/TwitPic'" (I blogged that AFP's position was a stretch, but this post at duckrabbit contains a link to the oral argument, which will give you a flavor of how incredulous the court was at AFP's argument that it had a license through the Twitter or Twitpic terms: "AFP, CNN, Getty, ABC, V Morel, why this case matters to all professional photographers or why Getty could be selling your photos without you even knowing …")

Earlier coverage of the dispute:

* paidContent: "Lawsuit Tests Whether Twitter Pictures Are Free For The Taking"
* ReadWriteWeb: "Agence France-Presse: 'All Your Twitpics Are Belong to Us'"
* Techdirt: "AFP Still Not Giving Up On Its Bizarre Claim That Twitpic Images Are Freely Licensed To Anyone"

______

Eric's comments:

This case is a clusterf**k. AFP made numerous mistakes that resulted in infringing photos being injected into the news coverage of a major world crisis, which inadvertently tainted a variety of downstream media properties--all of whom, due to copyright's strict liability standard, are likely to write checks to Morel. AFP and its unfortunate partners should end their likely-futile and sometimes-silly defense and settle up with Morel so that everyone can move on to more productive endeavors.

Even though the Twitter/Twitpic discussion will get the most attention, I think the court's discussion about the 1202 liability is the opinion's most noteworthy aspect. There has been an ongoing schism in the 1202 jurisprudence about whether or not it's a 1202 violation to copy a copyrighted work without retaining the CMI located somewhere other than in the work itself. This case is a fine example of the problem: when people copied Morel's photos, they didn't go back to Twitpic to see what additional CMI might have been presented on the pages alongside the images. Some courts, recognizing the potential trap this creates, have read the 1202 statute narrowly, basically saying that metadata not in the file itself can't trigger a 1202 violation. I've been skeptical about the statutory fidelity of those rulings, but I've applauded their efforts to keep 1202 from becoming a backdoor Dastar as Venkat calls it. Other cases, including this one, have rejected these narrow readings of 1202 and indicated that failing to capture and republish metadata outside the file itself could violate 1202. Should more courts jump on this bandwagon, expect 1202 to become the copyright plaintiff's favorite new toy in 2011.

Posted by Venkat at 06:10 AM | Copyright , Derivative Liability , Licensing/Contracts



December 24, 2010

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues

[Post by Venkat with comments by Eric]

Mortensen v. Bresnan Comm., CV 10-13-BLG-RFC (D. Mont. Dec. 13, 2010)

A district court in Montana hearing one of the many NebuAd "deep packet inspection" lawsuits partially granted a defendant's motion to dismiss. This lawsuit arises out of NebuAd's alleged attempt to monitor and use an end user's internet activity for advertisement targeting purposes - i.e., not using cookies or other tracking, but actually routing the communications themselves through NebuAd's "appliance." There has been a slew of lawsuits arising out of this practice; this lawsuit involved claims against Bresnan Communications, an Internet access provider, who is accused of letting NebuAd install the appliance for its profit.

Electronic Communication Privacy Act Claims: Bresnan first argued that it did not engage in any interception itself, so it could not be held liable under the ECPA. The court rejects this argument on the basis of plaintiff's allegation that Bresnan "allowed" NebuAd to install its device on Bresnan's network, and but for the appliance, the monitoring would not have occurred.

However, the court accepts Bresnan's argument that the plaintiffs agreed to the interception based on disclosures in the terms of service and elsewhere. The court quotes from Bresnan's "Online Privacy Notice," which says:

the equipment used to provide the service collects information . . . [including] information about . . . 'electronic browsing,' and the text of email or other electronic communications the [users] send or receive using [the] services.

The notice also references that the information that is collected will be disclosed to third parties. Bresnan's "Online Subscriber Agreement" contained similar disclosures. Finally, the court notes that Bresnan alleges that it provided customers "specific notice" and a link to opt-out from information collections.

Shockingly, plaintiffs did not contest that "they agreed, by way of Bresnan's Privacy Notice and Subscriber Agreement to the interception." (??) Instead, plaintiffs quibble with the scope of the documents in question and argued that Bresnan construes plaintiffs' consent "cavalierly." The court rejects plaintiffs' argument, and grants Bresnan's motion to dismiss the ECPA claim on the basis of consent.

Invasion of Privacy Claims: Plaintiffs brought a common law invasion of privacy claim. The court finds that the notice and disclosure (discussed above) undermines any expectation of privacy plaintiffs had in their use of the service. This ends the court's discussion.

Computer Fraud and Abuse Act Claims: Although the court rejects plaintiffs' ECPA claim, the court allows plaintiffs' Computer Fraud and Abuse Act claim to go forward. The court concludes (based on Bresnan's disclosures to its customers) that Bresnan's access of plaintiffs' computers had some authorization. Nevertheless, the court finds that Bresnan may have exceeded the authorization that was initially granted. The court bases this conclusion on the fact that the notices provided by Bresnan did not clearly apprise plaintiffs that "their computer settings were to be actively altered or tampered with by Bresnan." The court concludes that for purposes of surviving a motion to dismiss, plaintiffs have sufficiently alleged that:

Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.

The court also addresses the jurisdictional damage requirement, under which a CFAA plaintiff must show that the unauthorized access caused $5,000+ in damages. The court notes that plaintiffs' allegations of emotional distress are not compensable, since only economic losses are recoverable under the CFAA. However, the court finds that plaintiffs satisfy the jurisdictional damage threshold since they allege they were "forced to mitigate Bresnan's invasive actions by expending time, money and resources to investigate and repair their personal computer's diminished performance."

Trespass to Chattels: Finally, the court allows plaintiffs' trespass to chattels claims to go forward. With respect to the trespass claim, the court says that the plaintiffs sufficiently alleged an interference with their chattel (their computers).
__

Venkat's Comments:

This is one of many privacy lawsuits that are percolating through the courts right now. I think this one differs qualitatively from many of the others in that here, there is an allegation of improper monitoring of the contents of the plaintiffs' communications. It's one thing to surreptitiously find out what websites someone has been visiting or leak someone's unique user ID. It's another thing entirely to read their email and the contents of what they access while browsing. This is an important distinction to keep in mind. I don't think you can necessarily extrapolate a tentative result in the other cases based on this result. Apart from the damages issue (discussed below) a key unknown in the pending cases is to what extent the information that is captured or disclosed is covered by the statutes in question.

I was somewhat surprised to see little or no discussion from the court on whether the policies were presented in a "leak proof" manner, or whether the disclosure satisfied FTC standards. Was there evidence that plaintiffs could not access the service without encountering the policy? (See Prof. Goldman's post on that topic: "Clickthrough Agreement With Acknowledgement Checkbox Enforced.")

The court's conclusion on the consent issue is also somewhat perplexing, in light of the exact same judge's earlier order denying Bresnan's request to compel arbitration, which you can access here. BNA recaps the decision denying Bresnan's request to subject the claims to arbitration as follows: "A mandatory arbitration clause in an internet service provider's terms of service—which was presented in capitalized text in the ninth paragraph of the unsigned document—was an inconspicuous part of a contract of adhesion and unenforceable under Montana law."

On the other hand, if plaintiffs conceded the consent/disclosure issue, then the court did not need to get into it. [What were the plaintiffs thinking, conceding this? If you are bringing this type of a lawsuit, you have to be able to put together enough allegations of no-consent to get past the motion to dismiss stage.]

At the end of the day, if consent is going to be the basis to defend against these types of privacy claims, defendants would be well advised to really be thorough in procuring this consent. In fact, I'm surprised that Bresnan - given that it is an IAP allegedly engaging in gray area practices - didn't just secure written consent at the time it first provided the service.

I'm also surprised at the court's conclusion on the Computer Fraud and Abuse Act damage issue, given its conclusion on the ECPA issue. If it was going to split hairs on the notice and consent (as it did with respect to the CFAA claims), it could have probably done so on the ECPA claims as well. Courts often keep in claims they may otherwise dismiss if they decided that some claims are going to survive. Also, some cases const