
Technology & Marketing Law Blog


May 24, 2013

Court Denies Restraining Order Against Ex-Boyfriend Who Threatened to Post Revenge Porn -- EC v. CBT

[Post by Venkat Balasubramani]

E.C. v. C.B.T., SR., A-1185-12T2 (N.J. Ct. App. May 6, 2013)

Plaintiff and defendant lived together between May and August 2011, and after that had a relationship that plaintiff characterized as dysfunctional. Plaintiff sought and obtained a restraining order based on defendant’s stalking. According to her, defendant:

- caused a scene at her workplace;

- threatened to tell her parents that her father had cheated on her stepmother;

- told her he planned to post compromising photos of her on craigslist;

- confronted her at a bar after her high school reunion and followed her and a male friend of hers to the friend’s house where he argued with the friend;

- in the days after the in-person confrontation, plaintiff and defendant exchanged text messages and other communications.

After these incidents, plaintiff continued to communicate with defendant, but ultimately broke it off. Prompted by a message defendant posted to her friend’s Facebook page (the content of which was not discussed by the court), plaintiff sought and obtained a restraining order.

Defendant had a different view of the events. He said that they had an “on-again/off-again” relationship. Regarding the reunion, he said the plan was for her to attend the reunion and for them to hook up after. He apparently went to the bar which was close to his house, saw plaintiff, and was concerned about whether plaintiff would be able to drive home. He said he followed her and the friend to the friend’s house where the friend started a scene. He said he couldn’t recall ever insulting or threatening plaintiff via email or text message, but he testified that he regularly exchanged messages with plaintiff.

The trial judge didn’t give much credence to the online activity at all:

I don't give a lot of credence to e-mails and Facebook and all that nonsense because that's not a face to face exchange. Nobody is in danger. Nobody suffers from that.

The judge was also confounded about the risqué pictures and why plaintiff sent them to defendant in the first place:

She tells him to stop and then submits naked pictures to him. That's the dilemma I have. What is she--what is she trying to express by doing that? Is that leave me alone? Is that I--the relationship will continue? I don't know. I can't understand that motive--motivation.

Nevertheless, the court granted the restraining order on the basis that defendant caused plaintiff fear by appearing at the bar and following her.

The appeals court reverses, finding that issuance of a stalking-based restraining order requires two elements--plaintiff must prove (1) a predicate act (in this case, stalking); and (2) that an order is necessary to protect the plaintiff from immediate danger or other acts of domestic violence. The court notes that the trial judge was equivocal in her own findings of fact, and failed to explain the many inconsistencies in plaintiff’s testimony (and ignored defendant’s allegations). The trial judge also failed to find a “course of conduct,” which is required for stalking. The court does say that defendant’s conduct was “immature and jealous,” but there was insufficient evidence to find that he engaged in stalking.

The court also says that the judge failed to make a finding that the order was necessary to protect the plaintiff’s safety or person, pointing out that the trial judge also did not explain the equivocal nature of plaintiff’s conduct (i.e., she appeared to interact with him, despite her testimony that she was fearful of contact with him).
__

New Jersey's anti-harassment statute has a broad reach, which at least in one instance, has been curtailed by an appeals court. ("New Jersey Appeals Court Reverses Anti-Harassment Order Based on Emails – E.L. v. R.L.M.") This case is in a similar vein, and it illustrates how confusing the statute is in application.

The elephant in the room of course is defendant's threat to make public the risqué pictures that plaintiff sent to defendant. (The trial judge strangely brushed aside the online activities altogether.) Although the opinion is unclear on this issue, it's possible that this is what prompted plaintiff to seek the order in the first place. In any event, New Jersey's anti-stalking statute could conceivably reach this activity, except that the appeals court found no course of conduct to begin with.

The trial judge's comments question why plaintiff sent the photos after things appeared to be less-than-stable in the relationship. This is starting to go down the path of blaming the victim. Irrespective of when she sent the photos to the defendant, what's the plaintiff supposed to do now? Waiting until the photos are published is untenable, as the horse would be out of the barn, and no one has a practical solution to cleaning up images from the internet. On the other hand, there are clearly speech concerns with applying an overly broad law such as NJ's stalking law to solve this problem.

Related posts:

New Jersey Appeals Court Reverses Anti-Harassment Order Based on Emails – E.L. v. R.L.M
NJ Appeals Court: No Privacy Violation When Spouse Uses GPS to Track Vehicle -- Villanova v. Innovative Investigations, Inc.
Logging Into Someone Else's Facebook Account and Posting Messages on Their Friends' Walls Could Be Identity Theft -- In re Rolando S.
Court Finds That Threatening Video Posted to YouTube and Facebook Can Constitute a "True Threat" -- US v. Jeffries
Federal Prosecution Over "Threats" on Craigslist – US v. Stock
Court Finds Juvenile Delinquent Based on Allegedly Offensive Instant Messages -- In re Alex C.
Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran
Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Ex-Employer's Hijacking of a LinkedIn Account Is a Publicity Rights Violation--Eagle v. Morgan

[photo credit: Shutterstock/Memo Angeles - "Internet Troll Using a Computer"]

Posted by Venkat at 11:46 AM | Content Regulation , Privacy/Security



May 17, 2013

Judge’s Facebook Friendship With Victim’s Parent Does not Taint Proceeding -- Youkers v. Texas

[Post by Venkat Balasubramani]

Youkers v . Texas, No. 05-11-01407-CR (Tx. Ct. App. May 15, 2013) [pdf]

Youkers was convicted for tampering with evidence after he was indicted for assaulting his girlfriend who was pregnant with his child. He entered into a plea deal under which his prison sentence would be suspended and he would have to pay a fine. Three months after the deal, the State filed a motion to revoke the suspended sentence (and send Youkers to prison), contending that he violated the terms of his supervision.

Youkers entered an “open plea of true” and sought leniency on the basis that while he did not previously have a stable place to live, he did now. The trial judge rejected his contentions and sentenced him to 8 years in prison. The judge also rejected his request for a new trial.

Youkers appealed, and raised (among other issues) the fact that (1) the trial judge was Facebook friends with the victim’s father and (2) in the context of the initial proceeding, the victim’s father sent the trial judge an ex parte communication in the form of a Facebook message. The appeals court says none of this rises to the level of improper bias.

The Communications Do not Show Bias: Youkers' appeal was focused on the Facebook friendship, but the court points out that the communications between the victim’s father and the judge in the initial proceedings do not show bias. The communication took place in the initial proceeding, was actually favorable to Youkers (it sought leniency), and the trial judge treated it as an ex parte communication. (The judge placed the communication in the record, and warned the father that such communications were not allowed.)

Mere Fact of Facebook Friendship Also Does not Show Bias: Turning to the key question of whether merely being Facebook friends is sufficient to show bias, the court says no. Citing to a recent ABA Standing Committee report, the court says that judges are not prohibited from using social media:

Allowing judges to use Facebook and other social media is also consistent with the premise that judges do not forfeit [their] right to associate with [their] friends and acquaintances nor [are they] condemned to live the life of a hermit.

In fact, such a regime "would . . . lessen the effectiveness of the judicial officer." (Citing Comm. on Jud. Ethics, State Bar of Tex., Op. 39 (1978).) Nevertheless, while social media may be useful professionally (judges are elected, and the court recognizes that social media is part of any modern day judicial campaign) and personally, judges must still abide by the applicable ethical rules.

The court looks to the Texas Code of Judicial Conduct and several Canons, all of which prohibit any actions that undermine public confidence in the judiciary or that would convey anything other than impartiality. On the core question of whether mere Facebook friendship warrants recusal, the court says no:

Merely designating someone as a "friend" on Facebook "does not show the degree or intensity of a judge's relationship with a person." ABA Op. 462. One cannot say, based on this designation alone, whether the judge and the "friend" have met; are acquaintances that have met only once; are former business acquaintances; or have some deeper, more meaningful relationship. Thus, the designation, standing alone, provides no insight into the nature of the relationship.

Youkers was required to produce additional evidence that there was an improper relationship and he failed to do this. The court does say that judges should be careful to not let third parties (i.e., the victim’s father in this case) convey the impression that they have special sway over the judge, but the judge did the right thing here. As soon as the father made a statement, the judge flagged it as an improper ex parte communication and instructed the father to not send any more messages along these lines.

__

Shocker of shockers. For the most part, courts recognize that judges are also humans, and things like social networks should not be off-limits to them merely because they are judges.

Courts also recognize that a Facebook friendship is not necessarily a meaningful gesture, and even if it was, judges have friends too and should be able to socialize online (and express social preferences) in the same way they do off-line. (On the legal significance of Facebook friendship generally, see Quigley Corp. v. Karkus, No. 09-1725, 2009 U.S. Dist. LEXIS 41296, at *16, n.3 (E.D. Pa. May 19, 2009): "[T]he Court assigns no significance to the Facebook "friends" reference . . . . Indeed, "friendships" on Facebook may be as fleeting as the flick of a delete button.") This is not to say that judicial officers socializing online do not have to exercise extra care. Privacy settings can be confusing. When viewed offline or in a different context, it's often unclear who online statements may be attributed to. There's also the issue of judicial elections, which present additional concerns.

The real issue here is the ex parte communication, which the judge in this case recognized was a no-no. Most people would know not to send a letter to chambers trying to influence the outcome of a case. Does the Facebook system encourage ex parte communications and allow them to take place in a scenario where people who communicate with judges don't see them as obviously problematic? Also, most people would not necessarily have an easy time tracking down a judge's contact information, but does being Facebook friends with a judge make it that much easier to send him or her a note? I don't know the answers to these questions.

In the meantime, litigants will continue to attack decisions based on online relationships, but their efforts are likely for naught.

Related posts:

Is Recusal Required When a Judge is Facebook "Friends" With a Prosecutor? Question Certified to Florida Supreme Court -- Domville v. State
Florida Judge Disqualified Over Facebook Friendship With Prosecutor.
Is the Florida Bar Taking Facebook Friendship Too Seriously?
San Diego County Bar Tackles Lawyer Friend Requests and the Ex Parte Rule
South Dakota S.Ct Recognizes the Obvious: a Happy Birthday Message on Facebook Doesn't Mean Much -- Onnen v. Sioux Falls Independent School Dist.
Facebook "Likes" Aren't Speech Protected By the First Amendment–Bland v. Roberts
Engaging Facebook Friends Doesn't Violate Non-Solicitation Clause--Invidia v. DiFonzo

[image credit: Shutterstock/virinaflora: "best friends"]

Posted by Venkat at 02:26 PM | Privacy/Security



May 14, 2013

UK's New Defamation Law May Accelerate the Death of Anonymous User-Generated Content Internationally (Forbes Cross-Post)

By Eric Goldman

Historically, United Kingdom defamation law has been victim-favorable.  In an effort to modernize its defamation law, the UK Parliament recently enacted the Defamation Act 2013 (royal assent was given on April 25).  The act generally makes it harder for plaintiffs to win defamation lawsuits, but I'll focus on the effects of Section 5 of the act, entitled "Operators of websites."

Section 5 sets up a "notice-and-takedown" system for defamation from user-generated content (UGC).  A web host or other online service provider isn't liable for defamatory UGC unless it receives a takedown notice (containing specific information required by the act) and fails to remove the content on a timely basis.  Moderating user content doesn't disqualify the website operator from the act's protection, but the protection is lost when the website operator acts with "malice"--a proviso that might prove nettlesome in practice.  All told, in theory, a defamation victim cannot sue a UK-based UGC website without first sending a takedown notice and giving the website the opportunity to remove the content.

Notice-and-takedown schemes create predictable problems.  It's easy enough for anyone to send a takedown notice, especially because the UK act apparently doesn't impose any adverse consequence for sending bogus notices; and if a website faces liability only if it ignores the notice, it will reflexively remove content in response to takedown notices, irrespective of the notice's legitimacy.  So surely the act's notice-and-takedown will be abused, as inevitably happens with all notice-and-takedown systems.

However, what's really interesting about Section 5 is its bonus requirement for UGC websites to avoid defamation liability: they qualify for the act's protection only if the defamation victim can find the user to sue him/her.  The act doesn't explicitly say what information about its users the website operator must give a defamation victim or when (and some of these requirements will be spelled out in regulations that are being developed), but to me the implication seems clear: if the website operator can't provide authenticated identifying information about its users, the website operator will lose the act's protection (unauthenticated information is useless to plaintiffs if falsified).

The requirement that website operators help plaintiffs find their users represents a major new development in the law applicable to UGC.  In particular, I think the rest of the act's notice-and-takedown scheme effectively codifies existing UK law.  For example, a February ruling (Tamiz v. Google, Inc., [2013] EWCA Civ 68) basically adopted a notice-and-takedown rule for defamatory UGC on Google's Blogger.com platform; and the European Union's Electronic Commerce Directive (2000/31/EC, Article 14--apparently adopted by the UK) establishes a notice-and-takedown scheme for all types of UGC, not just defamatory content.  So I believe the act's most significant change to existing law is creating a user-identification obligation.

(Note 1: I don't know EU law well enough to understand if UK imposing this additional requirement violates the EU E-Commerce Directive and, if so, what consequences that has.  If you have thoughts about that, please let me know).

(Note 2: some UGC websites, including Facebook and Google+, have voluntarily adopted policies that require users to provide their real names.  This law likely won't change their behavior, though it might make those sites feel like they don't have discretion to repeal their policies).

So while we expected the UK Defamation Act to provide additional legal comfort to website operators, instead it creates an apparent dilemma for them.  If UGC websites want the legal protection of a notice-and-takedown system, they have to authenticate and identify their users.  If they don't, then they lose the act's protection, exposing them to potential liability for defamatory UGC even if they never receive a takedown notice.

Faced with this dilemma, UGC website operators in the UK surely will prevent users from publicly posting any content until the website operator has authenticated the user's identity and contact information.  (For example, simply having a user's IP address doesn't seem to satisfy the act, nor will websites rely on the fact that it's hard to publish truly anonymous UGC).  As a result, even if a user publishes online content "anonymously" or "pseudonymously," their words still will be attributable to them if legally challenged.

Although the act only applies to defamatory UGC, website operators won't authenticate users only when users are writing potentially defamatory content.  Instead, website operators will collect and authenticate users' identifying information universally, meaning that data will be available for anyone who submits a qualifying subpoena--including governments and plaintiffs pursuing non-defamation claims.  The act could have restricted third party access to this user data when it isn't being sought by a defamation victim, but it didn't.

Further, I expect more legislatures throughout the world will follow this template: conditioning website operator protection (whether based on notice-and-takedown or some other system) on the ability to get identifying information about the bad user.   So not only will UK websites authenticate all users before allowing them to post UGC, but eventually UGC websites in other countries will do so as well.

All of this reinforces how the United States' Internet Law differs from the rest of the world.  The United States does have a notice-and-takedown scheme for copyright infringing UGC (17 U.S.C. 512(c), a provision that's proven somewhat problematic), but the safe harbor doesn't require websites to authenticate users or attribute their content.  (Per 17 U.S.C. 512(h), websites must turn over information about their users on request, but they aren't required to collect or keep information about their users).  Otherwise, websites generally aren't liable for UGC, whether or not potential plaintiffs can find the users to sue (see 47 U.S.C. 230).  Occasionally we've seen proposals in the United States to link website protection with user attribution (see, e.g., New York and Illinois), but (1) those proposals have gone nowhere, (2) they are probably unconstitutional, and (3) when done at the state level, they are preempted by Section 230 (see, e.g.,  this ruling involving Backpage).

Thus, while anonymous online content appears imperiled globally, websites in the United States should be able to preserve anonymous online content for the foreseeable future.  I'll leave it up to you to figure out which approach you like better.

[Photo credit: The Houses of Parliament and Big Ben at night // ShutterStock]

Posted by Eric at 09:00 AM | Content Regulation , Derivative Liability , Privacy/Security | TrackBack



May 09, 2013

Yahoo's User Agreement Fails in Battle Over Dead User's Email Account--Ajemian v. Yahoo

[Post by Venkat Balasubramani]

Ajemian v. Yahoo!, 12-P-178 (Mass. Ct. App. May 7, 2013)

This is a very interesting dispute that raises the question of ownership over digital assets after a person’s death.

Plaintiffs, John Ajemian's (the decedent's) executors and siblings, sued to declare his estate owner of email messages he sent and received via his Yahoo! account. Prior to filing suit, they tried to negotiate with Yahoo! to get access to the account, among other things, to notify friends of John’s death and service arrangements, and to organize and administer John’s assets. Yahoo! co-operated in providing basic subscriber information as part of an initial lawsuit, but Yahoo! took the position that the Stored Communications Act barred disclosure of the message contents. A probate judge dismissed the complaint, finding that the forum selection clause required the lawsuit to be brought in California. The appeals court reverses.

Were the contract provisions reasonably communicated to the end user: On the core question of whether the online agreement is enforceable, the court says that Yahoo!’s terms should be enforced under the standards of any other agreement. The key question is whether the terms had been reasonably communicated to the end user. The terms had been amended to add a no third-party beneficiary and a “no-survivorship” clause. The court says the record is unclear as to how the initial terms, and the revised terms, were communicated to users. Because of the lack of clarity in the record on this issue, Yahoo! is not entitled to dismissal based on the forum selection clause, or based on other terms that would limit the estate's rights vis-a-vis the account.

Is the forum selection clause enforceable against the administrators?: Even assuming the terms and revisions were adequately communicated to the decedent, the court says that it would be unreasonable to enforce the forum selection clause against his estate administrators. The administrators are not parties to the agreement, which references the singular “you” in describing the counter-party to Yahoo! The decedent was domiciled in Massachusetts, and probate courts in the State of Massachusetts have a strong interest in resolving ownership questions over a resident decedent’s assets. Because the lawsuit involves a narrow issue about the contents of the account, Yahoo!’s interest in having the lawsuit resolved in California is not as strong as it otherwise might have been (e.g., if the lawsuit was about Yahoo!’s services). The court also says that the forum selection clause is overly broad, and as written requires any suit between a subscriber and Yahoo! to be brought in California.

(The probate judge concluded that res judicata barred the second complaint, which sought the contents of the email; the appeals court reverses on this question as well.)

__

An interesting factual backdrop to the case is that as the court notes, one of the administrators actually helped the decedent set up the account and may have even “shared” the account with the decedent. (Unfortunately, he did not remember or have the password.)

The merits are a veritable thicket. Does the Stored Communications Act allow an estate to grant consent on behalf of the decedent? Earlier cases involving Facebook address the waiver issue, but none really resolve it. (Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK; "Court Orders Facebooking Juror to Disclose Additional Facebook Posts--Juror No. 1 v. Superior Court".) There's also the distinction between copyrights in the communications and ownership of the account (i.e., the "chattel"). While the estate probably owns the copyrights to the account contents, this does not mean that it can force Yahoo! to provide access to the account itself.

It's worth looking at what (if anything) Yahoo! could have done differently here.

1. Better contract amendment process: It's tough to say definitively whether the terms of service may be vindicated down the road, but the court’s approach to the terms of service issue reflects a fair amount of skepticism towards online agreements. While the court pays lip service to the fact that online agreements should be treated the same as any other contract, the court engages in some judicial contortion to not enforce the contractual terms. I'm not sure Yahoo! could do much more on this front to change the result here. On the other hand, Yahoo!’s terms contain the unfortunate “we can amend this agreement without providing you notice” language that companies would be wise to avoid.

2. Interplead the contents: Could Yahoo! have deposited the emails in the court’s registry and just have abided by the court’s decision? I'm not sure the Stored Communications Act envisions this, but it's not a great alternative for Yahoo! anyway. On a long term basis, this would mean that it will have some administrative involvement in far-flung jurisdictions.

3. Create a mechanism to allow users to control the fate of their accounts post-death: Google recently offered an “Inactive Account Manager,” that lets people designate what happens to the accounts when they pass. (See Kash Hill’s post: “Will You Use Google's Death Manager To Let Loved Ones Read Your Email When You Die?”.) This sounds like a good solution, although it requires an investment of resources on Yahoo!'s part.

Yahoo! could have, per its terms of service, merely deleted the content altogether, but it took a relatively consumer-friendly approach and preserved the contents. Unfortunately, as a result, it's now embroiled in an ongoing dispute in probate court in Massachusetts.

Related posts:

Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK

[image credit: Shutterstock / JMiks - "Login Box"]

Posted by Venkat at 08:52 AM | E-Commerce , Licensing/Contracts , Privacy/Security



May 03, 2013

Recap of Washington State’s Employer Social Media Password Bill

[Post by Venkat Balasubramani]

SB 5211 (passed by Senate April 27, 2013)

Both chambers of the Washington legislature passed Substitute Senate Bill 5211, and it now awaits the Governor’s signature. No Washington legislators voted against it.

Here are the key provisions:

- the bill restricts employers from (1) asking for passwords; (2) engaging in shoulder-surfing; (3) asking employees to change settings; or (4) asking employees to add them as friends;

- the statute does not define it, but uses the phrase “personal social networking account” to describe what is off limits;

- the statute contains a carve-out for employer investigations, but limits this to scenarios where employers merely request information (and not passwords) in order to investigate (1) legal violations or (2) suspicion of misappropriation by employees;

- the statute excludes employer-supplied devices, as well as intranets and other platforms “that [are] intended primarily to facilitate work-related information exchange, collaboration, or communication by employees or other workers” [Twitter!];

- finally, the statute provides for a private right of action and authorizes a court to award $500 in statutory damages and attorney’s fees.

The statute tackles the social media ownership question by excluding accounts that are “provided by virtue of the employee’s employment relationship with the employer . . . [or] online account[s] paid for or supplied by the employer.” Earlier versions of the statute had more specific definitions for what constitutes a social network. One iteration also limited the private right of action.

Although I acknowledge that employee social networking activity that is private should be off-limits for employers, I still think this was a solution in search of a problem. Given states’ well-established failings in the area of regulating the internet, I predict this will create more problems than it will solve. Among other things, it's unclear what is covered by "social media" and equally unclear when an account is "personal" or "business"-related. (In practice they often seem mixed.) Eric delves into some of these issues in taking a look at California's social media legislation in this post: "Big Problems in California's New Law Restricting Employers' Access to Employees' Online Accounts."

Two approaches legislatures should consider taking when enacting these statutes are (1) making them apply only to prospective employees; and (2) getting rid of the private right of action or, at least, including an administrative exhaustion component. The Littler law firm has a great roundup of legislation from various states as well as some of the pitfalls these statutes may present: "Social Media Password Protection and Privacy -- The Patchwork of State Laws and How it Affects Employers" [pdf].

Other coverage on employer social media bills generally:

Littler: "Social Media Password Protection and Privacy -- The Patchwork of State Laws and How it Affects Employers" [pdf]
William Carleton: "Checking in on state social media password laws"
Eric Meyer: "Wooooo pig sooie! Arkansas gets a workplace social media privacy law"
Lexology "Three more states hop on the social media legislation bandwagon"

[image credit: shutterstock/Andre Blais "high-tech background with targeted eye-scan"]

Posted by Venkat at 10:49 AM | Privacy/Security , Publicity/Privacy Rights , Trade Secrets



April 26, 2013

Nosal Convicted of Computer Fraud and Abuse Act Crime Despite His Ninth Circuit Win – US v. Nosal

[Post by Venkat Balasubramani, with a comment from Eric]

US v. Nosal, CR 08-0237 EMC (N.D. Cal. Mar. 12, 2013) (.pdf, denying motion to dismiss)

US v. Nosal, a case that spawned two Ninth Circuit opinions and that’s sure to involve more, just concluded at the trial court level with Nosal being convicted on charges of violating the Computer Fraud and Abuse Act. (See coverage from David Kravets here (“Hacking Trial Devoid of Hacking Awaits Jury Verdict”) and Vanessa Blum here (“Nosal Found Guilty in Trade Secret Case”).)

Judge Patel originally dismissed several of the counts that alleged the misuse of information that was accessed by individuals who were authorized to access it. Although the 9th Circuit initially disagreed, an en banc panel agreed with this approach, ruling that criminality should not turn on the person’s intent in accessing information or on employer policies. The key question is whether the defendant is authorized to access the information in question at all. Since the dismissed counts alleged that people accessed information they were otherwise authorized to access but then misused it, these counts were out.

But this left some remaining counts, which involved access via password sharing. Nosal argued that the 9th Circuit’s en banc opinion in Nosal precluded these claims as well because they did not involve any “hacking” in the traditional sense, but the district court (now Judge Chen) disagreed. In a March 12th order, he said that the 9th Circuit’s discussion of the CFAA as anti-hacking was only relevant to discuss the general purposes behind the CFAA and not something by which the court intended to limit the statute. In any event, he noted that a password is a basic technological barrier to access and using someone else’s password is as much a violation of the CFAA as is breaking the password. Nosal also argued by analogy to off-line trespass, saying that accessing an office with someone else’s key is not trespass, but the court doesn’t buy this argument.

The court also addressed the parties’ argument over whether “access” for purposes of the CFAA is the act of initially logging on, or encompasses ongoing use. Defendant argued that access just involves logging on, and if someone logged on with their own password, then the access is not unauthorized. The court rejects this interpretation, saying that the scenario as alleged by the government is that someone logged on using their credentials, then handed over the computer to the person who was unauthorized who then conducted searches on the database. The court says this is functionally no different from just handing the password over and letting the other person access the database. (The court notes that it need not address the issue of whether looking over someone’s shoulder and “accessing” information falls under the statute.)

[As a sidenote, a federal district court in New York recently joined the 9th Circuit in rejecting the broader interpretation of the CFAA. Interestingly, this case also involved a recruiting business.]

__

It's interesting that with all the hand-wringing generated by the 9th Circuit's opinion, Nosal was convicted anyway! Eric has made this point previously, but it seems like there are always avenues open to employers to go after people who start competing businesses. Here, there was an even narrower CFAA claim that was available after several of the claims were nuked by the 9th Circuit. Even with these claims gone, there are still plenty of claims, at least on the civil side.

Judge Chen's order, which is sure to be revisited in post-trial motions and in an appeal, grapples with the interesting issue of whether access by proxy violates the statute. Nosal's argument--that the initial access which is effected by a person is authorized and this is all that matters--is an interesting one, but one that is unlikely to get much traction in the 9th Circuit. Still, it has some appeal, since the line between logging on and letting someone else access the information, and logging on, accessing the information yourself and providing it to someone else, is legally thin. (It's also worth noting that this case should serve as a warning to those who share passwords.)
_______

Eric's Comment. This case baffles me. Did Nosal do something wrong? Yes, undoubtedly. Did he do something criminal? I'm not sure. Did he violate the Computer Fraud & Abuse Act? No, and it's not even close. At most, Nosal encouraged or induced a CFAA violation, but as I understand the facts, he didn't commit the CFAA violation directly. As Venkat notes--and as I outlined in my Forbes article on the CFAA--a variety of legal doctrines would have made Nosal pay for his choices. Contorting the CFAA to apply to him was unnecessary, and it's disquieting for the rest of us.
_______

Related posts:

Ex-Employee's Access/Misuse of Employer Files States CFAA Claim -- Weingand v. Harland Financial
Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal
Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures
Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions
No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI
9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal (original panel opinion, vacated on rehearing)
Lori Drew Guilty of 3 Misdemeanor Violations of the Computer Fraud & Abuse Act

Posted by Venkat at 07:04 AM | Privacy/Security , Trade Secrets , Trespass to Chattels



April 24, 2013

Misguided Catfishing Scheme Leads to Discipline of College Students -- Zimmerman v. Ball State

[Post by Venkat Balasubramani with a comment from Eric]

Zimmerman v. Ball State Univ., et al., 12-cv-01475-JMS-DML (S.D. Ind. Apr. 15, 2013). (The complaint.)

Zimmerman and Sumwalt were students at Ball State University, a public university in Indiana. They apparently did not get along with their roommate, and they played a number of pranks on him. Once, when the roommate was away on vacation, they placed a sandwich in his bedroom, leaving it to rot and “preventing [him] from accessing his room when he returned.” Another prank involved setting up a Facebook page for a fictitious female high school sophomore named “Ashley,” and using the fake account to correspond with the (now-ex) roommate.

The two plaintiffs fostered the relationship between the fake Ashley and the ex-roommate, who ultimately suggested that he meet Ashley at a local movie theater. When the ex-roommate arrived at the movie theater’s lobby, the plaintiffs confronted him, disclosed that the Ashley profile was fake, and taped the whole thing. They then posted the recording to YouTube with the title that the former roommate “was a pedophile.”

Ball State received a complaint from the roommate and charged plaintiffs with two violations of the Conduct Code: (1) for creating an intimidating or hostile environment; and (2) for using an audio, video, or photographic device to invade the roommate's privacy. Both students (who were represented by counsel) “accepted responsibility” for their conduct and signed documents acknowledging that they violated the provisions of the conduct code. At a later meeting, the academic review board recommended suspension for a year, as well as:

certain reflection and action to raise awareness of fellow students regarding the responsible use of social media.

At the request of the student conduct czar, the review board added additional sanctions, which included probation upon their return, and a no-contact order with the ex-roommate.

The students appealed the sanction on a variety of grounds. Their appeal within the university system was rejected. The students then sued, asserting Due Process and First Amendment violations. They also argued that the code of conduct should not be applied to regulate off-campus conduct.

Was their conduct objectionable: the plaintiffs asserted a variety of “ever-changing” arguments, as the court describes them, but one of the key arguments was that the university only had the power to regulate conduct that was “unlawful or objectionable.” The court says that both the sandwich prank and the Facebook + YouTube prank were “objectionable”. The court says that no reasonable juror would find the sandwich prank anything other than objectionable. The Facebook prank, the court says, does not even present a close question. Not only did the students engage in “catfishing,” the court says they took this one step further. They posted the video of the target’s reaction and labeled him a pedophile.

Plaintiffs’ First Amendment argument fails: Plaintiffs also raised a First Amendment argument, arguing that their Facebook communications and their YouTube video were both expressive. This argument gets little traction with the court. First, the court says that this does not absolve them of responsibility for the sandwich prank. Second, the court says that this is part of an overall scheme that the plaintiffs were disciplined for. The students tried to rely on US v. Alvarez, the Stolen Valor case where a plurality of the Court rejected Congress’ attempt to punish lying about military honors, but the court says that here the statements were made with the intent to inflict harm on the victim and actually caused such harm. In any event, the court says that the official actor defendants are entitled to qualified immunity for their decision.

__

What a mess.

There were a lot of reasons why this was a tough case for the students. The fact that they violated Facebook's terms of service. (CFAA violation alert!) The fact that they posted a video calling their ex-roommate a pedophile. The fact that they signed an acknowledgement that they violated the code of conduct and then tried to sue the university over it. The list goes on.

It's tempting to view the case as presenting a First Amendment conflict that threatens the ability of students to mouth off on social media, but that's a tough sell. As the court notes, there's plenty of unprotected speech that they could have been (and were) disciplined for. Any liability as a result of speech and conduct that would cause emotional distress in a reasonable person is probably acceptable from a First Amendment standpoint, particularly where a private figure is involved. At a certain point, a prohibition on "objectionable" speech that is used to squelch speech on matters of public concern could certainly present a First Amendment problem, but that wasn't the case here.

In the meantime, this case serves as a cautionary tale to remind college students that catfishing your ex-roommate and posting a video of his reaction isn't such a great idea. Then again, I guess the plaintiffs should look on the bright side that they were just disciplined, and not charged with something more serious, like a violation of the Computer Fraud and Abuse Act or for violation of an e-personation statute.

Eric's Comment: I did a search this morning in Westlaw and Lexis and, as far as I can tell, this is the first case using the term "catfishing." Citing the Urban Dictionary (!), the court defined catfishing as “[t]he phenomenon of internet predators that fabricate online identities and entire social circles to trick people into emotional/romantic relationships (over a long period of time).”

Jake's Comment: On a side note, the NFL draft is tomorrow night and it will be interesting to see just how much the infamous catfish story degraded Manti Te'o's once-highly-touted draft status. The situation is obviously different since Te'o is a public figure, but the controversy may end up costing him millions if he falls in the draft. Several current players have mentioned that the hoax will undoubtedly cause locker room distractions that GMs are keen to avoid.

Related posts:

Accessing Ex-girlfriend's MySpace Account and Posting Offensive Content Results in Conviction
Logging Into Someone Else's Facebook Account and Posting Messages on Their Friends' Walls Could Be Identity Theft -- In re Rolando S.
Court Finds That Threatening Video Posted to YouTube and Facebook Can Constitute a "True Threat" -- US v. Jeffries
Federal Prosecution Over "Threats" on Craigslist – US v. Stock
Court Finds Juvenile Delinquent Based on Allegedly Offensive Instant Messages -- In re Alex C.
Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran
Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Ex-Employer's Hijacking of a LinkedIn Account Is a Publicity Rights Violation--Eagle v. Morgan

[image credit: Shutterstock/Bigredlynx - "Catfish Fry Cook"]

Posted by Venkat at 10:30 AM | Content Regulation , Privacy/Security , Publicity/Privacy Rights



April 18, 2013

Cynthia Moreno Guest Lecture to My Internet Law Course

By Eric Goldman

Internet Law is blessed with some fantastic teaching cases, including the modern classic, Moreno v. Hanford Sentinel. Read the Ode to Coalinga that started it all.

Cynthia works in Sacramento--about 2 hours from SCU--so in November 2012 I invited her to guest-lecture at my Internet Law course. I learned so much from the visit! Some of the more interesting details:

* she had deliberately set her MySpace account as "private," meaning that only her friends (about 300 people) could see her post. That was not clear from the court opinion.
* she pursued multiple layers of administrative remedies before going to court. Her main goal was to redress the principal's conduct, not to generate cash. She interviewed dozens of attorneys before finding one who would take her case. Her attorney wasn't on contingency fee.
* she doesn't regret her post.
* the incident has had continuing deleterious effects on her younger sister.
* she has taken a job as a television personality at Univision.

Some of the materials we generated in connection with her visit:

* Video (synced with her slides) of her guest lecture (if that link doesn't work, try this one, item #32).

* Audio of her guest lecture (item #33)

* Her detailed PowerPoint slides

* Photos (the set)
- me, Cynthia, her mom Maria
- guest lecturing
- view of the classroom during her guest lecture
- the original newspaper with her essay
- the subsequent newspaper with letters to the editor, mostly excoriating her

[Email me if you want the higher-res versions of any photo].

Posted by Eric at 11:35 AM | Content Regulation , Privacy/Security



April 16, 2013

No Claim Based on Perez Hilton’s Publication of Unsolicited but Inflammatory Reader Email – Wargo v. Lavandeira

[Post by Venkat Balasubramani]

Wargo v. Lavandeira, JAMS Arbitration No. 1220041183 (Mar. 24, 2013)

Lavandeira runs the popular Perez Hilton website, which has been involved in its fair share of legal disputes.

In response to an item (presumably about Angelina Jolie—the dispute stems from an event in 2007!) posted by Perez, Wargo sent him the following email:

Perez you are a FAT GAY PIG! Angelina is a ugly whore! You love her because she is a Fag lover! Your brother is a gay little jerk just like your fat ugly ass! MANGELINA is a disgusting gross skank.

The subject line of the email read: “I Hate Skankelina the Homewrecker.” The opinion does not disclose any facts indicating that Wargo and Lavandeira had a business or other relationship. [What would prompt a stranger to send such an animated email to Perez left me scratching my head, but to each her own, I guess.]

Perez promptly published the email, along with Ms. Wargo’s email address. Unfortunately for Ms. Wargo, she had sent the above email using her work email address. As a result, executives at the company she worked at “received a flood of angry emails protesting [Ms. Wargo’s] comments.” Wargo’s employer turned around and fired her.

The dispute raised the question of whether Lavandeira’s publication of the email violated the terms of the PerezHilton.com website.

PerezHilton.com’s Applicable Terms: The site’s terms provided that if users “post content or submit material” they grant the site a broad license to reproduce and use such content. Separately, the site had a privacy policy which stated that it

respects [the] privacy [of end users] and is committed to protecting it at all times.

A section of the policy talked about what “personal information” the site collected and what it did with such information. Reminiscent of IMDb’s privacy policy, PerezHilton’s policy broadly described information that users “enter on [the] website or give [the] site any other way.” A separate section talked about sharing, and as with IMDb stated that information would be “shared only with or for third-party service providers, business transfers, and to comply with the law, etc.” [This is the arbitrator’s description.]

Discussion: The arbitrator first says that no reasonable person would interpret the site terms to keep the content of the email confidential. Wargo’s email to Lavandeira is exactly what PerezHilton.com is in the business of publishing. Indeed, the terms grant a license to the site to broadly exploit any content submitted to it. Second, the arbitrator says that although the privacy policy provides for some protection for contact information, these protections are aimed at limiting when the site can disclose contact information for direct marketing purposes (i.e., to conform the policy to the requirements of California’s Shine the Light law). The policy also distinguishes between visitors and members of the site. Wargo was a visitor and not a member. Thus, her breach of contract claim fails.

The arbitrator also says that even if the policy somehow safeguarded her information, her breach of contract claim fails for causation. She was fired from her job for violating her employer’s network usage policy, and not for anything Lavandeira did. As a bonus, the court says that her own unclean hands also prevent her recovery.

Wargo brought a variety of other claims, including an invasion of privacy claim, and the arbitrator easily rejects these as well. She had no expectation of privacy in the material she submitted (including her name):

it is not reasonable for a visitor to a gossip website to expect privacy for gossipy submissions.

For similar reasons, Wargo’s claims for outrage and fraud fail as well.

__

Sigh. When will we learn that unsolicited emails you send people are not subject to some sort of magical audience-blogger privilege that allows the sender to restrict their publication? The arbitrator may have taken the route that the email was not subject to the privacy policy at all, but instead, he reads the policy to impose narrow limitations on what the site can do with contact information it collects.

It's worth noting that the privacy policy in this case was very similar to the policy in Hoang v. IMDb. Given how much legal documents get copied, this is not surprising. I'm not implying that either the lawyers for IMDb or Perez copied anyone else's documents, it's just that certain forms become the standard, and they end up being very widely used. Interestingly, I think the form policy could use some revising, particularly when it comes to distinguishing between various types of information and the various ways it can end up in a site operator's hands. [I'll save my thoughts on this for a separate post.]

This case is somewhat reminiscent of Moreno v. Hanford Sentinel and of course the recently concluded Hoang v. IMDb cases. Both were long, drawn-out battles involving privacy claims that went to juries where plaintiffs were awarded nothing. (In Moreno, the sole remaining claim that went to a jury was an infliction of emotional distress/outrage claim; still, it was privacy-based.) Maybe the takeaway is that damages are tough to prove in these types of situations? If you voluntarily put the information out there, it’s tough to muster up jury sympathy based on misuse of the information, at least where there are no clear restrictions in place?

It’s tempting to chalk this up to another loss for privacy plaintiffs but the claims here were unmoored from any sense of what the average person would find actionable. Perhaps I’m biased as a blogger, but it’s unreasonable to think that a blogger won’t share an unsolicited email, particularly one that is so inflammatory. Doubly unreasonable when that blogger is Perez Hilton!

Other coverage:

Eriq Gardner: Perez Hilton Wins 5-Year-Long Dispute Over Publishing Woman's Mean-Spirited E-Mail

Related posts:

Republishing MySpace Post in Local Paper Might Be Intentional Infliction of Emotional Distress--Moreno v. Hanford Sentinel
Privacy on Trial: Reflections on Hoang v. IMDb

Posted by Venkat at 07:11 AM | E-Commerce , Privacy/Security



April 11, 2013

Privacy on Trial: Reflections on Hoang v. IMDb

[Post by Venkat Balasubramani]

Hoang v. IMDb.com, C11-1709MJP (W.D. Wash. Mar. 18, 2013)

[Added: the jury ruled against Hoang and in favor of IMDb.]

At Eriq Gardner’s suggestion, I attended the trial in Hoang v. IMDb and reported on the proceedings for the Hollywood Reporter’s “THR, Esq.” blog. (Day 1: "Actress Suing IMDb Takes the Witness Stand"; Day 2: "Actress Suing IMDb Faces Tough Questions on Second Day of Trial".) Although I was hesitant to sink a few days into the glamorous and unpaid world of covering a trial as a law blogger, it was an educational experience and it was also fun (and very interesting). The trial also focused some of the issues that frequently come up in privacy cases. I wanted to offer a few anecdotal observations below. (Note: the parties finished, and the case is in the hands of the jury; I’m going to refrain from making a prediction one way or the other, but I wanted to get this post up before the verdict comes out just so it does not influence my thinking.)

The facts are somewhat basic and for the most part tough to contest. Hoang was an actress who in 2003 or 2004 signed up for a short trial subscription to IMDb Pro. She submitted (through someone else’s account) a birthdate of 1978. She always went by her nickname “Junie,” and took pains to keep her birthdate and real name confidential. She did, however, provide IMDb with her real name when she signed up for a “pro” account.

In 2007 she moved to Los Angeles and focused her acting efforts there, gaining some traction. She signed up again for an IMDb pro account. She tried to get IMDb to remove the birthdate on her profile on the basis that it was incorrect. IMDb asked her to verify her identity by sending in a photocopy of her passport. Instead, she sent in a copy of her birth certificate with her name and date of birth redacted. (She was reluctant to send in a copy of the passport due to identity theft concerns.) IMDb repeatedly refused or ignored her requests to change the birthdate. Eventually, she grew exasperated and sent an all caps email asking what documentation IMDb had for the birthdate and asking them to remove it (I can’t remember the precise wording, although it’s somewhat important).

IMDb’s customer service czar, Giancarlo Cairella, viewed her email as an invitation to check whatever records he had. He looked in the database where registration information was kept and ascertained her real name. From here, he went to privateyee.com, a database, and conducted a paid search to determine her birth date. Once determined, he replaced the 1978 date with Hoang’s true date of birth (1971). This prompted further escalation from Hoang, who sent in an image of a fake passport and a novelty ID in an effort to get IMDb to delete the 1971 date of birth.

Eventually, it culminated in a lawsuit. (Interestingly, the lawsuit was originally filed as a Doe lawsuit, but Judge Pechman ordered the plaintiff to proceed using her real identity. Hoang's agent testified that he learned of her true age as a result of the publicity around the lawsuit.) As it proceeded to trial, the case revolved around the single issue of whether IMDb’s use of Hoang’s real name to access her birthdate and subsequent publication of her birthdate was a breach of contract (a violation of IMDb’s privacy policy which was incorporated by reference into the contract).

Regardless of how it resolves, here are some of the interesting themes that came out during the course of the trial:

Privacy damages: Privacy damages can be difficult to prove, and this was very much highlighted in this case. It was a struggle for Hoang to put on testimony that disclosure of her age harmed her. For procedural reasons not relevant here, Hoang did not have an expert testify. The court also excluded testimony from the Screen Actors Guild who has complained vociferously to IMDb about age discrimination as a systemic problem. Even still, you got the impression that while Hoang had been harmed, it would be very difficult to put a dollar figure on that harm with any degree of accuracy. There's also the question of whether someone can be harmed from disclosure of information about them that is accurate. There was testimony that disclosure of your real-life details can harm your prospects in the make-believe world of Hollywood, but would an award in Hoang's favor allow her to implicitly perpetuate misinformation?

Online agreements are terrible: A fair amount of time was spent walking through the IMDb user agreement (and its privacy policy, which as mentioned above was expressly made a part of the agreement). IMDb has highly competent lawyers representing it and the policy is about as good as any privacy policy out there I’m sure, but it was still painfully ambiguous about what IMDb could do with the information it "collected". The privacy policy had the typical flowery language that many privacy policies have and it left Hoang room to make a couple of different arguments. First, she argued that IMDb's use of her name didn't squarely fit within IMDb's examples of ways it would use information provided by users:

[w]e use the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you...

Second, the policy contained a promise to obtain consent before disclosing the information to third parties:

Other than as set out above, you will always receive notice when information about you might go to third parties, and you will have an opportunity to choose not to share the information.

I would guess this type of language is in 99% of the policies out there, but it was still unclear what category of information Hoang's real name fell under, and whether either of these provisions of the policies applied.

Do people even read user agreements?: A related point is whether people even read user agreements. As the agreements were being hashed out in court, you couldn’t help but wonder whether Hoang even read and digested the agreements when she signed up for IMDb Pro. Interestingly, IMDb’s customer service manager said something to the effect that the privacy policy was a marketing-driven document. All of this raised the question of how a terms of service agreement should even be interpreted. Ordinarily, if there’s some ambiguity in the agreement, the parties would testify as to what they understood the agreement to mean, but who on IMDb’s side would offer this testimony? The court did discuss a jury instruction that any ambiguity should be interpreted against IMDb as the drafter, but ultimately, the agreement would end up being interpreted in accordance with the jury’s common sense … which, when it comes to online privacy, may vary wildly.

Connecting information and de-identification: IMDb’s ability to look into its registration database and determine Hoang’s true name, and from there obtain her date of birth with just a few mouse-clicks, was a great illustration that you’re never as anonymous or pseudonymous as you think you are. Hoang's lawyer jokingly brought up the fact that she couldn’t stuff cash into her computer and send it to IMDb, but he had a good point. To sign up as a paying customer, you had to tell IMDb your real identity, and along with it, your birthdate (which was readily accessible with her identity). Eric has referenced Prof. Paul Ohm’s paper on de-identification on the blog. This seemed like a good illustration.

Internet customer service isn’t so great: IMDb is this cool company that has aggregated a ton of information. It lets people settle bets about who acted in what movies and it may be disrupting a certain segment of the casting process in Hollywood. But it has terrible customer service. No offense to their customer service manager that testified, but IMDb’s customer service just came across as lackluster. I certainly wouldn't characterize it as having an attitude that the customer (IMDb pro subscribers) is always right. Maybe it’s because as an internet company it feels that it can hide behind the veil of its computers and servers and never have to conduct business in person. Who knows. Hoang never talked to a live person at IMDb. Ever. I got the feeling that the entire dispute may have just resolved if she were able to talk to someone in person at IMDb.

Who gets to control her information: The ultimate resolution may be influenced by the jury's views on who gets to control her information. IMDb's position, which is one that plenty of internet companies share, is that it will never take down information (in IMDb's case, it says it will replace incorrect information with factually correct information). Having voluntarily submitted incorrect information into the IMDb vortex, should Hoang be forever precluded from exerting some control over that information? Was IMDb right to "connect the dots" and reach into its subscription database to ascertain her true date of birth? Does it matter that Hoang's true name was not available anywhere online, except for sites that collected it in connection with payment for goods or services?

Another interesting aspect of the lawsuit will come if the jury decides to award nominal damages, indicating that IMDb's disclosure of her birthdate was improper. Hoang may ask the court to issue an injunction forcing IMDb to remove her birthdate. This will set up an interesting dispute that requires the court to weigh a variety of factors, including the public interest, what ongoing harm Hoang will suffer from ongoing publication of her age, and IMDb's own interest in publishing accurate information. This isn't really a First Amendment dispute as such, given the existence of a contract, but it has interesting First Amendment undertones.

Previous posts:

Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.
IMDB's Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

Posted by Venkat at 09:09 AM | Privacy/Security



April 07, 2013

Accessing Ex-girlfriend's MySpace Account and Posting Offensive Content Results in Conviction

[Post by Venkat Balasubramani]

State v Kucharski, 2013 Il App (2d) 120270 (Mar. 29, 2013):

Steven and the victim were in a relationship. Because the victim was “kind of computer illiterate,” Steven set up a MySpace account for her. After the relationship ended, Steven accessed the victim’s MySpace page. He posted a slew of offensive things about the victim, for example:

I’m a slut with no education. I’m gonna end up with 2 different baby daddys and I can’t even get a GED. Worst of all my dad buys my boyfriends blow jobs . . .

He also posted the victim’s name and phone number with a note saying “call me.” Finally, Steven posted a photo of the victim in a thong (that he had taken during the course of their relationship and retained, despite the victim’s request that he return or delete it).

When the victim became aware of these changes, she called Steven, who started “giggling and laughing” and said that “she deserved it.” Steven, who continued to access the page despite the victim having repeatedly changed the password, “essentially deleted” the page.

The authorities investigated and determined that the email address associated with the account was Steven’s and that the page was accessed via an IP address associated with Steven’s father. He was charged with: (1) attempted identity theft (720 ILCS 5/16G); (2) two separate counts of harassment through electronic communications (720 ILCS 135/1-2(a)(1) and (a)(2)); and (3) unlawful use of encryption (720 ILCS 5/17-52.5(b)(1)).

The defendant tried to poke holes in the State’s case, saying that the investigator did not verify who in Steven’s household had actually accessed the page or, for that matter, who else residing in the same house had computers and could have accessed the page. Steven's father testified, implying that it could have been Steven's younger brother who accessed the page. The trial court found the victim’s testimony credible and convicted on all of the counts. At the defendant’s request, the trial court dismissed the first count, but sentenced the defendant for violations of the remaining counts.

E-Harassment: Making an Obscene Comment with the Intent to Offend:

This part of the statute prohibited any obscene comment made with the intent to offend.

Defendant argued that the statute discriminated on the basis of content, which requires greater First Amendment scrutiny (even when the discrimination occurs within otherwise proscribable categories of speech). The court says no—the statute does not restrict obscene comments based on their content but rather based on the intent behind the comments.

Defendant also argued that the comments were not obscene. The court was faced with the question of whether the statute covered content that was obscene as defined by the Miller v. California test, or obscene in the everyday sense of the term. Citing to a California case dealing with telephone harassment, the court says that the statute covers the latter. (“[B]ased on the differing purposes between the electronic harassment statute and the obscenity statute, it would be unreasonable to apply the definition of obscene from the obscenity statute when interpreting the electronic harassment statute.”)

E-Harassment: Interrupting the Electronic Communication Service With the Intent to Harass:

Defendant challenged this statute on vagueness grounds. Because the statute is not directed to First Amendment activity, the court says that he has a particularly uphill battle. Defendant does not appear to have expanded his argument much on the vagueness issue, but the one example he cited to demonstrate the vagueness of the statute was that he could conceivably violate the statute by having a heated political exchange via instant message and interrupting the other person. The court says that this argument would get some mileage if harass was defined as an annoyance, but in reality, it only reaches:

interruptions . . . made with the intent to produce emotional distress or discomfort substantially greater than mere annoyance . . . .

Finally, the defendant argued that since the MySpace account was a shared account, and in any event he removed the account within hours of the victim’s call, there was no evidence that he interrupted access with the intent to harass. The court rejects this argument.

Unlawful Use of Encryption:

This statute prohibited the “use of encryption . . . to commit, facilitate, further, or promote any criminal offense.” The statute defined encryption broadly as “any protective or disruptive measure . . .” that controlled interface with a device or with data. The key question was whether changing the victim’s password was a “use of encryption” within the meaning of the statute.

The court says that although the list from the statute is not exhaustive, the statutory definition should be informed by the items on the list: “cryptography, enciphering, encoding, or a computer contaminant.” All of these involve the manipulation of data, but the court says that entering a password (even one that’s been repeatedly changed but emailed to you) into a UI isn’t the same. The court reverses the conviction on this count.
__

Yikes!

The victim did two things (maybe understandable due to her age) that should be avoided at all costs: (1) letting someone take a picture of you in a compromising position; and (2) sharing a password with someone. Granted she did not overtly share the password, and tried to change it after she broke up with the defendant, but maybe we should add “don’t let your significant other/partner set up your online accounts” to the list of things to avoid. (It was not totally clear how the defendant obtained the new passwords after the victim repeatedly changed them. The court says they were probably sent to him via email, but I wonder if he also had to answer a security question?)

Assuming it’s true as alleged, the defendant’s conduct is despicable, harmful, and should result in civil liability and possibly criminal liability as well. However, the charges brought against him illustrate that the laws don’t easily cover this type of scenario. To the extent you are going to stretch the laws to fit this type of situation, you run the risk of sweeping in a whole lot of other innocent conduct, or at least conduct that does not present the same societal problems or concerns.

1. Identity theft: the trial court got rid of the identity theft count based on an Illinois Supreme Court ruling that invalidated the statute. (See “Part of Illinois Identity Theft Statute Found Unconstitutional.”) Although the statutes are different, this is reminiscent of Rolando S., the California case involving Facebook trolling by posting comments through someone else’s Facebook page. E-personation statutes are sketchy in my opinion and I'm guessing we will continue to see challenges to these statutes.

2. Harassment through making an obscene comment: the harassment discussion was dispiriting from a First Amendment standpoint. The court’s conclusion on the first harassment count was that any content that is “disgusting to the senses” or “abhorrent to morality or virtue” is obscene, and if this type of content is posted with the intent to offend, this is enough to violate the statute. [Note to self: never tell any Illinois residents to “fuck off” in an online forum!] This causes all sorts of First Amendment problems I would think. First, the definition of “obscene” is broad enough to sweep up a whole host of online content that most people wouldn’t view as harassment. (The legislature should take a spin through the comment thread of any news website.) Second, general offensiveness in an online forum shouldn’t be enough to suppress speech from a First Amendment standpoint, unless there’s some online exception to cases such as Hustler v. Falwell; Cohen v. California; and Snyder v. Phelps that I’m not aware of. (The court focused on phone harassment but this is obviously different, since there’s some degree of privacy invasion that can justify suppression of the speech altogether.) Finally, measuring the acceptability of speech based on its supposed offensiveness injects the problem of subjectivity and unbridled discretion. What is "disgusting to the senses" differs from person to person.

3. Harassment through interruption of service: this part of the statute was downright bizarre and I have no idea what the legislature was trying to get at. The only thing that came to mind was something like cutting someone’s telephone line when you’re in a feud with them? I would have read the term "communication service" to encompass only things like telephone service or internet service. It didn’t make much sense to read it to cover a third party website.

4. Misuse of encryption: the court sensibly rejects application of this statute to the facts, but I think it illustrates the fact that prosecutors will reach in these types of scenarios and the statutes are not necessarily clear.

Either way, this was an interesting case that raised a whole host of issues. Above all, I think cases like this illustrate the challenges in regulating this type of conduct or expression, and the fact that the statutes are often poorly written and suck in protected expression. There's something about passwords, websites, and online profiles that tends to throw legislators into a tailspin.

Related posts:

Logging Into Someone Else's Facebook Account and Posting Messages on Their Friends' Walls Could Be Identity Theft -- In re Rolando S.
Court Finds That Threatening Video Posted to YouTube and Facebook Can Constitute a "True Threat" -- US v. Jeffries
Federal Prosecution Over "Threats" on Craigslist – US v. Stock
Court Finds Juvenile Delinquent Based on Allegedly Offensive Instant Messages -- In re Alex C.
Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran
Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Ex-Employer's Hijacking of a LinkedIn Account Is a Publicity Rights Violation--Eagle v. Morgan

[photo credit: Shutterstock/Memo Angeles - "Internet Troll Using a Computer"]

Posted by Venkat at 08:20 AM | Content Regulation , Privacy/Security



March 27, 2013

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

[Post by Venkat Balasubramani]

Yunker v Pandora Media, Inc., 2013 US Dist LEXIS 42691 (N.D. Cal. Mar. 26, 2013)

Pandora has been sued before for allegedly revealing listening preferences, but this is a more run-of-the-mill privacy lawsuit against Pandora. Pandora represents to its users that it will not disclose personally identifiable information to third parties. (The representation is implied, as the quoted portion of its privacy policy says that it would share non-PII with third parties.) Yunker claims that Pandora did not de-identify the PII and allowed advertisers to access end users’ PII. Predictably, plaintiff considered the PII to be his property and as having economic value. Separately, plaintiff also alleged that certain Pandora components ate up the memory on his device.

Standing: the court reaches four conclusions on standing: (1) diminution in the value of PII is not sufficient to confer standing; (2) the allegations regarding decrease in memory space are insufficient; (3) the prospect of future harm from non-anonymized PII is too speculative; and (4) he has standing to pursue violations of his constitutional privacy rights.

Wiretap Claim: the court dismisses Yunker’s wiretap claim on familiar grounds: (1) there is no interception of any communication (using a separate device); and (2) as the recipient of any communication, Pandora could divulge it without running afoul of the Wiretap Act.

Stored Communications Act: the SCA claim has similar definitional problems. Yunker does not identify anything in “storage” that was wrongly disclosed. Cookies don’t fall within the SCA’s protection for stored communications because they are temporary. Yunker also tried to argue that Pandora provided remote computing services but, other than parroting the statutory definition, he did not identify what Pandora offered that fit within this definition. Although he cited to the discovery ruling in the YouTube case, the court distinguishes this on the basis that, unlike YouTube, nothing is uploaded and stored to Pandora by the user.

CFAA claim: the CFAA claim fails due to Yunker’s failure to allege loss sufficient to satisfy the $5,000 jurisdictional threshold. The court says there are other problems with this claim, but dismisses on the basis of failure to satisfy this element.

State law claims: Yunker’s state law claims also suffer from a variety of deficiencies. He cannot advance a claim under the Unfair Competition Law because he has not lost “money or other property” (and PII is not property); Yunker is not a “consumer” under the CLRA because he has not leased or purchased anything; his contract claim is deficient because he fails to allege damages; his privacy claim fails because Pandora’s conduct does not constitute an “egregious breach of social norms”; his disclosure of private facts claim fails because no personal/intimate facts were disclosed to anyone; and finally, his trespass and conversion claims also fail.

__

Yunker has the chance to file an amended complaint, but given the skepticism expressed by the court, his chances of curing the deficiencies are fairly slim.

This is a fairly unsurprising result, and in line with numerous recent cases that have tried to assert claims against networks or companies for failing to anonymize information before disclosing to advertisers. As I mentioned in my post about Hoang v. IMDB, that’s a case where a plaintiff actually has some chance of proving harm. Unless plaintiff comes forward with an “Insider”esque smoking gun, these lawsuits are doomed to fail from the start.

Previous privacy lawsuit against Pandora: Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Related posts:

IMDB's Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon
Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices -- Mollett v. Netflix
Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock]

Posted by Venkat at 09:30 AM | E-Commerce , Privacy/Security



March 22, 2013

Another Credit Card Breach Lawsuit Fails – Willingham v. Global Payments

[Post by Venkat Balasubramani]

Willingham v. Global Payments, Inc., 12-CV-01157 (N.D. Ga. Feb 5, 2013) (case later dismissed by the parties)

This is a data breach lawsuit arising out of an incident in which credit card information was purloined from a payment processor. Global Payments, the defendant in the lawsuit, handled transaction processing for merchants. Two plaintiffs sued on their own behalf and on behalf of a putative class. Willingham alleged she noticed fraudulent charges made using her card totaling approximately $1,000. The Hieslers, the other named plaintiffs, made similar allegations. The plaintiffs did not allege whether they were able to get their credit card company to reverse the charges. Plaintiffs assert a variety of state and federal law claims. The court dismisses them all.

Standing: The court engages in a long but ultimately academic discussion on standing. The court says that injury-in-fact requires out-of-pocket loss, and even an unauthorized charge is not necessarily enough:

To sufficiently allege that identity theft actually occurred, a plaintiff must, allege more than fraudulent charges which were removed . . . some further factual allegation, such as that Plaintiff was not reimbursed for those charges or that she incurred fees or other expenses or financial consequences [is required] . . . .

If there is no injury-in-fact, plaintiff may find standing based on future harm only if it is “imminent.” The court says that plaintiffs’ allegations fall short, and also that they are speculative because they depend on the actions of a third party. (The court expresses disagreement with other cases that have held that the risk of future harm is sufficient for standing.) The court also says that plaintiffs’ personal information does not have “inherent monetary value.” (citing to the Facebook privacy litigation and RockYou)

After all this, the court says that it’s preferable to resolve the dispute on the merits than dismiss on the basis of standing.

Stored Communications Act: Plaintiffs argued that Global Payments violated the Stored Communications Act because it knowingly divulged plaintiffs’ credit card information to third parties, by having in place lax authority and allowing hackers to access it. The court debates the issue of whether Global Payments falls under the statute’s definitions of providing an electronic communications service or a remote computing service. Regardless of how this issue shakes out, the court says that Global Payments does not provide a service “to the public” (it deals with merchants). More importantly, it did not “knowingly” divulge any information. At best, it failed to take appropriate steps to safeguard the data, but this does not amount to “knowing” disclosure.

Fair Credit Reporting Act: Plaintiff also alleged that Global Payments willfully and negligently violated the FCRA by failing to implement reasonable security procedures to maintain the confidentiality of plaintiffs’ information. The court rejects this claim as well, saying that under the FCRA, liability in this context only attaches where the covered entity improperly “furnishes” a consumer report to third parties. Here, the court says, Global Payments did not “furnish” the information to anyone.

Georgia Unfair Trade Practices Act: Plaintiffs argued that Global Payments misrepresented the level of security provided and engaged in a deceptive trade practice. The court says that plaintiffs fail to allege reliance on any misrepresentations and failed to allege damages sufficient to support injunctive relief. Plaintiffs also argued that they are entitled to injunctive relief because defendant “farmed out” its obligation to provide adequate security to third parties. Plaintiffs tried to rely on the data breach notification provisions in further support of this argument, but the court says this doesn’t necessarily require notification when an entity delegates its obligations; and in any event, the obligation only applies to the information of residents of the state.

Negligence: A big problem with the negligence claim is that there’s no relationship between Global Payments and plaintiffs (they are not direct customers). Thus, the court says there is no duty. Plaintiffs tried to rely on the “voluntary undertaking doctrine,” but the court says that the lack of bodily injury or physical harm renders this unavailable. Plaintiffs’ negligence claim was also barred by the economic loss doctrine, which limits a party to contractual remedies (where there is a contract) and only allows negligence claims for certain exemplary damages or conduct.

Contract: Plaintiffs’ contract claims fail because they are not third party beneficiaries to the agreements between Global Payments and the merchants. The court also says that there’s no basis for an implied contract—any broad statements that Global Payments would safeguard the underlying data are insufficient to form an implied contract.

__

Plaintiffs are having a tougher and tougher time in data breach cases. Courts seem to require the allegations of out-of-pocket loss to be unequivocal, and here, the court says that even the allegation of an errant charge is insufficient, absent an accompanying allegation that they were not reimbursed or charged back. A stray case or two seemed to offer a glimmer of hope to these types of plaintiffs, but cases rejecting claims keep piling up. If you can't cobble together a claim when your credit card information has been compromised, I wouldn't be very optimistic, in general, as a data breach plaintiff.

Data breach notification laws also do not seem to offer much help to plaintiffs. Granted, plaintiffs only presented their claims under the data breach statute obliquely, in order to support their unfair competition claims, but I can’t think of many cases where consumers were able to recover damages based on an entity’s alleged failure to provide timely notice or otherwise comply with a notification statute.

Federal statutes similarly do not offer much help. From the beginning, early data breach plaintiffs have tried many different variations of federal privacy statutes, but none have really stuck. I thought plaintiffs were creative here with their invocation of the FCRA, but the court rejects this as well.

Although the results in these cases may make sense, courts do engage in some doctrinal contortion to get there. As such, appellate relief is possible. (Again, while a few cases have offered slight rays of sunshine to these types of plaintiffs, none have truly opened the door.)

Other coverage:

Magistrate recommends lawsuit against global payments should be dismissed

Related posts:

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock/budiadiliansyah: a programmer work at night to be a cracker]

Posted by Venkat at 07:00 AM | E-Commerce , Privacy/Security



March 19, 2013

IMDB's Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

[Post by Venkat Balasubramani with a comment by Eric]

Hoang v. IMDb.com, C11-1709MJP (W.D. Wash. Mar. 18, 2013)

We’ve blogged about this dispute—involving an actress’s attempt to hold IMDb liable for publishing her age against her wishes—before. The court recently denied the parties’ motions for summary judgment, setting the case up for a trial.

Background: The court discusses some of the factual background on how IMDb decided to “disclose” Hoang’s age information, and this is somewhat damning to Hoang. Apparently, she signed up without including her age, but later used her friend’s account to submit an incorrect birthdate (1978 instead of 1971). She then decided that she no longer wanted this date on her profile and followed up with IMDb in an attempt to get this error fixed. She even sent IMDb a scanned copy of a fake Texas identification, but none of this had the intended effect. Eventually, she emailed IMDb and asked it to:

Go back on your files and see if you have any documentation, verification, or identification that [her] birthdate [was] in 1978.

In response to her email, a customer service manager accessed information from IMDb’s database containing “pro” registration details. He found Hoang’s legal name. He then searched for her name in “PrivateEye,” a public records database, and ascertained that her birthdate was in 1971. He directed IMDb to update her profile to include the correct birthdate.

Hoang continued to lobby IMDb to change the birthdate:

press[ing] ahead with her false information campaign, sending IMDb links to her fake passport to ‘collect/delete [her birthdate]' . . . .

She sought summary judgment on her then-remaining claims for breach of contract and violations of the consumer protection act. Amazon and IMDb both sought summary judgment as well.

Amazon is entitled to dismissal: The court dismisses Amazon because there is no evidence that it was involved in the decision-making of IMDb (a separate entity). Hoang asserted a variety of arguments, including that the customer service manager listed Amazon along with IMDb on his LinkedIn profile, but none were sufficient to overcome the general rule against holding a parent liable for the acts of its subsidiaries. The court notes there is no evidence that the two entities shared databases.

Unclean hands: IMDb argued that Hoang should be barred by the doctrine of unclean hands. The court rejects this argument, noting that her unclean hands played no part in acquiring the rights at issue.

Breach of contract: The court rejects summary judgment on the key issue of whether IMDb breached the terms of the privacy policy by updating Hoang’s birthdate information. The privacy policy provided that IMDb would use “the information [end users] provide for such purposes as responding to [users’] requests.” The court says that a jury could conclude that IMDb was responding to her requests in searching its files and updating her information. The court cites to an (all caps) email from Hoang that exhorted IMDb to:

GO BACK ON YOUR FILES AND SEE IF YOU HAVE ANY DOCUMENTATION, VERIFICATION, OR IDENTIFICATION THAT MY BIRTHDATE IS IN 1978. IF YOU DO, PLEASE EMAIL IT TO ME BECAUSE I’M CURIOUS TO SEE WHAT YOU’RE GOING OFF OF. IF YOU DON’T FIND ANY PROOF ON RECORD, PLEASE DELETE IT BECAUSE I KNOW THAT 1978 ISN’T MY DATE OF BIRTH

Damages: The court addresses Hoang's damages.

First, the court nukes the limitation of damages contained in IMDb’s term of service. [Ouch.] Its terms of service excluded consequential and exemplary damages, and capped liability to the amount of any fees paid to IMDb in the year prior to the claim. These provisions operated only in favor of IMDb, and the court says these provisions effectively result in a situation where no attorney would want to take a case alleging a violation of IMDb terms.

Second, the court says that Hoang can seek the following damages: (1) nominal damages; (2) direct losses; and (3) career damages. Emotional distress damages are not available in contract cases. The court also rejects her attempt to claim damages in the form of diminution to the value of her property (her personal information). On the other hand, the court does reject IMDb’s argument that no reasonable jury could conclude she has been damaged.

CPA claim: The consumer protection act claim turned on whether this was part of a pattern or likely to recur. If it’s an isolated one-time dispute between these two parties, then there’s no public interest. As part of her argument that this was part of a pattern, Hoang presented evidence that IMDb accessed the PrivateEye database over 20 times. However, IMDb came forward with evidence that each of these instances of access involved searches based on public record or publicly available IMDb information.

__

This is a super interesting dispute. We should be excited at the prospect of trial. Unlike the numerous class action cases we blog about, this presents the situation where a single plaintiff has an opportunity to present evidence to a jury that a company’s misuse of her information has resulted in damages.

Of course, the court’s “unclean hands” discussion is not particularly flattering to Hoang, and the fact that all of this was precipitated by her initial inclusion of incorrect information and subsequent attempts to “correct” this information doesn’t make her look good. That’s setting aside the fact that she’s complaining about IMDb’s publication of her information that only disclosed her accurate date of birth to prospective employers. [We've seen another instance or two of privacy plaintiffs being subject to the harsh light of scrutiny, so this is not surprising.]

Other items of interest in the ruling:

- databases are a treasure trove of information, as demonstrated by the fact that IMDb obtained her birthdate from a public database
- it’s sort of a reminder of how de-anonymization isn’t always effective (or can often be circumvented or reverse-engineered)
- the PII as valuable information argument doesn’t seem to resonate
- it's always interesting to see a terms of use get axed by a court--I would say a one-way limitation is fairly typical in these types of agreements, but the decision illustrates that they are by no means safe

I’m excited to see this case go to trial. I fear that the court’s ruling effectively steers the parties towards settlement, but if it goes to trial, I’ll make sure to attend and report back (since it’s in Seattle).
___

Eric's Comment. The court has nicely teed this case up for settlement. Without the contract risk provisions, IMDB doesn't want the damages exposure. And Hoang runs the real risk of a jury negatively reacting to her serial incidents of deception. A small check from IMDB to Hoang should be in both parties' interest.

Other coverage:

Actress' Lawsuit Against IMDb for Revealing Her Age to Proceed to Trial
Actress’s Suit Against IMDb for Publishing Her Actual Age Can Go to Trial

Previous post:

Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.

Posts on data breach cases:

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 03:35 PM | E-Commerce , Privacy/Security



March 14, 2013

Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang

[Post by Venkat Balasubramani]

Luis v. Zang, 12 cv 629 (S.D. Oh. Mar. 5, 2013)

Divorces have spawned some of the most interesting privacy disputes, such as the cases involving whether GPS surveillance of a vehicle violated one spouse’s privacy rights and whether accessing webmail using a shared computer constitutes a violation of privacy laws. This particular case involved the use of “WebWatcher” software that ostensibly allows people to monitor the computer-related activities of individuals. We blogged on a separate matter involving this divorce (see “Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute”), but this particular lawsuit is one of three lawsuits spawned out of the divorce, two of which were filed by Javier Luis (against a variety of defendants) relating to the monitoring of his communications with Cathy Zang:

[a]lthough Plaintiff alleges that he has never met Cathy Zang in person, he alleges that he virtually met her, via a "Metaphysics" internet chat room, in January or February 2009 (Doc. 39, P 15). Shortly thereafter, Plaintiff alleges that he began to have "daily" communications, in the course of a "caring relationship" with Ms. Zang via the telephone and computer.

[Zang filed a separate lawsuit as well.] The key question before the court is whether Access Technologies, maker of WebWatcher, can be held liable for the monitoring activities conducted by its customer.

Whether WebWatcher “Intercepts” Communications: The court struggles with several semantic questions surrounding whether there has been an “interception” as defined by the wiretap statute: (1) is information captured instantaneously; (2) is the information captured transmitted locally; and (3) is the information re-routed. The court rejects Access’ argument that there has been no interception, noting that the facts at this stage indicate a near-instantaneous capture and re-routing of information to a remote location.

Can Access be held liable for its customers’ conduct: Even assuming an interception occurred, the court says Luis’s claims fall short because remedies are only available against the individuals that “intercepted, disclosed, or intentionally used” communications in violation of the statute. The court says that the statute does not contemplate imposing civil liability “on software manufacturers and distributors for the activities of third parties.” While there is a provision of the statute that prohibits the “[m]anufacture, distribution, possession, and advertising” of devices that can be used for interception (and imposes criminal liability for this activity), the court says that the civil remedies provision does not extend to this part of the statute.

The court also dismisses the litany of state law claims brought against Access (invasion of privacy, infliction of emotional distress, “bullying and harassment”) on the basis that Access did not have any knowledge of Mr. Zang’s use of the product and was not a party to any agreement that involved unlawful interception of communications. (The court does not mention Section 230, but that sounds like a fairly plausible basis for rejecting the state law claims as well.)
__

Although the two cases analyzed slightly different statutory provisions, this dispute is reminiscent of the SpectorSoft case, where a federal district court in Tennessee held that an ex-spouse could not assert federal or state law claims against the company that made monitoring software. In SpectorSoft, the court focused on whether the disclosure of communications was knowing or intentional. In this case, the court says there was an interception, but says that liability for the interception does not extend to third parties. Either way, the result is the same: in the garden-variety case, it's difficult to hold the software developer liable for interceptions effected by customers and clients. This decision reaffirms what is a fairly helpful result for developers of these types of software.

As far as derivative liability goes, both with respect to the Wiretap Act and the Computer Fraud and Abuse Act, plaintiffs have fared poorly in holding third parties liable for the actions of the people who actually did the monitoring, intercepting, or accessing. Courts have been reluctant to extend the reach of these statutes to third parties who did not directly participate in the allegedly wrongful activities themselves.

It's worth flagging that in addition to lawsuits from private parties, these software providers also have to worry about FTC actions. As noted in this 2008 Wired article, the FTC shut down the websites of a company that sold 'DIY spyware'.

Related posts:

Ex-Spouse Hit With 20K in Damages for Email Eavesdropping – Klumb v. Goan
Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft
Ex-Employees Awarded $4,000 for Email Snooping by Employer -- Pure Power Boot Camp v. Warrior Fitness Boot Camp
Court: Husband's Access of Wife's Email to Obtain Information for Divorce Proceeding is not Outrageous
Minnesota Appeals Court Says Tracking Statute Excludes Use of GPS to Track Jointly Owned Vehicle -- State v. Hormann
NJ Appeals Court: No Privacy Violation When Spouse Uses GPS to Track Vehicle -- Villanova v. Innovative Investigations, Inc.

[image credit -- kar/shutterstock: eyeball spy catcher]

Posted by Venkat at 10:25 PM | Adware/Spyware , E-Commerce , Privacy/Security , Publicity/Privacy Rights



March 12, 2013

"Regulation of Social Media and Mobile Media" Talk Slides

By Eric Goldman

Last month, I spoke at the ABA Antitrust Section's always-well-done Consumer Protection Conference. This time I was recruited as the provocateur to discuss the challenges of regulating social media and mobile media. Regular readers know where I stand on that question. My talk slides.

I did forget to make one joke in my talk, so I'll share it here. Can you imagine how much crime-fighting time Dick Tracy lost while trying to scroll through the privacy policy on his wrist TV? BTW, the other device on that slide is a Kaypro, the very first computer my family owned over 3 decades ago, running the long-forgotten CP/M operating system. They marketed it as a portable device, calling it "luggable" because it weighed in at about 30 pounds.

Posted by Eric at 07:12 AM | Internet History , Privacy/Security | TrackBack



March 07, 2013

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

[Post by Venkat Balasubramani]

In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013) [pdf]

LinkedIn suffered a data breach in 2012. Someone allegedly posted 6.5 million passwords and email addresses from LinkedIn users on the internet. Shortly after the password dump, LinkedIn announced that it switched encryption and would store passwords in a more secure encrypted format.

Plaintiffs predictably sued. The two named plaintiffs (in a now-consolidated lawsuit) were LinkedIn “premium” users, which meant that they paid a monthly or yearly fee for upgraded services. One of the plaintiffs alleged that her password was posted online, but the other did not. They sued on behalf of a putative class, consisting of all premium account subscribers. They also asserted claims on behalf of a subclass consisting of individuals whose information was compromised by the data breach. Plaintiffs pointed to language in LinkedIn’s privacy policy as evidence that LinkedIn had misrepresented the level of security for the storage of user passwords:

All information that you provide will be protected with industry standard protocols and technology.

In a short 8 page order, Judge Davila says plaintiffs lack standing. Plaintiffs proceeded based on a “benefit of the bargain” theory because they were paying customers, but the court found several problems with this theory.

First, there is no plausible allegation that plaintiffs paid money to LinkedIn in exchange for any enhanced security services. In fact, the privacy policy and levels of security were expressly the same for paying and non-paying users. As the court notes, the purchase of a premium account is “actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.”

Second, plaintiffs failed to allege reliance on any alleged misrepresentations—they did not allege that they read the privacy policy.

The court also says that the cases where plaintiffs asserted claims for insufficient performance have required plaintiffs to allege “something more” than merely overpaying. For example, damages based on identity theft would constitute something more, but neither plaintiff alleged any damages in this category.

One of the plaintiffs separately raised the argument that she suffered injury by virtue of her information being posted online, but the court also rejects this theory:

Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.

__

Plaintiffs’ failure to sue on behalf of a subclass that actually suffered out-of-pocket loss as a result of their information being posted online is telling, and probably spells the end of this lawsuit. Although they have a chance to amend, the court appears fairly hostile to plaintiffs’ claims.

The lay of the land for data breach lawsuits has not changed much. The overwhelming majority of plaintiffs lose, either on the basis of standing or the merits. In either scenario, the underlying rationale is the same: no out-of-pocket losses equals no cognizable damages.

The plaintiffs here tried a different tack that a few other plaintiffs have also tried: as paying customers, they asserted contract-based claims and claims for misrepresentation. Like earlier plaintiffs, these plaintiffs were also unsuccessful, at least on the first round. Early indications from these cases are that the “benefit of the bargain” argument is unlikely to be successful in the typical data breach case.

It's worth noting that dodging a civil lawsuit does not mean that LinkedIn may not come under fire from the FTC for its representations. More than one company has gotten into trouble over flowery language in its privacy policy about security that did not match up with actual practices.

Other coverage:

(Threat Post): LinkedIn Data Breach Lawsuit Dismissed

Related posts:

Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 09:31 AM | E-Commerce , Privacy/Security



February 28, 2013

Employer Fails to State Stored Communications Act Claims Absent Allegations That Employees Interfered With Company Accounts – Castle Megastore v. Wilson

[Post by Venkat Balasubramani]

Castle Megastore Group, Inc. v. Wilson, et al., 2013 WL 672895 (D. Ariz. Feb. 25, 2013)

Castle Megastore is going after three of its former employees for their alleged breaches of contract, misappropriation of trade secrets, and related acts. Not surprisingly, the acts of the ex-employees Castle complains of involve social media.

Castle alleges that one of the defendants (Wilson) posted an image displaying Castle’s computer system to Twitter. Wilson is also alleged to have “prepared application materials to other companies that contained ‘confidential information regarding CMG, including CMG’s facilities data, [CMG’s] employees, its annual revenue, [etc.]’”

One of the other defendants, Flynn, was engaged by Castle as a “social media specialist.” Castle alleges that Flynn posted a video of a “confidential [Castle] Managers’ meeting” to Vimeo, and also shared the link and password to the Vimeo account to his co-defendants. Castle also alleges that after he was terminated, Flynn “changed the password of the Facebook account he created for Castle.”

The key question is whether any of the defendants’ actions violate the Stored Communications Act, which is the only federal claim alleged by Castle. If the answer to this question is no, the court can decline to exercise jurisdiction over the remaining claims and send the lawsuit to state court.

The court says that the answer to this question is no. The court says that Vimeo may or may not be an “electronic communications service” facility as defined by the Stored Communications Act, but there’s no evidence that Flynn was not authorized to access the Vimeo account (or authorize others to view it). Castle did not allege that Flynn obtained the video through unauthorized access to Castle’s Vimeo account or that he authorized others improperly to access this account. The court says:

[s]ending or using a link and password to access a personal account created on a third party website does not appear to violate the SCA.

The court also says that Castle’s bare allegation that Flynn changed the Facebook password is not sufficient to state a claim under the SCA. Again, the court says that it’s unclear that the page is even an electronic communications service under the SCA. [Castle did not bring a claim under the Computer Fraud and Abuse Act.]

__

Two themes recurring throughout social media ownership cases are present in this case.

First, it's not easy to slot social media assets into particular legal buckets. We've seen attempts by parties to characterize social media assets as trade secrets, tie them to trademark or publicity rights, or make all sorts of clunky attempts to fit them into existing regimes of intellectual property law, but usually it's a poor fit. And this case is no exception.

Second, there's also the recurring issue of whether accounts are private accounts or employer accounts, or as Eric has flagged before, often mixed. Here, the Vimeo account appeared personal (although the facts are taken from pleadings, so they are hardly conclusive), and the court says that there's not enough to characterize the Facebook account as a business account. Interestingly, the case highlights the possibility that preventing an employer from accessing a business account that's offered by a third party may constitute a Stored Communications Act violation.

Ultimately, the solution (at least as to the Facebook account) is to have contractual protection. While it can set expectations between the parties, it can also answer the question of whether an account is personal or business in nature. (Query as to how to best deal with this in an agreement. Should the accounts be referred to generically (e.g., any account incorporating the branding of the company) or by name?)

Related posts:

* Employee/Ex-Employer Lawsuit Over Twitter Account Settles – Phonedog v. Kravitz
* Battle Over LinkedIn Account Between Employer and Employee Largely Gutted--Eagle v. Morgan
* "Social Media and Trademark Law" Talk Notes
* Court Denies Kravitz’s Motion to Dismiss PhoneDog’s Amended Claims -- PhoneDog v. Kravitz
* An Update on PhoneDog v. Kravitz, the Employee Twitter Account Case
* Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
* Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
* Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
* Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
* Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
* Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward -- Maremont v. Fredman Design Group
* "MySpace Profile and Friends List May Be Trade Secrets (?)--Christou v. Beatport"

[image credit: Shutterstock:zozian greetings .. "bluebird sticker"]

Posted by Venkat at 07:33 AM | Privacy/Security , Trade Secrets



February 25, 2013

Building Owner Can't Discover the Identity of Tenant Who Writes Bashing Yelp Review (Forbes Cross-Post)

By Eric Goldman

Brompton Building, LLC v. Yelp!, Inc., 2013 IL App (1st) 120547-U (Ill. App. Ct. Jan. 31, 2013)

Battles over online anonymity aren't new, and we've made a lot of progress clarifying the legal rules. Usually, when a plaintiff sues an unknown defendant (called a "Doe"), the court requires the plaintiff to show that its case has some merit before issuing a subpoena to identify the defendant (sometimes called an "unmasking subpoena"). This judicial review balances the plaintiff's right to pursue unknown defendants against the potentially significant consequences of unmasking, including the possibility that unmasked defendants will be punished outside the courtroom (such as an employer firing a critical employee). However, judicial review can mean that sometimes plaintiffs get stuck in court, as illustrated by a recent landlord/tenant dispute over a negative Yelp review.

What Happened?

The landlord, Brompton, sought a subpoena (pursuant to Illinois Supreme Court Rule 224) from Yelp ($YELP) to identify user "Diana Z.," who wrote a critical review of the landlord's former management company, Beal Properties. (Diana Z. doesn't appear to be the only Yelper unhappy with Beal--you'll need asbestos glasses to read its Yelp reviews). Diana Z.'s Yelp posting concludes sarcastically:

my interaction with Beal has made me a better person in the following ways:

I actually enjoy talking with my HR department.
I look forward to moving to a worse neighborhood....
Contracting herpes doesn't seem as horrible.

[Note: normally I'd link to the review so you could read it in all its glory, but it is offline (more on that in a moment).  The full text is quoted in the opinion.]

Brompton specifically objected to Diana Z.'s assertions that Beal lied about the date it received her rent check (leading to a late fee) and that "Beal Properties is illegally charging tenants late fees for their rent." If untrue, these sound like the kinds of statements that could be defamatory. Yet, the court says that in the context of the entire review, the statements were Diana Z.'s opinion, not assertions of fact. The court also notes that Beal Properties, not Brompton, is probably the proper plaintiff. Because Brompton's case wasn't meritorious enough on its face, the appellate court denies Brompton's request for an unmasking subpoena. As a result, Brompton has hit a dead-end in any lawsuit against Diana Z.--unless it discovers the accountholder's identity some other way.

Implications

Opinion v. Fact. Diana Z.'s assertions are fairly detailed and specific. On their face, they look like factual assertions. Still, the court generously characterized them as opinions, making the statements non-actionable. I don't purport to understand the judicial line between fact and opinion, but courts increasingly are treating online statements as opinions, not facts. Indeed, we've seen numerous cases indicating that readers don't interpret online content literally (see, e.g., Seaton v. TripAdvisor; McKee v. Laurion; LeBlanc v. Skinner; Seldon v. Compass Restaurant; and Redmond v. Gawker). This is creating a type of Internet exceptionalism, where the medium makes a difference to the legal outcome. Overall, I think this trend is beneficial for consumer reviews, but it does create the possibility that fact-like statements are legally immune online.

The Court Protected the Absent Reviewer. Yelp didn't appear in this action (and, of course, Yelp didn't have to worry about any legal liability due to 47 USC 230). I checked with Yelp, and they told me that their policy is to notify targeted users about subpoena requests and related efforts, like this pre-litigation action for discovery, and Yelp did notify the user in this case. Nevertheless, Diana Z. didn't make an appearance in court either. As a result, Brompton's action faced no opposition--but it still lost. The result is a nice and mildly surprising victory for user privacy, even when users don't show up to advocate for their own interests.

Can Brompton Identify Diana Z.? Brompton may have struck out in court, but there are other ways to unmask anonymous online authors. For example, in the AutoAdmit case, the plaintiffs determined the identity of anonymous commenters by correlating their activities on other websites and learning their identity from those sites. (See, e.g., this discussion for some thoughts on how to do it). Or, in a case involving online comments to a newspaper, the plaintiff deduced the anonymous commenter's identity using linguistic analysis. Or, in this case, the review provided so many details that Brompton should be able to make an educated guess about the tenant's identity just by corroborating the review's details against its tenant roster. Extra efforts to identify Diana Z. may not be worth it in a case like this, but if Brompton feels otherwise, it still has options despite the court loss.

Where is Diana Z.'s Review?  The review no longer appears on Yelp.  Presumably Diana Z. removed it (Yelp confirmed to me that it didn't remove the post for a terms-of-service violation), perhaps in a panic after learning about Brompton's action.  So despite its court loss, Brompton effectively scuttled the critical Yelp review.  While we might lament the plaintiff's inability to sue over online statements due to anonymity, this case--along with many others--reminds us that plaintiffs often achieve their goals irrespective of the judicial outcome.

[Photo Credit: Closeup of a common cold sore virus herpes // ShutterStock]

Posted by Eric at 08:36 AM | Content Regulation , Derivative Liability , Evidence/Discovery , Privacy/Security | TrackBack



February 09, 2013

Washington State's Proposed Employer Social Media Law: The Legislature Should Take a Cautious Approach -- SB 5211

[Post by Venkat Balasubramani]

[Washington State’s Proposed Employer Social Media Password Legislation – SB 5211]

Eric previously posted on his concerns about California’s law restricting employer access to social media accounts. The Washington State Senate recently proposed a law (SB 5211), and it suffers from many of the same problems.

Summary: The proposed law prohibits both public and private employers from requiring “directly or indirectly . . . as a condition of employment or continued employment,” that an employee or prospective employee provide any password “or other related account information” for the employee’s profile on a “social networking web site.” The legislation defines “social networking web site” to be any internet-based service that allows individuals to (1) construct profiles; (2) create lists of connections; and (3) view and navigate those lists.

The legislation excludes information that is “in the public domain.”

Finally, the proposed statute says that in the event of a violation, the court may award $500, in addition to actual damages, and reasonable fees and costs to the prevailing party.

Possible problems with the legislation:

Is this really an issue that warrants legislative attention? First, it’s unclear that employers even engage in the practice of requesting access to the private profiles of prospective employees with any regularity. Most risk-averse lawyers would advise their clients to refrain from learning about the details of their prospective employees' personal lives for reasons unrelated to the privacy issue (e.g., learning about a medical condition or religious belief; this would also constitute a violation of the terms of service of most social networks). Given the bad publicity something like this generates, it also doesn’t seem like a good business practice. I would be surprised if employers engaged in this activity en masse. (A separate issue--and one this statute does not address directly--is whether employers engage the services of data aggregators to look into the profiles of prospective employees and conduct de facto credit checks.)

Definitional issues: While the definition of “social networking website” does not suffer from the same flaws as the California statute (that statute applies to digital content, including content that is stored locally), the definition is still vague. It’s also unclear as to what the statute means by “password or other related account information.” Does this attempt to get at something like a protected Twitter account where the account-holder must accept a follow request? Is this the “other account information” that the statute has in mind?

Perhaps more importantly, the statute does not effectively distinguish between private and public accounts, which is a key distinction the statute should make. This is probably what the “public domain” language of the statute is getting at, but “public domain” is not the optimal choice of words here.

Inadvertent effect on ownership questions: We have blogged about many different cases where employer and employee battled over ownership of social media assets. (PhoneDog v. Kravitz; Eagle v. Morgan; Maremont v. SF Design Group; Ardis Health v. Nankivell). Because the proposed Washington statute does not distinguish between prospective and existing employees, the statute could inadvertently affect social media account ownership issues. Court disputes have not produced any definitive standards, but do point to the fact that accounts are often used for mixed purposes. By restricting employer access to “an employee’s . . . account or profile on a social networking site,” the rule arguably prohibits employers from requesting passwords for social networking accounts used by the employee for the benefit of both the employer and employee. Ideally, the statute would make clear that it is not intended to affect any ownership issues between employer and employee and is only intended to deal with a situation where an employer seeks access to a social media account in order to conduct a background check in advance of making an offer of employment.

No exceptions: The statute also does not take a very flexible approach and does not contain carve-outs for scenarios where employers would legitimately need to access information from a social media account used by the employee. These could include accessing information in order to conduct investigations or look into misconduct. The California statute contains a broad exception, but the proposed Washington legislation does not contain one.

Private cause of action: The proposed law also provides for a private cause of action and authorizes courts to award statutory damages. Most likely, this provision will result in the statute being just another routine cause of action that a disgruntled former employee asserts against an employer, rather than a meaningful check on employer snooping.

__

The statute has “unintended consequences” written all over it.

Given the uncertainty around whether this is really a rampant practice that needs legislative attention, along with the difficulties in making the statute reasonably precise, this looks like a great candidate to take a wait and see approach, rather than rushing in.

(h/t to William Carleton and Danan Margason for flagging it)

Other coverage:

Seattle Times (Brian Rosenthal): Must job hunters reveal Facebook password?
Trade Secrets: Hands Off My Tweets: Washington State Senate Proposes Ban on Mandatory Disclosure of Employee Social Networking Passwords
William Carleton: Washington State to consider a social networking password protection law; Grading the social media savvy of six state legislatures

Related materials:

National Conference of State Legislature's Survey: "Employer Access to Social Media Usernames and Passwords"
H.R. 5050: "Social Networking Online Protection Act"

Related posts:

Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim -- Ehling v. Monmouth Ocean Hosp.
Employee/Ex-Employer Lawsuit Over Twitter Account Settles – Phonedog v. Kravitz
Battle Over LinkedIn Account Between Employer and Employee Largely Gutted--Eagle v. Morgan
Another Set of Parties Duel Over Social Media Contacts -- Eagle v. Sawabeh
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell

[image credit: Shutterstock "electronic biometric fingerprint scanning"]

Posted by Venkat at 08:25 AM | Privacy/Security



February 06, 2013

"Privacy Policies in the United States" Presentation Slides

By Eric Goldman

I recently guest lectured on drafting privacy policies in the United States. My presentation slides.

One of my big-picture takeaway points is that privacy laws and associated industry self-regulation have gotten so extensive that drafting privacy policies is strictly for privacy experts. Unlike the good ol' days, the average competent lawyer--and even the sophisticated cyberlawyer who dabbles with privacy issues--may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology. As a result, in all likelihood, I've already drafted the last privacy policy of my career. I'm curious if you agree (if you email me, let me know if I can post your email as a comment to this post).

[Photo credit: message on keyboard enter key, for privacy policy concepts // ShutterStock]

Posted by Eric at 07:31 AM | Licensing/Contracts , Privacy/Security | TrackBack



February 05, 2013

California Supreme Court: Retail Privacy Statute Doesn't Apply to Download Transactions – Apple v Superior Court (Krescent)

[Post by Venkat Balasubramani with comments from Eric]

Apple v. Superior Court ex rel Krescent, S199384 (Cal. Sup. Ct. Feb. 4, 2013)

In a divided ruling, the California Supreme Court held that California’s privacy statute restricting retailers from collecting personal information as part of credit card transactions (the Song-Beverly Credit Card Act) does not apply to online sales of downloadable materials.

Plaintiff was an Apple customer who purchased digital goods. He alleged that Apple collected both a street address and a telephone number while accepting credit cards, and that neither data category fell under the statutory exceptions for the collection of information. The statutory scheme is set forth in section 1747, et seq., and had most recently been applied by the court in Pineda, where the court found that collection of a zip code by a bricks and mortar retailer violated the statute. While the statute provides for several exceptions allowing the collection of some personal information during credit card transactions (certain types of transactions; when the retailer is “contractually obligated” to collect the information; transactions at the pump), none of those statutory exceptions explicitly applied to an online sale. The statute also allows a retailer to request a driver’s license or “positive identification,” but only where the customer does not make the card available on request.

Majority opinion: the majority says that the statute—which pre-dated online commerce—does not provide a clear answer. However, the court says that the legislature was concerned with consumer privacy, but also built in flexibility to allow merchants to take fraud control measures. The court also says that fraud control mechanisms that are available to bricks and mortar retailers (e.g., inspecting the customer’s ID) are not available to online retailers. Accordingly, the court says:

[w]e cannot conclude that if the Legislature . . . had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended section 1747.08(a)’s prohibitions to apply to such transactions despite the unavailability of section 1747.08(d)’s safeguards.

Plaintiff acknowledged that Apple could at least require his address as a verification mechanism and that Apple's collection of this information does not clearly fall under any statutory exception. In fact, the statute says that the address is a type of identification that retailers are not allowed to collect, unless incident to fulfilling the transaction (which does not apply when a download is involved and there is nothing to ship).

Plaintiff also argued that a 2011 amendment (excluding the collection of zip-codes in pay-at-the-pump transactions) shows that the statute overall applies to online transactions. According to plaintiff, this narrow exception would only be necessary if the statute applies to all remote transactions. The court says no. The amendment was enacted in response to Pineda, which held that zip-codes were personal information, and to insulate gas stations that had been collecting this information for ages under the mistaken belief that it was not prohibited by the statute.

Finally, the court points to other legislation as adequately protecting plaintiffs. The California Online Privacy Protection Act is, according to the court, a good backstop for regulating the transfer of consumer information in online transactions. Similarly, the TCPA also offers some protection against unsolicited telephone calls.

In closing, the court says that in light of the legislative purpose and structure of the statute, it’s not clear that it applies to online sale of downloads. Obviously, if the legislature wants, it can revisit the issue.

Justice Kennard: Justice Kennard tees off on the majority’s internet exceptionalism and says this is what is driving the conclusion. He is particularly unpersuaded by the fact that the transaction should be treated differently because it is a “card not present” transaction, saying that these transactions (mail order) existed well before the internet, and the legislature did not build in any exceptions for mail or telephone into the statute. Justice Kennard also says that sellers of downloadable products can take preventative measures against fraud. They can record the buyer’s driver’s license number or other ID number. They can also collect personal identification if “contractually obligated” to do so.

Justice Baxter: Justice Baxter also dissents, saying that applicability of the statute to online retailers flows from the statute, isn’t absurd, and promotes the legislative objectives. Justice Baxter says that the purpose of the statute is to protect consumer privacy, and to the extent there is any anti-fraud purpose behind the statute, it’s to protect consumers, and not retailers, from fraud. Justice Baxter also focuses on mail order and telephone transactions and says that there’s no reason why the legislature would intend these transactions to not be excluded but somehow intend internet transactions to be excluded. He also says that whether the information was collected for fraud protection purposes is a factual matter anyway that shouldn’t be resolved against plaintiff on a demurrer. Finally, Justice Baxter says that California’s Online Privacy Protection Act does “nothing to restrict an online retailer’s use of a consumer’s personal identification information . . . .”
__

This lawsuit vaguely brings to mind the debate about FACTA's credit card receipt truncation requirements and whether these applied to online transactions (answer: no). As meritless as these lawsuits may seem, I have to admit that the dissents made some pretty good points. The majority's statutory interpretation seemed tortured. In particular, the fact that remote transactions have pre-dated the internet would (to me) point to the fact that the lack of an express carve-out in the statute for online transactions means that these transactions would be presumed to be covered. Also persuasive was the argument that even if the address is justifiable as a fraud-prevention mechanism, the phone number is not so much. (As a sidenote, online retailers deal with a set of byzantine rules when it comes to fraud prevention and for the most part are on the hook for fraudulent transactions.)

Interestingly, the majority cites to California's online privacy statutes as a backstop that offers protection to consumers, but judicial interpretations of harm, or lack thereof, have rendered those statutes as ineffectual weapons--at best--in the hands of consumers. (See, e.g., Boorstein v. Men's Journal.)

Although other federal courts and lower state courts have declined to apply the statute to online transactions as a whole, the court's opinion here repeatedly mentions downloadable transactions. It's interesting that the court did not take the extra step to just exclude online transactions as a whole. As Eric notes below, this is a fairly narrow holding.

I would chalk this decision up to a dose of internet exceptionalism coupled with distrust towards privacy class actions that are based on statutory causes of action. It puts the ball squarely in the legislature's court.
____

Eric's Comments

Although the dissents and the media coverage have tried to play up the importance of this ruling, it's actually a pretty narrow ruling. The majority opinion says that the Song-Beverly statute doesn't restrict the collection of personal information during credit card sales of downloadable files. That's all it does. Plus, the personal information in those transactions may be regulated by dozens of other statutes, legal doctrines, industry guidelines, contracts and technology. So saying this statute doesn't apply to these limited transactions hardly opens up a huge privacy hole. The majority opinion made this point and the dissents basically ignore it--to their detriment.

It's easy to criticize the California Supreme Court for its messy decisions here (their debates about technological facts were wince-inducing--they reminded me of their embarrassing Intel v. Hamidi debate about what an "intranet" is), but the California legislature is really the one to blame. Simply put, the Song-Beverly Act is a terrible piece of legislation. Among other reasons:

* the act was a specific solution to a specific problem. The act bans certain common retailer practices from the 1980s. But obviously retailer practices evolve over time, requiring constant legislative attention to address new practices. When that doesn't happen (i.e., always), those laws don't age well. This would have been a great statute to contain a sunset provision that forced the legislature to revisit it after a certain length of time.
* worse, the act encodes unexpressed assumptions about credit card technologies and retailer practices. Not surprisingly, judges have a tough time dealing with legislation like that.
* worst of all, the law has a private right of action, ensuring that lawyers would gang-tackle hyper-technical violations of the act where no consumer actually suffered any harm. Case in point: tell me exactly how Apple's consumers are harmed by providing their address/phone number when making an iTunes purchase? It's possible to come up with some make-weight arguments about possible future harm, such as an increased risk of identity theft, unwanted personal tracking, or possible future telemarketing/junk mail (but what does Apple say about this in its privacy policy?). But has anyone today experienced actual harm from the practices subject to the lawsuit? If not, why was this case brought?

Overall, I see Song-Beverly litigation as just one class in the superset of stupid privacy litigation, designed to advance the interests of the lawyers, not the interests of the class of consumers they purportedly represent. I've criticized this phenomenon in my The Irony of Privacy Class Action Litigation article.

____

Related posts:

California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma
Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
"Electronically Printed" Does not Include Automated Merchant Email -- Shlahtichman v. 1-800 Contacts

Posted by Venkat at 02:45 PM | E-Commerce , Privacy/Security



January 28, 2013

State Laws Restricting Social Media Use by Sex Offenders Are Failing in Court

[Post by Venkat Balasubramani with comments by Eric]

Statutory schemes in three different states intended to regulate the online activities of convicted sex offenders have met with judicial disapproval.

Doe v. Nebraska, 09CV456 (D. Neb. Oct. 17, 2012):

Nebraska’s statute (1) required registrants to disclose their device identifiers and online profiles; (2) required registrants to consent to searches and the installation of monitoring apparatus and (3) criminalized use of sites that are accessible by minors.

Ban on internet use: Section 28.322.05 banned sex offenders from using any “social networking website, instant messaging, or chat room service” that also allows users who are less than 18 to access those services. Citing to an array of facts and figures regarding the ubiquity of social networks and utilities, the court says that the statute restricts the affected individuals from using “an enormous portion of the internet” to engage in expressive activity. The court notes that the ban is not dependent on any past use of utilities to commit crimes, or any particular online risk posed by the offenders. The ban is overly broad and violates the First Amendment.

The court also picks apart the definitions employed by the statute and says that the statutory definitions render it unconstitutionally vague. The government offered a slew of narrowing constructions to different terms in the statute, but the court says that these suggestions further illustrated the vagueness underlying the statute. For example, the statute banned “instant messaging” services—that were defined as services that enabled instantaneous text transmissions—but the State claimed that this did not include text messaging services. The court was charitable toward the legislature, but at a certain point the snark just broke through:

Without intending to be unkind, the fourth suggested construction is laughable. It states that ‘virtually instantaneous’—for purposes of ‘instant messaging’ services or ‘chat rooms’—means ‘real time.’ What in the world does ‘real time’ mean? Particularly when it comes to ‘text messages’ sent through ‘instant messaging’ services, the substitution of the words ‘real time’ for ‘virtually instantaneous’ is of no help whatever in clarifying the glaring ambiguity in the statute. The proposed construction is very much like a dog chasing its tail—the dog and the tail simply turn in a humorous circle.

The court says that, in addition to being overly broad, the ban does not leave open alternate channels of communication. While the State argued that sex offenders could still obtain information through news media, the court says that not being able to access information via Twitter and Facebook is as good as a ban—it doesn’t matter that you can access the news in the next day’s edition of the newspaper. Similarly, not being able to use Skype means not being able to videoconference with family members. According to the court, there’s no substitute.

The court rules this provision facially unconstitutional.

Disclosure of identifiers: The statute requires offenders to disclose device identifiers as well as “internet communication identifiers”. A related statutory provision also required offenders to consent to a search of his or her devices. With a cite to McIntyre and a nod to the fact that “anonymity is a shield from the tyranny of the majority,” the court says that these provisions also do not pass muster. The court finds particularly troubling the fact that an offender is required to disclose any blogs or sites maintained by the person – i.e., the disclosure provisions effectively eviscerate an offender’s right to engage in anonymous online speech. And the court is clear that even registered sex offenders have this right.

The court also rules this provision facially unconstitutional.

Ex Post Facto Challenge: The court also says that the statute violates the ex post facto clause. The key question is whether the statute has a punitive intent or merely a civil regulatory scheme. Citing to statements from the sponsoring lawmaker (and the fact that the State elected to exercise legislative privilege to block inquiry into the purpose of the bill), the court says the statute is punitive in nature and violates ex post facto with respect to people who had been convicted prior to the effective date.

The court does dismiss as unripe the Fourth Amendment challenge brought against the consent to search provisions by those who were not on probation. (In any event, the court ruled these provisions unconstitutional on other grounds.)

Doe v. Harris, C12-5713 (N.D. Cal. Jan. 11, 2013):

California voters overwhelmingly approved the “Californians Against Sexual Exploitation Act” (Proposition 35). The statute requires sex offenders who fall under California’s sex offender registration program to provide the following:

- a list of all “internet identifiers established or used” by the person
- a list of all “service providers used by the person”

Internet identifier is further defined as:

an electronic mail address, user name, screen name, or similar identifier used for the purpose of Internet forum discussions, Internet chat room discussions, instant messaging, social networking, or similar communication.

The statute also required registrants to provide (in writing) any changes to the above information. The information is to be provided to the agencies that otherwise deal with the registrant, but those agencies would make the information available to the Department of Justice. The court initially entered a TRO, but subsequently issued a preliminary injunction, enjoining enforcement of the statute pending outcome of the litigation.

Level of scrutiny: First, the court says that the statute is not subject to strict scrutiny because it is content neutral, even though it affects a class of speakers.

Construing the statute: Second, the court narrows the statute in accordance with the government’s concessions: (1) the only service providers a registrant needs to report are those with whom the registrant actually has an account (e.g., if you are at the library and Time Warner is the ISP that allows you to access the internet from the library, you need not report this); (2) only identifiers that are actually used to post content or communicate are required to be reported (e.g., your Amazon account information that you use to purchase books is not required to be reported, assuming you also do not use that profile to comment or interact online).

Is the statute “narrowly tailored”?: The court says that it’s conceivable that the registration requirement generally advances the stated government interest of preventing future crimes by registrants. The court notes the hypothetical example of being able to cross-check a person who uses an online identity to recruit against the database of registrants. However, the court says that narrow tailoring in this context also requires restrictions on when law enforcement can access the information and what they can do with it. Here the law says that law enforcement can disclose identity information “when necessary to ensure public safety.” The law was similar to statutes in other states (Georgia and Utah) that have been struck down.

The court is also concerned that the statute will have a chilling effect—failure to report is a criminal violation, punishable by up to three years in prison. The statute also has the effect of depriving registrants of their online anonymity.

The court points to the fact that the state’s own assessment process classified a chunk of the offenders as having a “low to moderate” risk of re-offending. The government could not explain why these offenders should be treated the same as higher risk offenders. There was also no data on how likely offenders are to commit future offenses using the internet. Similarly, the court says that some data is available to the effect that online exploitation is much less likely to occur on sites that involve discussion of political or social issues. It's unclear there's adequate justification for requiring registration for these types of sites or services (even for those whom the data ostensibly says are likely to re-offend online).

In closing the court says:

The CASE Act provisions extend to [websites dedicated to discussion of public, political, and social issues], and registrants are likely to be chilled from engaging in legitimate public, political, and civil communications for fear of losing their anonymity. As a Nebraska district court forcefully stated, a requirement that sex offenders report to the government all communications on blogs and websites puts a stake through the heart of the First Amendment’s protection of anonymity [and] surely deters faint-hearted offenders from expressing themselves on matters of public concern.

Interestingly, the statute was sponsored by Facebook’s ex-Chief Privacy Officer.

Doe v. Indiana, 2013 WL 238735 (7th Cir. Jan. 23, 2013):

The Indiana statute in question prohibited sex offenders from:

knowingly or intentionally using a social networking web site or an instant messaging or chat room program that the offender knows allows a person who is less than eighteen (18) years of age to access or use the web site or program.

Doe sued on his own behalf and on behalf of a putative class of offenders who were required to register but were not on any form of supervised release. The district court found that the statute burdened more speech than necessary, but upheld the statute, finding that Doe didn’t “furnish the court with workable [alternatives].” The Seventh Circuit disagrees, and says the statute does not pass First Amendment muster.

According to the Seventh Circuit, the issue was that the problematic activity was only a subset of the overall expression that the statute regulated (something the Nebraska and California courts focused on also). It was aimed at improper online communications between registered offenders and minors, but this was “a minuscule subset of the universe of social network activity.” Moreover, Indiana already had statutes on the books that were targeted at the particular ills at issue – it’s already a crime in Indiana to solicit minors, or engage in inappropriate communications with children. Penalties are increased when you do so using a computer.

The court does step back and say that it should be careful to not impose too high a standard on state legislatures. Some amount of over-inclusiveness can be justified by “administrability concerns,” but the statute as currently crafted can't be justified on this basis.

The State also argued that existing statutes serve a different purpose than the social networking ban at issue in the case. According to the State, existing laws aim to punish those who have committed the crime of solicitation, while the ban aims to “prevent and deter.” The court is not persuaded by this distinction, saying that all laws punish those who have committed conduct that is proscribed by the laws, and this punishment is what deters. The court is also not sold on the argument that the social networking ban would be more effective because it would prevent would-be offenders from being on social networks in the first place. The court says that to the extent someone would break the law and solicit a child, they would be just as likely to break the law banning them from using a social networking site in the first place.

The court closes with a nod to the legislature that it’s not foreclosing a more carefully crafted statute, or even one that may be better supported by legislative facts or studies. To the extent there is a class of individuals “whose presence on social media impels them to solicit children,” the legislature could presumably enact legislation targeting these individuals.

Finally, the court says that nothing in its opinion should be read to limit the latitude of district courts in fashioning terms of supervised release.
__

These three cases, as well as laws aimed at Backpage from Washington and Tennessee, are more than enough to mark a trend. Legislatures are rightly concerned with online sex offenses, but are taking the blunt instrument approach to regulating the online activities of sex offenders. Courts are consistently saying that the First Amendment requires a more finely crafted approach. As Eric has highlighted before, state legislatures do not seem particularly adept when it comes to online regulation. Definitional terms are a major stumbling block. The Nebraska case in particular highlights this; the court had a field day poking holes in legislative definitions of things like "chat rooms" and "instant messaging".

Though the three statutes differed significantly in their approach, in all three cases the courts found that only a subset of sex offenders were likely to engage in problematic conduct online, and regulation of sex offenders as a whole without reference to whether they were likely to engage in problematic acts online sweeps in too much First Amendment protected expression – i.e., sex offenders use the internet for normal activity just like everyone else. To the extent legislatures try to regulate the online activities of those whose sex offenses included an online component, they would probably have a much easier time doing so. However, even as to these individuals, courts will be concerned with any over-inclusiveness of a ban. On a related note, trying to restrict registrants' access to sites that also allow access by those under 18 is not workable.

[Eric's addendum: There is actually social science on this question that could inform policy-makers if they actually did their homework. For example, I call your attention to Lee, Austin F., et al. Predicting hands-on child sexual offenses among possessors of Internet child pornography, 18 Psychol. Pub. Pol'y & L. 644-672 (2012):

CP [Child pornography] offenders appear to comprise a subgroup of sex offenders characterized by taxonomic heterogeneity. As Seto has pointed out on multiple occasions, those apprehended with CP have a sexual interest, if not a sexual preference, for children, and, given prevailing DSM criteria, are frequently diagnosable as pedophiles. Indeed, this same point was noted in U.S. v. Swarm--Dr. Mills and Dr. Saleh correctly agreed with the Bureau of Prisons' memorandum that states, quote: "Paraphilias, including pedophilia, range in severity from a condition in which the individual experiences deviant sexual fantasies and urges, but did not engage in any victim contact, to individuals who act on their urges and fantasies . .." (p. 21). Paradoxically, this group of pedophiles, as noted, is at low risk to commit hands-on sexual assaults of children. Those CP offenders that do sexually assault children are distinguished by a much higher degree of antisociality compared to those that refrain from such crimes. Moreover, those CP offenders that sexually assault children typically present as lower in educational and vocational achievement than those who refrain from such crimes. We found in the present study, e.g., that 21% of the Internet-only offenders were professionals, compared with only 8% of the "dual" offenders. Witt (2010) commented that "Studies have found that child pornography offenders are generally more educated, more intelligent, and have more stable work and relationship histories than contact sex offenders" (p. 4). Generally, these findings are consistent with the hypothesis that increased social and vocational competence inhibit the expression of antisocial behavior in IO-only offenders.
By contrast, one could readily hypothesize that traits associated with Antisocial Personality Disorder (APA, 2000), such as deceitfulness, manipulativeness, impulsivity, aggressiveness, disregard for others, and impaired social emotions (remorse, guilt, and empathy), more likely found among offline offenders, are disinhibitory to committing a battery offense. Babchishin et al. (2011) concluded similarly, noting the presumptive importance of inhibitors and self-control in differentiating between online and offline offenders.]

The cases also highlighted internet anonymity and made clear that just because you are a sex offender does not mean that you lose your First Amendment right to speak anonymously online. As Eric points out below, sex offenders aren't a class of individuals who have the most political clout, so it's nice to see judges acting as a meaningful check on the legislature in this arena.
____

Eric's Comments

Efforts to ban sex offenders from social media sites, or require them to report their credentials, are at the intersection of three memes that have consistently undermined rational policy-making:

1) Protect the kids online. "Protect the kids" makes for great political soundbites, but let me ask a serious question: Can you point me to *any* law that was enacted under the conceit of protecting kids online that has actually had that effect? Politicians pontificate greatly on the need to protect kids online, but I'm drawing a blank on when they've succeeded with that effort.
2) Deprive sex offenders of civil liberties. As pariahs in our society, sex offenders have no one fighting for their civil liberties in legislative processes, so policy-makers can reduce their civil liberties to sub-human levels without any pushback. Fortunately, the courts are standing up to these systematic legislative efforts to functionally eliminate convicted sex offenders from our society, but only at significant cost.
3) Social media exceptionalism. When a new and important Internet medium emerges, policy-makers feel like they have to be "cutting-edge" and fix the purported problems in the emerging medium. But as these and other numerous cases have made abundantly clear, it is absolutely impossible to define social media as a subset of the Internet, so the bans on using social media become the functional equivalent of Internet bans and therefore are clearly unconstitutional. Yet, despite the resoundingly clear message from the courts, statute-drafters keep making the same damn drafting mistakes.

I am particularly disgusted with California's Proposition 35 for three reasons:

1) It was a bait-and-switch on the public. The proposition was sold as an anti-human trafficking law, but the online sex offender restrictions went well beyond that topic.
2) I am not aware of any social science linking sex offenders online with human trafficking. As far as I know, the legislation hardwired assumptions about sex offender behavior that had absolutely no grounding in fact. This wasn't even junk science; it's ascientific policy-making.
3) Even though California has a deficit of billions of dollars, we taxpayers spent our money defending this law--despite the fact it was obviously unconstitutional on its face. Yay for wasted government resources!

I believe California's voter initiative process is irreparably broken, and seeing shitty and unconstitutional initiatives like this get 80%+ voter approval provides more evidence of that.

Overall, the fact that states keep making the same systematic errors provides more evidence that states are terrible "laboratories of experimentation." Rather than replicating the best state laws after the laws empirically demonstrate their worth, states embrace and propagate bad memes quickly--and without any evidence of efficacy--when it comes to regulating the Internet, multiplying the costs to judicially remedy the legislative pandering. We desperately need a moratorium on state laws that regulate the Internet until policy-makers can figure out why they keep making the same mistakes and build processes to overcome the forces causing the systematic errors. (Of course, I'd rather just get state legislatures out of the Internet regulation business altogether, but a moratorium would be a good start).
____

Related Posts

* Sex Offender Online Registration Statute Covers New Myspace Account -- State v. White
* Banning Sex Offenders from Social Networking Sites is Unconstitutional--Doe v. Jindal
* New Jersey Authorizes Ban of Sex Offenders' Internet Access
* MySpace Sued for Facilitating Offline Sexual Assaults

Posted by Venkat at 10:57 AM | Content Regulation , Privacy/Security



January 22, 2013

My Talk to High Schoolers About Accountability for Online Content

By Eric Goldman

Earlier this month, I spoke at Los Altos High School as part of their "History Week" (check out that speaker roster!). The topic title is "Internet and Social Media Usage Rights," which I turned into a talk about ways teenagers can get themselves into trouble on social media. I used three case studies: Finkel v. Dauber, D.C. v. R.R., and Moreno v. Hanford Sentinel.

This was my first talk ever to high school students, and they are a challenging audience (especially when it's mandatory attendance). Still, only a few of them fell asleep on me, and I even coaxed a few audible chuckles from the audience, so I'll chalk it up as more successful than not.

My talk slides. Recording of my talk (to preserve student privacy, I turned off the recording before taking Qs) [download and streaming].

Posted by Eric at 09:13 AM | Content Regulation , Privacy/Security



January 19, 2013

Is Recusal Required When a Judge is Facebook "Friends" With a Prosecutor? Question Certified to Florida Supreme Court -- Domville v. State

[Post by @VBalasubramani]

Domville v. State, No. 4D12 556 (Fla. Dist. Ct. App. Jan. 16, 2013) [pdf]

We blogged about a decision where a Florida court ruled that a judge who was hearing a criminal case and was Facebook friends with the prosecutor should have been disqualified: Florida Judge Disqualified Over Facebook Friendship With Prosecutor. The appeals court denied the state’s request for a rehearing but certified the following question to the Florida Supreme Court:

Where the presiding judge in a criminal case has accepted the prosecutor assigned to the case as a Facebook "friend," would a reasonably prudent person fear that he could not get a fair and impartial trial, so that the defendant's motion for disqualification should be granted?

One concurring judge had the following to say:

Judges do not have the unfettered social freedom of teenagers. Central to the public's confidence in the courts is the belief that fair decisions are rendered by an impartial tribunal. Maintenance of the appearance of impartiality requires the avoidance of entanglements and relationships that compromise that appearance. Unlike face to face social interaction, an electronic blip on a social media site can become eternal in the electronic ether of the internet. Posts on a Facebook page might be of a type that a judge should not consider in a given case. The existence of a judge's Facebook page might exert pressure on lawyers or litigants to take direct or indirect action to curry favor with the judge. As we recognized in the panel opinion, a person who accepts the responsibility of being a judge must also accept limitations on personal freedom.

Another judge partially dissents, saying that the case was correctly decided, and this isn’t really a question of “great public importance” after all, and thus should not be certified for further appellate review. The judge also notes that requiring disqualification isn't a comment on the ethical propriety of the trial judge’s original decision.

These Facebook friending discussions always bring to mind the court’s comment in Quigley Corp. v. Karkus:

[T]he Court assigns no significance to the Facebook "friends" reference. Facebook reportedly has more than 200 million active users, and the average user has 120 "friends" on the site. . . . Indeed, "friendships" on Facebook may be as fleeting as the flick of a delete button.

No. 09-1725, 2009 U.S. Dist. LEXIS 41296, at *16, n.3 (E.D. Pa. May 19, 2009). This is certainly a path a court could take in dealing with these types of issues. On the other hand, a member of the public who does not have familiarity with the legal system may ascribe some significance to the relationship and this may affect the perception of impartiality. Off-line friendships are not “on display” or memorialized in the same way that online friendships are. (Facebook exceptionalism alert!)

Perhaps disclosure and education at the outset would adequately address this issue?

Related posts:

Florida Judge Disqualified Over Facebook Friendship With Prosecutor.
Is the Florida Bar Taking Facebook Friendship Too Seriously?

[image credit: Shutterstock/virinaflora: "best friends"]

Posted by Venkat at 10:27 AM | General , Privacy/Security



January 14, 2013

Tenured Teacher Properly Fired for Facebook Quips About Her Students–In re Tenure Hearing of Jennifer O’Brien

[Post by Venkat Balasubramani with comments by Eric]

In the Matter of the Tenure Hearing of Jennifer O’Brien, State Operated School District of the City of Patterson, Passaic County, 2013 WL 132508 (Jan. 11, 2013) [pdf]

O’Brien had taught in New Jersey since 1998. She was initially assigned to teach fifth grade at School No. 29, but was ultimately assigned to teach the first grade. School 29 has a student body that was “almost entirely composed” of minorities. The 23 students in her class were either Latino or African American. She previously taught at a different school and apparently had a tough time adjusting to School No. 29.

O’Brien posted two statements to Facebook:

I’m not a teacher – I’m a warden for future criminals!

They had a scared straight program in school – why couldn’t [I] bring [first] graders.

The principal of O’Brien’s former school apparently forwarded a copy of the message to the principal of School 29, asking if “there is anything we can do about this.” O'Brien's current principal confronted her about the posts and she was suspended without pay, pending a full investigation. Meanwhile, news of the posts “spread quickly . . . .” The media got wind of the posts. Parents also complained about the posts. O’Brien was charged with “conduct unbecoming a teacher.”

An ALJ heard the matter, rejected her First Amendment arguments, and ordered O’Brien removed from her tenured position:

An internet-social networking site such as Facebook is a questionable place to begin an earnest conversation about an important school issue such as classroom discipline. More to the point, a description of first-grade children as criminals with their teacher as their warden is intemperate and vituperative. It becomes impossible for parents to cooperate with or have faith in a teacher who insults their children and trivializes legitimate educational concerns on the internet.

Interestingly, the ALJ was on the fence about whether removal was the appropriate sanction, but was ultimately swayed by O'Brien's apparent lack of contrition. The Commissioner adopted the ALJ’s decision in its entirety.

The court affirms the Commissioner’s decision. Applying the Pickering test for when public employees can be terminated for speech, the court says that O'Brien's statements were not a matter of public concern. Even assuming the speech was on a matter of “public concern,” the court says that the district’s interest in the efficient operation of its schools outweighed O'Brien's right to express those comments. The court also agrees that the posts evince a “disturbing lack of self-restraint [and were] inimical to her role as a professional educator.”

__

Oof. This is a rough result for O'Brien, who at best experienced a momentary lapse of reason in choosing her particular mode of expression. Ten or fifteen years ago, O'Brien's statement would have taken place in the context of a conversation among peers in a coffee shop or over a beer and would have been instantly forgotten. Today, of course, things are different. Because the comments were posted on Facebook, her former boss was aware of them and was able to forward them to her current boss. News media picked up on them. Parents became agitated. None of this would have happened 15 years ago.

The legal rules are not terribly favorable to public employees, and it's tough to fault the ALJ and the court for their application of the doctrinal rules. My own view is that it's an overreaction to fire someone over something like this, especially someone who had a clean track record. You have to wonder whether generational divides and/or attitudes about internet use influence the outcome in these types of cases. The ALJ's comments and her views about O'Brien's lack of contrition make me think they do. [As a side note, you also have to wonder how O'Brien would have fared against a private employer, given the absurdly expansive, aggressive stance taken by the NLRB against employers who take action based on social media posts.] Also, I can see O'Brien appealing this one. She would face better than usual chances on an appeal.

I hate to end this post with a cautionary note to employees who also happen to be users of social media (which seems like a big chunk of the world's population), but be careful about what you post! As we've detailed in innumerable posts here, it can and will come back to haunt you. And when it does, the legal rules are not particularly favorable and unlikely to be of much help.
____

Eric's Comments

It's human nature for employees to joke about common challenges they face in their industry. The teaching profession is no different. Even the most dedicated and passionate teachers will joke about the never-ending and frequent difficulties they face helping students reach their potential. In some cases, this humor will take a dark and edgy turn. I love my job and I care deeply about helping my students, but I'm sure I've made remarks--both online and off--that, if subjected to cold, harsh scrutiny by outsiders, could be misunderstood out-of-context.

This case reminds us that many jobs/industries have taboo humor. In addition to this example in the teaching industry, we've seen special sensitivity to job-related "jokes" in the funeral industry (Tatro), nursing industry (Yoder and Byrnes) and EMT industry (CareFlite).

[Update: for another example of the intolerance of bad jokes in the funeral industry, see Sutton v. Bailey, 2012 WL 5990291 (8th Cir. Dec. 3, 2012), where a university funeral services director was fired for posting to Facebook: "Toby Sutton hopes this teaching gig works out. Guess I shouldn't have cheated through mortuary school and faked people out. Crap!"]

I'm sure other industries have taboos where jokes are not OK. Employees in those industries must recognize those taboos--even if they are unstated and the acceptability line is invisible--especially when posting in social media. Otherwise, they face significant social condemnation if the spotlight shines on their attempts at humor. One of the hazards of the job, I guess.

I'm especially interested that Ms. O'Brien didn't show any contrition for her posts, presumably because she didn't feel any remorse. I respect her conviction and intellectual honesty, but my reading of this opinion suggests she'd still have her job today if she had showed contrition.

____

Related posts:

* Mortuary Student Can Be Disciplined for Facebook Posts--Tatro v. University of Minnesota
* Suspension for Facebook/YouTube Rap Video Critical of High School Coach Does not Violate First Amendment – Bell v. Itawamba County School Board
* Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
* Mortuary Sciences College Student Disciplined for Threatening Facebook Posts--Tatro v. University of Minnesota
* Student Loses First Amendment Fight To Call School Officials “Douchebags” After Four Years Of Litigation--Doninger v. Niehoff
* Nursing School Can't Expel Students for Posting Photo to Facebook--Byrnes v. Johnson County CC
* Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota
* Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
* Third Circuit Schizophrenia Over Student Discipline for Fake MySpace Profiles
* Private High School Not Liable for Cyberbullying--DC v. Harvard-Westlake
* Nursing Student's Blog Post Doesn't Support Expulsion--Yoder v. University of Louisville
* Principal Loses Lawsuit Against Students and Parents Over Fake MySpace Page--Draker v. Schreiber
* Court Upholds Student Suspension For YouTube Video of Teacher
* Teenager Busted for Creating Fake "News" Story
* Facebook "Likes" Aren't Speech Protected By the First Amendment–Bland v. Roberts

[photo credit: Javier Brosch/Shutterstock -- "dog listening with big ear"]

Posted by Venkat at 06:45 AM | Content Regulation , Evidence/Discovery , Privacy/Security



January 11, 2013

Top Ten Internet Law Developments of 2012 (Forbes Cross-Post)

By Eric Goldman

I'm pleased to share my list of top 10 developments of 2012:

#10: The Push Towards Anti-Class Action Arbitration Clauses.  In 2011, the U.S. Supreme Court ruled in AT&T Mobility v. Concepcion that businesses may be able to adopt mandatory arbitration clauses that ban customer class-action lawsuits.  The ruling was hardly crystal-clear, but in its wake, many websites adopted such clauses.  Nevertheless, as the Zappos decision points out, these clauses must be adopted according to the laws governing contract formation and amendment, or they will fail in court.

#9: General Petraeus/Paula Broadwell Imbroglio.  On the surface, it's just your typical Washington DC sex scandal.  However, it had several interesting cyberlaw angles, including the attempts to hide digital conversations and Ms. Broadwell's alleged cyberharassment of Jill Kelley.  My biggest takeaway: If the CIA Director can't keep the FBI from reading his email, what chance do you or I have?

#8: Do-Not-Track Meltdown.  Everyone hoped that industry would come up with a do-not-track (DNT) standard rather than kicking the issue to Congress or the FTC.  Then, it all went to heck.  Microsoft announced it would turn on DNT by default in its browser, which prompted Internet publishers to threaten to ignore Microsoft's DNT signal.  Meanwhile, Internet publishers and others adopted a narrow definition of "do-not-track," arguing it meant no-tracking for advertising purposes, but tracking for other purposes was still OK.  The effort then devolved into acrimonious recriminations and left open the possibility that government regulators will fill the gap--to everyone's detriment.  (For what it's worth, I take a very dim view of technological do-not-track efforts for reasons I explain here).

#7: Social Media Exceptionalism.  In 2012, regulators eagerly sought to "fix" social media through regulation, but their efforts will fail because no one can precisely define social media as a subset of Internet activity.  For example, California's recent attempt to curb employers' attempts to obtain employees' social media passwords led to the astounding definition that "social media" means all digital data, whether online or off.

#6: Megaupload.  The US government proudly touted its takedown of Megaupload as a victory for Internet copyright enforcement.  Unfortunately, it appears that the takedown involved an enforcement action in which the US government repeatedly ignored or broke the law.

#5: Software Patents/Smartphone Wars.  The smartphone industry has ushered in a glorious era of innovation, but it's also highlighted how patents can hinder, not spur, innovation.  Smartphone players have spent (wasted?) billions of dollars on patents with the hope that they can operate without restriction from other players' patents, and many tens of millions of dollars have been spent (wasted?) on legal fees as the players sue each other for patent infringement and defend against interlopers with weak/bogus patents hoping for a little taste of the action.  See my essay on software patents:

#4: Europe Hates Silicon Valley.  I'm surprised whenever I read about a new European ruling that's adverse to a Silicon Valley company, because at this point I assume that everything Silicon Valley companies do in Europe is already illegal.  Google, Facebook and other Silicon Valley players are under constant legal attack in Europe on countless fronts.  Everyone might be happier if the Silicon Valley players just got out of Europe altogether.

#3: Google and Antitrust.  The FTC largely dropped its antitrust investigation against Google, and dropped it completely with respect to Google's search engine practices.  (Technically the denouement rolled out on January 3, 2013, but I'm still counting it as a 2012 development).  This is an important development for several reasons.  First, the FTC--which makes its living by bringing enforcement actions--admitted it had no reason to complain about Google's search engine practices.  Second, the scuttlebutt all throughout the investigation suggested that the FTC was committed to busting Google, and Google turned that situation around 180 degrees.  Third, not intervening in the operation of Google's search algorithm is a logical decision, but one still worth celebrating.  This was a great resolution for Google, a complete rejection of the concerns raised by Microsoft and other Google-haters, and due to the FTC's non-involvement, ultimately a big win for Google's users.

#2: ITU/WCIT's Attempted Internet Takeover.  I really didn't understand what happened in Dubai at the ITU/WCIT meeting.  All I know is that nothing good could have happened there, so preserving the status quo is a win, as ironic as that sounds.

However, there has been some teeth-gnashing that the meeting exposed looming fault lines between pro-censorship and anti-censorship governments.  I don't understand that angst for at least two reasons.  First, all governments are pro-censorship, and that certainly includes the United States.  Indeed, the US has exhibited some awkward duality as it rails against foreign attempts to censor the Internet even as both Congress and the Obama Administration exhibit a never-ending pursuit of controlling the Internet themselves.

Second, the Internet has already fractured into multiple "Internets."  The Internet in the United States increasingly bears little resemblance to the Internet in foreign countries, both because local regulators simply block certain websites and because websites localize their services to accommodate local regulation.  Plus, it's been proven that countries can simply "unplug" from the Internet.  Thus, we don't have a single unified Internet; we have many partially-overlapping Internets.  I will say more about this in a future post.

#1: SOPA's Failure.  The failure of SOPA/PIPA is not the watershed event for our republican democracy that we wished it would be.  Citizen-driven rejection of special-interest Internet legislation will not happen very often.  But as a David-and-Goliath story--the uncoordinated and oft-ignored Internet user community rising up against a well-oiled and undefeated copyright lobby--it doesn't get any bigger than SOPA.  Also, we learned something really important: American voters will acquiesce to a lot of bad and self-interested decisions by their elected officials, but voters will grab the torches and pitchforks if they think the Internet is threatened.

Honorable Mentions

Some other developments of note:

* despite the Fourth Circuit's rekindling of the Rosetta Stone case before it settled, the decade-long keyword advertising litigation battles against Google are basically over with a big win for Google and other keyword advertising vendors.  I also think we'll see trademark owner-vs-advertiser lawsuits tapering off too.

* app cloning is a big business, and we're seeing increasing lawsuits in the area, including the EA v. Zynga and TripleTown cases.

* the application of the Computer Fraud & Abuse Act is being dialed back in the employment context (see the Nosal and WEC cases).

* Oracle v. Google gave us one of the cleanest rulings to date that software APIs are not copyrightable.  The case was also interesting for the judge's investigation into the paid advocacy efforts of both Oracle and Google.

* the images of Marilyn Monroe and Albert Einstein are moving closer to the public domain.

* the IB v. Facebook ruling could be a watershed decision in spurring class action lawyers to make a buck in the name of "protecting the kids" in court.

* Web publishers can improve their defamation defenses by hyperlinking to original sources.

Most Interesting Cases

I read a lot of cases in 2012, and some of the most interesting cases I saw this year:

* Erickson v. Blake.  Music composers can create copyrightable compositions by equating the digits of the number "pi" (π) to musical notes, but they can't stop others from creating their own musical compositions based on pi's digits.

* Bland v. Roberts.  Two government employees "liked" their boss' opponent in an upcoming election; after the boss won reelection, the employees allegedly got fired for their divided loyalties.  The court (mistakenly, in my opinion) said that "liking" an item on Facebook isn't constitutionally protected speech.

* Scott v. WorldStarHipHop.  A classmate posted a video of Scott fighting with an ex-girlfriend.  Scott obtained the copyright to the video from his classmate and, as the new copyright owner, sent copyright takedown notices in an effort to scrub the video from the Internet.  This copyright acquisition scheme basically converts copyright law into a "right to forget."  In 2013, expect to see even more plaintiffs acquire copyright ownership as a way to suppress/control unflattering content about them.

* In re Heartland Payment Systems.  This is a settlement of a data security breach class action lawsuit with 130M class members.  The parties spent $1.5M to encourage class members to tender damage claims and another $270k to process the tendered claims.  A total of 290 claims were tendered, of which 11 were valid, with a maximum payout per valid claim of $175.  So the parties incurred $1.75M in transaction costs to award about $2k in damages.  Interesting.

* Augstein v. Leslie.  If you post a YouTube video promising $1M for the return of your laptop, you could actually owe $1M if someone returns your laptop.

* Olson v. LaBrie.  Facebook should bring families closer together, but in one family, photo tagging plus a snarky comment prompted a lawsuit for a restraining order.

Lists from Previous Years

Previous top 10 lists from 2011, 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

[Photo Credit: Top Ten Key // ShutterStock]

Posted by Eric at 07:25 AM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines , Trademark , Trespass to Chattels | TrackBack



January 09, 2013

Q4 2012 Quick Links, Part 2 (Privacy, Advertising, Content)

By Eric Goldman

Privacy/Security

* Knowing how the FTC is cracking down on privacy violations and deceptive persuasion techniques, it's a little jarring to see how aggressive Obama's campaign was on both fronts. NY Times (1, 2), WSJ and Time. Even if the tactics were completely legal, is it the kind of ethical behavior that the Obama administration expects to see from businesses? Kate Kaye nails it at AdAge: Obama's Approach to Big Data: Do As I Say, Not As I Do.

* Google's privacy audit disclosure mandated by its settlement of the FTC Google Buzz case. Does this look like it's a helpful document to anyone? To me, the document looks very...expensive.

* Danny Sullivan, Microsoft To Make Same Privacy Change Google Was Attacked For; No One Seems To Care. NY Times coverage.

* U.S. v. Google Inc., 2012 WL 5833994 (N.D. Cal. November 16, 2012). Court approves the FTC-Google settlement over Safari cookie tracking.

* Using sophistry, Microsoft navigates FERPA to provide cloud services to universities.

* EU Data Privacy regulators want Google to fix its integrated privacy policy.

* Google Video executives' Italian privacy conviction overturned

* In HR 6671, Congress gives Netflix the right to get users to provide advance consent to frictionless sharing. Forget the fiscal cliff; this is maximally important work for Congress to prioritize. Of course, the ECPA update—part of a quid pro quo with Netflix’s request—somehow got lost along the way.

* Murdock v. L.A. Fitness Intern., LLC, 2012 WL 5331224 (D. Minn. Oct. 29, 2012). A Facebook posting about an employee's termination isn't a privacy invasion.

* In re Platt, 2012 WL 5337197 (Bkrtcy. W.D. Tex. Oct. 29, 2012). After a physical altercation, the court made negative inferences against one of the participants for that person making their Facebook page private shortly thereafter.

* Del Vecchio v Amazon settles. Prior blog post.

* KISSMetrics settles supercookies lawsuit.

* Twitter's t.co shortened link--which Twitter automatically overlays on other shortened links--got briefly suspended, possibly because it was misclassified as a phishing threat.

Advertising

* Facebook's pay-to-promote and Sponsored Stories advertising units may create a conflict of interest with its algorithmic filtering of friends' posts: Ars Technica and George Takei. Facebook's sorta response.

* NY Times reports that advertisers are increasingly moving away from buying ads at publishers with attractive audiences and instead delivering ads via ad networks that find the targeted audiences wherever they are on the web. The result is that publishers can't charge a premium for aggregating high-value audiences because, through targeting, advertisers can reach that audience at cheaper venues. More NYT coverage of this issue.

* Wired: Facebook Is Quietly Making a Killing With Ads That Pursue You

* AdWeek interviews Google's "ad cop," David Baker.

* Internet Retailer: How Zappos balances privacy and targeted ads

* If most brands in movies are paid product placement, the logical inverse is that brands want to veto free placement they don't like.

* False advertising lawsuit against New York Law School rejected.

Content Industry

* 90% of Brazilian newspapers opt out of Google News. Meanwhile, Google threatens to cut off French publishers if France passes a law taxing Google for including them in Google News. NY Times recap of the issue.

* Blodget digs into the economics of the New York Times' newsroom.

* How cable bundling is leading to inflated cable subscription prices, mostly because sports broadcasters are overpaying sports leagues for broadcasting rights. Another reason why we don’t have cable at home.

Posted by Eric at 08:50 AM | Marketing , Privacy/Security | TrackBack



January 07, 2013

Privacy Plaintiffs in Deep Packet Inspection Case Get No Love From the Tenth Circuit -- Kirch v. Embarq Management

[Post by Venkat Balasubramani]

Kirch v. Embarq Management, No. 11-3275 (10th Cir. Dec. 28, 2012)

This is an appeal from one of the many lawsuits against IAPs for implementing the ill-fated NebuAd “deep packet inspection” system. Here’s my post on the district court grant of summary judgment in favor of Embarq: Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment. Plaintiffs do not fare any better in their appeal.

On the factual side, plaintiffs were not able to develop any evidence that (1) Embarq obtained or utilized any of the data extracted by NebuAd, or (2) the flow of data through Embarq’s system differed in any way from how data typically flowed through Embarq's system (the big exception being that the data was routed in a way that allowed NebuAd to extract data regarding plaintiffs).

Canvassing the ECPA's legislative history and context, and the fact that there’s no general federal statutory liability for aiding and abetting (absent a clear Congressional directive), the court says that Embarq cannot be held liable for any alleged ECPA violations of NebuAd. Thus, the court looks to see if Embarq violated the ECPA directly.

With respect to whether Embarq itself “intercepted” plaintiffs’ communications, the court notes the clunky application of the term "intercept" to the facts. "Interception" is defined as the "acquisition" of a communication's “contents,” but the line between "access" and "acquisition" is murky at best. The court instead relies on the portion of the definition of “device” that excludes any equipment “used by a provider of wire or electronic communication services in the ordinary course of its business.” Noting there was no dispute that Embarq only acquired the same access to the data that it had as an IAP, the court concludes that Embarq falls under this exception and can't be held liable for intercepting plaintiffs' communications.

__

Ouch. There were some mildly favorable facts to Embarq (the fact that it was paid an absurdly small amount of money for participating in the DPI test), but I still find the emphatic defense win somewhat remarkable. Privacy plaintiffs just cannot seem to catch a break.

The lack of a derivative liability concept under the ECPA is significant, and a majority of courts have said there is no derivative liability under either the ECPA or the Computer Fraud and Abuse Act. (See also Valentine v. WideOpen West Finance (another NebuAd case) and the somewhat factually bizarre CAIR v. Gaubatz which recently came to the same conclusion on the ECPA issue; the CAIR case fell through the cracks of the blogging queue.)

Interestingly, in Valentine, the district court granted summary judgment on the basis that plaintiffs failed to adequately allege any interception but left things open as to whether plaintiffs could state a claim for "disclosure" or "use" of communications under 2511. The court directed the parties to file additional briefs on this issue.

Additional coverage:

Courthouse News: ISPs Duck Class Claims of Targeted Ad Spyware
Wendy Davis: Appeals Court Sides With Embarq in Privacy Lawsuit
InsidePrivacy: Two New Decisions on the Wiretap Act and Secondary Liability
Bloomberg/BNA: ISP Falls Beyond Reach of ECPA for Role In Transmitting User Traffic to NebuAd

Related posts:

NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One
Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment

[image credit: Shutterstock/lightspring - Internet privacy and spying on line with a computer laptop and the web by hacking or cyber virus that steals your technology data and follows your social media history]

Posted by Venkat at 04:26 AM | Privacy/Security , Publicity/Privacy Rights



January 02, 2013

Section 230 Still Keeping the Pro Se Plaintiffs at Bay--Klayman v. Facebook, and More

By Eric Goldman

I'm personally committed to blogging every Section 230 case I see, but I fell off the wagon in the second half of 2012. So what better way to usher out 2012 and ring in the new year than to recap some Section 230 wins from the past 6 months? The following four cases all involve pro se litigants whose unmeritorious cases got unceremoniously swept out of court, just like Baby New Year walks Father Time out the door. In 2013, I resolve to give continued thanks to Section 230 for keeping the court system relatively free of junk lawsuits like these:

Klayman v. Zuckerberg, 2012 WL 6725588 (D.D.C. December 28, 2012). Klayman is a lawyer-plaintiff. For reasons that are unclear to me, pro se lawyer-plaintiffs fail in court at about the same rate (or worse) as the typical pro se. I find this hard to comprehend; after all, shouldn't lawyers have a better sense which legal claims are worth pursuing than the average individual litigant? Presumably, the only more knowledgeable litigants are judge-plaintiffs; I don't see many of those cases, but these usually also fail in a pretty embarrassing way. This sounds like a good area for further research.

Larry Klayman is notorious enough to have his own Wikipedia page. I'm not sure how to gauge his accomplishments because the Wikipedia page only highlights his failed lawsuits--the word "unsuccessful" shows up four times on the page, not including this lawsuit.

The case involves a user-created Facebook page titled "Third Palestinian Intifada." It's not clear from the opinion how this page harmed Klayman, but I guess it doesn't take much to provoke a lawyer to sue. While typing the complaint, Klayman's finger apparently got stuck on the "zero" key. He demanded $1,000,000,000.00--that's right, $1 billion--because Facebook didn't take down the page fast enough.

The court runs through the typical three-factor Section 230 analysis:

1) ICS? Facebook provides an interactive computer service because it maintains "a website that gives its users the ability to create, upload, and share various types of information, potentially with hundreds of millions of other users."

2) Publisher/Speaker Claim? Klayman sued Facebook for assault (!) and negligence. The court says:

the defendants' alleged conduct ascribed to them the status of publishers of information, whether by "using" the website to post certain content (i.e., publishing), id. ¶ 17, "allow[ing]" certain content to be posted to the website (i.e., deciding whether to publish), id. ¶¶ 17, 19, or by "refus[ing] . . . to remove these postings," id. ¶ 19. The defendants' potential liability is thus "derive[d] from [their] status or conduct as a publisher or speaker."

Klayman belatedly attempted the Barnes promise-based workaround to Section 230 and gets mocked:

It begs credulity that the plaintiff, a "highly visible and well known lawyer," Compl. ¶ 11, would not have included a claim for breach of contract if he contemplated such a claim as a viable possibility.

3) Were the defendants the ICPs? [note: normally this is phrased as whether the content came from third party content providers, but I think this restyling is OK in this case.] The court says:

Nowhere in his complaint or in his opposition brief does the plaintiff allege that the defendants contributed to the content of the Facebook page at issue. Rather, as described above, the plaintiff focuses on the role that the defendants played in publishing the Facebook page. [FN3] The plaintiff's own allegations are inconsistent with a finding that the defendants acted as information content providers with respect to the offensive material at issue.

FN3 is interesting. Klayman argued that Facebook collects data about its users and then personalizes their site views based on this data. The court says that even if that's true, it would just represent another form of editorial control immunized by Section 230.

Having satisfied the three elements of a successful Section 230 immunity, the court grants Facebook's motion to dismiss. This is a good outcome for Facebook, but I'm not clear why Facebook didn't make an anti-SLAPP motion under D.C.'s anti-SLAPP law. That way, Klayman would have to write Facebook a tuition check for his Section 230 schooling. Even without anti-SLAPP protection, I hope Facebook seeks Rule 11 sanctions against Klayman. We haven't seen too many courts grant Rule 11 motions in Section 230 cases (I wish they did) but Klayman's lawsuit broke absolutely no new legal ground and was doomed from inception.

A Facebook spokesperson told me: "We are pleased with the court's ruling dismissing all claims with prejudice."

Merritt v. Lexis Nexis, 2012 WL 6725882 (E.D. Mich. October 23, 2012). Merritt claimed Lexis-Nexis published false information about him. The court never explicitly says the information comes from third parties, but that's the logical inference given Lexis-Nexis' business model. The court says that Lexis-Nexis qualifies for Section 230's immunity (citing the memorable Gaston case). The court then says Merritt's claims fall "squarely" in Section 230's immunity.

Nieman v. Versuslaw, Inc., 2012 WL 3201931 (C.D.Ill. August 3, 2012). See also the magistrate's report, 2012 WL 3201935 (C.D.Ill. June 13, 2012). I've held off blogging this case because the University and I have received threats from Nieman (lucky us!). So just the facts on this one.

The court summarizes Nieman's arguments:

Between January 2009 and the date of filing this action, Plaintiff applied for one or more positions of employment. Plaintiff believes that the potential employers have performed Internet browser searches by way of Google.com, Yahoo.com, or Bing.com, and found documents related to litigation against his former employer Nationwide. Plaintiff also believes that the potential employers have used this information to disqualify him from candidacy for the applied position or have shared this information with others who have done so. In other words, Plaintiff alleges he “has been effectively ‘blacklisted’ as to employment opportunities due to the ease at which these references appear pursuant to a simple name search, and due to the unlawful acts of third parties who then use such information to unlawfully disqualify” his candidacy.

He sued Microsoft, Versuslaw, Yahoo!, Google, and Joseph W. Acton for, among other claims:

* violations of Illinois' human rights law. The court rejects the claim, saying the complaint only alleged "Defendants provided access to public information that potential employers used to deny Plaintiff employment," and that doesn't suffice.

* publicity rights. The court says:

First, the exemption from liability for using a person's identity for a non-commercial purpose, including in a news or public affairs account is applicable here. Plaintiff's prior litigation is a matter of public record and public interest. Moreover, Plaintiff's identity is not being used for a “commercial purpose” as defined by the Right of Publicity Act because his name is used only to find documents related to his case, which are part of the public record. His name is not being held out or used to entice anyone to buy a product. Under Plaintiff's theory, every person who is involved in litigation who has public court documents that can be accessed for a fee on the Internet by doing a browser search or found by using Westlaw, Lexis, Versuslaw, or any other legal research site can state a claim under the Right of Publicity Act. This cannot be the case.

* 42 USC 1981. The court says he didn't allege any discrimination on improper bases.

* Lanham Act. Nieman alleged "Defendants Versuslaw and Acton are attempting to associate Plaintiff with their for-profit website. Plaintiff accuses Defendants Google, Yahoo, and Microsoft of actively participating in “these unlawful acts ... by way of their paid search ranking and/or AdWords mechanisms.”"

Citing Stayart v. Yahoo, the court says Nieman doesn't have standing because he lacks the requisite commercial interest in his name.

* Unjust enrichment. "Defendants are not “retaining a benefit” to Plaintiff's detriment just because they are selling electronic access to public information and Plaintiff does not like the information contained in those public documents."

The court also grants Microsoft and Yahoo's First Amendment and 47 USC 230 defenses. Regarding the First Amendment, the court says "all of Plaintiff's allegations rest on the premise that Defendants' websites provide links to information that is in the public record. Plaintiff cannot show he is plausibly entitled to relief." Regarding 47 USC 230, the court says that it agrees with the magistrate report that Section 230 applies, but the judge expresses uncertainty about the immunity for the trademark and publicity rights claims because they are IP claims; and also about the RICO claim as a federal crime (the court doesn't cite the several cases rejecting its line of reasoning on that point).

Getachew v. Google, Inc., 2012 WL 3217611 (10th Cir. August 9, 2012). This case is quite similar to the Nieman case. The court recaps:

Mr. Getachew alleges that when all or part of his name is entered into Google's Internet search engine, the search results yield negative information about him. For example, Mr. Getachew was previously a plaintiff in an employment action, and he alleges that the summary judgment order in that case is available when part of his name is entered into Google's search engine. He also alleges that another Google search result links his name to a "[g]raduate position available in evolutionary systems biology."

All of this, he alleges, hurt his employment prospects. The district court said that his discrimination and Title VII claims were "frivolous" and his state law claims against Google were immunized by 47 USC 230. The appeals court upholds these conclusions. With respect to 47 USC 230, the court says "Google is immune from Mr. Getachew's state-law claims under 47 U.S.C. § 230(c)(1). Under that provision, Google cannot be held liable for search results that yield content created by a third party."

[Photo Credit: Dust Bunny // ShutterStock]

Posted by Eric at 07:38 AM | Content Regulation , Derivative Liability , Privacy/Security , Publicity/Privacy Rights , Search Engines , Trademark | TrackBack



December 31, 2012

Google's Privacy Policy Integration Initially Defeats Legal Challenge -- In re Google Privacy Policy Litigation

[Post by Venkat Balasubramani with comments from Eric]

In re Google, Inc. Privacy Policy Litigation, C 12-01382 PSG (N.D. Cal.; Dec. 28, 2012)

In a decision that should be closely watched by the Instagram plaintiffs who are complaining about Instagram’s terms of use changes, Magistrate Judge Grewal initially rebuffed plaintiffs’ efforts to challenge Google’s privacy policy changes.

Plaintiffs are unhappy about Google combining its 70-odd privacy policies into a single policy, which Google explains has the following effects:

The main change is for consumers with Google Accounts . . . Our new Privacy Policy makes clear that, if you’re signed in, we may combine information that you've provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean simpler, more intuitive Google experience.

The complaint alleges “violations of the Wiretap Act, 18 U.S.C. 2511 et seq., California’s Right of Publicity Statute, Cal. Civ. Code 3344, California’s Unfair Competition Law, Cal. Bus. & Prof. Code 17200 et seq., California’s Consumer Legal Remedies Act, Cal. Civ. Code 1750 et seq., common law breach of contract, common law intrusion upon seclusion, common law commercial misappropriation, and violation of consumer protection laws of the various states.”

The court does not get to the merits, and instead rebuffs plaintiffs on the basis that they do not satisfy the requisite (Article III) standards for standing.

The first argument for standing was that the privacy policy changes would force plaintiffs to replace their Android-powered devices. However, no plaintiff actually alleged that he or she was “forced” to replace his or her phone on the basis of the privacy policy changes.

Second, the court also questions whether Google's combining of personal information causes any (compensable) harm at all. Citing to Specific Media, a cookie case, the court says that vague ideas of “opportunity costs,” “value-for-value exchanges,” “consumer choice,” and “diminished performance” are not enough for standing.

Finally, the court grapples with the issue of whether an alleged statutory violation is enough for standing. Although the court’s resolution of this issue is not entirely clear, the court expresses doubt regarding plaintiffs’ ability to get past a Rule 12(b)(6) motion on at least two causes of action: the Wiretap Act and California’s right of publicity statute. The Wiretap Act claim probably fails because the definition of “device” excludes any equipment used by Google in the ordinary course of its business (and the statute contains a carve-out for interceptions by providers). The publicity rights claim fails because the plaintiffs simply do not allege any use of their “name, voice, signature, photograph, or likeness . . . .”

__

As I mentioned initially, Instagram plaintiffs take note! I think they will have an even harder time than the plaintiffs in this case, but they are sure to face an initial standing hurdle (regardless of how they fare on the merits).

Here is a big question that's left unaddressed, at least in the order: are Google's changes prospective only, or do they apply to previously collected data? I'm guessing the answer has to be the latter, because it seems foolish to challenge a prospective-only change. A follow-up question would be whether Google gives people the ability to wipe their old data. I don't have a ton of confidence in the FTC to resolve these issues (although the confidence level is slightly higher than in the class action system), but this all makes you wonder whether these changes have to go through the FTC hoop. My understanding was that any material changes of privacy policies have to be submitted to the FTC (or something like this)?

It's interesting to see courts continue to grapple with the question of whether a statutory violation is enough to create standing.

Also interesting to see the continuing viability of the Specific Media opinion, which did a nice job of breaking down plaintiff's abstract contentions around the loss of value to personal information arguments. I wonder if other arguments will take their place (e.g., price discrimination based on tracking) but in any event, we've seen enough cases reject this argument to know its viability is seriously in doubt.
______

Eric's Comments

What a fitting way to end 2012, much like it began: with yet another bogus privacy lawsuit against an Internet company being tossed from court early. I don't know whether I'm heartened by the way the judicial system has handled the onslaught of privacy lawsuits in 2012, or saddened by the fact that privacy plaintiffs lawyers don't seem to be getting the message. Maybe that horse has left the barn; perhaps for the rest of our careers, we're destined to see a never-ending flow of bottom-feeding lawsuits every time an Internet company sneezes. Oh joy.

Even though Judge Grewal properly flushes this P.O.S. down the toilet, it's not all hugs and kisses to Google, especially when he says:

The court observes that Plaintiffs have raised serious questions regarding Google’s respect for consumers’ privacy.

He's right, and we should have an intelligent and cogent discussion about that. I sometimes wonder about Google's practices myself. Still, no matter how angry you are with Google's privacy practices, you should be even angrier about junk privacy lawsuits that aren't intended to, and won't, advance our interests as consumers.

Related posts:

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 09:51 AM | E-Commerce , Marketing , Privacy/Security , Publicity/Privacy Rights



December 27, 2012

Court Dismisses Class Action Against Apple Over Its App Developers’ Information Collection Practices – Pirozzi v. Apple

[Post by Venkat Balasubramani with comments from Eric]

Pirozzi v. Apple, 2012 WL 6652453 (N.D. Cal.; Dec. 20, 2012)

This is one of several putative class actions over the information collection practices of apps. I previously covered how the lawsuit against Path survived: “Class Action Against Path Over Cellphone Address Book Access Keeps Going”. Judge Koh also whittled down the lawsuit against Apple over its iPhone app privacy practices: “Judge Koh Whittles Down iPhone App Privacy Lawsuit.” This lawsuit seems to overlap with both and is dismissed, albeit with leave to amend.

Plaintiff brought claims under California’s unfair competition law, for false advertising, for violations of the Consumer Legal Remedies Act, for negligence and unjust enrichment. Although it's unclear what apps she is complaining about, the following apps are mentioned in the complaint: Path, Angry Birds, Cut-the-Rope, Twitter, Facebook, LinkedIn, Gowalla, Foodspotting, Instagram, Foursquare, Beluga, Yelp!, Hipster and Kik Messenger.

Standing: The court dismisses on the basis of standing, but there were two interesting aspects to the standing discussion.

First, plaintiff cited to a bunch of somewhat persuasive marketing copy about how Apple had adequate restrictions in place regarding the collection of information by app developers. However, it was unclear as to how exactly plaintiff was induced to make a purchase in reliance of these alleged promises. The court finds that the pleadings are unduly vague about what plaintiff was induced to purchase (or download) and what statements induced the purchases or downloads.

Second, the court also notes that the pleading suffers from deficiencies regarding harm. If information was improperly collected by app developers, so what? Citing to Hernandez v. Path and Krottner v. Starbucks, the court says that future risk of identity theft is insufficient to allege harm. This leaves economic harm, and here plaintiff’s allegations were again unduly vague. In a short sentence, the court notes that the “personal information as inherently valuable” argument will be unlikely to carry the day. Still, the court grants leave to amend.

Sidenote: WSJ recently published a story about merchants offering varying prices to individuals based on targeting. I wonder if this will surface in a future standing argument. I'm guessing it will.

Section 230: I am sure Prof. Goldman will have more to say about the Section 230 issue, but here’s my take. To the extent plaintiff tries to hold Apple liable for any harm effected via apps, this will run squarely into Section 230. Apple’s only role in making the apps available is that of a publisher or distributor. (See, for example, Green v. AOL, where claims based on transmission of a virus via chatroom were held to be immunized by Section 230.) There is, of course, the promissory estoppel (contractual) carveout to Section 230 as recognized in Barnes v. Yahoo!. The claims allowed by the 9th Circuit in Barnes were fairly narrow, and it’s unclear whether any alleged contractual representations by Apple should open the door to things like CLRA claims. At least some of plaintiff’s claims should have been dismissed under Section 230 (the negligence and negligent misrepresentation claims). As to the statutory claims centered around misrepresentation, I suspect they are a bit trickier. Although the misrepresentation claims may have problems on the merits on their own, the applicability of Section 230 to those claims is a bit tougher in my estimation.

Issues on the Merits: The court also points out a few other issues with the pleadings:

1. Any claims alleging misrepresentation (unfair competition; false advertising; consumer legal remedies act) sound in fraud and therefore have to be pled with particularity. Plaintiff fails to do so.
2. Her CLRA claims are unclear as to whether they are directed at the services (the apps or the app store) or the goods (the devices). The court dismisses but with leave to amend. Applicability of the CLRA to the app store is less than clear, and the plaintiff has obvious problems alleging CLRA claims with respect to the devices (which on their own, functioned as promised).
3. The negligence claim fails. As articulated in Judge Koh’s ruling: there is no duty to protect someone’s information vis-à-vis third parties, absent a special relationship. (Again, this would have been a good candidate to nuke on Section 230 grounds.)
4. The court also says that the unjust enrichment claim fails because plaintiff does not identify how exactly Apple has been enriched by the information collection practices of the app developers.
__

In theory, plaintiff should have a hard time holding Apple liable for the information collection practices of its developers. The fact that the apps in question are free should make it particularly difficult. Because the apps are free, it's difficult to demonstrate economic harm based on download of the apps, and plaintiff is left to argue informational harm, which hasn't gained much traction in courts (absent misuse of the data that results in economic harm). With respect to misrepresentations that induced plaintiff to purchase any devices, plaintiff's qualm isn't really with the devices--it's with the app store. I don't know that the law permits you to argue you are entitled to a refund of the price of your device just because a rogue app or two happened to be out there.

On the other hand, there's some troubling marketing copy that ended up out there. It may have been wise for Apple to issue disclaimers regarding its inability to control the conduct of app developers who use its platform. As to whether it could stretch the case out, it's tough to tell, but the absence of that language would certainly have made the lawsuit an easier battle for Apple.

Related posts:

Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]
____

Eric's Comments

The plaintiffs allege that Apple offers a certification program for apps in its app store, so I understand in concept how Apple might be responsible for failed certifications. Still, I get nervous every time I see plaintiffs use a defendant's marketing representations or site disclosures as a way of getting around what should fundamentally be a 47 USC 230 immunity. The doctrinal interplay between first-party marketing representations and liability for third-party conduct under 47 USC 230 remains a legally chaotic one, and I hope the judge understands the problems with Section 230 workarounds and is appropriately sensitive to that issue.

The opinion only references 47 USC 230(c)(1), even though this seems more like a 230(c)(2) case. The plaintiffs are suing Apple for doing a poor job of filtering apps out of its app store, and that's exactly what 230(c)(2) covers.

Posted by Venkat at 11:56 AM | Content Regulation , Derivative Liability , E-Commerce , Privacy/Security



The FTC's New Kid Privacy Rules (COPPA) Are a Big Mess (Forbes Cross-Post)

By Eric Goldman

Earlier this month, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effective July 1, 2013) interpreting the Children's Online Privacy Protection Act (COPPA), and the new rules are a real mess.  They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

Rather than do that, this post considers only one aspect of the new rules, but it's crucial: is your website or app governed by the new rules?  If the rules don't apply to you, who cares how byzantine and stupid they are?

Fortunately, most websites and apps won't be newly affected directly by the rule change.  If you don't have a kid-oriented website or app, you can probably avoid the new rule easily (if you're potentially covered at all).  However, the news is less happy for vendors to kid-oriented websites or apps, including ad networks and app plug-ins, and for kid-oriented websites that haven't already complied with COPPA.

Background

Congress enacted COPPA in 1998 as part of its never-ending efforts to "protect kids online."  The statute provides extra online privacy protections for kids 12 and under unless parents consent.  The law, however, has some obvious structural deficiencies, such as:

* the law doesn't apply to teens, even though minors can't enter into binding contracts--including privacy policies.  So the statute leaves an odd gap for 13-17 year old users who aren't covered by COPPA but presumably can't agree to privacy policies themselves.

* most websites don't authenticate users' ages and can't do so easily or cost-effectively, so many websites have no idea when they are dealing with kids.

* websites don't have a reliable way to obtain parents' consent online, forcing COPPA-compliant websites to adopt costly off-line verification methods.

Combine these problems with the fact that kids under 13 usually don't have a lot of direct purchasing power, and the choice was clear for most websites: maximize profits by avoiding being covered by COPPA.

How to Avoid COPPA: the Existing Rules

Under the FTC's existing COPPA rules, it was fairly easy to figure out how to navigate around COPPA.  The rules applied to:

any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child

Thus, websites could avoid the rules in two ways.  First, if they targeted kids, they could avoid collecting personal information.  Second, if they didn't target kids, they could avoid collecting users' age information, or they could bounce any self-identified kids.  While these policies aren't ideal, they provide substantial predictability for the Internet community.

How to Avoid COPPA: the New Rules

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.  The basic rule of who is governed hasn't changed, but the details have:

Directed to Kids.  If you ask for age information and users self-report being under 13, then you are governed by COPPA because you actually know you're dealing with kids.  That's not new.  You can bounce those users to avoid "knowing" you're dealing with kids 12 and under.

However, whether or not you collect age information from users, you still might be deemed to be a website/online service directed to kids.  The new rules define this term in three parts:

*  Subpart (a) applies when site/app content appeals to kids 12-and-under.  This definition isn't new (although the factors are expanded), and we haven't seen any problematic FTC interpretations of this language to date.

* Subpart (b) applies when a service "has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children" (emphasis added).  This is intended to cover vendors/service providers to websites dealing with kids, such as ad networks or app plug-ins, but I find this language inscrutable.

* Subpart (c) applies to services that are "directed" to kids but don't target them as their primary audience.  This is a nonsense definition, because the rules define "directed" to kids as "targeted to" kids.  So how can a service simultaneously target kids but not target them as the primary audience?  This defines a null set, so the FTC made a drafting error.  (I asked the FTC about this in their Twitter chat and, characteristically, got a non-response).  Subpart (c) provides a safe harbor for these sites/apps if they (1) don't collect personal information before age verification (an impossibility under the new rules) and (2) ask users' ages and bounce users who self-report as under 13.

In its guidance accompanying the rules, the FTC implies that subpart (c) means "those sites that, based on overall content, are likely to draw a disproportionate number of child users."  Elsewhere, the FTC clarifies that subpart (c) is supposed to be good news, not bad; it says subpart (c) "create[s] a new compliance option for a subset of websites and online services already considered directed to children under the Rule’s totality of the circumstances standard."  Given their sloppy drafting, that's not actually what they said, but I'll take their word on it.

Thus, one way of reading subpart (c) is that it applies when a site/app has lots of kid users even though that wasn't the operator's goal.  On balance, COPPA would be better without this extra provision, but if my reading is right, I don't anticipate any shocking enforcement actions using this provision.

Accordingly, most websites and services that aren't governed by COPPA today should remain outside COPPA.  Still, the FTC's poor drafting on this crucial point is inexcusable, and I hope they fix it ASAP.

Collect and Personal Information.  The rules have expanded definitions of what it means to "collect" information from users and what constitutes "personal information."  Personal information expressly includes IP addresses, which every website acquires by definition, and "collect" includes "passive tracking."  It's not clear if merely capturing IP addresses in a server log qualifies as "passive tracking."  Any effort to personalize the experience based on IP address probably qualifies as passive tracking.  The FTC has made it clear that behavioral advertising on kid-oriented sites/apps definitely qualifies.

As a practical matter, once a website/service is deemed a website/service "directed" to kids, COPPA applies in all its glory (and ugliness) because the website/service collects IP addresses or related identifiers.  This especially impacts sites that currently target under-13s but don't ask users for personal information.  The new rules have such an expansive definition of personal information that all of these sites are now under COPPA's umbrella.  In mitigation, the rules provide a partial exception if the data collection is done only for "internal operations."  Presumably this would cover storing IP addresses in server logs; it also covers some other administrative and non-ad-targeting personalization activities.  In those cases, no notice or parental consent is required in advance, but even so the other obligations still apply--even if the website considers itself a pure content publisher and never tries to interact with its users.

Effects on Other Third Parties.  The new rules also more deeply reach into the relationships between kid-oriented websites and vendors/service providers to those websites, such as ad networks.  So if you are running a business supporting websites, you might be side-swiped by COPPA because your clients are now newly deemed to be kid-directed.  This is a major problem both logistically and legally.  Among other things, I think the FTC has potential problems under 47 U.S.C. 230 for trying to hold online service providers accountable for other businesses' activities, but the FTC lives in a parallel universe where they (incorrectly) believe 47 U.S.C. 230 doesn't exist.

Conclusion.  If under-13 kids aren't your target audience and you don't collect users' age information, the revised COPPA rules probably won't affect you.  If you do collect age information, rethink whether you want to do so; and if you do, definitely make sure to bounce under-13 users.

Reminder: This post isn't legal advice.  Please consult your attorney before making any decisions.
_____

December 27, 2012 Update

1) My headline declares the new regulations a "big mess," but my blog post doesn't fully support that characterization. Instead, the post explains the mess in only one small--though crucial--corner. I fully stand by the characterization that the COPPA regulations are a big mess, but my decision not to defend the broader claim was pragmatic. It took me over 6 hours to write this post initially, and I didn't have the time (or, frankly, the enthusiasm) to do similarly time-consuming deconstructions of the many other ambiguities. I trust others will be rolling out those deconstructions over the coming months.

2) Based on responses to my initial Forbes post, I'm clearer that subpart (c) does not change the interpretation of subpart (a). Instead, subpart (c) provides an option to websites/apps that subpart (a) has determined are kid-directed. I don't think subpart (c) is a very useful option because the website/app probably has to show an age verification screen immediately upon the user's arrival. (Otherwise, it's collecting IP addresses--overinclusively deemed personal information under the new regulations--from kids without parental permission). Even so, I guess more options are better than fewer. Still, I hope the FTC clarifies its language.

If your website/app isn't collecting age information (and I recommend you don't collect it if you don't need it), subpart (a) remains the crucial provision to review to determine if COPPA applies to you. The new regulations add some language to subpart (a), but I don't anticipate the FTC will use the new language in subpart (a) to chase borderline cases.

3) I've been fascinated by the press coverage typically hailing the new regulation as a "win" for kids' privacy. Perhaps that's true if all you care about is kids' privacy, but viewed more holistically, I don't see the new regulation as a clear win for kids. The new regulations provide even more reasons for websites/apps not to cater to the under-13 crowd--meaning the Internet will be less rich and resourceful for that segment of society. We saw the same dynamic when COPPA was newly enacted; the Internet literally shrank for kids under 13 immediately after those rules went into effect in 2000 (at Epinions, we found all the self-reported under-13s and terminated their accounts). Some might lament what under-13 kids lost from that constriction, but not the FTC. They didn't have any problem with the Internet shrinkage in 2000, and I'm sure they won't have any problem with it now either.

[Photo Credit: Internet Protection Concept // ShutterStock]

Posted by Eric at 08:41 AM | Internet History , Privacy/Security | TrackBack



December 26, 2012

Facebook Isn't--and Shouldn't Be--A Democracy (Forbes Cross-Post)

By Eric Goldman

In 2009, Facebook ($FB)  nominally enabled user governance by obligating itself to honor user votes before making certain site policy changes.  This experiment in user self-governance was radical and largely unprecedented--especially given the size of Facebook's userbase, which now would outrank all but China and India in population if it were a country.  Recently, however, Facebook terminated its user-governance experiment.  This post explores two hypotheses for the experiment's failure and explains why users never wanted Facebook to be a democracy.

The Mechanical Problem

Facebook promised to honor users' votes if users achieved a minimum voter turnout of 30%.  This threshold was too high by a lot--at least 30x too high, by my estimate.

Facebook logically set a high enough threshold to screen out the crazies or pranksters (see, e.g., the 28,000+ people who petitioned the White House to build a Death Star) and avoid letting a small minority interest group hijack the site from the majority.  Indeed, in the context of typical U.S. voter turnouts for government elections, 30% would be quite low.

Nevertheless, my rough rule of thumb is that less than 1% of users read any website's privacy policy.  Users don't read privacy policies for a variety of reasons: users can't understand them (they are long, dense and filled with legalese); the agreements aren't negotiable; users care more about enjoying the website's functionality than the details governing that enjoyment; and users routinely "free-ride" by relying on more motivated consumers or activists to identify and combat overreaching terms.  In Facebook's case, I'd add that its website functionality and policies change so rapidly that it's more than a full-time job to keep up.  As a result, we shouldn't castigate users for not caring more about Facebook's policies (see, e.g., this Wired story blaming you for killing Facebook democracy).  The 99%+ of Facebook users who don't read Facebook's privacy policies are behaving quite rationally.

But if I'm right that less than 1% of Facebook users have read Facebook's privacy policy, then a minimum voter turnout of 30% was off-the-charts ridiculous.  There was never any chance of that ever happening, and it was silly for Facebook to put the procedures in place.  It makes me think Facebook always intended user empowerment to be illusory--a type of democracy theater.  Robert Hof explores this aspect further.

The Conceptual Problem

An observation: no major user-generated content (UGC) websites operate as democracies.  Some UGC websites turn over aspects of their operations to trusted community members, but not the general population; and rarely are key policy questions handled on a straight majority-vote election.  Even Wikipedia, perhaps the flagship example of a major community-operated UGC website, isn't a democracy.  Wikipedia's operators reserve certain policy decisions for themselves, and community decisions require consensus, not a majority-vote.

Perhaps users don't want their UGC websites to be democracies.  Instead, I think users typically prefer "managed" website experiences.  The vast majority of users don't want to make policy decisions about how the website should work; instead, they want websites to read their minds and give them exactly what they want automatically (i.e., the "surprise and delight" maxim of customer relations).  Stated differently, users want UGC benevolent dictatorships, not UGC democracies.

Rather than imposing majority-rule on consumers, UGC websites actually empower users more by enabling users to individually configure their site experiences, such as letting users individually opt-into or opt-out of site policies or functionality.  By letting users choose what policies or functionality they want, users get a more direct payoff from their action than voting on site-wide policies.  Unfortunately, Facebook is notoriously poor about giving users complete power over their configuration choices.  For example, Facebook forced everyone onto Timeline, even users who vocally hated it, and Facebook still doesn't let users categorically opt-out of being featured in Sponsored Stories.

Admittedly, it's costly for UGC websites to give more configuration options to users, especially if it requires the website to maintain old or duplicative code.  And from users' standpoint, too many configuration options can become overwhelming (as many users already feel about the multitudinous options Facebook does provide).  Still, it's helpful to see how website individualization and personalization are more pro-user than UGC democracy.

When users can't configure their own choices, the next-best option for users isn't website democracy, it's competition.  UGC websites will remain most responsive to users' concerns when competitors are nipping at their heels.  For example, recall how quickly Facebook's tone changed after Google ($GOOG) rolled out Google+.  Unfortunately, social networking site competition isn't robust enough to meaningfully punish Facebook for its steady stream of anti-user decisions.  If we could solve that competition problem, Facebook users would get better outcomes than they would from any attempt at user democracy, faux or real.

More: A couple of my related academic papers: Wikipedia’s Labor Squeeze and its Consequences and Online User Account Termination and 47 U.S.C. §230(c)(2).
___

In response to this post, David Post commented:

"Eric, you’re being a little careless in your use of the term “democracy,” I think. A democracy is simply a polity that respects each member’s equal right to participate in formulating policies and rules. Democracy does not (as you imply) mean “majority rule” — majority rule is one of the ways that democracy can be implemented, but it is hardly the only one. To say that Wikipedia is not organized “democratically” because it operates by consensus is bizarre."

I replied:

David, that’s a good point, and you’re right that democracy takes various forms and that I principally used the term only for one implementation. Even so, I don’t see Wikipedia as a democracy–at least, not as it actually operates–for the reasons I explain in http://ssrn.com/abstract=1458162. Eric.

[Photo Credit: Yes Is the Best // ShutterStock]

Posted by Eric at 09:16 AM | Internet History , Licensing/Contracts , Privacy/Security | TrackBack



November 30, 2012

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

[Post by Venkat Balasubramani]

Sterk v. Best Buy, 11 C 1894 (N.D. Ill. Oct. 17, 2012)

The VPPA has spawned a lot of litigation over the past couple of years. One hot button area has been the applicability of the statute to online streaming services. (Netflix; Hulu). Another has been lawsuits brought by plaintiffs seeking to enforce the purging requirement imposed by the VPPA. (Redbox; Netflix). [A proposed update to the statute's consent provisions is winding its way through. See: "Why Netflix Getting What it Wants From Congress Means Your Email Will Get Warrant Protection."]

This lawsuit is a putative class action alleging that plaintiff purchased DVDs from Best Buy, and that Best Buy: (1) retained the purchase history for over a year; and (2) disclosed this information to an affiliated entity (Best Buy Co., Inc.).

No private right of action for improper retention of personal information: Section 2710(e) is a poorly worded provision that requires covered entities to purge personally identifiable information “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The Seventh Circuit in Sterk v. Redbox (same plaintiff/counsel as in this case) held that section 2710(c) does not provide for a private right of action under 2710(e): “Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information.” Given that this court is clearly bound by this ruling, plaintiff tried to get creative and argue that he could assert a claim under the Stored Communications Act which is part of the same chapter as the VPPA. Judge Kennelly considered and rejected plaintiff’s argument in Sterk v. Redbox (on remand), and the court follows suit here. Another court in the Northern District of California recently came to the same conclusion: Rodriguez v. Sony Computer Entertainment.

Plaintiffs lack standing to pursue injunctive relief: Plaintiffs also sought injunctive relief, which required the court to address the issue of standing. The court runs through the classic test for standing, but importantly says that Congress cannot create standing for injuries that do not satisfy Article III’s minimum standing requirement. The court also notes (citing to the Seventh Circuit’s opinion in Sterk, and to Van Alstyne v. Elec. Scriptorium, an email privacy case) that only plaintiffs that are “aggrieved” may seek relief under the VPPA. Here, any injury from retention is meager at best and shouldn’t support standing. Plaintiffs’ disclosure claim similarly did nothing to establish injury—the data was being disclosed to a 100% parent corporation. Plaintiffs also tried to rely on the diminution of value of their information and the fact that they allegedly overpaid for the services provided by Best Buy, but the court easily rejects these arguments.

Plaintiffs also brought a breach of contract claim. The court says that claims based on older purchases were time-barred. Claims based on later purchases were dismissed due to lack of alleged damages. Plaintiffs are permitted to replead these.

__

Claims alleging failure to purge under the VPPA represent the far extreme of privacy lawsuits. As the Seventh Circuit’s ruling from Sterk, as well as the rulings in Rodriguez and this case demonstrate, courts will not be very enthusiastic about these claims.

It’s interesting to see the court cite to the Supreme Court’s decision in First American Financial Corp. v. Edwards. Although this case dealt with standing to sue under the Real Estate Settlement Procedures Act, in advance of the ruling, many thought this case would alter the landscape for privacy lawsuits and standing. I thought it fizzled out in this regard, but maybe it has more vitality than originally thought.

Related posts:

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media
Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices -- Mollett v. Netflix

[cross-posted at IAPP's Privacy Advisor]

Posted by Venkat at 09:38 AM | E-Commerce , Licensing/Contracts , Privacy/Security



November 28, 2012

Lawsuit Over "Google Tags" Dismissed--Frezza v. Google

By Eric Goldman

Frezza v. Google, 2012 WL 5877587 (N.D. Cal. Nov. 20, 2012)

In Feb. 2010, Google introduced Google Tags, an advertising option in Google Places. Google Tags is now dead, but Google's still dealing with the aftermath. To spur adoption, Google offered free tags to Google Places merchants. There is a dispute about the offering terms. The plaintiffs thought they could get one month of unlimited tags for free; Google says the offer was for $25 off (the amount of one tag for a month). The plaintiffs are also grousy that Google allegedly didn't delete their credit card numbers after they terminated their Tags accounts.

The court dismisses all of the plaintiffs' claims, but gives them a second chance at more futility. I assume the plaintiffs will try again. The court's specific discussions:

Breach of Contract. This claim fails because the plaintiffs didn't quote the written contract terms they think bind Google.

Unjust enrichment. This claim is dependent upon, and therefore merges into, the contract breach claim.

CLRA. This is one of California's consumer protection statutes, and the plaintiffs don't qualify because they are businesses, not consumers.

Breach of Implied Contract. Plaintiffs claim they had an implied contract with Google to flush their credit card numbers. But what contract? The plaintiffs say industry standard is the Data Security Standards ("DSS") promulgated by the Payment Card Industry Security Standards Council, but the plaintiffs don't assert that Google agreed to comply with the DSS.

The court addresses a second argument:

If, as plaintiffs argue in their opposition, Google simply agreed to "handle its customers' credit card information responsibly," Dkt. No. 13, the claim still fails. Plaintiffs contend that Google breached the implied contract because it has retained the credit card information of plaintiffs after they have cancelled their subscription to Google Tags. See Compl. ¶ 60. However, retaining information does not amount to handling it irresponsibly. Without more, plaintiffs have not sufficiently alleged that Google breached a general obligation to reasonably safeguard customer information.

Customer Records Act. Finally, the plaintiffs asserted that Google breached a California statute saying a "business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business." The court says this statute doesn't require the disposal of customer records at any specific time; it simply applies once a business has decided to make the disposal.

[Photo credit: "Crisis" // ShutterStock]

Posted by Eric at 04:22 PM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines | TrackBack



November 25, 2012

Online Data Broker Need not Comply With Licensing Requirements for Private Investigators – Brown v. Intelius

[Post by Venkat Balasubramani with a comment by Eric]

Brown v. Intelius, 4:12cv00852 AGF (E.D. Mo. Nov. 21, 2012)

Intelius brokers data about individuals. The information comes from a variety of sources, including public sources. Plaintiff paid a fee and obtained from Intelius the following information regarding certain individuals:

their current whereabouts, criminal history, property ownership, social networking history, and relatives.

Plaintiff sued Intelius, including an allegation that Intelius was an unlicensed “private investigator” in violation of Missouri law (section 324.1104). The law in question (section 1000) defined the PI business as follows:

the furnishing of, making of, or agreeing to make, any investigation for the purpose of obtaining information pertaining to . . . the identity, habits, conduct, business, occupation, honesty, integrity, credibility, knowledge, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation, or character of any person.

Intelius raised several defenses, including its user agreement and Section 230, but ultimately the court interprets the plain meaning of the word "investigate" such that Intelius' services don't fit the bill (“to observe or study closely”; “detailed examination . . . study . . . research . . . official probe”). Plaintiff did not pay Intelius to study or research specific individuals—Intelius merely made information accessible to Plaintiff that was available in the databases of Intelius or its third party partners.

The court also says that plaintiff's claim has serious problems with his damages allegations. There’s no allegation that the information provided by Intelius was incorrect, and there is no authority for the proposition that plaintiff should recover (or be able to rescind the agreement) merely because Intelius hasn’t complied with local licensing laws.

In passing, the court says that Section 230 likely doesn’t apply because the claims may not relate to third party content. The court also irresolutely mentions that the statute may not provide for a cause of action. (The order does not mention First Amendment or Dormant Commerce Clause defenses, but these seemed like possibilities as well.)

__

I’m not sure what to say about this one. The least the plaintiff could have done was to be able to allege that the information provided was materially incorrect and this somehow led plaintiff astray on his investigation and resulted in a parade of horribles. Leaving aside the damages issue, it was a stretch to think that the licensure statute applied to an entity such as Intelius. Interestingly, the statute excludes a whole host of activities that would otherwise encompass investigatory functions. Perhaps a more interesting hypothetical would be if the investigation involved the use of drones or something.

I didn't initially see this lawsuit as part of the overall privacy war that is going on in courts, but Eric's probably right (see his comment below). And from that standpoint it's tough to take too seriously.

[image credit: huhu/Shutterstock / "the symbol of Sherlock Holmes"]

_____

Eric's Comment. This ruling nicely encapsulates the sad and desperate state of privacy litigation today. In their zeal to fight back on privacy, plaintiff's lawyers are grasping at straws to find some claim--any claim--that will advance their cause, no matter how farcical the result might be. (It reminded me a little of the illogical implications of the overwritten Illinois identity theft statute, which got struck down as unconstitutional). Perhaps anything is possible, but for now I'm putting this attempt in the "mockable" pile.

Posted by Venkat at 12:47 PM | Content Regulation , E-Commerce , Privacy/Security



November 20, 2012

Court Kicks Data Breach Claim Against Valve – Grigsby v. Valve

[Post by Venkat Balasubramani]

Grigsby v. Valve Corp., No. C12-0553JLR (W.D. Wash. Nov. 14, 2012)

Valve is facing a putative class action over a hacking incident involving a breach of Valve’s security system and access to the personal information of “Steam” users. (See "Valve confirms Steam hack: credit cards, personal info may be stolen.") This is an unexceptional ruling in a data breach class action: the court dismisses the claims (albeit with leave to amend).

The lawsuit was originally filed in the Central District of California, but the case was transferred to the Western District of Washington based on application of a forum selection clause in the Steam user agreement. The court analyzes the allegations of harm in two different categories:

Allegations of future harm: First, there are allegations of future harm—i.e., plaintiffs said they would have to “spend money to ‘protect their privacy’”. (quotations in original) The court says (citing to Pisciotta and Ruiz v. Gap) that these are not cognizable damages.

Allegations of present harm: The allegations of present harm fall into a few categories: (1) loss of access to Valve’s service; (2) loss of data; and (3) loss of “the benefit of the bargain”. The court says that the present harm allegations do not give rise to the same unique issues and looks instead to the general principles applicable to pleadings, and the standards set forth by the Supreme Court in Iqbal and Twombly. The court says that Twombly marked a shift, and together the two cases established a more stringent pleading requirement (the complaint must allege facts “with a sufficient level of specificity to raise entitlement to relief above the speculative level”). The court also says that the pleading requirements are particularly important in a putative class action such as this one, where the loss of a 12(b)(6) motion opens the door to discovery—which is likely to be resource-intensive and expensive for the defendant. In light of this, the court says: “plaintiffs’ complaint must rise to a higher plausibility threshold than it would if it were a garden-variety tort claim or a claim brought by Mr. Grigsby alone.” The court says that plaintiffs’ allegations fall “well short”:

[Plaintiffs] say nothing about which services were interrupted, which subscriptions or gaming networks they were unable to access, what data they ‘lost,’ how their data could have been ‘lost’ in this situation, or how they may have lost money by subscribing to Steam, which is free.

Although the court dismisses the complaint, the court gives plaintiffs 30 days leave to amend.

__

Not a surprising result. Courts have invoked Iqbal and Twombly in the past, but I don't recall courts focusing so much on the discovery burdens imposed by class actions and how this warrants even more stringent pleading standards. This is closely related doctrinally to standing, but it's just another tool courts have available to put the brakes on privacy class actions.

The plaintiff here does not appear to have suffered any effects from the misuse of his data, and this takes him outside the small category of recent cases where courts have declined to dismiss data breach claims. Any allegations based on diminution in value to plaintiff’s personal data are unlikely to gain any traction. Similarly, any allegations based on alleged deprivation of the benefit of the bargain are also unlikely to gain traction.

The court sends a pretty strong message to the plaintiff that it’s not enthused about his claims and will not let them move forward absent some more concrete allegations and more importantly, harm. We’ll see what the plaintiff comes back with. (The order does not contain any discussion of whether Valve offered standard credit monitoring services, but this obviously bears on the issue of whether plaintiff has cognizable damages.)

(h/t: PogoWasRight)

Other coverage:

Data Privacy Monitor: Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages

Related posts:

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock / budiadiliansyah ("programmer"/"hacker")]

Posted by Venkat at 07:50 AM | E-Commerce , Privacy/Security



November 18, 2012

Court Orders Password Turnover and In Camera Review of Social Media Accounts – EEOC v. Original Honeybaked Ham Co.

[Post by Venkat Balasubramani]

EEOC v. Original Honeybaked Ham Co. of Georgia, Inc., 11 cv 02560 MSK MEH (D. Col. Nov. 7, 2012)

This was a lawsuit brought by the EEOC on behalf of 20-22 persons who were allegedly subject to harassment and retaliation. Not surprisingly, the defendant-employer sought access to social media accounts of the class members. Citing to the following posts by one of the plaintiff-intervenors, Honeybaked argued that the accounts contained relevant information:

Statements that discuss her financial expectations in [the] lawsuit; a photograph of herself wearing a shirt with the word “CUNT” in large letters written across the front (a term she alleges was used pejoratively against her, also alleging that such use offended her); musings about her emotional state in having lost a beloved pet as well as having suffered a broken relationship; other writings addressing her positive outlook on how her life was post-termination; her self-described sexual aggressiveness; statements about actions she engaged in as a supervisor with Defendant . . . ; sexually amorous communications with other class members; her post-termination employment and income opportunities and financial condition . . .

The court says that the fact this type of information “exists in cyberspace . . . is a logistical and, perhaps, financial problem, but not a circumstance that removes the information from accessibility by a party opponent in litigation.” Based on the evidence cited by the employer, the court says it’s satisfied that there’s no fishing expedition. Accordingly, it orders “each class member’s social media content . . . produced.” The court proposes to use a special master, and orders the parties to collaborate and work out the specific instructions to the special master. The special master will produce information which the court will then review for relevance, and then allow the EEOC (or plaintiffs) to designate privileged material. The remaining items will be turned over to the employer.

Unfortunately, the court also mentions that class members have to turn over to the special master “all necessary information to access . . . social media websites.” The court finally says that the parties will share the costs.

__

Gak! In the realm of zany things courts consider doing (e.g., offering to friend litigants), requiring disclosure of passwords should be completely off the list. Apart from the fact that this results in disclosure of or access to the entire contents of the account (including information that is not relevant or information that is covered by the Stored Communications Act) it may result in unwitting changes to the account. Facebook offers export functionality. (See Eric’s post on this issue: A Dark Side of Data Portability: Litigators Love It.) Presumably other sites offer something similar. If not, the litigant can manually export the information. Either way, courts should never take the password turnover route. (Largent v. Reed is one example where the court ordered the password turned over; I'm sure many other such examples are out there.)

It's also worth mentioning that online conversations among class members should be avoided. They take place prior to when lawyers are involved, but these conversations are sure to contain some juicy bits that are useful to defendant.

Added: Richards v. Hertz Corp., -- N.Y.S.2d ----, 2012 WL 5503841 (N.Y.A.D. 2 Dept.), 2012 N.Y. Slip Op. 07650 (Nov. 14, 2012), reaches a similar result as to in camera inspection. There the plaintiffs suffered injuries. Defendants sought access to social media content or, in the alternative, an order precluding plaintiffs from presenting evidence as to damages. The trial court largely sided with plaintiffs, ordering plaintiffs to produce a subset of photographs (those depicting plaintiffs "participating in a sporting activity"). The appeals court reverses, saying that it was erroneous to limit discovery to just photographs--other social media content may equally be probative. Accordingly, the court orders an in camera inspection of the contents of the Facebook page of one of the plaintiffs. With respect to the other plaintiff, the court says there is no threshold showing of relevance. (Although the court doesn't specifically exclude private messages, these are not listed in the categories plaintiff is required to turn over.)

Other coverage:

Court Orders Broad Discovery of Class Members' Social Media, Text Messages & Email (K&L Gates)
Testing The Social Media Waters - Court Requires The EEOC To Produce Facebook Postings (Workplace Class Action Blog)
Court orders in camera review of injured plaintiff’s Facebook content (Evan Brown)

Previous posts:

"Social Media Discovery Case Update and Tips for Those Seeking Discovery"
"Social Media Discovery Roundup"
"Court Orders Production of Five Years' Worth of Facebook and MySpace Posts – Thompson v. Autoliv"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

[image credit: Kzenon/Shutterstock]

Posted by Venkat at 08:29 AM | Evidence/Discovery , Privacy/Security



November 15, 2012

Scribd Botches Its Frictionless Sharing Implementation...AGAIN (Forbes Cross-Post)

By Eric Goldman

I'm generally a skeptic of "frictionless sharing," such as automatically publishing to my friends a list of the articles I've read.  Frictionless sharing takes a good idea--sharing with my friends the best things I've seen in the day--and turns it into a very bad idea.  Frictionless sharing can become a way to spam my friends about the worst things I've read that day, and it can intellectually chill me from exploring marginal reading material for fear of engendering my friends' opprobrium.

Still, even if it's not a good solution for me, I don't have a problem with other folks deciding to automatically share their reading lists with their friends--so long as people make the deliberate and well-informed choice to do so.  Unfortunately, websites seemingly cannot resist enabling frictionless sharing without fully and clearly informing their users.  For example, Facebook did exactly that with its Beacon program, a bad judgment call that cost it a $9.5M settlement.

Scribd, a document hosting service, made the same mistake in 2010.  They deployed a feature called "Readcast," which lets Scribd users publicly share documents with their followers on Scribd.  Subsequently, Scribd quietly switched Readcast's default so that all documents a Scribd user read were automatically readcast.  Users could opt-out (which I did), but Scribd's notification to users was obscure enough that most users didn't notice.  After some public criticism, including my own, Scribd backed down and made automatic readcasting opt-in instead of opt-out.

After recently modifying their readcast tool, Scribd again tried to sell users on its automatic readcasting feature.  Apparently, something went wrong, however, and Scribd once again automatically readcast some users' reading lists--including mine, despite my express instructions to the contrary.  I asked Scribd's CEO, Trip Adler, what happened, and he sent me the following explanation:

We did redesign the automatic readcasting feature, and we gave a new prompt to our users to give them a chance to opt in to the redesigned feature.  But this time we decided to be very careful and make sure users explicitly opt in to the feature, as we didn't want to repeat what happened last time.
However, I'm embarrassed to say that there was a bug and a very small group of users (which included you) started passively readcasting without explicitly choosing to do so.  I apologize that this happened, and the bug should be fixed within 24 hours.  Thanks very much for bringing it to our attention.

Mistakes happen.  Having worked at an Internet company myself, I'm probably more tolerant of dot com snafus than most folks.  But the precondition for this gaffe started with Scribd overzealously trying to provide services beyond their core value proposition of hosting documents.  As Scribd tries to reach into ancillary services, it simultaneously increases the opportunities to make mistakes--and thereby make unwanted disclosures of my reading list.

I've had a long and once-positive relationship with Scribd.  My first upload was 5 1/2 years ago (April 2007), and since then I've uploaded about 750 documents that have generated nearly 700,000 reads.  I've also used Scribd to sell documents (including my Internet Law reader and my co-authored Advertising Law casebook) which have generated nearly $1,700 of royalties in the past five months.

However, Scribd's latest mistake is the last straw for me.  I'm done with Scribd.  I'm not killing my account (that would break a LOT of links) but I'm not adding anything new to it.  At this point, I can't recommend anyone use Scribd.

The last time I kvetched about Scribd, I didn't have great alternatives to recommend.  Indeed, I still can't recommend other "free" document hosting services, because all of them have gone, or are likely to go, rogue on their users.  The best option is to host all documents yourself at your own website.  That ensures maximum control over the documents, but it does mean paying the hosting costs.  The second-best alternative is to use a commercial hosting service like Box.net or Dropbox.  As the maxim goes, you get what you pay for.  In my case, as a professor, I principally use my university's hosting solution.

As for selling documents, I have been quite pleased with Gumroad.com (see my Internet Law reader and Advertising Law casebook).  Gumroad is less feature-rich than Scribd (though Scribd isn't exactly a publisher's paradise), and it's still working through some kinks in its service.  However, compared to Scribd as a paid publication platform, it has two clear advantages: (1) it's a noticeably more seamless purchasing experience for buyers, and (2) they keep only 5% of revenues (plus 25 cents), compared to Scribd's 20% rate.

[Photo credit: Share Your Story // Shutterstock]

Posted by Eric at 09:11 AM | Privacy/Security



November 05, 2012

Confirmatory Opt-out Text Message Not Actionable Under the TCPA -- Ryabyshchuck v. Citibank

[Post by Venkat Balasubramani]

Ryabyshchuck v. Citibank, 11-CV-1236 – IEG (WVG) (S.D. Ca. Oct. 30, 2012)

Ryabyshchuck filled out an online credit card application. A pop-up message displayed when he entered his information alerted him to the fact that by providing his number, he:

agree[d] to receive calls and messages, such as text messages, to service [his] account.

A couple of days later, he received a text from Citibank to the number he provided:

Free Text Msg.: Citi Cards needs to talk with you regarding your recent application. Please call 866 365-8692. To Opt-Out reply STOP.

He replied “STOP,” and promptly received confirmation that Citi opted him out from receiving additional messages:

Free Text Msg.: Per your request you will no longer receive text messages from Citi Cards Credit Dept. If you have any questions call 866 365 8962.

He sued, alleging that the text messages violated the Telephone Consumer Protection Act. The court initially denied Citibank’s motion to dismiss. (Here’s our previous blog post on this ruling: “Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank.“) However, the court recently granted Citibank's motion for summary judgment.

Plaintiff abandoned his argument as to the initial message so the only message at issue was the confirmatory opt-out message. At least one court has held that a confirmatory opt-out message does not violate the TCPA (Ibey v. Taco Bell), and this court follows suit as well. Agreeing with the conclusion that imposing liability for a single confirmatory text message would “contravene public policy and the spirit of the statute,” the court grants Citibank’s motion for summary judgment.

Nice to have that cleared up.

[NB: Ryabyshchuck has a name that even I found difficult to spell (and that’s saying something). I thought I misspelled his name in the previous blog post about the case, but it turns out I followed the court’s spelling—that ended up changing from the previous order to this order.]

Related posts:

Group Text Services Grapple with TCPA Class Actions
Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster
Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage
Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank
Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.
Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp.
Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC
Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell
Franchisor Isn't Liable Under the TCPA for Franchisees' Text Message Campaign – Thomas v. Taco Bell

[image credit: "old fashioned phone over white" earshot/shutterstock]

Posted by Venkat at 03:24 PM | Content Regulation , Marketing , Privacy/Security , Spam



October 31, 2012

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power

[Post by Venkat Balasubramani]

Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012) [pdf]

This is another data breach lawsuit. Some of the claims survive defendants’ motion to dismiss.

Purchasing Power runs a preferred purchasing (or discount purchasing) program for Winn-Dixie employees. It offers Winn-Dixie employees the ability to pay for items purchased via automatic payroll deductions. In October 2011, Purchasing Power and Winn-Dixie learned that a Purchasing Power employee had obtained the personal information of Burrows (the named plaintiff) and other Winn-Dixie employees. Burrows alleged that when he went to file his 2012 tax return, he was advised that a return had already been filed in his name, and therefore Burrows could not get the refund that he was owed. He sued Winn-Dixie and Purchasing Power, alleging negligence, violations of the Stored Communications Act and the Florida Deceptive Trade Practices Statute, and invasion of privacy.

Standing: Defendants argued that Burrows did not suffer any actual monetary loss, and Burrows had not taken up with the IRS the issue of whether he could obtain his refund--i.e., he hadn't exhausted his remedies with the IRS. The court disagrees and says that by alleging “actual identity theft,” Burrows satisfies standing, regardless of any monetary loss. The court notes that even in Reilly v. Ceridian, an Eleventh Circuit data breach case that took a narrow view of standing, the court intimated that risk of future identity theft is not sufficient but found that actual misuse of information would be sufficient.

Negligence: The court says that Burrows’ allegation “for monetary loss for the use of his PII and identity theft” sufficiently alleges a claim for negligence. However, it also says that his allegation as to the “lost monetary value of his PII” is insufficient. The court therefore grants the motion in part and denies it in part with respect to the negligence claim. I found the ruling on the negligence issue somewhat confusing, but the big takeaway is that his allegation of identity theft sufficiently states a claim for negligence.

Stored Communications Act: The court dismisses the Stored Communications Act because Burrows doesn’t allege that defendants either offer Electronic Communications Services or Remote Computing Services as defined under the SCA.

FDUTPA: The court denies the motion with respect to the deceptive trade practices statute based on several allegations: (1) defendants failed to adequately secure the PII; (2) defendants allegedly transferred the personal data of employees regardless of their participation in the purchase program; and (3) defendants failed to notify Burrows promptly of the data breach.

Invasion of Privacy: The court dismisses the invasion of privacy claim on the basis that it's an intentional tort and there was no allegation that defendants intended to compromise the employees' personal information.
__

Data breach plaintiffs have historically gotten blasted in court, but this marks the second or third ruling where the court finds standing and allows claims to move forward. What accounts for the different results? One way to explain it is that if there's actual evidence that your personal data has been misused, and this misuse is not obviously financially covered elsewhere (e.g., by a bank refund or reversal of charges), then you have enough damages to bring a claim. The risk of identity theft is still not sufficient for most courts. The claims themselves are still all across the board. In a recent California case, the court applied the rule barring recovery of economic damages absent physical injury, unless an exception to the rule (such as a special relationship) applies. The court in this case doesn't discuss this issue at all; perhaps under Florida law, plaintiff could have easily alleged a special relationship (e.g., employer/employee). It's tough to know whether this is part of a larger trend, or a few outlier rulings. Either way, this ruling is broad in some respects (in allowing the negligence claim and in finding that the mere transfer of information for all employees, or the failure to notify affected parties quickly enough, could constitute a deceptive trade practice).

The resolution of the Stored Communications Act claim is worth noting; it's an affirmation that entities that do not provide computing services to the public do not fall under the statute. I would have thought that plaintiff may have had an argument with respect to Purchasing Power, which was in the business of facilitating the purchases and would presumably deal with a fairly large segment of the public in situations involving the transfer of information between its client/employers and employees.

Most data breach rulings highlight the importance of the relationship between a company that takes in personal information and its service providers, but this ruling does more so. What looked like a perk for employees that any employer would be eager to offer its employees has now turned into a litigation nightmare (and has resulted in loss or hassle for some employees). I would hope the agreement between Winn-Dixie and Purchasing Power spells out what protections are put in place and who bears the responsibility for any data breach and related litigation. It's a fair bet that this agreement offers a less than definitive resolution of the issues, and it's likely we'll see another round of litigation between these two parties and/or their insurers.

(h/t: PogoWasRight)

Other coverage:

Data Security Law Journal: The Southern District of Florida Weighs in on Data Breach Lawsuits
InsidePrivacy: Florida Data Security Claims Survive Motion to Dismiss

Related posts:

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock / budiadiliansyah ("programmer"/"hacker")]

Posted by Venkat at 10:54 AM | E-Commerce , Privacy/Security



October 29, 2012

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

By Eric Goldman

In re Zappos.com Inc., Customer Data Security Breach Litigation, 2012 WL 4466660 (D. Nev. Sept. 27, 2012).

In January, Zappos (part of $AMZN) announced a massive data security breach affecting 24 million consumers.  As typically happens in these situations, plaintiffs' class action lawyers swarmed over Zappos for the breach, filing dozens of lawsuits.  Zappos tried to send the lawsuits to arbitration based on an arbitration clause in its user agreement.  Recently, a federal court struck down Zappos.com's user agreement, denying Zappos' arbitration request.  This is an unfortunate ruling for Zappos, because its contract--now dead--would have been quite helpful in combating this high-profile and potentially very expensive data security breach lawsuit.   More importantly, the mistakes Zappos made in its user agreement--though common throughout the Internet--are completely and easily avoidable.  This post will make some suggestions for how to avoid Zappos' fate.

Nomenclature note: "user agreement" synonyms include "terms of service"/"TOS," "terms of use"/"TOU," "end user license agreement"/"EULA," and "member agreement."

Zappos' Terms of Use Was a "Browsewrap"

Courts generally divide user agreements into one of three groups: "clickwraps," "browsewraps" and "clearly not a contract."  I don't use the term clickwrap; instead I prefer the term "clickthrough agreement."  A clickthrough agreement is presented to users in such a way that they must take some action--usually, clicking on a button--that unambiguously signifies that they are assenting to the contract.  When properly implemented, clickthrough agreements are extremely effective in courts.

In contrast, "browsewraps" are user agreements that purport to bind users simply because users browse the website.  I don't use the term browsewrap; instead, I prefer to call those documents "not a contract."  Although there are some aberrational cases to the contrary, for the most part courts do not treat browsewraps as a contract, and anyone relying on a so-called browsewrap does so at their extreme peril.

According to the court, Zappos presented its "terms of use" as a browsewrap.  You can see the implementation from this screenshot snippet above--look for the obscure link entitled "terms of use" on the left side.  (As the court notes, if you printed out the home page of Zappos.com, this snippet would be on page 3 of the 4 page printout).

The court does not have kind words for Zappos' implementation:

we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use. The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use, even those users who have alleged that they clicked and relied on statements found in adjacent links, such as the site's “Privacy Policy.”

Later, the court reinforces how unimpressed it is with Zappos' browsewrap argument:

The arbitration provision found in the Zappos.com Terms of Use purportedly binds all users of the website by virtue of their browsing. However, the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent. A party cannot assent to terms of which it has no knowledge or constructive notice, and a highly inconspicuous hyperlink buried among a sea of links does not provide such notice. Because Plaintiffs did not assent to the terms, no contract exists, and they cannot be compelled to arbitrate.

Zappos Reserved the Right to Amend the Contract Whenever It Wanted

As you can see from the screenshot snippet above, Zappos' terms of use says "We reserve the right to change...these terms and conditions at any time."  Zappos isn't the only website using language like this; it's ubiquitous on the Internet.  Unfortunately, despite its widespread usage, this language is toxic to a contract.

The court takes this amendment power to its logical conclusion.  If Zappos can change the terms at any time, then it can change the arbitration clause at any time.  Thus, citing to a long list of cases, the court says that such unilateral power to change the arbitration clause makes the clause "illusory"--and thus unenforceable.

Lessons

Zappos can hardly be surprised by this adverse judicial ruling.  We have known for years that browsewraps are unenforceable (see some of the cases discussed here) and judges clearly dislike unilateral amendment clauses (see, e.g., the Ninth Circuit's uncited Douglas ruling from 2007 and the cited 2009 ruling in the Blockbuster/Facebook Beacon case).

Still, the ruling leaves Zappos in a bad position.  Its contract is legally irrelevant, meaning that all of the risk management provisions in its contract are ineffective--its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration...all of these are gone, leaving Zappos governed by the default legal rules, which aren't nearly as favorable to it.  Losing its contract provisions leaves Zappos legally naked.

Avoiding this outcome is surprisingly easy.  Use clickthrough agreements, not browsewraps, and remove any clauses that say you can unilaterally amend the contract.

Using Clickthrough Agreements.  Zappos had an easy way to form a clickthrough agreement.  As shoppers are checking out of the store with their shopping cart, Zappos could say "By clicking the 'purchase' button, you agree to the Zappos terms of use" with a link to the document.  It's as easy as that.  No custom coding, no interstitial web pages, no real risk of abandoned shopping carts.

Even if you aren't an e-commerce site, it's still easy to form a clickthrough agreement if you have an account registration process.  Right before users complete the registration, present the terms as "By [creating an account], you agree to the user agreement" with a link to the document.

Thus, the only websites that can't easily implement a clickthrough agreement are sites that have no checkout or registration processes.  Websites in that category should carefully consider why they need a user agreement at all.

No Unilateral Amendment Clauses.  If you are changing the user agreement only for new users who enter into the contract after the change, you don't need to tell them that you've amended the terms.  They are automatically bound to your then-current terms when they click through.  If you form a contract with your users each time you interact with them (such as with an e-commerce site), you aren't "amending" your contract; you're just changing the terms for subsequent transactions.

In contrast, if you are providing ongoing services to users and you want to change the deal with them, then you need to amend the existing agreement.  Unfortunately, there is no reliable legal way to do so other than to require users to click through the new terms--an imperfect solution because many existing users never come back to the site, and other users will balk at the request.  And worse, any failed amendment creates a variety of legal vulnerabilities, so you need an airtight amendment implementation.

Thus, to develop a legally effective contract amendment process, you should brainstorm with your attorney about creative solutions that provide flexibility without breaking the law or undermining your contract.   Or, just accept that you can never materially change the contract terms for users who have signed up under a different deal.  You might be surprised how little that limits you in practice.

Either way, Zappos' loss provides a good warning about what not to do: don't just clone-and-revise the amendment provisions you've seen on other sites.  THAT DOESN'T WORK in court, and you'll be in for an unpleasant surprise if you learn that the hard way.

Disclaimer: this post is just a general discussion about legal topics.  It doesn't provide legal advice.  Consult your own attorney before making any decisions.

Posted by Eric at 09:00 AM | E-Commerce , Licensing/Contracts , Privacy/Security



October 28, 2012

Social Media Discovery Case Update and Tips for Those Seeking Discovery

[Post by Venkat Balasubramani]

I’m tired of social media discovery cases. Maybe I’m just tired of discovery (that’s civil discovery I’m talking about, not discovery in the conventional sense). Anyway, we keep seeing these cases, courts (and litigants) continue to struggle with the issues, and it doesn’t make sense to not post about them. (Here's the previous update from September 15th: "Social Media Discovery Roundup" (discussing Robinson v. Riverwalk Grill; Mailhoit v. Home Depot; and Robinson v. Jones Lang Lasalle).)

Kregg v. Maldonado, 2012 WL 4469935 (N.Y. App. Div. Sept. 28, 2012): The plaintiff’s son was involved in a motorcycle accident. The defendants (Suzuki) learned that accounts had been created on behalf of plaintiff's son, and sought the “entire contents” of all social media accounts “maintained by or on behalf of the injured party [the son].” Plaintiff objected on the basis that this was a mere fishing expedition. The court denies defendants’ motion to compel without prejudice and says that they have to come back with some sort of factual predicate and more narrowly tailored requests.

Howell v. The Buckeye Ranch, Inc., 2012 U.S. Dist. LEXIS 141368 (S.D. Oh. Oct. 1, 2012): This is a sexual harassment and discrimination lawsuit. Defendants moved to compel plaintiff to turn over her user names and passwords “for each of the social media sites she uses.” The court says (familiarly) that social media evidence is not magically off-limits, but any discovery requests must be limited by relevance. Also, a party seeking discovery “does not [have] the right to rummage through” the contents of an opposing party or witness’s social media accounts. The court tells defendants to come back with more narrowly tailored interrogatories and discovery requests; plaintiff can then respond to these requests. (Not surprisingly, no password turnover.)

In re White Tail Oilfield Services, L.L.C., 2012 U.S. Dist. LEXIS 146321 (E.D. La. Oct. 11, 2012): This discovery dispute was a back and forth between the parties and Facebook as to who could access the social media information sought by defendant. White Tail (the party issuing discovery) propounded fairly broad discovery requests that required Pellegrin (the injured party) to produce his “account data for the period of September 1, 2012, through present.” While Pellegrin could have probably objected to the scope of the discovery requests, he took the position that he couldn’t download all of this information from Facebook. Ultimately, the court recognizes that Facebook makes available a “download your information” link at which you can download the entire contents of your account. Pellegrin is ordered to do this. (See Eric’s post at Forbes on this case: A Dark Side of Data Portability: Litigators Love It).

A few comments that these cases bring to mind, in the form of tips for people who are seeking discovery--most of these comments are just based on common sense, but the cases make me wonder how much common sense people employ when seeking discovery regarding a party's social media accounts:

- make sure you have some sort of factual predicate for why you seek the information in question;
- make your requests narrowly tailored; people sometimes get away with requesting entire account information but more often than not this will be rejected;
- do not ask for passwords—people get away with this on occasion but courts shouldn’t be ordering people to turn over their passwords;
- be aware of the Stored Communications Act; the provider will almost always raise a privacy/Stored Communications Act objection to production—be aware of the SCA's contours and obtain user consent if possible (or position user consent to tee up a motion to compel);
- be precise in your requests when it comes to what type of account information you are looking for (registration information, IP logs, public content, private messages, wall posts, comments?);
- results may vary depending on who you seek the discovery from (the provider vs. the end user) (see the comment above regarding the Stored Communications Act);
- if you are seeking consent, actually draft up a form or track one down that will be acceptable to the provider;
- be aware of exporting functionality (as in White Tail)—it should not change what is discoverable, but can certainly short circuit an argument from the end user that the end user cannot obtain the information in question.

[image credit: Kzenon/Shutterstock]

Previous posts:

"Social Media Discovery Roundup"
"Court Orders Production of Five Years' Worth of Facebook and MySpace Posts – Thompson v. Autoliv"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

Posted by Venkat at 08:14 AM | Evidence/Discovery , Privacy/Security



October 24, 2012

Class Action Against Path Over Cellphone Address Book Access Keeps Going -- Hernandez v. Path

[Post by Venkat Balasubramani with a comment from Eric]

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D. Cal. Oct. 17, 2012)

This is another lawsuit alleging that apps improperly accessed address book and contact information on mobile devices. The related lawsuit Opperman v. Path is pending in front of Judge Sparks; he initially dismissed the lawsuit with some harsh words for plaintiffs, but they filed a second amended complaint. Access the dismissal order here and the amended complaint here.

The Hernandez lawsuit is pending in the Northern District of California, and some of the plaintiffs' claims survive Path’s motion to dismiss.

Standing: The court says there is no standing problem, citing among other things the “hypothetical threat of future harm due to a security risk to plaintiff’s personal information” (citing Krottner v. Starbucks).

Wiretap Act & Stored Communications Act: The court dismisses the Wiretap Act claims because the complaint fails to allege that Path “intercepted” any communications. The court reaches a similar result with respect to the SCA claims: “[plaintiffs’ address books] are not a communication to which the SCA applies.” Both of these claims are dismissed with leave to amend.

CA Anti-Hacking Law: The court denies the motion with respect to the Section 502 claim (the statute implicated in Facebook v. Power Ventures). Judge Koh (in the iPhone app class action) said that voluntarily downloading software could undermine a claim under this statute, but Judge Gonzalez Rogers does not reach the same conclusion.

CA Invasion of Privacy: Plaintiffs sued under the “wiretapping” provision of California’s invasion of privacy statute. The court dismisses this claim based on the same rationale as the Wiretap Act and SCA claims.

Unfair Competition: Plaintiffs brought claims under California’s notoriously broad (but procedurally limited) unfair competition law. The court says that plaintiffs adequately allege that Path’s conduct was either unfair or unlawful. I was surprised to see no discussion of the fact that Path’s app is free. Section 17200 limits the types of monetary remedies to restitution or disgorgement, and since plaintiffs have not paid Path any money for downloading the app, this is typically a tough argument to make.

Negligence: Most surprisingly, the court allows the negligence claims to move forward. The court says that Path has a duty to not extract plaintiffs’ personal information, not transmit it to third parties, and not store it in an insecure manner. As for damages, the court allows plaintiffs to rely on the costs of removing the tracking software and the diminished bandwidth. (Contrast this with the recent ruling in the Sony PSN data breach case: "Sony Network Data Breach Class Action Suffers Setback.")

Conversion and Trespass: The court grants the motion with respect to the conversion and trespass claims. According to the court there is no allegation of a “wrongful disposition” of plaintiffs’ property. Similarly, the court says that there’s no allegation of impairment (as required under Intel v. Hamidi) to support a claim for trespass.

__

This is a bummer for Path, which must now deal with discovery on a bunch of claims. It will be interesting to see whether it will take a hard line and try to get this thrown out at the summary judgment stage.

The ruling is confusing on a bunch of levels. On the one hand the court says that the impairment to plaintiffs’ device is de minimis. On the other hand, the court says that it’s sufficient for a negligence claim. This is just one example of the schizophrenic instincts that seem to inspire the ruling.

The idea that Path has an obligation to safeguard plaintiffs’ information that can be enforced by plaintiffs in advance of any breach and resulting damage is certainly new. This is similar to the theory embraced by the FTC, which is currently going after Wyndham Hotels. This is a sketchy enough theory when used by the FTC--an entity that ostensibly has a broader mandate that may include going after conduct that adversely affects consumers, even when there is no present harm--but the idea that a private plaintiff can use this theory is wacky. The FTC's case against Wyndham Hotels was at least precipitated by a data breach; there's no such allegation here.

It’s downright painful to see plaintiffs (and the court) contort themselves to slot Path’s conduct into legal causes of action. At the end of the day, Path dropped the ball as far as informing users about how and when it would access their contact information. It used the information to suggest users or allow end users to “find their friends” on Path. It may have done more (and there are vague allegations of improper tracking in the court's order), but most importantly, it did not use that contact information to do what companies sometimes do—send out spammy communications. Maybe Path deserves a slap on the wrist, but the price it ends up paying (which will go mostly to plaintiffs’ lawyers) will most certainly be out of proportion to any harm it caused.
____

Eric's Comment. To me, this case reinforces the irony of privacy class action lawsuits. Consumers almost certainly will get no meaningful benefit from the lawsuits against Path even if they "succeed," but the lawsuits will produce plenty of (wasted) motion and perhaps a fat payday for the agitating lawyers. Most disappointing is that Judge Rogers was incredibly--and, in my opinion, overly--cautious about dismissing weak causes of action. She repeatedly pointed out defects in the claims but didn't dismiss them. If judges don't decisively kill bad lawsuits early, lots of socially wasteful activity ensues.

____

Other coverage:

Wendy Davis (MediaPost): "Judge Allows Privacy Lawsuit Against Path to Proceed"

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 07:40 AM | Privacy/Security , Trespass to Chattels



October 21, 2012

Q3 2012 Quick Links, Part 3 (Advertising, Privacy, Consumer Protection)

By Eric Goldman and Jake McGowan

Advertising

* Marketing Land: Google Results Position: How Much is First Place Really Worth?

* Tom O'Toole recaps the ubiquity of text messaging marketing by NHL teams...and their need to clean up their privacy compliance.

* AdAge: Web Ads Target Based on What You Watched on TV

* CLRB Hanson v. Google settlement checks went out, and they are mockably small. Prior blog post.

* National big-brand advertisers may be skeptical of Facebook's results, but some mom-and-pop businesses are loving "F-commerce." Just remember, as the article says, "business owners should be aware that they do not own their Facebook pages — Facebook does, and it can change the appearance and rules whenever it wants."  See, e.g., Complexions v. Complexions Day Spa (N.D.N.Y. 2011); Lown v. Piggy Paint (W.D. Mich. 2012).

* NAD: “weight-loss success stories ‘pinned’ to [Pinterest] represent consumer testimonials and require the complete disclosure of material information. NAD further noted its appreciation that Nutrisystem took immediate steps to provide such disclosures.”

* Cases against law schools for false advertising are making little progress:
- Phillips v. DePaul University: Another case over law school’s employment statistics tossed.
- Macdonald v. Cooley. Rebecca’s coverage.
- Compare the California cases. Rebecca's coverage.

* Oracle America, Inc. v. Google Inc., 2012 WL 3854012 (N.D. Cal. Sept. 4, 2012):

"The Court takes this opportunity to state that it will take no further action regarding the subject of payments by the litigants to commentators and journalists and reassures both sides that no commentary has in any way influenced the Court's orders and ruling herein save and except for any treatise or article expressly cited in an order or ruling."

Prior blog post.

Related:

- San Jose Mercury News: Microsoft and Google battle for influence in the policy shadows
- Google vs. Microsoft: See who’s clashing behind the scenes.
- Paul Levy: Judge Alsup’s “Identify Your Shills” Order.
- Spiegel: "Search engine giant Google officially opens its hip new Berlin office this week. But the company has long been active in the German capital in its bid to influence government Internet policy. Its subtle approach to lobbying involves building an opaque network of PR professionals, activists and academics -- and its efforts are paying off."

* Australia expects advertisers to clean up their users’ Facebook comments at least once a day.

* Swatch, S.A. v. Beehive Wholesale, L.L.C., 2012 WL 3578942 (E.D. Va. August 16, 2012):

“The sole overlap in the Parties' advertising is their use of the internet, in particular their internet stores. But that is no overlap at all. Though Swatch maintains a page on Facebook and a Twitter account, there is no evidence it purchases advertisements on any website. Neither does Beehive. The parties simply maintain stores on their corporate websites where individuals can purchase their products. When taken alone, however, internet stores are no more of an advertisement than a brick and mortar store front."

* More allegations of “pay for play” against Yelp.

* WSJ on how movie studios are getting smarter about social media marketing and dealing with online word of mouth.

Privacy

* TechCrunch: 5 Design Tricks Facebook Uses to Affect Your Privacy Decisions.

* Wired: Your Website Comes From 1,000 Places. Here’s How to Map Them.

* Incorp Services Inc. v. IncSmart.Biz Inc., No. 11-CV-4660-EJD-PSG, 2012 WL 3685994 (N.D. Cal. Aug. 24, 2012). Competitive click fraud doesn't violate the Computer Fraud & Abuse Act.

* Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit. I can imagine this department has only one raison d'etre: to crack skulls in Silicon Valley. Something to look forward to.

* Neeley v. NameMedia, Inc., 2012 WL 3135717 (W.D. Ark. August 1, 2012): Another loss in this ongoing saga, this time on grounds of res judicata and failure to state a claim.

* FTC Backs $22.5M Google Settlement Over Safari: Reuters. FTC. Recap of FTC’s Twitter chat on the Google settlement

* FTC Seeks Comments on Additional Proposed Revisions to Children’s Online Privacy Protection Rule

* Illinois Bill 3782: Another state restricts employers' access to employees' social media login credentials. Prior blog post on California's similar law.

* Denouement of IMS v. Sorrell: Vermont is writing a $2.2M check to the statute challengers for attorneys’ fees. Vermont taxpayers got an expensive lesson in how their legislators can waste a lot of their money trying to suppress targeted advertising.

* FTC approves the Facebook settlement.

* FTC Finalizes Privacy Settlement with MySpace.

* The Deal Pipeline: "[Joshua] Wright is the first member of the social media generation nominated to the FTC and it will be interesting to see how the Democratic-controlled Senate reacts to his online prolificacy."

Consumer Protection

* Drew v. Equifax (9th Cir. Aug. 7, 2012): identity theft victim's lawsuit against credit reporting agencies revived.

* The ALI is starting up a project on a Restatement of Consumer Contracts.

* NY Times: Does price discrimination make consumers victims . . . or winners?

* Consumer Financial Protection Bureau makes $165M bust of Capital One. New cop on the beat.

* NY Times: After the big antitrust settlement by Visa and Mastercard, will there be any real changes for either merchants or consumers?

Posted by JakeMcGowan at 08:24 AM | Marketing , Privacy/Security | TrackBack



October 20, 2012

9th Circuit Zings Best Buy Over Robocalls – Chesbro v. Best Buy

[Post by Venkat Balasubramani, with a comment from Eric]

Chesbro v. Best Buy Stores, L.P., No. 11-35784 (9th Cir. Oct. 17, 2012) [pdf]

The Ninth Circuit has issued a few consumer-favorable rulings in the unsolicited text and phone call realm. Here is another one.

Chesbro bought a computer at Best Buy and provided his telephone number. Best Buy says that he also signed up for Best Buy's “Rewards Zone Program.” Chesbro says he knows nothing about the program, and if he signed up to enroll, he did so unwittingly.

Then, the robocalls started. Chesbro says he received “more than five, less than a dozen” calls from Best Buy following his computer purchase. Chesbro complained to the Washington AG’s office after receiving one particular call. He also called Best Buy and told them to put him on their internal “do not call” list. (He was also signed up on the national “do not call” registry, but that doesn’t seem to have been very effective.) Finally, the straw that broke the proverbial camel’s back:

This is a very important message regarding the Best Buy Reward Zone program. We’re making some changes to increase the security of the program and be more environmentally friendly. Please listen to the entire message and then go to MyRewardZone.com for details and to update your membership.

The following changes take effect October 31st, 2009 …

For full details and to make sure you’re ready for these changes, go to MyRewardZone.com.

If you would like to hear this message again, press 9
Thank you for your time — and for being a valued Reward Zone program member.

Chesbro sued, asserting claims under the TCPA and Washington’s do not call statute. The TCPA allows the FCC to exempt certain commercial calls that do not adversely affect the privacy interests protected by the TCPA and do not contain unsolicited advertisements. The FCC promulgated rules but said that “dual purpose” calls—calls where a company may inquire about the customer’s satisfaction or otherwise provide customer-service information but also offer to sell additional goods or services--are advertisements and subject to the prohibitions of the TCPA.

Best Buy says that the calls were purely courtesy calls or informational calls. The court disagrees:

The robot-calls urged the listener to “redeem” his Reward Zone points, directed him to a website where he could further engage with the RZP, and thanked him for “shopping at Best Buy.” Redeeming Reward Zone points required going to a Best Buy store and making further purchases of Best Buy’s goods. There was no other use for the Reward Zone points.

The court says that the absence of any reference to products or services is not determinative. The court also allows Chesbro’s claims under the Washington version of the TCPA to move forward.

__

Ouch. The court’s conclusion that the calls are advertisements only leaves room for Best Buy to argue consent, and that doesn’t seem like a particularly easy argument to make. (See Citibank; Thrasher-Lyon v. CCS Commercial.)

As a consumer, I applaud the court’s privacy-friendly approach. I (like everyone) can’t stand robocalls. But the court's interpretation doesn't leave much room for "informational calls" that are not advertisements. Maybe this is the right approach, as a "purely informational" or customer service call from a corporation is about as real as a unicorn. Perhaps what ultimately swayed the court is Best Buy’s mule-like refusal to honor Chesbro’s numerous opt-out requests. It’s a given in today’s day that the right hand of the corporation will never talk to the left, but that is very likely what could have tipped the scales here.

I've long advocated leaving text message-based marketing out of the marketing toolbox (due to the risk of liability). Perhaps it's time to add robocalls to the list.

Added: I thought it was worth mentioning Stern v. Bluestone, a 2009 decision from New York's highest court tackling this issue in the context of unsolicited faxes sent by attorneys: "N.Y. High Court Finds Attorney's Unsolicited Faxes Did Not Violate Communications Act."

Of interest: “The Federal Trade Commission (FTC) is challenging innovators to create solutions that will block illegal robocalls.” $50,000 bounty!
___

Eric's Comment: Following the Dex v. Seattle case we'll be blogging about soon, this is a second Ninth Circuit case this week attempting to make legal distinctions between editorial content and advertising. As I indicate in the upcoming Dex post, there are simply too many border cases for that distinction to remain coherent. Consider this: this week, the Ninth Circuit held that Yellow Pages are editorial content and a reminder about expiring loyalty points is advertising. Good luck rationalizing those conclusions!

Related posts:

"Court Allows Text Spam Class Action Against Voxer, a Cell Phone Walkie-Talkie App -- Hickey v. Voxernet"
"Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell"
"Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation"
"Group Text Services Grapple with TCPA Class Actions"
"Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank"
"Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc."
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."
"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"
"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"
Telephone Numbers as Identity Authenticators--Abrams v. Facebook

[image credit: John T. Takai / Shutterstock]

Posted by Venkat at 09:38 AM | Content Regulation , E-Commerce , Marketing , Privacy/Security , Spam



October 17, 2012

$1 Billion Pro Se Privacy Lawsuit Against Google Fails--Shah v. MyLife

By Eric Goldman

Shah v. MyLife.Com, Inc., 2012 WL 4863696 (D. Or. September 21, 2012) (magistrate's report and recommendations). On October 11, 2012, the judge approved the magistrate's report only on subject matter and personal jurisdiction grounds. The initial complaint.

This year, I have seen a spike in the number of pro se lawsuits against Google and other Internet companies basically claiming that it's illegal for them to publish the plaintiff's name or other personal information online. We might characterize these lawsuits as an attempt to synthetically manufacture a "right to forget," or we could just put them into the crazy bucket. I've seen so many of these lawsuits that I haven't had a chance to blog them all; I'm still sitting on at least two interesting rulings from summer (the Getachew and Nieman cases) that I hope to blog eventually.

Shah's complaint is so sparse and ambiguous that it's hard to know exactly what the beef is about. The magistrate judge tries to summarize that Shah sued:

MyLife.com, Inc., and Google, Inc., and several of their officers, as well as “XYZ Corporation(s) and John Does(s),” for a minimum of $1 billion damages because they listed her and her “family members' names, ages and places in which they live” on the internet without permission and “are in a business of selling private information to third parties.”

A billion dollars would be nice. Sign me up for that!

In response to this framing of Shah's complaint, the magistrate dismisses the complaint for lacking federal subject-matter jurisdiction. The magistrate says:

Plaintiff alleges only that defendants have violated the “commerce laws of the United States of America and our fundamental right of privacy.” Complaint, ¶ 4. This allegation is nothing “more than an unadorned, the-defendant-unlawfully-harmed-me accusation” which is insufficient to state any claim, let alone a federal claim.

In a portion of the magistrate report not adopted by the supervising judge, the magistrate says the complaint also fails under 47 USC 230:

Although she does not allege the source of that private information, it is reasonable to infer that defendants obtained it from third parties. Thus, the two corporate defendants, as well as their agents, cannot be sued for simply republishing information provided by third parties, including any claim under state law for invasion of privacy by an internet posting of personal information obtained from another party.

Even if the ruling isn't surprising or all that enlightening, the lawsuit nevertheless deserves instant classic status based on this gem of an allegation in the complaint:

"Person's privacy is a priceless pristine pearl not for public purchase or procurement."

Wow. Just wow.

Photo credit: Raywoo / Shutterstock

The case also demonstrates why I remain so adamantly opposed to any new privacy rules, such as a "right to forget," that contain private causes of action. I've already explained that we should not cheer privacy class action suits, but in addition, we should also fear the volume of meritless pro se complaints that will inevitably follow. Already, even when there's no legitimate basis whatsoever (and in some cases a $350 filing fee hurdle), we're seeing a groundswell of "right to forget" pro se complaints. Can you imagine the volume of complaints, and the associated adjudication and defense costs, if the pro se litigants' arguments could assert a legitimate legal doctrine? The lawsuits likely wouldn't be any more meritorious, but the costs of weeding them out would go up substantially. Even if the new cause of action might protect the interests of some legitimate plaintiffs, these costs would make it a bad deal for society overall.

Posted by Eric at 09:20 AM | Derivative Liability , Privacy/Security | TrackBack



October 15, 2012

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Networks

[Post by Venkat Balasubramani]

In re Sony Gaming Networks and Customer Data Security Breach Litigation, 2012 WL 4849054 (S.D. Cal.; Oct. 11, 2012)

This is a class action arising out of a hack of Sony’s online gaming network. The hacks commenced on April 16 or 17, 2011. When Sony discovered that its networks had been compromised, it took some networks completely offline (for up to a month). Approximately 10 days later, Sony acknowledged that customer information had been compromised and said that it was “reviewing options.” Ultimately, Sony offered its consumers:

free identity theft protection services, certain free downloads and online services, and ‘[said that it would] consider’ helping customers who [had] been issued new credit cards.

Plaintiffs’ lawyers readied their engines and filed multiple class actions that were consolidated in the Southern District of California. (The page listing counsel is worth a look--there were 100s of lawyers involved!) Sony brought a motion to dismiss. The court grants the motion, with leave to amend.

Standing: Citing Krottner v. Starbucks, a case where employee data was stolen from a laptop, the court says that plaintiffs satisfy standing. The court does find that plaintiffs failed to allege any basis for standing as to two Sony entities, but Sony doesn’t have any luck overall kicking the lawsuit on the basis of standing.

Negligence: As to plaintiffs’ negligence claim, the court says that, absent accompanying physical harm, a plaintiff cannot recover for “purely economic loss” in negligence (under California law). In order to get around the economic loss rule, plaintiffs have to plead either the existence of a “special relationship” or allege that they suffered physical or property damage. The court finds that plaintiffs failed to adequately allege facts regarding the exception, but gives them a chance to re-plead. The court also hammers plaintiffs on whether they have alleged cognizable injury for negligence purposes:

without specific factual statements that plaintiffs’ personal information has been misused, in the form of an open bank account, or an un-reimbursed charges, the mere ‘danger of future harm, unaccompanied by present damage, will not support a negligence action.’

Ouch. For good measure, the court also says plaintiffs’ allegations that their consoles have lost value as a result of the data breach are “illusory.”

Consumer protection act claims: The court dismisses the consumer protection act claims brought by the out-of-state plaintiffs. For in-state plaintiffs, to have standing, plaintiffs have to show that they lost “money or other property.” The court rejects each of the plaintiffs’ arguments that they lost money or other property as a result of the breach: (1) heightened risk of injury and money spent allegedly remedying this is not sufficient under unfair competition statutes (citing the iPhone App Litigation and Ruiz v. Gap); (2) interruption of service and damage to the value of their consoles is similarly too speculative; and finally (3) diminution in the value of their consoles isn’t a credible allegation (and one that plaintiffs disavowed at oral argument).

Even if plaintiffs had standing, they had to point to statements by Sony that are “likely to deceive” a reasonable consumer, and show that consumers actually relied on such statements. Even if they get past this hurdle, they fail to point to what type of injunctive relief they would be entitled to; they don’t have restitution available as a remedy because plaintiffs did not pay Sony money for something that they didn’t obtain the benefit of.

Separately, the court says that plaintiffs do not have a cause of action available under the Consumer Legal Remedies Act because the transaction (access to the PSN) did not result in a sale or lease and even if it did, access to PSN is not a “good or service” for purposes of the CLRA (citing Ferrington v. McAfee).

CA Data breach statute: Plaintiffs also brought claims under California’s newly enacted data breach statute [pdf]. This statute requires businesses to notify affected consumers of data breaches “in the most expedient time possible and without unreasonable delay.” The court says that only California residents can bring this cause of action. With respect to these plaintiffs, the court says that the savings clause insulates Sony’s actions. Section 1798.84(d) says that unless there’s an allegation that the defendant acted willfully, the defendant company is totally insulated if it provided the known information within 90 days of when it had knowledge that there was a breach.

Bailment: Plaintiffs finally brought a cause of action for bailment, which is where you deposit personal property with someone (and they are required to return it to you?). The court says that the intervening act of a third party malfeasor makes it hard to hold Sony liable, and in any event, it’s difficult to see how plaintiffs “deposited their personal property” with Sony.
__

This is another in a long line of cases rejecting claims brought by data breach plaintiffs. Although the court gives plaintiffs leave to amend their complaint, they don't have an easy task amending to remedy the deficiencies. In particular, application of the economic loss rule will make it tough for plaintiffs to bring negligence claims. The consumer protection act claims also have built-in procedural challenges in a situation such as this, where plaintiffs are not complaining about a straightforward money-for-goods/services transaction in which consumers were injured. There's the final recurring issue that's common to all of the data breach cases: plaintiffs have to come forward with some credible injury or out-of-pocket loss, and an apprehension that your data will be misused is generally regarded as insufficient.

It's worth contrasting the result here with a recent opinion in a data breach case from the Eleventh Circuit (Resnick v. Avmed). (See posts from David Navetta and SC Magazine on this ruling.) In Avmed the Eleventh Circuit reversed the district court's dismissal of claims brought by data breach plaintiffs, but noted that the named plaintiffs alleged that their information had actually been misused:

Curry's . . . information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's . . . information was used to open an E*Trade Financial account . . . .

In contrast, in this case, the court notes that allegations of misuse of the data were missing ("without specific factual statements that plaintiffs' [information] has been misused . . . the . . . danger of future harm, unaccompanied by present damage, will not support a negligence action").

These cases raise a couple of questions. Are these class actions going to end up consisting of classes of individuals who have had their information misused in some way? Second, does it matter whether these expenses or losses are unreimbursed? If someone opens a bank account in an end user's name and ultimately the bank cancels the card and all of the charges, does the hassle and expense of dealing with the situation count as compensable damages?

The court's conclusion on the California data breach statute is significant given the dearth of rulings (if any) under this statute. [I was slightly confused by the court's application of 1798.84(d), as this appeared to me to be a provision of California's "Shine the Light" statute.]

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock / budiadiliansyah]

Posted by Venkat at 08:18 AM | E-Commerce , Licensing/Contracts , Privacy/Security



October 11, 2012

The Proposed "Cloud Computing Act of 2012," and How Internet Regulation Can Go Awry (Forbes Cross-Post)

By Eric Goldman

Sen. Amy Klobuchar has introduced a new bill, the "Cloud Computing Act of 2012" (S.3569), that purports to "improve the enforcement of criminal and civil law with respect to cloud computing."  Given its introduction so close to the election, it's doubtful this bill will go anywhere.  Still, it provides an excellent case study of how even well-meaning legislators can botch Internet regulation.

What the Bill Does

From its 1980s origins as a law restricting hacking into government computers, the Computer Fraud and Abuse Act (CFAA) has morphed into a general-purpose federal law against trespassing on anyone else's computers.  With that breadth, the CFAA extends to a wide variety of activities, ranging from data scraping (see, e.g., EF Cultural Travel v. Explorica) to fake profiles (see, e.g., the Lori Drew prosecution related to Megan Meier's death) to ex-employees walking out the door with competitively sensitive information (see, e.g., US v. Nosal and WEC v. Miller).

The proposed bill's main substantive provisions attempt to give "cloud computing services" extra protections under the CFAA.  First, the bill says that each unauthorized access of a cloud computing account counts as a separate CFAA offense.  Second, the bill specifies a formula for computing losses in CFAA violations involving cloud computing services, setting a minimum floor of $500 loss per affected cloud computing account.

Problems with the Bill 

The CFAA is Already a Mess.  Good luck trying to read the CFAA's text.  Constant amendments over the years have created spaghetti code.  This bill adds only slightly to the CFAA's overall lack-of-tidiness, but every incremental amendment makes the CFAA more unwieldy.

The Definition of "Cloud Computing Service" is Incoherent.  The bill seeks to protect cloud computing services, but what are those? Check out the bill's definition:

the term "cloud computing service" means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.

What???  This sounds more like a vendor's sales pitch than a basis for criminal prosecution.  We can reinforce the definition's weakness by trying to determine what isn't a cloud computing service.  Every user-generated content website seems to qualify; but so should every online bank.   In fact, this definition of cloud computing service probably becomes co-extensive with the Internet generally.

To be fair, the failed definition isn't totally the drafter's fault.  I don't think it's possible to define "cloud computing service" precisely.  Tip to legislators: if you can't clearly define the subject matter of your legislation, you're probably doing something wrong.

What's the Problem That Needs to Be Solved?  I can't figure out how the proposed amendments address any problem we're seeing in the field.  It's possible I've missed some relevant case, but I can't think of a single case I've seen where the CFAA underprotected a cloud computing service or this legislation would have changed the outcome.  Seeking some clarity, I submitted a press inquiry to Sen. Klobuchar's office last week and got no response.  So I have no idea what problem this bill purports to solve.

Implications

This bill exemplifies several ongoing problems with efforts to legislate the Internet:

1) Legislative grandstanding.  It's flashy for legislators to tell their constituents that they are fighting hard to protect emerging technologies like "cloud computing."  But legislators rarely understand cutting-edge technologies, and usually rapidly evolving technologies are poor candidates for legislative intervention.  So legislators' efforts to push buzzword-laden legislation are often more for show than substance.

2) Regulatory exceptionalism.  As I explain here, legislators keep creating new "exceptionalist" rules for subsets of the Internet ecosystem--online dating sites, social networks, cloud computing services, etc.  We saw how well that worked in California's effort to ban employers from asking employees for social media login credentials.  California so utterly failed at defining "social media" that it simply covered the entire Internet...and all non-networked electronic data too!  Yet, legislators seemingly haven't learned from their colleagues' repeated failed efforts to precisely define the contours of some Internet subcommunity.  The proposed CFAA amendment, and its gibberish definition of "cloud computing service," exemplifies this.

3) Code proliferation.   For every problem, real or perceived, legislators think they can fix the problem with more regulatory code.  But the manufacturing of new legal code exacts a toll of its own.  This bill increases the CFAA's complexity with minimal or zero commensurate benefit.  If Sen. Klobuchar or anyone else really wants to "fix" the CFAA, a good start would be to reduce the law's length, organize it better, and reduce its implications for users' ordinary Internet activity.

Posted by Eric at 10:58 AM | Content Regulation , Internet History , Privacy/Security | TrackBack



October 05, 2012

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

[Post by Venkat Balasubramani]

Deacon v. Pandora Media, Inc., 2012 WL 4497796 (N.D. Cal.; Sept. 28, 2012)

The plaintiffs sued Pandora for improperly disclosing their “listening history” and related information (bookmarked tracks, stations, recent activity, and bookmarked artists). Plaintiffs alleged that Pandora disclosed this information in violation of Michigan’s version of the federal Video Privacy Protection Act (VPPA) to other Pandora users, non-subscribers, and finally through Facebook integration to their Facebook friends. Judge Armstrong of the Northern District dismisses the lawsuit. Although the dismissal is without prejudice, the judge sends a signal that this lawsuit is probably dead.

Standing: Pandora argued that plaintiffs lacked standing. The court says a violation of a statutory right is sufficient to confer standing, and statutes may confer standing without the showing of actual damages. Here, the language of the statute says that anyone whose information is disclosed in violation of the statute can bring a claim for actual damages or $5000, whichever is greater. So there’s no standing problem.

Statutory violation: The key question was whether Pandora engaged in “selling . . . , renting, or lending . . . sound recordings.”

The court looks to the dictionary definition of the term “renting” and says it means: the payment of consideration in exchange for “use” of something. Here, Pandora selects the song, streams the song, and deletes the song after it’s streamed. Plaintiffs don’t “use” the song in the conventional sense of the term. The court also looks to Pandora’s terms of service which say that users can’t do anything with the song (edit, change, store, or alter it in any way). Additionally, listeners have to listen to it through Pandora.com or a Pandora-supported device.

The court comes to a similar conclusion with respect to the term “lend” (to allow for temporary use of something “on the condition that the thing . . . be returned”). Each song is placed temporarily in the user’s hard drive and there’s nothing returned to Pandora after the song is played. Once the song is over, “the song file is deleted from the subscriber’s computer by Pandora.” The user doesn’t "return" the song.

The plaintiffs’ claims with respect to the disclosure of sales also fail. Pandora doesn’t sell any songs to users—it provides links where people can click through and buy songs. There also were insufficient allegations that Pandora even disclosed any items purchased by plaintiffs, whether through the referral links or otherwise.

Copyright law: Pandora also made the creative argument that copyright owners had the exclusive right to distribute the songs and transfer ownership by sale, transfer, lease (etc.). Here, Pandora obtained a license to stream the songs and the license was limited to a public performance license. Pandora did not have the right to do anything more with the underlying content and thus could not grant any of these rights to users. The court likes this argument.

CPA: The court also dismisses claims under the Michigan Consumer Protection Act, saying that a class-based complaint requires an allegation of actual damages under Michigan case law.

__

While the VPPA only covers “video cassette tapes or similar audio visual materials,” states have added their own protections to the mix. California, for example, enacted the Reader Privacy Protection Act. (See Eric’s post on that statute and its possible breadth here.) There’s an argument to be made that music should be treated differently from books and videotapes because books and videotapes typically provide more insight into a person’s intellectual direction and shouldn’t be disclosed to third parties without consent. In any event, the Michigan statute covers “sound recordings” so music obviously comes within this definition.

There is of course a big question about whether the Michigan statute (which was enacted more than 20 years ago) was even intended to apply to services such as Pandora. The answer has to be no, but the court gets to this result by analyzing the text of the statute with copyright licensing concepts overlaid on top. In contrast, the Hulu decision from a couple of weeks ago denied Hulu’s motion to dismiss. The differences in text between the VPPA and the Michigan statute probably account for this variation. The VPPA defines consumers as anyone who “rents, purchases, or subscribes,” and defines a provider as anyone engaged in the business of “rental, sale, or delivery” of videos or similar audio visual materials.

Pandora also raised a consent argument based on its terms of service. The court doesn't rely on this argument, and it's unclear if the Michigan statute's exception for written consent applies to online terms. This is an ongoing battle in the VPPA realm. See the testimony of Prof. McGeveran with respect to the consent provisions of the VPPA: "Testimony of William McGeveran".

These cases are good illustrations of the fact that these statutes should all be revisited to account for changes in delivery and distribution of information online. Minor changes in the texts of both statutes arguably account for the differing results, but the drafting choices were just happenstance, at least as they related to streaming services. Eric made this point more bluntly in recent posts about the Cloud Computing Act of 2012 and California's effort to protect social media accounts: legislatures bake technological assumptions into their drafting. These assumptions don't age well; yet legislators keep making the same mistakes.

Other coverage:

(Declan/cnet) Pandora Defeats Privacy Suit Over Facebook Integration
(Wendy / MediaPost) Pandora prevails in privacy case

Related posts:

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices -- Mollett v. Netflix

[image credit: Shutterstock]

Posted by Venkat at 11:10 AM | Copyright , E-Commerce , Privacy/Security



Big Problems in California's New Law Restricting Employers' Access to Employees' Online Accounts (Forbes Cross-Post)

By Eric Goldman

Last week, California Governor Jerry Brown signed two laws restricting demands for social media accounts or login credentials.   Senate Bill 1349 restricts schools' access to students' social media accounts.  Assembly Bill 1844 restricts employers' access to employees' social media accounts.

[Photo credit: Solomonkein/Shutterstock]

Superficially, both laws sound like a good idea.  It's ridiculous to force people to disclose social media content if they don't want to do so; not only can that violate the accountholder's privacy, but it can violate the privacy rights of innocent third parties.  Demanding access to a social media account can be just as invasive as demanding access to an email account, something we all already know is off-limits.

Still, new legislation is a blunt tool, and it's not the right solution to every problem.  In this situation, California's new laws create two problems, one big and the other bigger.

The Big Problem: "Social Media" Isn't Definable, So the Law Covers More Than Anyone Expects

Although the laws expressly say they are regulating "social media" like Facebook or Twitter, it's not possible to define "social media" as a subset of the Internet ecosystem.  As evidence of this definitional challenge, look at the statutes' definition of "social media" (it's the same for both bills):

"social media" means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

In other words, the law governs effectively all digital content and activity, both on the Internet and stored in local storage devices, not just social media.  After all, what digital resource isn't "an electronic service or account, or electronic content"?  The coverage of the law has focused only on its application to social media accounts, but the law's unexpectedly broad reach--including to locally-stored content--virtually ensures that the law will have unintended consequences.

The Bigger Problem: It's Often Not Clear When Social Media Accounts Are "Personal"

In addition to the breadth problem, AB 1844 (regarding employer/employee relationships) makes a serious conceptual error.  The law restricts employers' access to "personal" social media, presumably in contradistinction to "business-related."  Yet, the law doesn't define when a social media account is "personal," leaving all of us to speculate what that means.

Thus, the law assumes that social media accounts have only two states: personal or not-personal.  Sadly, that's completely contrary to the cases I'm seeing in court right now.  Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related--but many employees' social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints.  Indeed, employers and employees routinely disagree about whether a social media account was personal or business-related.  See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.

Meanwhile, employers can--and should--demand that employees provide them with the login credentials to business-related social media accounts.  In fact, I've previously said "the cardinal rule about employee-operated social media accounts: get the login credentials BEFORE terminating the employee."

Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to "personal" accounts.  This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn't expressly allow employers to access mixed accounts; and the statute doesn't give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related.  Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly--and avoidable--litigation.

Note: SB 1349 uses the same "personal" terminology as AB 1844, but it's more likely to be clear when a student's accounts are personal than with employees.

Lessons

Question for you: are you surprised to see a state legislature enact an Internet-related bill with obvious problems?  (Please, answer that question honestly).  Speaking for myself, I always assume that a state legislature trying to "fix an Internet problem" will botch the job.  After all, state legislatures have a virtually unbroken history of poorly designed Internet regulations.  (See some examples on my 2007 ranking of the best and worst Internet laws).  In a future post, I hope to explain why state legislatures should never regulate the Internet.

For now, you can see why I'm not cheering California's new laws, even though I support their motivations.  It's hard to get enthusiastic about a new law--especially when it relates to the Internet--that, from day 1, has manifest problems that could have been avoided with more considered policy-making.  I also hope that the many other state legislatures considering similar legislation will learn from California's drafting mistakes; but realistically, state legislatures never learn from each other's mistakes, especially when legislators are overeager to "do something about privacy."

Posted by Eric at 08:57 AM | Privacy/Security | TrackBack



September 25, 2012

Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK

[Post by Venkat Balasubramani]

In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, C 12-80171 LHK (PSG) (N.D. Cal.; Sept. 20, 2012)

In 2008, Sahar Daftary fell from a 12th floor building in England. Her surviving family members are trying to access records from her Facebook account to gather information that may show Daftary didn't commit suicide. (Here is a news story that mentions the family's efforts: "New twist in 'Face of Asia' model's Salford Quays death fall tragedy".) The family members sought an order under 28 USC 1782 to force Facebook to disclose the contents (created or posted during a limited time period) from Daftary’s account.

Citing the Stored Communications Act, the court grants Facebook’s motion to quash. The family members argued that they could consent to disclosure on Daftary’s behalf, but the court says that consent does not mandate disclosure. Under 18 USC 2702, a service provider such as Facebook may disclose the contents of an account based on consent. Unfortunately, the court declines to issue what it characterizes as an advisory opinion on the question of whether the family members may consent on Daftary’s behalf.

__

The waiver argument: Access to the social media profiles by a decedent's estate is an issue that’s been brewing over the past several years, and as described in this recent article, at least a couple of jurisdictions are considering laws that would allow the estate to access social media posts. The issue of whether the owner of an account may consent to disclosure of its contents that are protected under the SCA is also something that courts have struggled with, mostly in discovery cases. (See, e.g., the Juror No. 1 case.) There hasn't been a clear answer, but a few courts have said that a party can be forced to consent to disclosure of otherwise discoverable evidence. Here, of course, the decedent is not around to consent, and the issue of whether the estate can consent on behalf of the decedent complicates matters. Unfortunately for the parties, Judge Grewal punts on this issue. It is significant that he says consent only permits the network to disclose communications to the extent it chooses to do so. This conclusion may put a wrench in the consent/waiver argument as used in civil cases.

The Twitter OWS case: This case brings to mind the Harris case, where privacy and metadata were at issue (at least as I understood it) but in public statements, likely to address the standing issue, the case ended up being spun as one over the "ownership of Tweets." (See, e.g., "Judge Orders Twitter to Release Protester’s Messages.") The Harris case seems largely consistent with this case in that it involved publicly posted tweets with respect to which the court said there is no expectation of privacy (the metadata would be subject to disclosure based on the third party doctrine). That case involved law enforcement rather than private parties seeking information from the social network, so this partially accounts for the differing results.

Privacy vs. ownership of the content: As with all other social media ownership cases, it's worth separating access to the account from ownership or access to the content or posts within the account. There are two separate interests at play: copyright or ownership of the content vs. the privacy interests of the account holder. With respect to the publicly available content, the parties may be able to make a copyright argument that the rights to the content pass to the decedent's estate, but that's not what the family wants in this case--it's interested in private communications that are protected from disclosure under the SCA. Interestingly, the court didn't drill down into what categories of content (or non-content information) were sought by the family. The sought-after information is merely described as (presumably non-public) "records" from Daftary's Facebook account. (Non-content information would presumably be available in discovery. See Mintz v. Bartlestein, where a court ordered non-content phone records disclosed. The disclosure of publicly available posts should not be barred by the SCA. See Crispin v. Audigier.)

The ownership of a decedent's online content was implicated in a 2009 case where someone sued Google over allegedly defamatory content posted by someone who had since passed away: "Blogspot Sued for Dead Blogger's Content." As Eric mentions in that post, it probably makes sense for the networks to have their own processes in place and not make it too easy for third parties to get access to accounts. Networks also face liability from the other direction where they provide access without following the proper protocols. (See, for example, Eysoldt v. ProScan.)

Treatment of the account vis-à-vis the decedent's privacy interests is a tough one. Unlike ownership of the content, the decedent has a privacy interest in his or her account that shouldn't necessarily pass to the estate. As Eric mentioned when we were chatting about this case via email, shouldn't people be able to take secrets with them to the grave? I don't know how papers and personal effects that are intended to be kept private are treated in the offline world, but this certainly seems to say that at least in the event of your passing, if you want something kept private, your social accounts may be one possible place to store it. (On the other hand, networks seem to be taking a privacy-friendly approach of late, but they are erratic at best over the long term.)

It's also worth noting that services exist that purport to give family members access to your account credentials post-death. I have no idea how effective those services are, and I can certainly see Facebook or another network taking a hard line approach and refusing access to family members on the basis that access to the decedent's account does not comport with the network's terms of service. Another alternative I've wondered about is whether networks would come up with their own protocol for being able to designate who gets access and under what conditions. (Here's a post from Facebook on what looks like its current policy on dealing with the accounts of deceased individuals.)

***

In any event, this is an interesting issue and one that should come up in the courts with increasing frequency. Getting access to non-publicly posted Facebook materials does not look like it will be an easy task.

Related posts:

Blogspot Sued for Dead Blogger's Content
Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan
Tea Partiers Wage War Against Each Other Over a Google Groups Account--Kremer v. Tea Party Patriots
Court Orders Facebooking Juror to Disclose Additional Facebook Posts--Juror No. 1 v. Superior Court

Other reading of interest on this topic:

"Who Owns a Decedent’s E-mails: Inheritable Probate Asset or Property of the Network" [pdf]

See also posts from Evan: "Why be concerned with social media estate planning?" and Jim Lamm: "What Happens to Your Apple iTunes Music, Videos, and eBooks When You Die?"

Other coverage:

Facebook fights for deceased beauty queen's privacy (Declan / cnet)

[image credit: Shutterstock]

Posted by Venkat at 03:03 PM | Evidence/Discovery , Privacy/Security



September 21, 2012

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

[Post by Venkat Balasubramani]

Lane v. Facebook, 10-16380 (9th Cir. Sept. 20, 2012)

Facebook’s Beacon initiative has generated more than a few blog posts.

Judge Seeborg approved the class settlement, over the objections of several objectors, including Ginger McCall. The objectors appealed to the Ninth Circuit saying that the settlement should not have been approved. The Ninth Circuit says that approval of the settlement was not an abuse of discretion.

The terms of the settlement were that Facebook would pay $9.5M for a full release of the claims. $3 million of this amount would go to fees and costs of administration. The remaining $6.5 million would go to the “Digital Trust Foundation,” an organization run by a three-member board of directors (Larry Magid, Chris Hoofnagle, and Timothy Sparapani, Facebook’s director of public policy). The organization would also have a legal advisory board which would consist of class counsel and counsel for Facebook. No monetary relief would be awarded to the class members, although they could opt out. Facebook would agree to terminate Beacon, but nothing in the agreement stopped it from re-launching a similar initiative. (Hello, Sponsored Stories 2.0!)

The majority says that appellate review is limited to determining whether there has been a “clear abuse of discretion.” It says that cy pres remedies (where there is the “next best” distribution of the settlement amount – to someone other than the class members) are allowed, and nothing in the structure of DTF causes the cy pres remedy to be improper. As long as the remedy accounts “for the nature of the . . . lawsuit, the objectives of the underlying statutes, and the interests of the silent class members,” that’s all that is necessary.

As to the second objection that focused on the value of the settlement and the district court’s failure to consider the availability of statutory damages under the VPPA, the court relies on the familiar argument that the claims, being privacy claims, are uncertain. There isn’t a long line of cases where plaintiffs have been awarded damages under the Video Privacy Protection Act, and it’s unclear that the claims could be easily brought against Facebook, rather than Blockbuster, an entity that is in a financial quagmire. [There has been a bunch of VPPA activity involving Netflix, Hulu, and Redbox, but no clear wins, and certainly no blockbuster damage awards, for plaintiffs.]

A dissenting Judge Kleinfeld tees off on Facebook and on the settlement (and to some extent the class action system in general). He has a long list of problems ranging from expansion of the class to the scope of injunctive relief, to the combination of a “clear sailing” agreement as to fees coupled with no monetary relief to class members. It’s tough to do it justice by recapping it in a blog post, so I would urge readers to check it out for themselves. Here’s a key graf that summarizes his qualms:

In this case, the [class action] process has failed. The attorneys for the class have obtained a judgment for millions of dollars in fees. The defendant, Facebook, has obtained a judgment that bars claims by millions of people victimized by its conduct. So have the other companies involved in Beacon. The victims, on the other hand, have obtained nothing. Under the settlement, Facebook even preserved the right to do the same thing in the future.

__

Meh. This is an underwhelming result for how long it took for the court to issue its opinion.

The 9th Circuit issued recent decisions on fees (Dennis v. Kellogg) and on cy pres settlements (Nachshin v. AOL) that made me think this settlement wouldn’t get its stamp of approval, so perhaps this is a surprising ruling. I wonder whether the objectors will seek re-hearing and whether Judge Kleinfeld’s dissent will generate enough interest from other 9th Circuit judges to make that happen. (Judge Seeborg tentatively rejected the proposed settlement in the Sponsored Stories class action: "Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook." This ruling likely paves the way for everyone to clean up the issues he identified in his ruling, and get it approved.)

To me, what makes the settlement problematic is the toothless injunctive relief negotiated on behalf of the class. As Judge Kleinfeld points out, as long as it’s called something else, there’s nothing to stop Facebook from launching Beacon 2.0. Even assuming that cy pres is appropriate and it would be impractical to distribute small amounts to class members, I don’t get the sense that this lawsuit will act as a meaningful check on Facebook’s privacy practices, either as to programs such as Beacon, or as a general matter. It’s silly to assume that a non-profit that’s funded by Facebook could achieve this result when third party organizations haven’t been able to do much. (On the other hand, maybe people don’t really care about privacy on Facebook. Although there were some quibbles about the adequacy of notice, of the 3,663,651 class members identified by Facebook, a measly 108 opted out, and 4 submitted written objections.)

See also: New Essay: The Irony of Privacy Class Action Lawsuits (Eric's essay)

Other coverage:

Facebook’s $9.5 Million ‘Beacon’ Settlement Approved (David Kravets/Wired)
Facebook Beacon settlement gets OK (San Francisco Chronicle) (with comments from Greg Beck)
Facebook's Beacon Settlement Upheld By 9th Circuit (Wendy Davis/Media Post)

Related posts:

Texas Class Action Aims to Derail Facebook Beacon Settlement
Beacon Class Action Settlement Approved
Stop Saying 'We Can Amend This Agreement Whenever We Want'!

Posts on Fraley v. Facebook:

Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook
Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook

Posted by Venkat at 12:13 PM | E-Commerce , Privacy/Security , Publicity/Privacy Rights



September 15, 2012

Social Media Discovery Roundup

[Post by Venkat Balasubramani]

* Douglas v. Riverwalk Grill, LLC, 11-15230 (E.D. Mich.; Aug 24, 2012)
* Mailhoit v. Home Depot USA, Inc., 11-03892 DOC (SSx) (C.D. Cal.; Sept. 7, 2012)
* Robinson v. Jones Lang Lasalle Americas, Inc., 12 cv 00127 PK (D. Or.; Aug 29, 2012)

A few recent cases have addressed social media and discovery, an issue courts and litigants continue to struggle with. I don’t see any clear pattern, apart from the fact that no one seems to have a good solution to a key logistical issue: how a party requesting discovery narrowly describes what is sought without knowing in advance what is contained in a social media profile. (For good context on the dispute, check out Bruce Boyden’s post: The Proper Procedure for Facebook Discovery, Part I, as well as our numerous posts on the topic.) (It's worth mentioning that ethical issues arise when counsel or those acting on counsel's behalf friend witnesses in the course of trying to obtain information. See this recent article for an example: "Hostile use of 'friend' request puts lawyers in ethical trouble.")

In camera inspection: One possible scenario is to have the court conduct an in-camera inspection of the litigant’s social media profile in order to determine what’s relevant. This isn’t ideal since someone ends up “rummaging around” in the party’s social media profiles (it’s not the party seeking discovery, but the witness/responding party’s information is still exposed to someone and there’s a resulting loss of privacy). The court took this approach in Douglas v. Riverwalk Grill, LLC [pdf], a discrimination case. After reviewing over 250 pages of discovery and “thousands of entries,” the court says that the majority of entries bore “absolutely no relevance to [the] case.” The court grants a request to turn over 18 entries. The court didn’t reproduce the entries in the order granting discovery, so it’s hard to tell the nature of the entries, but the whole thing seemed like a wasteful exercise. The court doesn’t specify who bears the costs of production and in-camera review, but the order left me wondering whether this should be a part of the discovery calculus.

Any posts that reveal emotion: Given that courts frown on fishing expeditions and rummaging around in a party’s social media profile, one set of defense lawyers (in Mailhoit v. Home Depot USA, Inc.) sought to narrow their request for plaintiff’s social networking information. They sought the following information:

Any profiles, postings or messages . . . from October 2005 . . . through the present that reveal, refer, or relate to any emotion, feeling, or mental state of plaintiff, as well as communications by or from plaintiff that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.

They also sought a second category of information (any communications that place the above messages in context), as well as a third category, which consisted of any photos posted or in which plaintiff was tagged.

The court (like all other courts to have addressed the issue) notes that social networking evidence may be relevant and is not off-limits by virtue of some magical privilege or zone of privacy. However, the court says that the requests to disclose this information must describe the information sought with “reasonable particularity.” The court says the requests fail this standard:

[e]ven if the first part of this category, which seeks communications relating to ‘any emotion’ could be understood to encompass only communications containing specific emotive words . . . the category would still arguably require the production of many materials of doubtful relevance, such as postings with a statement “I hate it when my cable goes out” . . . . Arguably, watching a football game or a movie on television is an “event” that may produce some sort of “significant emotion,” but it is unclear whether plaintiff would be required to produce messages relating to such activities.

Narrowing the discovery requests: A third case (Robinson v. Jones Lang Lasalle Americas, Inc.) also involved claims for discrimination, and the defendant sought: (1) communications with former co-workers; and (2) all social media content that “reveals or relates to [plaintiff's] ‘emotion, feeling, or mental state,’ to events that could be reasonably expected to produce a significant emotion, feeling or mental state, or to allegations in [the] complaint." [If you ever wonder why civil discovery is such a joy, the phrasing of this discovery request provides good insight into the process.]

The court says that where the plaintiff alleges beyond the “garden variety” emotional distress, social media evidence may become relevant. Social media often provides a window into the mental state of the person and can reveal information that is inconsistent with positions they take in a lawsuit. (See Eric’s numerous posts cataloguing examples.) The plaintiff agreed to produce any discussions with ex-co-workers and also any social media updates or content that “reference her allegedly discriminatory supervisor or ‘work-related emotions’.” The court says this is not enough, and orders plaintiff to produce any posts that:

Reveal, refer, or relate to (a) any significant emotion, feeling, or mental state allegedly caused by defendant’s conduct; or (b) events or communications that could reasonably be expected to produce a significant emotion, feeling, or mental state allegedly caused by defendant’s conduct.

__

All of these approaches have their drawbacks. The in-camera approach employed by the court in Riverwalk Grill is intrusive and needlessly expensive. The language in the discovery requests from the Home Depot and Robinson cases makes my head hurt, and surely doesn't give much by way of guidance to the litigants or those involved in the discovery process. I'm inclined to stick with my original instinct and say that this should be treated similarly to documents that arguably fall under attorney-client privilege. A party should be required to produce some sort of index that lists the entries in summary form. Using this index the parties can then fight out what is and what is not relevant.

[image credit: Kzenon/Shutterstock]

Previous posts:

"Court Orders Production of Five Years' Worth of Facebook and MySpace Posts – Thompson v. Autoliv"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

Posted by Venkat at 08:22 AM | Evidence/Discovery , Privacy/Security



September 14, 2012

Another Blow to Banks in ACH Fraud Cases: Funds Transfers Act Preempts Indemnity Agreements -- Choice Escrow v. BancorpSouth

[Post by Jake McGowan]

Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 10-03531 (W.D. Miss. Aug. 20, 2012)

[image credit: Asharkyu/Shutterstock]

Last month, we blogged about Patco v. Ocean Bank, where the First Circuit held that the bank may bear the loss of fraudulent ACH transfers because its security procedures were not “commercially reasonable” under the Funds Transfers Act provisions of the UCC. Though the decision left open the question of customer responsibility, for now it belongs in the win column for customers.

But the vast majority of these banking relationships include an agreement where the customer promises to indemnify the bank for a fraudulent wire transfer. It was unclear how these agreements could factor into the analysis--could an indemnity agreement shield a bank from the UCC’s “commercially reasonable” analysis altogether?

A district court for the Western District of Missouri considered this question in Choice Escrow v. BancorpSouth, and held that the UCC provisions preempt indemnity agreements.

Background

Choice Escrow maintained a trust account with BancorpSouth (“BSB”). In March 2010, BSB received a request online to transfer $440,000 out of Choice’s trust account. The third party made the request using Choice Escrow’s login credentials.

Choice Escrow filed claims against BSB under the “Funds Transfers Act” (i.e. the relevant UCC provisions) as adopted by Missouri. BancorpSouth shot back with four counterclaims relating to indemnity agreements signed by Choice Escrow, agreeing to indemnify BSB for any losses, costs, liabilities or expenses.

Funds Transfers Act UCC Provisions Preempt Written Indemnity Agreements

In a close call, the district court held that these ACH fraud matters are governed specifically by the Funds Transfers Act. Arriving at its decision, the court paid special attention to the intent of the UCC drafters:

On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency. On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships.

Concluding that the Act displaced the indemnity agreements, the Court granted Choice Escrow’s motion and dismissed Bancorp’s counterclaims.

__

It’s rare to see a court strike out an agreed-upon contract provision; it’s even more rare when both parties are “sophisticated,” as is the case here. When it happens, it’s always a good idea to look to the policy considerations.

It’s true that these wire fraud cases would be a lot less messy if banks could avoid liability using indemnity clauses. But such “uniformity and consistency” might be unduly harsh on customers if, through these agreements, they were always on the hook regardless of the bank’s actions.

In the same vein, widespread use of indemnity clauses might also reduce banks' motivations to invest a lot in their security infrastructure--especially if they never had to fear liability for these large sums of money. Of course, the banks would still have an incentive to keep their customers’ accounts safe in an Adam Smith “Invisible Hand” sense, but I think the court doesn’t like any movement in that direction because security from wire fraud is such an important goal. With most of these cases, hundreds of thousands (if not millions) of dollars are at stake.

We still don’t know what (if any) duties the customer has in preventing fraud on their online bank accounts. It’s an important question in this case because the hacker got access through Choice Escrow’s account. The court in Patco recommended further hearings on the issue, so we may just have to wait and see.

[Eric's comment: although deal lawyers often spend lots of time drafting and negotiating indemnity clauses, there's widespread suspicion that indemnity clauses rarely work in the field or in court. Another good example here.]

Posted by JakeMcGowan at 07:58 AM | E-Commerce , Licensing/Contracts , Privacy/Security | TrackBack



September 13, 2012

My Presentations on the Obama Administration’s “Privacy Bill of Rights” and the Proposed Amendments to the EU Data Privacy Directive

By Eric Goldman

Many of you probably haven’t heard about the “CONSENT” project in Europe, but you probably will. The CONSENT project is a multi-year, multi-million dollar research project, funded by the European Union, to conduct empirical research on consumer privacy issues in Europe. Ultimately, the research findings should feed into the EU's evaluation of proposed amendments to the 1995 EU Data Privacy Directive (more on that in a moment). I’m pretty sure the project's empirical findings will spark some discussion when they are publicly released.

As part of the project, the various project participants recently met face-to-face in Cluj-Napoca, Romania to discuss their work and present some preliminary findings. The conference also had some related presentations, which is what got me to Romania. (See my recap of my trip to Romania and my photo gallery).

The organizers asked me to present about Obama Administration’s Privacy Bill of Rights. As I’m sure many of you can appreciate, this was not my first choice of topics (indeed, I took a pass on blogging the document when it was released). So after repeatedly confirming if the organizers really, really wanted to discuss the document and if I was the right person to do so, I gave a 30 minute talk describing the Obama administration’s report and providing some critiques. I’ve posted my slides and a recording of my talk (download--item 28 or stream).[FN1]

[FN1] After multiple requests from blog readers, I am trying to get better about doing self-recordings of my talks where the organizers aren’t posting their own recording. Thanks to the readers for encouraging me to do this.

Later in the conference, I participated in a panel discussion about the January 2012 proposed amendments to the EU Data Privacy Directive. I was confused by the interaction between these amendments and the CONSENT project. On the one hand, the EU is spending millions of Euros conducting empirical research to assist its policy-making; on the other hand, the EU is evaluating a proposed amendment before the completion of that research project. I’m a fan of empirical-based policy-making, but only if the empirical work in fact feeds back into the policy-making!

Among conference participants, there seemed to be consensus that (a) the Jan. 2012 proposed amendments will not succeed in their current form, and (b) most folks want data privacy handled as an EU regulation rather than as a directive, which would preempt the patchwork implementation of the directive across the 27 EU member states. Certainly American companies trying to enter the European market would prefer a harmonized regulation rather than having to wrangle 27 different implementations.

As part of my remarks on the panel, I made the following points:

1) Now is a perfect time to rigorously review the lessons learned from the 1995 Directive. It’s been 17 years—long enough to generate enough data to assess its efficacy, but a short enough time that many of the key players in 1995 are still around to get their historical perspectives. This is the same animating principle behind our 15 year retrospective of 47 USC 230 and our upcoming 15 year retrospective of the Digital Millennium Copyright Act. Certainly in the context of considering an amendment to the directive, it would make sense to figure out what went right in the initial directive so the EU can do more of that—and what didn’t work as expected so the EU can avoid making the same mistakes this time.

2) Harmonizing the privacy laws within the EU is a good idea because it helps create a larger common market (an all-EU-wide market), and larger common markets provide greater economic opportunities. Indeed, forming larger common markets is one of the single biggest benefits of the EU generally.

As big as the EU is, the Internet is a potentially bigger common market than the EU—in fact, it has the potential to become the largest common market the world has ever seen. However, I fear that geographic-based regulation is breaking apart the Internet as a common market. So even if the EU succeeds in harmonizing its own law, if the result is that it fragments the Internet into a US Internet and an EU Internet, I think we’ll have lost a major opportunity. The proposed amendment makes a number of points about trying to discipline Internet companies not located in the EU for violating EU law, which could lead to the kind of transborder blockades that we feared with SOPA. But even if we don’t go that far, the reality is that the proposed amendment—along with the current directive—force the larger Internet companies to create EU-specific services that differ from the service offerings in the United States. The result is that we do end up with multiple unconnected Internets, not a single Internet. I hope to write a Forbes blog post expanding this thought in the near future.

3) If I were to place a $100 wager on whether, over a 50 year time horizon, the US economy will outperform the EU economy, I’d confidently wager all $100 on the US over the EU. We have many, many economic challenges in the United States, but we remain the best place to start new companies that have the best chance of growing into major global companies, while the layers of regulation in the EU make it hard for new companies to start and grow. The proposed amendments to the Data Privacy Directive are just one example of that phenomenon. Instead of trying to foster innovation by scaling back some of the already-onerous provisions of the existing directive, the proposed amendment doubles down on regulation, adding new layers of costly and innovation-chilling regulation. When the EU does that, it enhances the advantages that American businesses have against their global competition (so we in the United States will reap the economic benefits), but it would still make me sad if we lost an opportunity to enhance the overall social welfare in the world due to overregulation. As you can imagine, this last point was especially unpopular in a crowd of pro-privacy Europeans.

Posted by Eric at 03:25 PM | Privacy/Security | TrackBack



September 12, 2012

Another School Violated a Student's First Amendment Rights by Disciplining Her For Facebook Posts -- R.S. v. Minnewaska Area School Dist. No. 2149

[Post by Venkat Balasubramani]

R.S. ex rel. S.S. v. Minnewaska Area School Dist. No. 2149, 2012 WL 3870868 (D.Minn. September 6, 2012)

R.S. was a twelve-year-old student at a Minnewaska Area middle school. She posted a message to her Facebook page about an adult hall monitor at her school:

[I hate] a Kathy person at school because [Kathy] was mean to me.

The post was only accessible to her friends. One of her friends brought the post to the attention of the administration. The principal called R.S. into his office and told R.S. “that he considered the message about Kathy to be impermissible bullying.” (???) As a result of the message, R.S. was required to apologize, given detention, and received a disciplinary notation in her records. R.S. was disciplined a second time when she expressed her chagrin that someone had told on her (“I want to know who the f%$# told on me.”) [“f%$#” in original] This time she was disciplined for “insubordination” and “dangerous, harmful, and nuisance substances and articles.” (???)

Separately, school officials received a complaint from a parent that R.S. was allegedly communicating with another student about “sexual topics on the internet.” A school official told R.S.’s mother that, apparently, a boy had initiated an online conversation about sex with R.S. This time, R.S. was pulled out of class and grilled about the conversation. Dissatisfied with the responses R.S. provided, officials asked R.S. for her Facebook password. Although she initially said she forgot it, under the glare of the lights, she provided the password. School officials proceeded to search her Facebook account, including private messages. For good measure, they also searched her private email account.

R.S. was understandably upset by the search and the instances of discipline. She sued, alleging violations of her constitutional rights.

First Amendment claims: The court has no trouble concluding that, assuming the facts as alleged are true, school officials violated R.S.’s First Amendment rights. The court says that posts on social networks are protected unless they are “true threats” or are reasonably calculated to reach the school environment and pose a safety risk or a risk of substantial disruption of the school environment. R.S.’s posts were not true threats. Even assuming the statements were reasonably calculated to reach the school audience, there was no possibility of disruption. The court distinguished D.J.M. v. Hannibal Public School District #60, a case where the Eighth Circuit said that a student could be properly disciplined for threatening instant messages, on the basis that that case involved a threat and actually disrupted the school environment. The court also cites to Layshock, where the Third Circuit said that setting up a mocking profile of a high school principal was not sufficient to warrant discipline. (See also J.S. ex rel. Snyder v. Blue Mountain Sch. Dist.)

Fourth Amendment claims: The court also says that the school officials violated R.S.’s Fourth Amendment rights to the extent they rummaged around in her Facebook page and her private email account. Private emails are like letters or other private conversations, and subject to Fourth Amendment protections. Private Facebook messages are no different. There was no evidence that the officials tailored their search to minimize the intrusion. Even if they had, they had no underlying basis to search in the first place.

Other claims: The court does dismiss the claims for intentional infliction of emotional distress. However, it allows the claims for invasion of privacy. In passing, it also rejects the school’s argument that R.S.’s violation of Facebook's terms (by misrepresenting her age when she signed up) means that she is entitled to fewer privacy protections.

__

Not much more to say about this one. Assuming the facts are as alleged (something the court takes pains to say may not be the case), this looks like a major over-reaction from the school. Disciplining R.S. for her off-campus and relatively innocuous post was bad enough. Searching her Facebook account and email was a gaffe for which the school district will likely end up writing a check.

[Eric's comment: perhaps naively, I keep hoping that, over time, school administrators will stop freaking out about students' social media activities. This is a contrary datapoint; based on the allegations, this looks like a freakout. In particular, it's a good example of how administrators might use the "bullying" label as a pretextual justification for punishment. The term "bullying" has way too much semantic ambiguity, but it should never stretch as far as calling another person "mean."]

Other coverage:

Judge won't dismiss lawsuit accusing Minnesota school of demanding sixth-grader's Facebook password (SPLC)
Student's suit for forced Facebook disclosure survives motion to dismiss; court finds reasonable expectation of privacy in Facebook messages (Cybercrime Review)

Related posts:

Mortuary Student Can Be Disciplined for Facebook Posts--Tatro v. University of Minnesota
Suspension for Facebook/YouTube Rap Video Critical of High School Coach Does not Violate First Amendment – Bell v. Itawamba County School Board
Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
Mortuary Sciences College Student Disciplined for Threatening Facebook Posts--Tatro v. University of Minnesota
Student Loses First Amendment Fight To Call School Officials “Douchebags” After Four Years Of Litigation--Doninger v. Niehoff
Nursing School Can't Expel Students for Posting Photo to Facebook--Byrnes v. Johnson County CC
Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota
Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
Third Circuit Schizophrenia Over Student Discipline for Fake MySpace Profiles
Private High School Not Liable for Cyberbullying--DC v. Harvard-Westlake
Nursing Student's Blog Post Doesn't Support Expulsion--Yoder v. University of Louisville
Principal Loses Lawsuit Against Students and Parents Over Fake MySpace Page--Draker v. Schreiber
Court Upholds Student Suspension For YouTube Video of Teacher
Teenager Busted for Creating Fake "News" Story

Posted by Venkat at 09:42 AM | Content Regulation , Privacy/Security



August 31, 2012

Stored Communications Act Does Not Bar Discovery of Employee Phone Records–Mintz v. Bartelstein Assocs.

[Post by Venkat Balasubramani]

Mintz v. Bartelstein & Assocs, CV 12 02554 SVW (SSx) (Aug. 14, 2012)

Mintz is a sports agent who represents, among others, some NBA players. He worked for Bartelstein & Associates for 11 years. After leaving to accept a position with a competitor (CAA), he sought declaratory relief to invalidate his non-compete agreement. Bartelstein counterclaimed, saying that Mintz allegedly misappropriated trade secrets and conspired with Mintz’s current employer to steal clients. Bartelstein subpoenaed Mintz’s phone records from AT&T. The subpoena sought ten categories of documents, the bulk of which related to the dates, times, and numbers/accounts for Mintz's phone calls. The court grants in part and denies in part Mintz’s motion to quash the subpoena as follows:

1. The Stored Communications Act allows for the disclosure of non-content information to non-governmental entities. Thus, the bulk of the sought-after information (with the exception of the content of the text messages) is not barred from disclosure by the SCA.

2. With respect to the content of the text messages, although Bartelstein can’t subpoena them from AT&T, Bartelstein can force Mintz to disclose them. This information is “within [Mintz’s] control,” because he has a legal right to get it from AT&T.

Mintz also argued that his California constitutional right of privacy protected against disclosure of the sought-after information, including non-content information. The court resolves two factual issues relating to this argument. First, the phone started out as Mintz’s personal phone but was “converted” to his employer's phone along the way. The facts seemed grey and didn't establish the phone as having been used exclusively for business or pleasure; the fact that Mintz used the phone for both personal and business purposes cut both ways. The fact that Mintz and Bartelstein both paid for a part of Mintz's phone also cut both ways. There was also an employee manual in place which stated that any personal information placed on company emails would “not be considered the private or confidential property of the employee . . . [and the employer had] the ability and right to review e-mail, voice mail, and telephone messages.” [Interestingly, no mention of text messages.] Although Mintz raised the typical argument that he didn't read or agree to the employee manual, Bartelstein's evidence to the contrary was clear--it sent him a copy along with a follow-up email and produced both of these items of evidence for the court. Although Mintz did not sign an acknowledgement saying he read the manual, he clearly received a copy of it.

The court says that Mintz had a “limited expectation of privacy” in the non-content information. A protective order could adequately guard against any unwarranted intrusion into Mintz's privacy. The court also notes (citing to Quon and the third party doctrine) that federal law is consistent with this approach. (The court does mention the fact that federal courts are divided as to whether individuals have an expectation of privacy in historic cell site information.)

__

The SCA is an unwieldy beast, and it provides for a labyrinthine framework for what can be disclosed and who can request what information. As the court notes, what law enforcement can obtain is different from what private parties may obtain in litigation. With respect to private parties, non-content information is fair game, but content information gets a clunky treatment that either relies on a waiver concept or allows the party requesting the information to get it from the person who has control over it. (The Juror No. 1 case which is playing out across several different tribunals discusses these issues, as does Flagg v. City of Detroit, which is discussed in the Juror No. 1 ruling.) The trend from courts is to treat the Stored Communications Act as a speedbump in civil discovery rather than a roadblock. Most of the courts to have looked at the issue have said that the SCA does not bar discovery of content information. It merely precludes obtaining it directly from the provider (in this case AT&T).

The decision illustrates the importance of a policy in the employment context. Allowing employees to mix business and pleasure on their devices leads to unpredictable results as far as what information the employer can get access to. The employer in this case dodged a bullet by having a broad policy that was clearly communicated to the employee (Mintz).

The case is also a great illustration that virtually everything we do in the modern era results in digital footprints--and, when we fall out of love with each other, there will be resulting fights over who can get access to these footprints, the results of which will be unpredictable at best.

Previous posts:

"Court Orders Production of Five Years' Worth of Facebook and MySpace Posts – Thompson v. Autoliv"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

[Photo courtesy of ShutterStock.]

Posted by Venkat at 11:18 AM | Evidence/Discovery , Privacy/Security



August 22, 2012

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices -- Mollett v. Netflix

[Post by Venkat Balasubramani]

Mollett v. Netflix, 11-CV-01629 (N.D. Cal.; Aug 17, 2012)

This is a putative class action under the Video Privacy Protection Act alleging Netflix violated the VPPA (and Cal. Civ. Code 1799.3) by .. get this .. freely displaying, to a subscriber’s family members, a subscriber’s “recently watched” and “instant queue titles” on the subscriber’s Netflix-Enabled Device. I’m surprised the court didn’t just enter a three word order (“WTF”) dismissing the claim.

Netflix allows you to register devices that can access your Netflix account. Once you enter your password, you need not keep entering it again. Plaintiffs alleged that this was a problem because a subscriber’s family members could then access the device and see a subscriber’s "recently watched" and "instant queue" titles without entering a password.

Netflix did not contest that the VPPA applies to streaming video providers. As cited by the court, a different judge in the Northern District of California recently concluded that Hulu was subject to the VPPA regardless of the fact that it offers streaming services and doesn’t charge its customers for some of its services. (See "Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu.")

Nevertheless, the court says that plaintiffs cannot state a claim because the disclosures in question were made to the customers themselves (i.e., through their devices). Although not determinative, the court notes that Netflix’s privacy policy tells users that if they share their devices or passwords with others, they take “full responsibility for their actions.”

Plaintiffs argued, citing to legislative history of the VPPA, that Congress intended to regulate disclosures among spouses. The court says that the example cited in the VPPA’s legislative history was not analogous because it involved a divorcing spouse requesting records of the soon-to-be-ex spouse’s viewing habits in order to use this information in a child custody proceeding. The situation in this case is more akin to someone walking into a video rental store with their wife or husband and overhearing a clerk’s reference to a previous rental record (maybe in the context of a late fee discussion). The latter is something the user can control—i.e., by not taking their spouse to the video store with them.

The court also concludes that any disclosure was not knowing (or in the case of 1799.3, willful). The court says that Netflix wouldn’t necessarily know that anyone other than the subscriber could access the rental records and this would be outside of Netflix’s control or knowledge anyway. The court also says that Netflix’s reading of the statute to permit this type of sharing was reasonable.

__

This was a crazily misguided lawsuit that just aimed to take advantage of a possible litigation opportunity. If the plaintiffs had won, Netflix would have to make it more difficult for anyone to access their account history on Netflix enabled devices. I doubt anyone wants this outcome (except for the plaintiffs' lawyers). Not surprisingly, the court shut it down. I'm only surprised that the judge didn't have harsher words for the plaintiffs' lawyers.

(This is not to say that intra-spousal disclosures are not consequential. In plenty of other scenarios (HIPAA and ECPA) these disclosures can rightly form the basis of liability. But here, the fact that the disclosure occurred on the device, and was something the account-holder could control, should be determinative. The Apple in-app lawsuit that survived a motion to dismiss also came to mind, but there were additional facts in that case that made a claim more plausible.)

In re Hulu set potentially important precedent in construing the VPPA to apply to streaming providers. This lawsuit was filed well before the ruling in Hulu, but I'm curious as to whether the Hulu ruling will open up the floodgates to possible claims against other streaming services. In any event, it's clear that the VPPA is becoming an important weapon in the arsenal of plaintiffs' lawyers. We've seen cases against Hulu, Redbox, Netflix, among others. It will be interesting to see who else ends up in their crosshairs.

[Update: Netflix clarified via email that Netflix did not concede applicability of the VPPA to its service for all purposes, but only for purposes of the particular motion. To the extent the case continues, Netflix reserved the right to argue that the VPPA does not cover streaming and therefore Netflix is not a VTSP for purposes of the claims against it.]

Related posts:

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Posted by Venkat at 08:07 AM | Privacy/Security



August 21, 2012

6th Circuit Allows Police GPS Tracking on Prepaid “Burner” Phones -- United States v. Skinner

[Post by Jake McGowan]

United States v. Skinner, 09-6497 (6th Cir. August 14, 2012)

If the name Stringer Bell means anything to you, you probably know what a “burner” is. The third season of The Wire saw aspiring drug runner Bernard tasked with purchasing unregistered pre-paid cellphones from various corner stores in Baltimore. The Barksdale crime organization would use and then discard these burners about every two weeks, avoiding any potential wiretaps and making detective Lester Freamon’s life much more difficult.

But even police forces outside HBO’s jurisdiction struggled with these “burner” issues, at around the same time season three hit the airwaves. Without IDs tied to the mobile phones, agents had a hard time obtaining proper search warrants and had to come up with new ways to track down the bad guys.

But how far could they go before running afoul of the Fourth Amendment? Could they “ping” the phone’s GPS chip to track its location in realtime? The Sixth Circuit Court of Appeals considered this question recently in United States v. Skinner, and handed down its controversial decision on August 14th.

In a 2-1 ruling, the Court held that the police’s GPS pinging did not violate the Fourth Amendment, even without a search warrant based on probable cause.

Background

In 2006, DEA authorities gained inside knowledge relating to a large-scale drug-trafficking operation led by James Michael West and supplier Philip Apodaca. Defendant Melvin Skinner was a courier in this operation, transporting marijuana from Mexico to Tennessee. Throughout his travels, Skinner used burners purchased by Apodaca to communicate with West; none of whom were aware that the phones contained GPS chips.

At the time, the police only knew Skinner by his alias: Big Foot. Through a series of wiretaps on regular mobile phones registered to West, agents got an idea of the organization’s plan, and discovered the phone number of Big Foot’s secret phone. By pinging the phone and observing its GPS data, the police were ultimately able to locate Skinner’s RV. They brought out drug-sniffing dogs and then entered the motorhome, uncovering over 1,100 pounds of marijuana and two semi-automatic handguns.

Before trial, Skinner sought to suppress the search of the motorhome on Fourth Amendment grounds, since it took place without a warrant. The district court did not buy this argument, and Skinner appealed.

No Fourth Amendment Violation

The Sixth Circuit affirmed, holding that Skinner did not have a reasonable expectation of privacy in the data given off by his burner phones:

If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools.

That last sentence really sets the tone for the entire decision--leading with a moral obligation and then weaving through precedent to achieve that result.

Toward this end, the Court cited United States v. Knotts, and reasoned that the agents monitoring Skinner did not violate the Fourth Amendment because the information they received by pinging the burner could have been obtained by following Skinner down public roads. In other words, the Court saw the GPS data as “simply a proxy for [the defendant’s] visually observable location.”

Continuing this “proxy” argument, the Court brings up United States v. Forest, where DEA agents pinged the defendant’s cellphone and used the coordinates to reconnect after losing visual contact along a public roadway. Again, the Court points to the fact that the police only used the GPS data to “augment” what they could have seen with their own eyes, and thus did not conduct a “search” within the meaning of the Fourth Amendment.

Later on, the Court distinguishes United States v. Jones by emphasizing the “trespassory nature of the police action” in that case. The DEA agents in Jones "lojacked" the vehicle by attaching a tracking device. In Skinner, the police did not place a tracking device on the RV; they didn’t have to, since they suspected he already had the phone. Nor did the Court see the police’s surveillance as “extremely comprehensive” to the point that it violated the Fourth Amendment in and of itself.

For these reasons, the Court held that Skinner did not have a reasonable expectation of privacy in the GPS data and location of his burner phone.

__

This decision reeks of “You’re gonna get what you deserve” to the point where it has already rankled a lot of legal analysts. The Court seems to start from a point of moral outcry (technology helps criminals but not the police), and then works backward toward a passable legal explanation for its ruling. Maybe there is a good legal explanation, but this decision is filled with logical leaps and slippery slope analogies.

For example, the Court reasons that a criminal should not be able to “rely on the expected untrackability of his tools.” But this reasoning seems to gloss over the important question of when the “suspect” turns into a full-fledged “criminal.” True, it’s hard to feel bad for Skinner (especially knowing what he did), but how will the Court’s logic affect future suspects? Will it not deprive them of Fourth Amendment rights on the police’s assumption that they are conducting criminal activity? It’s hard to see where the idea of probable cause fits into the equation.

Immediately following, the Court reduces the opposing argument to absurdity--imagining a world where “dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent,” or where “a getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen.” Without further development, these analogies do not seem to support the idea that Skinner forfeited his constitutional protections by driving on a public road.

As Julian Sanchez pointed out on the Cato@Liberty blog, the Supreme Court held in Katz v. United States that “what a person knowingly exposes to the public, even in his own home or offices is not a subject of Fourth Amendment protection . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected” (emphasis added).

This is important because while Skinner’s RV was viewable by the general public, the location of his phone and its connection to the drug plot were not. This would seem to cut against the Court’s comparison to Knotts.

The decision also seems to sidestep the fact that the police did not even know Skinner’s true identity when they started tracking him. To the Court, it is an irrelevant question because the police could have obtained this info “by other means.” In response, critics have pointed to Kyllo v. United States (absent from the decision), where the Supreme Court held that the agents’ use of thermal imaging did not escape the requirements of the Fourth Amendment, simply because the same information could have been acquired through other lawful means.

All in all, this decision is definitely worthy of its resemblance to The Wire--it forces you to grapple with the moral dilemma of admiring creative police work, while fearing how it could be abused. But hey . . . it’s all ‘n the game, right?

Posted by JakeMcGowan at 10:11 AM | Privacy/Security | TrackBack



August 16, 2012

No Fourth Amendment Violation When Your Facebook "Friend" Shares Profile Information With Law Enforcement--US v. Meregildo

[Post by Venkat Balasubramani]

US v. Meregildo, No. 11 CR 576 (WHP) (S.D.N.Y.; Aug 10, 2012)

Colon moved to suppress evidence seized from his Facebook account pursuant to a warrant. He did not contest the finding of probable cause, but he took issue with the government’s methods used to procure evidence in support of its showing of probable cause. The government used a cooperating witness who was "friends" with Colon on Facebook and who provided Colon's information (pictures or posts?) that supported the warrant application. (Friends is in quotes because obviously this wasn't a very friendly thing to do). Colon argued that the government's procurement of information in this way violated his Fourth Amendment rights.

(As a side note, this may be Colon's Twitter account and Facebook page.)

The court says that there is no Fourth Amendment protection in publicly posted information. On the other hand, if users post content to social networking sites “using more secure privacy settings, [this] reflect[s] the user’s intent to preserve information as private” and may engender Fourth Amendment protection. Colon’s Facebook profile did not fall into the second category. His profile allowed his friends to view a list of all his other friends, “as well as messages and photographs that Colon and others posted to Colon’s profile.” Because the privacy settings allowed Colon’s friends to view materials posted to his Facebook account, the court says there was no Fourth Amendment violation:

Where Facebook privacy settings allow viewership of postings by “friends” the Government may access them through a cooperating witness who is a “friend” without violating the Fourth Amendment…While Colon undoubtedly believed that his Facebook profile would not be shared with law enforcement, he had no justifiable expectation that his “friends” would keep his profile private.

In other words, when Colon posted sketchy stuff to Facebook, he did so at his peril!
__

I’m struggling with what to make of this one. It may be disconcerting to learn that the government can approach your Facebook friends and ask them for incriminating information about you, but that's what cooperating witnesses do. The government does this all the time and there's no reason why they can't do it online just like they do it offline.

The situation may have been different if the government prompted the friending. The court doesn't highlight this, but I think the fact that they were already friends is important. What about if the government just made up a fake Facebook profile and friended Colon? I'm not familiar enough with Fourth Amendment law to know the answers to these questions, but I’m regularly surprised at how far the government can go in obtaining information, even through subterfuge. While there are obviously limits on how far the government can go in "infiltrating" groups, even in this context, courts have given the government plenty of room. At a certain point, these efforts would bump up against the individual's right of association and chill First Amendment activity, but this isn't the easiest case to prove. In any event, those issues were not implicated here.

Of course, there’s the issue of Facebook’s privacy settings. I have long found them confounding and tough to use (tough enough that I deleted my account). Is the court saying here that if you have the default privacy settings on your Facebook profile (i.e., don’t restrict information to certain groups) then, if an informant friends you, there’s no Fourth Amendment bar to the government obtaining this information? The court’s discussion on privacy settings may have been gratuitous. Another way to look at it is that if your privacy settings are such that someone can access material through Facebook, then the government can obviously obtain this information (without a warrant) through whomever can access the information. There's nothing particularly shocking about this.

It's interesting to compare this case to the other cases where privacy settings ended up being relevant to the legal analysis. In the civil discovery context, courts regularly look to the privacy settings on your profile as one part of the question of whether this information can be obtained in discovery (e.g., Zimmerman and Romano v. Steelcase are a few of the many cases in this vein). The issue has come up in the employment context as well, where one court said that shoulder-surfing a co-worker's page could state a privacy claim (Ehling v. Monmouth Ocean) and another court rejected privacy claims based on an employer disciplining a worker's comments posted to a co-worker's Facebook profile (Sumien v. Careflite). It's worth noting that in the Monmouth case, the court said that there could be a privacy claim where an employer gains access to your Facebook profile through a co-worker, but the government can engage in exactly this conduct (at least there's no Fourth Amendment bar). Finally, in the generic privacy context, Moreno v. Hanford Sentinel is one of the early cases that said that there's no invasion of privacy where someone republishes a MySpace post that was publicly available, even if it was disseminated more widely than the initial post.

At the end of the day, this case is yet another illustration that your circle of Facebook friends affects your privacy. This is just restating the obvious, but it seems like it's worth restating.

I guess we should look at the bright side. At least the government ultimately obtained a warrant, and didn’t just send Facebook an administrative subpoena requesting the information.

Other coverage:

Jeff John Roberts: 'Friends' can share your Facebook Profile With the Government, Court Rules
Evan Brown: No Fourth Amendment violation when government looked at Facebook profile using friend’s account
NY Post: Facebook 'gang-banger' outed to feds when 'friend' turns rat
Cyb3rcrim3: Facebook, “Friends” and the 4th Amendment

Related posts:

The "I Didn't Understand Facebook's Privacy Settings" Argument Isn't Persuasive to Judges--Sumien v. CareFlite
Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim -- Ehling v. Monmouth Ocean Hosp.
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.

Posted by Venkat at 11:41 AM | Privacy/Security



August 14, 2012

Bank Might Bear Loss for Fraudulent Money Transfers Initiated From Its Website--Patco v Ocean Bank (Catch-Up Post)

By Blogging Assistant Jake McGowan (with Venkat's supervision), with a comment from Eric

Patco v. Ocean Bank, 11-2031 (1st Cir. July 3, 2012)

When a scammer siphons money from a customer's online bank account, should the bank or the customer bear the loss? Last year, we blogged about a pair of cases that considered this question and came to differing conclusions, albeit under slightly different portions of the Uniform Commercial Code.

Article 4A of the UCC states that the risk of loss falls on the banks by default, but banks can shift it back to the customer in two ways: (1) by showing the commercial reasonableness of the security procedures they offered, or (2) by showing that the payment was approved in good faith and in compliance with security procedures agreed to by the customer.

In Experi-Metal v. Comerica Bank, a district court in Michigan focused on whether the bank accepted suspicious transfers “in good faith.” The court sided with the customer, finding that Comerica did not act in good faith since it approved the fraudulent wire transfers despite several warning signs. In contrast, in the lower court opinion in Patco v. Ocean Bank, a district court in Maine focused on the other portion of Article 4A: whether the bank’s security procedures were “commercially reasonable.” That district court sided with Ocean Bank, ruling that the security procedures in question were commercially reasonable and thus insulated the bank from liability. Patco appealed the adverse ruling against it.

On July 3, the First Circuit reversed the district court decision and ruled in favor of Patco, holding that Ocean Bank’s online fraud security measures were not “commercially reasonable” under the UCC as codified under Maine law. The court, however, did leave room for Ocean Bank to argue that Patco might have been partially responsible for the loss.

After the First Circuit’s ruling, both this and the Experi-Metal decisions place the risk of loss (or in Patco’s case, the burden of proving the adequacy of security measures) on the bank. Still, questions linger about how and when banks may successfully shift the risk of loss back to the customer.

Background

Patco was a small business that maintained a business account with Ocean Bank’s predecessor. Ocean Bank (and its predecessor, which Ocean Bank acquired during the time period at issue) used a “Premium” multifactor authentication scheme devised by Jack Henry & Associates to protect customer funds from ACH fraud. Along with passwords and device-specific cookies, Ocean Bank utilized “challenge questions” created by the customer as a last line of defense. The questions could be triggered by transactions with high-risk profiles (e.g., an unusual IP address or an unusual time of withdrawal) or by a transaction exceeding a specified dollar amount. Ocean Bank controlled what types of transactions would trigger additional security measures.

The ACH fraud that resulted in loss of the funds occurred after the bank decided to lower the dollar amount triggering the extra security steps from $100,000.00 to $1.00, meaning all Patco transactions triggered the “challenge questions” line of defense against ACH fraud. This increased the challenge questions’ vulnerability to key-logging malware, and thus diluted its protective qualities. As Venkat explained in his initial post on this case, the wrongdoers gained access to the account by installing malware on Patco’s computers. The key question was whether the security measures employed by the bank were commercially reasonable.

The First Circuit’s Ruling

“Commercial Reasonableness” and the One-Size-Fits-All Approach

The First Circuit found that the bank’s security procedures must take into account “the circumstances of the customer” known to the bank. In this case, Ocean Bank did not comply with this mandate because it lowered the challenge question dollar-amount trigger to $1.00. The bank claimed that it lowered the amount to combat low-dollar fraud, but the Court didn’t see that as a valid excuse. Patco’s transfers were typically much larger, so the one-size-fits-all approach would have violated the “circumstances of the customer” requirement anyway.

Ocean Bank also tried to satisfy the requirement by trotting out its risk-profiling procedure, which provides a numeric score based on the risk of fraud associated with the circumstances of a particular transaction. But the court quickly dismissed this line of reasoning, pointing out that Ocean Bank failed to act upon the unusually high-risk profile scores for the specific fraudulent transactions in question.
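As an added example (not the court's, the bank's or Jack Henry's code), the following Python models the two decisions the First Circuit faulted in the Background and in this section: a $1.00 trigger that prompts challenge questions on every routine transfer, set against a trigger tailored to the customer's own transfer history, plus a hold on transfers the risk-profiling step scores as unusual. The transfer amounts, the 0-1000 score scale and the 700 hold threshold are constructed assumptions, not figures from the opinion.

```python
"""Step-up authentication policy modelled on the Patco v. Ocean Bank facts.

Constructed illustration: a policy engine that decides whether a transfer is
allowed, answered with challenge questions, or held for out-of-band review.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    amount: float
    risk_score: int  # constructed 0-1000 scale from the risk-profiling step


@dataclass(frozen=True)
class CustomerProfile:
    name: str
    typical_amounts: List[float]  # recent legitimate transfers known to the bank


@dataclass(frozen=True)
class StepUpPolicy:
    challenge_amount: float          # challenge questions at or above this amount
    hold_score: Optional[int] = None  # hold at or above this score; None = never


def decide(policy: StepUpPolicy, tx: Transaction) -> str:
    """Return 'allow', 'challenge' or 'hold' for one transfer."""
    # Act on the risk score first: a score the profiler flags as unusual should
    # never be resolved by a secret that may already have been captured.
    if policy.hold_score is not None and tx.risk_score >= policy.hold_score:
        return "hold"
    if tx.amount >= policy.challenge_amount:
        return "challenge"
    return "allow"


def customer_policy(profile: CustomerProfile, hold_score: int = 700,
                    multiplier: float = 2.0) -> StepUpPolicy:
    """Tailor the trigger to 'the circumstances of the customer':
    challenge only transfers well above the customer's usual size."""
    usual = median(profile.typical_amounts)
    return StepUpPolicy(challenge_amount=multiplier * usual, hold_score=hold_score)


def prompts_on_endpoint(policy: StepUpPolicy, history: List[Transaction]) -> int:
    """Count routine sessions in which challenge answers are typed on the
    customer's own computer. Each prompt is one more chance for endpoint
    malware to capture the answers, which is why a $1 trigger dilutes them."""
    return sum(1 for tx in history if decide(policy, tx) == "challenge")


def fraud_outcome(policy: StepUpPolicy, tx: Transaction,
                  answers_captured: bool) -> str:
    """Outcome of a fraudulent transfer submitted from a compromised endpoint."""
    decision = decide(policy, tx)
    if decision == "hold":
        return "stopped"  # bank verifies out of band with the customer
    if decision == "challenge" and not answers_captured:
        return "stopped"  # the questions still protect the account
    return "completed"


# Constructed data: a customer whose transfers are typically large, as in Patco.
PATCO_LIKE = CustomerProfile(
    "Patco-like customer", [36_000.0, 37_500.0, 35_250.0, 38_000.0, 36_750.0])
ROUTINE_HISTORY = [Transaction(a, 20) for a in PATCO_LIKE.typical_amounts]

# The bank's configuration after lowering the trigger to $1.00 and, per the
# court, not acting on the profiler's high scores.
ONE_SIZE_FITS_ALL = StepUpPolicy(challenge_amount=1.00, hold_score=None)

# A transfer that the profiler scores as highly unusual (constructed values).
FRAUD_ATTEMPT = Transaction(90_000.0, 790)


if __name__ == "__main__":
    tailored = customer_policy(PATCO_LIKE)
    for label, policy in (("$1 trigger", ONE_SIZE_FITS_ALL), ("tailored", tailored)):
        print(f"{label:>11}: challenge prompts in {len(ROUTINE_HISTORY)} routine "
              f"sessions = {prompts_on_endpoint(policy, ROUTINE_HISTORY)}; "
              f"flagged transfer with captured answers -> "
              f"{fraud_outcome(policy, FRAUD_ATTEMPT, answers_captured=True)}")
```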

Further, the Court went on to suggest that compliance with federal security guidelines would not necessarily qualify the procedures as “commercially reasonable.” While Ocean Bank’s multifactor authentication scheme complied with federal guidelines, its one-size-fits-all security measures were ineffective for Patco, and therefore were not commercially reasonable. In other words, the scheme has to be geared to work for the particular customer.

Together, these passages raise the already high standard set for “commercially reasonable,” and make it harder for banks to shift the risk of loss in ACH fraud cases.

Customers’ Responsibilities in a “Commercially Unreasonable” Security System

While the court held that Ocean Bank could not prove that its security measures were commercially reasonable—and in fact the court said they were unreasonable—the decision also noted that Patco (the customer) might bear some blame for the loss: “Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well[.]” The Court stopped short of stating what those responsibilities might look like, and left those questions for development on remand.

__

From the perspective of the banks, this passage in the Patco ruling may be a sign that they lost a battle but can win the war. Arguably the most important feature of this decision is that it opens the door for an analysis of the customer's security obligations, even where the bank's security system is “commercially unreasonable.” It is unclear how the court will handle such an analysis; an egregious example of employee negligence regarding passwords or challenge questions may shift liability entirely. For example, even though Ocean Bank’s system was “commercially unreasonable,” Patco may have been partially liable for the breach if its carelessness with a password or user ID led to the breach.

On the other hand, a breach of such an obligation might just be a way for banks to mitigate damages, in a contributory negligence style of defense. Until this question is fleshed out in further decisions, it will be too early for either customers or banks to point to this decision as an emphatic victory.

Two other notes: We’ve blogged ad nauseam about data breach plaintiffs who get kicked out of court for lack of standing (not being able to prove harm). This is an easy standing case for the plaintiff for the simple reason that it suffered out-of-pocket loss. It’s also worth pointing out that the risk of loss rules here apply to commercial accounts. As the court footnotes, Reg Z governs consumer accounts (consumers can more easily shift much of the loss to the bank by default). A final question that remains is whether the bank (or more likely insurance company) can go after the security consultant for its own role in advising the bank regarding its security measures—is “premium” protection a guarantee of commercial reasonableness?

As always, both banks and customers should educate themselves about the latest phishing tactics and try to minimize the potential for ACH fraud. It’s nearly impossible to legislate security. In the same vein, an off-the-shelf anti-fraud program will not necessarily protect you against the type of fraud that occurred in this scenario.
_____

Eric's Comment

Neither litigant looks great in this dispute. Patco allegedly got malwared with a keystroke logger, and now it may be trying to foist the economic consequences of that hack onto the bank. On the other hand, the bank is throwing its customer under the bus, even though the bank transferred money when its own security procedures had flagged a problem. As Jake points out, the consumer rules in these circumstances are more favorable. Otherwise, this case would be incredibly chilling for consumer online banking. Even so, I could see Ocean Bank's corporate customers questioning their banking relationship given Ocean Bank's corner-cutting on security, its security procedure failure and its willingness to fight its customer over losses that the bank could have prevented.

Posted by Venkat at 09:23 AM | E-Commerce , Licensing/Contracts , Privacy/Security



August 13, 2012

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

[Post by Venkat Balasubramani]

In re Hulu Privacy Litigation, C 11-03764 LB (N.D. Cal.; Aug. 10, 2012)

Hulu is facing a putative class action alleging that Hulu improperly disclosed the video viewing choices of its users without obtaining consent. Hulu initially argued that plaintiffs lacked standing. Relying on the Ninth Circuit’s decision in First American Fin’l Corp. v. Edwards, the court said that alleging a violation of a federal statute was sufficient to satisfy Article III standing. Now the court looks at whether the allegations state a claim for 12(b)(6) purposes.

Is Hulu a “video tape service provider”? The VPPA only covers the rental, sale, or delivery of “prerecorded video cassette tapes or similar audiovisual materials.” Hulu argued that this language does not cover online providers. The court disagrees. The court looks to the language of the statute and finds that the phrase “similar audiovisual materials” focuses on the content, not the means of content delivery. While the dictionary definition of the word “material” is inconclusive, and everyone agrees that online delivery wasn’t around when the VPPA was enacted, the court looks to the legislative intent:

Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved. The question is whether the mechanism of delivery here – streaming versus bricks-and-mortar delivery – ends this case at the pleading stage. . . . Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects [Hulu’s] argument [that it’s not covered by the statute because the statute does not cover digital distribution].

Other defenses: Hulu raised two other defenses, neither of which the court buys, at least at the 12(b)(6) stage. First, Hulu says that its disclosures fall within the VPPA’s “ordinary course of business” exception. The statute defines ordinary course of business to include “debt collection activities, order fulfillment, request processing, and the transfer of ownership.” Hulu’s disclosures (to Facebook, Doubleclick, QuantCast, Google Analytics, and ScoreCard) do not clearly fall under this definition. No dismissal at the pleading stage based on this defense.

Second, Hulu argued that plaintiffs were not “consumers” as defined by the VPPA. The statute defines consumers as “any renter, purchaser, or subscriber,” and since the proposed class did not involve paying Hulu customers, Hulu argued that they were not consumers. The court disagrees with Hulu, saying that “[i]f Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have said so.”

__

The VPPA has spawned a lot of litigation recently! Facebook’s ill-fated beacon initiative was the first target, but since then, Netflix, Redbox, and Hulu have all been ensnared in VPPA class actions. Interestingly, someone mentioned that books were initially proposed to be part of the VPPA, but at the FBI’s request, were carved out. [Eric's note: books are now covered in California under the Reader Privacy Act.]

To my knowledge, two of the three issues decided in this ruling have not been previously dealt with: (1) does the VPPA apply to purely online service providers, and (2) does it cover non-paying customers. The court could have probably gone either way on this, and the court's conclusion takes the privacy-friendly approach. As interpreted in this manner, the VPPA applies to a wide range of sites, from YouTube to Vimeo. The scope of the proposed class also shows the reach of the VPPA as construed in this manner. The proposed class encompasses people who visited Hulu.com between March 4, 2011 and July 28, 2011 and who viewed video content. Hulu didn’t actually provide a list to third parties of what videos these individuals viewed. It used certain cookies that respawned and were difficult to delete, and disclosed unique identifiers (e.g., Facebook IDs & Hulu profile identifiers). It’s tough to argue based on the allegations in the complaint that Hulu was guilty of some sort of knowing malfeasance. It used a third party ad network that allegedly engaged in aggressive tracking practices and as a result Hulu is potentially on the hook for damages under the VPPA.

I’m somewhat surprised to not see any discussion of the Hulu terms of use. I would expect that, if I register on a free website to view videos, my viewing habits would at a minimum be used for ad targeting. Why this and more was not disclosed and assented to in the terms of service is a mystery to me. I guess some interpret the VPPA to require consent on a movie-by-movie basis and something other than a terms-of-use-based consent. See this post by Wendy Davis that mentions possible amendments to the VPPA that would tweak these requirements to make sharing easier.

Other coverage:

ReadWriteWeb (Nancy Scola): The Hulu Dilemma: How Private is Your Video Playlist?
Forbes (Kash Hill): Court Case Spells Trouble for Frictionless Sharing of Videos on Facebook

Related posts:

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox

Posted by Venkat at 08:43 AM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security



August 08, 2012

Ex-Employee's Access/Misuse of Employer Files States CFAA Claim -- Weingand v. Harland Financial

[Post by Venkat Balasubramani with comments by Eric]

Weingand v. Harland Financial Solutions, C 11 3109 EMC (N.D. Cal.; June 19, 2012)

Weingand involves claims brought by an employee, and proposed counterclaims brought by the employer against the employee. Not surprisingly, the employer tried to assert claims under the Computer Fraud and Abuse Act (and California Penal Code section 502, a state anti-hacking statute). The court grants the employer's motion for leave to amend, finding that the counterclaims would survive a 12(b)(6) motion.

The facts are similar to other employee CFAA cases in the sense that the employer alleges that the employee accessed the network and misused the employer's information, but there’s a small twist. The employee allegedly accessed the employer’s network after he left the company. He gained access to the network by telling the employer that he wanted to access some of his personal files. According to the employer, the employee then accessed some 2,700 business files of the employer, "all of which contained non-public information, copyrighted information, and/or confidential and propriety [sic] information." The big question is whether this constitutes access without authorization, or access in excess of authorization, under the CFAA.

CFAA: The court first addresses whether Harland Financial states a claim under the CFAA. Weingand argued that since he was authorized to access the network, he could not be held liable under the CFAA. Citing to Nosal, Weingand contended that:

[the] level of verbal . . . authorization was irrelevant because the only 'authorization' to which the statute speaks is 'code' authorization (i.e., whether someone is literally blocked from certain files by some security measure such as a password).

The court disagrees and says that Nosal draws a distinction between access and use, not between types of authorization pertaining to access. According to the court, you can be held liable if you access something without authorization, but not if you use information that you were authorized to access in a way that’s unauthorized.

Cal. Penal Code sec. 502: Section 502 is a state anti-hacking statute that was central to Facebook’s claim against Power Ventures. In that case Judge Ware said that a violation of the statute had to be premised on circumvention of technical measures (even circumvention of IP-address blocking could suffice, but there had to be something). Judge Chen declines to follow this approach, instead following Facebook v. ConnectU where Judge Seeborg held that access in violation of Facebook terms using log-in information supplied by registered users was sufficient to state a claim under Section 502. In other words, an employee's violation of an employer's network policy may state a claim under Section 502 because it's the same as unauthorized access.

Other miscellaneous claims: Finally, the court says that the employer's claims for conversion, breach of contract, unjust enrichment, interference with prospective economic advantage, and unfair competition (under California’s UCL statute) would survive a 12(b)(6) motion.
__

A question left open by Nosal is to what extent that decision would gut employer claims under the CFAA. Nosal (and the WEC Carolina Energy case from the Fourth Circuit) seemed to leave open the possibility that, if an employee is not authorized to access certain information at all (even though she is authorized to access "the network"), this may amount to unauthorized access under the CFAA. The court here seizes upon that--Weingand is authorized to access the network but not the information in question. However, it's worth noting that the factual scenario here is somewhat unique because the access occurred after the employment relationship ended (which would support some sort of access-obtained-by-fraud argument on the part of the employer). A similar factual scenario was presented in LVRC v. Brekka where the Ninth Circuit held that (1) access during employment in contravention of a policy is not sufficient to state a CFAA claim, and (2) while post-employment access may support a CFAA claim, the employer in that case failed to present sufficient evidence of post-employment access to withstand the employee's motion for summary judgment.

The court in this case doesn't delve into the precise exchange between the employer and employee relating to the access. Did the employee already have access and merely give the employer the heads-up that he was logging into the network? Had the employer terminated access (and revoked the password) and did the employer reinstate it to allow the employee to access the network? If it's the former, it's tough to make a principled distinction between Nosal (and WEC Carolina Energy) and this case, and the court certainly does not delve into this issue. In any event, as Eric explores below, CFAA jurisprudence remains murky, and as a result, employers will probably re-draft their network policies and continue to push the envelope on CFAA claims.

The fact that the employer here was able to assert numerous other claims illustrates that (as argued by the court in WEC Carolina Energy) the CFAA did not need to be interpreted as expansively as employers contend--i.e., they have adequate other remedies available.
____

Eric's Comments

I think it's safe to declare that the CFAA jurisprudence is officially a mess. (Apropos of this, see this Reuters recap). There are multiple scenarios that the courts keep jumbling up:

Scenario #1: defendant never has authorization to access the protected computer or the information on the protected computer (i.e., the bad hacker scenario)
Scenario #2: defendant does not have authorization to access the protected computer but does have authorization to information on the computer (i.e., maybe this describes the Lori Drew situation)
Scenario #3: defendant has authorization to access the protected computer but doesn't have authorization for information on the computer (i.e., employee misappropriation of trade secrets stored on company computers)
Scenario #4: defendant has both authorization to access the protected computer and information on it

Scenario #1 is the easy CFAA case. Scenario #4 should not result in any CFAA liability. Scenarios #2 and #3 are vexing the courts.

I had thought after Nosal and WEC that Scenario #3 wasn't actionable under the CFAA but would be actionable under the laws protecting the information (such as trade secret misappropriation). This case seems to disagree. This case also seems to imply that employers could simply redraft their employee computer use policies to say that employees aren't authorized to access the computers if they subsequently misuse the information on the computers, and that such a policy would revive the CFAA claim. This drafting workaround seems way too easy.

Another way of reading the situation is that CFAA law distinguishes between non-employees and employees. Perhaps there's no circumstance where employees can violate the CFAA when accessing their employer's computers, but all bets are off the moment they leave employment. If this latter distinction is true, then the CFAA remains a potent threat in the scraping context.

Putting aside the CFAA issues for a moment, what in the world was the employer thinking providing an ex-employee unrestricted/unsupervised access to its computers? This is a huge no-no. Cf. Meyerkord v. Zipatoni; Ground Zero Museum v. Wilson. Even ex-employees who left on the best of terms should not be given this power. At most, the employer should have had an HR person do the downloading him/herself.
____
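The four scenarios above turn on two separate questions that a well-designed system answers separately and logs separately: may this account reach the host at all, and may it read this particular record. The following is an added example (not code from the post, from either court, or from any party to the case) of an authorization check that keeps those two tiers distinct, together with the offboarding check that the ex-employee comment above calls for: a departed user is denied at the host tier regardless of what clearances the directory still lists, and accounts HR says are terminated but the directory still shows as active are flagged. Host names, labels and users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not code from the post or from any party in the case. The two
# checks mirror the two questions the CFAA opinions keep running together:
# (1) may this account reach the host at all, and (2) may it read this record.
# Host names, labels and users below are constructed for illustration.

@dataclass(frozen=True)
class Account:
    user: str
    status: str            # "active" or "terminated"
    hosts: frozenset       # hosts the account may log into
    clearances: frozenset  # data labels the account may read

@dataclass(frozen=True)
class Record:
    name: str
    host: str
    label: str             # e.g. "public", "customer-list", "trade-secret"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str              # "host", "record" or "ok": which check decided
    reason: str

AUDIT = []  # (timestamp, user, host, record, tier, allowed)

def authorize(acct, rec, now=None):
    """Host tier first, record tier second; every decision is appended to AUDIT."""
    now = now or datetime.now(timezone.utc)
    if acct.status != "active":
        d = Decision(False, "host", f"{acct.user} is {acct.status}: no host access")
    elif rec.host not in acct.hosts:
        d = Decision(False, "host", f"{acct.user} may not log into {rec.host}")
    elif rec.label not in acct.clearances:
        d = Decision(False, "record", f"{acct.user} has no clearance for {rec.label!r}")
    else:
        d = Decision(True, "ok", "host and record both authorized")
    AUDIT.append((now.isoformat(), acct.user, rec.host, rec.name, d.tier, d.allowed))
    return d

def stale_accounts(accounts, hr_terminated):
    """Offboarding check: users HR lists as gone whose directory status is still active."""
    return sorted(a.user for a in accounts if a.user in hr_terminated and a.status == "active")

# Constructed roster and records.
FILESRV = "fileserver.corp.example"
SECRET = Record("bid-pricing.xlsx", FILESRV, "trade-secret")
PUBLIC = Record("holiday-calendar.pdf", FILESRV, "public")

OUTSIDER = Account("mallory", "active", frozenset(), frozenset({"public"}))
CLERK    = Account("bob", "active", frozenset({FILESRV}), frozenset({"public"}))
ENGINEER = Account("alice", "active", frozenset({FILESRV}), frozenset({"public", "trade-secret"}))
# Offboarding done right: status flipped, even though hosts/clearances were never edited.
DEPARTED = Account("carol", "terminated", frozenset({FILESRV}), frozenset({"public", "trade-secret"}))
HR_TERMINATED = {"carol", "dave"}
# Offboarding missed: HR says dave is gone, the directory still says active.
FORGOTTEN = Account("dave", "active", frozenset({FILESRV}), frozenset({"public"}))

if __name__ == "__main__":
    for acct in (OUTSIDER, CLERK, ENGINEER, DEPARTED):
        d = authorize(acct, SECRET)
        print(f"{acct.user:8} {SECRET.name:18} {d.tier:6} {d.reason}")
    print("still active but terminated by HR:", stale_accounts([DEPARTED, FORGOTTEN], HR_TERMINATED))
```

The outsider is refused at the host tier (Scenario #1), the clerk reaches the host but is refused the trade-secret record (Scenario #3), and the engineer is allowed both (Scenario #4); what she later does with the file is not an access question at all, which is why the audit row records which tier decided. Note that the departed user is refused on status alone, so nothing depends on someone remembering to edit her clearances.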

Related posts:

Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal
Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures
Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions
No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI
9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal (original panel opinion, vacated on rehearing)
Lori Drew Guilty of 3 Misdemeanor Violations of the Computer Fraud & Abuse Act

Posted by Venkat at 02:30 PM | Privacy/Security , Trespass to Chattels



August 04, 2012

CA Court Confirms that Pineda v Williams-Sonoma (the Zip-Code-as-PII Case) Applies Retrospectively -- Dardarian v. OfficeMax

[Post by Venkat Balasubramani]

Dardarian v. OfficeMax North America, Inc., 11-CV-0947-YGR (N.D. Cal.; Jun. 25, 2012)

The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a zip-code (i.e., retailers cannot ask for zip codes during credit card transactions). The court in that case held that its decision could be applied retrospectively and rejected Williams Sonoma’s arguments that it would be unfair to apply this decision to conduct before the date of the decision. (Here is our prior blog post recapping that case: “California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma.”)

The question in this case was whether OfficeMax offered any better arguments for why the statute should not be applied retrospectively against it. OfficeMax argued that the California Supreme Court’s decision in Pineda was a departure from previous precedent and that OfficeMax had relied on a lower court decision in Party City v. Superior Court, where a court of appeal held that a zip-code does not constitute personal information.

The court says that this is insufficient to escape retrospective application of the statute for several reasons. First, Pineda was a decision from the California Supreme Court and it did not overrule any existing precedent from the same court. Party City was a lower appellate court decision and the California Supreme Court did not sanction the lower court’s approach when it denied review. Moreover, the court finds that the Party City opinion was only around for two years before the California Supreme Court granted review in Pineda and announced the contrary rule. OfficeMax was unable to point to a “near-unanimous body of lower-court authorities” that sanctioned its practice of collecting zip-codes.

In addition to Party City, OfficeMax pointed to one other case it happened to be involved in, in support of its argument that it relied on lower court decisions when it collected zip-codes: Thoms v. OfficeMax. In Thoms v. OfficeMax, the court granted OfficeMax’s demurrer based on the Party City decision. While both Party City and Thoms held that zip-codes are not personal information (and were effectively overruled in Pineda), the court says that OfficeMax did not start collecting zip-code information based on these decisions. It had a long-standing policy of collecting zip-codes and merely continued its practice in light of these two decisions. This isn’t the type of reliance (e.g., a change in behavior) that weighs against retrospective application.

OfficeMax also argued that Pineda granted review on the question of whether “reverse engineering” someone’s address based on their zip-code violated the statute and thus Pineda’s decision to address the larger question of whether a zip-code constituted personal information was a surprise. Although the court ruled on the broader question of whether it was appropriate to collect the zip-code information, OfficeMax argued that the decision in Pineda was unforeseeable. The court disagrees, noting that as early as when the parties filed their briefs in Pineda, the issue of whether a zip-code constituted personal information was on everyone’s radar screen and therefore, there was nothing unforeseeable about the court’s decision in Pineda.

Finally, the court also finds that public policy favors retrospective application of the statute. OfficeMax argued that it had ceased the practice of collecting zip-code information and that it never reverse engineered this information to obtain the addresses of its customers, but the court says that the policy furthered by the statute is to forbid retailers from collecting information that could result in a breach of the customer’s privacy. While the fact that OfficeMax did not reverse-engineer this information may bear on OfficeMax’s culpability, the fact that it collected the information in the first place meant that it engaged in conduct that the statute was aimed to prevent. The court also rejects OfficeMax’s argument that retrospective application would undermine the administration of justice by holding it liable for actions it thought were lawful when it engaged in them. The court says that OfficeMax should have taken the conservative route and not have collected this information in the first place.

__

Pineda was a harsh decision for retailers, and the court’s conclusion in that case was certainly not an obvious one given the language of the statute. Nevertheless, the court in this case does not give OfficeMax a reprieve and says that it should be held to this conduct.

The big take away from Pineda is that collecting seemingly innocuous bits of information that can be reverse engineered can trigger a privacy violation. (For another example of this, see the recent FTC settlement with MySpace, where the agency held that allowing third parties to derive someone’s identity through a unique ID was a privacy violation: “Syncing and the FTC’s MySpace Settlement.”) California is not alone in having this type of legislation directed at retailers in place. Here is a similar example from Massachusetts: “Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores.” (Interestingly, the retailer defeated the plaintiffs' lawsuit in Massachusetts where the court concluded that the collection of information in that case did not result in any harm.)
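As an added illustration (not code from the post or from the litigation) of why a ZIP code counts as a "seemingly innocuous" bit that can be reverse engineered: the name printed on a card is usually ambiguous in a purchased name-and-address directory, but name plus ZIP pins a single row. The directory, the cardholder names and the ZIPs below are constructed; the `uniqueness` helper measures what fraction of the directory a given set of columns identifies uniquely, the usual way to size up a quasi-identifier.

```python
from collections import Counter

# Added example, not code from the post or any party to the case. The
# "directory" is constructed to stand in for the name/address lists that data
# brokers sell; the cardholder names are the kind captured at a register.
DIRECTORY = [
    # (name, street address, ZIP)
    ("Jane Smith",  "12 Elm St",    "94110"),
    ("Jane Smith",  "400 Oak Ave",  "94301"),
    ("Jane Smith",  "9 Harbor Rd",  "02110"),
    ("John Doe",    "77 Pine Ct",   "94110"),
    ("Maria Lopez", "3 Cedar Way",  "94110"),
]

def normalize(name):
    """Card imprints often arrive as 'SMITH/JANE'; fold to 'jane smith'."""
    if "/" in name:
        last, first = name.split("/", 1)
        name = f"{first} {last}"
    return " ".join(name.casefold().split())

def candidates(directory, name, zip_code=None):
    """Directory rows matching the cardholder name, narrowed by ZIP if given."""
    want = normalize(name)
    return [row for row in directory
            if normalize(row[0]) == want and (zip_code is None or row[2] == zip_code)]

def reverse_engineer(directory, name, zip_code=None):
    """The address, if name (plus ZIP) pins exactly one row; otherwise None."""
    rows = candidates(directory, name, zip_code)
    return rows[0][1] if len(rows) == 1 else None

def uniqueness(directory, fields):
    """Fraction of rows uniquely identified by the given column indexes
    (0 = name, 2 = ZIP): a simple quasi-identifier risk measure."""
    key = lambda row: tuple(row[i] for i in fields)
    counts = Counter(key(row) for row in directory)
    return sum(1 for row in directory if counts[key(row)] == 1) / len(directory)

if __name__ == "__main__":
    print("name only:         ", reverse_engineer(DIRECTORY, "SMITH/JANE"))
    print("name + ZIP:        ", reverse_engineer(DIRECTORY, "SMITH/JANE", "94110"))
    print("unique by name:    ", uniqueness(DIRECTORY, (0,)))
    print("unique by name+ZIP:", uniqueness(DIRECTORY, (0, 2)))
```

On the constructed directory, the name alone identifies two rows in five; adding the ZIP identifies all five. That is the whole mechanism the court is worried about, and it works without the retailer ever doing the join itself, since anyone who later gets the (name, ZIP) pairs can.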

OfficeMax made some reasonable procedural and fairness-based arguments for why it should not be on the hook for its past conduct, but given the prophylactic nature of the statute, the court was not persuaded. This illustrates that when it comes to privacy statutes and regulation, while companies have done fairly well overall in defending against privacy lawsuits (numerous lawsuits have been dismissed for lack of harm), companies may want to exercise caution where a statute that specifically prohibits the collection of certain information is implicated.

[cross-posted at IAPP's Daily Dashboard]

Related posts:

Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores
California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma
Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions

Posted by Venkat at 08:30 AM | E-Commerce , Privacy/Security



July 28, 2012

4th Circuit Limits the Reach of the Computer Fraud and Abuse Act – WEC Carolina Energy Solutions v. Miller

[Post by Venkat Balasubramani, with comments from Eric]

WEC Carolina Energy Solutions LLC v. Miller, et al., 2012 WL 3039213 (4th Cir.; July 26, 2012)

We’ve blogged about the Computer Fraud and Abuse Act being stretched by plaintiffs in civil (particularly employment) cases. The Ninth Circuit in Nosal recently gave the statute a more limited interpretation, although it left some things unclear. (Here's our blog post on the Nosal en banc panel opinion: "Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal.") The Fourth Circuit recently followed Nosal’s approach and went one step further. Both of these rulings make it much more difficult for employers to use the Computer Fraud and Abuse Act against departing employees.

Miller worked at WEC. He resigned and made a proposal to a WEC customer on behalf of WEC's competitor, Arc Energy Services. WEC alleged that Miller used WEC proprietary information when he made this presentation and that, at Arc’s direction, he downloaded these materials before he left WEC.

Like most companies, WEC had a policy in place that restricted employees from misusing confidential information and trade secrets. The policy prohibited employees from using WEC information without authorization and also prohibited them from downloading the information to their personal computers. The key question was whether use of information in violation of the policy--but which was obtained from a computer that Miller was otherwise authorized to access--violated the access “without authorization” or “exceed[ed] authorized access” provisions of the CFAA.

The court notes the differing schools of thought on this issue, including the narrower interpretation embraced by the Ninth Circuit in Nosal. Given the CFAA is a criminal statute that also provides for a civil cause of action, the court says it should be construed strictly and courts should avoid interpretations “not clearly warranted by the text” (so potential defendants get fair warning that their conduct is unauthorized). Looking to the dictionary definition of “authorization” and the CFAA’s definition of “exceeds authorized access,” the court says that (1) without authorization refers to a situation where someone is not authorized to access a computer and accesses it, and (2) exceeds authorized access refers to when someone:

Has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. . . . Notably, neither of these definitions extends to the improper use of information validly accessed.

WEC pushed the position embraced by the original Nosal panel (that was subsequently vacated on rehearing) that inclusion of the word “so” in the definition of exceeds authorized access referred to the manner of access. Under this theory, if you violate a company policy when you use information, you have accessed the information “in a manner” you were not authorized to. The Fourth Circuit says this conclusion is a “non sequitur.” In any event, the Fourth Circuit says that the Ninth Circuit’s en banc decision abandoning this approach made more sense.

The Fourth Circuit actually goes one step further and says that although Miller and the other defendants downloaded the information to their personal computers (which is arguably a “manner of access” expressly not authorized under WEC’s network policy and may even under the Nosal en banc panel's approach be enough to state a claim), even this is insufficient to state a cause of action under the CFAA. The Fourth Circuit says that inclusion of the word “so” in the definition of “exceeds authorized access” could just be a connector or included for emphasis, and doesn’t necessarily indicate an intent to prohibit the manner of access. Given that this is a criminal statute, the court is reluctant to construe it in a way that creates liability where the language is not 100% clear. (The court also notes that Nosal’s approach—that focuses on the manner of access—would capture the well intentioned employee who has no fraudulent intent but happens to download materials to his or her personal computer in order to work from home.)

The court also expressly rejects the “cessation-of-agency” theory espoused by the Seventh Circuit. Under this theory, if you use the network in breach of your implied duties, or you technically violate the policy and therefore are no longer authorized to utilize your employer’s network, your ongoing access of your employer’s network is in violation of the CFAA. The court says that this approach would suck in “millions of ordinary citizens” who happen to check Facebook or sporting event scores while at work.
_____

As the court acknowledges at the end of its opinion, this basically (mostly) shuts the door on employers using the Computer Fraud and Abuse Act against employees. While acknowledging that the decision "likely will disappoint employers hoping for a means to rein in rogue employees," the court notes that employers are not necessarily out of luck. They have a panoply of other claims available to them, including misappropriation of trade secrets, conversion, tortious interference, and civil conspiracy.

I'm not a Court watcher, but the CFAA cases were long thought to have been likely candidates for Supreme Court review, given the differing interpretations of the Circuit courts. I would think this case makes the possibility of such review even more likely.

I'm curious about how this case affects the availability of a CFAA claim in the scraping context. I thought the court's comment about the viability of a CFAA claim where an employee is authorized to access a computer or network but not necessarily authorized to access certain categories of information left things somewhat unclear. Is the court talking about technical restrictions on the access to information or a policy-based restriction? Obviously the latter approach still leaves some room for employers to limit authorization for the access to information by certain employees and bring CFAA claims when these employees access such information.
_____

Eric's Comments

1) This case answers one of the open questions from the Nosal case: was Nosal limited to criminal CFAA prosecutions, or would it extend to civil cases as well? Following in Nosal's footsteps, this court interprets the civil CFAA claim narrowly in light of the statute's criminal angle. This bodes well for reining in the CFAA's footprints across all types of CFAA cases, not just employment cases.

2) Overall, this case illustrates how the CFAA wasn't designed for the employment context, and especially not for an era when many employees have company-issued computing devices (computers, laptops, tablets, PDAs, cellphones, etc., etc.). Like Nosal, this court implicitly rejects the argument that the CFAA automatically regulates the workplace simply because everyone uses company-supplied technology as part of their ordinary work patterns.

3) As a result, although plaintiff lawyers will keep pleading CFAA in employment cases for years, I think we're nearing the end of the CFAA as a standard claim in employer lawsuits against ex-employees.

4) While that may be good news, readers should pay close attention to the Protecting American Trade Secrets and Innovation Act of 2012. Perhaps the bill will go nowhere, but if it does, it would be a major step towards creating a general purpose federal cause of action for trade secret misappropriation. So as the CFAA wanes in importance in the employment context, a new federal trade secret claim ultimately could eclipse it.
_____

Other coverage:

Fourth Circuit: Computer Use Policies Don't Create CFAA Liability (Tom O'Toole)

Related posts:

Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal
Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures
Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions
No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI
9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal (original panel opinion, vacated on rehearing)
Lori Drew Guilty of 3 Misdemeanor Violations of the Computer Fraud & Abuse Act

Posted by Venkat at 09:14 AM | Privacy/Security , Trade Secrets , Trespass to Chattels



July 25, 2012

Franchisor Isn't Liable Under the TCPA for Franchisees' Text Message Campaign – Thomas v. Taco Bell

[Post by Venkat Balasubramani with comments from Eric]

Thomas v. Taco Bell Corp., SACV 09-01097-CJC(ANx) (C.D. Cal.; June 25, 2012)

Thomas allegedly received unauthorized text messages as part of an advertising campaign for Taco Bell's Nachos BellGrande ("[a] large platter of crisp, freshly prepared tortilla chips covered with hearty beans, seasoned ground beef, warm nacho cheese sauce, diced ripe tomatoes, and reduced fat sour cream"--I'm sure they taste as glorious as they sound).

The text messages in question were organized by the “Taco Bell Local Owners Advertising” association, an Illinois entity comprised of 12 owners of Taco Bell stores in the Chicago area. The Association retained ESW Partners, an advertising agency, who then contracted with ipsh!net, who actually sent the messages. Taco Bell Corp., the national franchisor, had some influence over the Association’s activities through a seat on the Association’s Board of Directors, and control of the pursestrings (the funds that were used by the Association for advertising were controlled by a division of the national franchisor). While the Association was free to conduct its own separate advertising, where funds from Taco Bell (the franchisor) were used to pay for a campaign, approval from Taco Bell was required. In this case, a division of Taco Bell ended up paying for the advertising campaign.

Thomas sued several different entities in the chain alleging violations of the TCPA, but amended the complaint to name only two defendants: Taco Bell (the national franchisor) and the Association. The Association was dismissed on jurisdictional grounds. Another defendant was dismissed earlier on jurisdictional grounds as well. The key question was whether Taco Bell (the franchisor) could be on the hook for any alleged TCPA violations.

The court says that the TCPA imposes liability on someone who actually “makes” a call that violates the statute. While Thomas argued that the TCPA also imposes liability on someone on whose behalf the call was made (i.e., any party that “receives benefit from the text message”), the court says that the language and intent of the TCPA do not envision derivative liability on such a broad standard. In the absence of a specific basis of vicarious liability, traditional (agency) standards govern. A principal-agent relationship, the court says, “means more than passive permission; it involves request, instruction, or command.”

The court says that Thomas’s evidence falls short in this regard. Thomas did not present any evidence that Taco Bell (the franchisor)

directed or supervised the manner and means of the text message campaign conducted by the Association, and its two agents, ESW and ipsh!. She presented no evidence . . . that Taco Bell created or developed the text message. Nor did she present any evidence . . . that Taco Bell played any role in the decision to distribute the message by way of a blast text.

Thomas argued that the existence of a policy under which Taco Bell would pay for the Association’s advertising demonstrated that Taco Bell controlled the advertising, but the court says that approval of the campaign is different from control over “the manner of marketing”. Thomas also argued that the presence of a Taco Bell employee on the Association’s Board of Directors and the fact that the employee cast a vote to approve this campaign also reflected the requisite control. The court says this is insufficient to create the type of agency relationship required for derivative liability under the TCPA. Thomas tried to marshal some other evidence in support of agency liability, but the court says this is all anecdotal and doesn’t reflect Taco Bell’s control over the means of marketing.

__

This could be somewhat of a blockbuster ruling under the TCPA. The big TCPA case out of the Ninth Circuit didn’t rule on derivative liability but made it painfully easy to sue anyone who sent an unsolicited text. (See Satterfield v. Simon & Schuster.) Incidentally, ipsh!, the entity that sent the messages in this case, was also involved in Satterfield and was actually a defendant in that case, but the Ninth Circuit did not delve into the relationship between ipsh! and Simon & Schuster from the standpoint of legal liability.

In the context of unsolicited text messages, Satterfield has been a boon for plaintiffs, and they have taken full advantage of the resulting litigation bonanza. We've blogged a bunch about TCPA cases, but this post from Tom O'Toole talks about a hockey team being sued for sending text messages ... to its fans!

The big question this case raises is whether this is just an instance of a plaintiff not having the right defendant available on the other side of the v., or whether it somehow changes things as far as plaintiffs’ attempts to hold advertisers—rather than their marketing agencies—liable. I would think it’s more of the former. Here, the plaintiffs sued multiple entities and at one point amended the complaint to name only the parent entity and the association. I'm not 100% clear as to why the plaintiff did not name ipsh. (It's possible plaintiffs settled with ipsh or there's some other explanation, other than the obvious issue of personal jurisdiction, for why the franchisor and association ended up being the only defendants.)

Interestingly, plaintiffs have been stymied consistently in trying to smack defendants with affiliate liability in lawsuits under CAN-SPAM. (See the cases mentioned in this post.) Might we see a similar dynamic play out in future TCPA lawsuits? (See also Anderson v. Domino's Pizza, Inc., et al., for a similar result under state law in a text spam case brought in Washington.)

FWIW, I predict this one will be appealed.
_________

Eric's Comments

Even though Ipsh wasn't in the courtroom, the ruling throws Ipsh under the bus, saying that Ipsh pushed the button on the campaign and therefore would be the prime mover behind any TCPA violation. If the campaign violated the TCPA, Ipsh would have been legally liable--perhaps along with other defendants, but possibly as the only defendant left holding the bag. Ipsh can try to put into place an airtight indemnity agreement with its customers (though those are rarer than unicorns), but this ruling can't be a confidence-booster about the vitality of its text-messaging business line. I further wonder if this ruling will spook the marketing services companies providing email campaign outsourcing? They are governed by a different statute, but they too are the ones who "push the button."

Meanwhile, assuming the facts are true, I don't understand how this text-messaging campaign got greenlighted given the obvious legal risks. Sure, it would be great to reach texting young adults who have the munchies via their most precious device, but text-messaging campaigns are always fraught with legal peril. When you add in the Grande legal costs of defending the resulting lawsuits--and the plaintiff lawyers love these kinds of lawsuits--the per-text-message costs of reaching 17,000 consumers never had a chance of being profitable no matter what the conversion rate of such ads. Plus, this isn't Taco Bell's first ride at the text-messaging litigation rodeo.

To me, the message is clear: text-messaging ad campaigns are lawsuit bait. Until the law becomes clearer and more favorable, marketers should permanently retire text-messages from their marketing campaign toolkits.

Related posts:

Group Text Services Grapple with TCPA Class Actions
Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster
Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage
Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank
Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.
Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp.
Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC
Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell

Posted by Venkat at 09:45 AM | Content Regulation , Derivative Liability , Marketing , Privacy/Security , Spam



July 23, 2012

Ex-Spouse Hit With 20K in Damages for Email Eavesdropping – Klumb v. Goan

[Post by Venkat Balasubramani]

Klumb v. Goan, 09-cv-115 (E.D. Tenn.; July 19, 2012)

Klumb, described by the court as “a wealthy man,” met and married Crystal Goan, a law student who later became a lawyer. As the court describes it, the relationship was “fraught with concerns of fidelity from the very beginning.” Before the two were married, Goan purchased Spectorsoft’s eBlaster product. She surreptitiously installed copies of eBlaster on office computers that Klumb regularly used. As the court notes, eBlaster is a software program “that can perform various spyware functions.”

Goan used eBlaster to keep track of Klumb’s emails. She also intercepted three emails sent to Klumb and altered the emails to make it look like “[the sender] and [Klumb] were having an affair.” Apparently a finding of infidelity altered the split of property between the parties under the prenuptial agreement in place between the parties and under an agreed order entered in the divorce case that was initiated when the marriage soured. (As a sidenote, the court finds that after Klumb and Goan signed the agreed order, “defendant substituted one or more pages of the agreed order with new pages which included paragraph 5 [the part of the agreement that altered the property split upon a finding of infidelity].” While the installation of eBlaster and email snooping was bad enough, the court's discussion about the various versions of the agreed order and the prenuptial agreement does not paint Goan in a very positive light.)

The court takes into account the overall context of the dispute, and after noting that focusing a “wide lens” on the dispute will result in the “regrettable and unavoidable airing of dirty laundry,” recounts the factual background and testimony in painful detail.

As far as the legal issues, the court does not have any trouble finding that Goan’s interception of Klumb’s email violates the federal Wiretap Act and its Tennessee counterpart. Goan argued that the software did not intercept Klumb’s emails while they were in transit, but citing to US v. Szymuszkiewicz the court says that interception contemporaneous with receipt is interception just the same. The court rejects Goan’s defenses based on consent and based on the divorce settlement between the parties.

The court awards statutory damages in the amount of $10,000. Klumb asked for a greater statutory amount--a separate damage award for each instance in which Goan installed eBlaster on Klumb’s computers--but the court says that a plaintiff can only get more than the $10,000 statutory amount if “violations . . . occurred on more than one hundred separate days.” The court also tacks on $10,000 in punitive damages based on Goan’s “egregious conduct,” and awards Klumb fees and costs.

__

There’s not a whole lot to say about this dispute. Spouses (and girlfriends/boyfriends) should resist the temptation to eavesdrop on email. Just don’t do it! It goes without saying that if you’re a lawyer you should pay particular attention to this admonition. Also, the scenarios in which use of software such as eBlaster is legally in the clear are probably much narrower than you think. It’s worth consulting with a lawyer before deploying this software (although in this situation it probably would not have helped, given that Goan was herself a lawyer).

A final note is that we’ve seen a few cases of email eavesdropping where liability was established but the damage awards ended up being less than blockbuster (Pure Power Boot Camp v. Warrior Fitness Boot Camp; Van Alstyne v. Electronic Scriptorium; see also Hillstone Restaurant Group v. Pietrylo).

Related posts:

Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft
Ex-Employees Awarded $4,000 for Email Snooping by Employer -- Pure Power Boot Camp v. Warrior Fitness Boot Camp
Court: Husband's Access of Wife's Email to Obtain Information for Divorce Proceeding is not Outrageous
Minnesota Appeals Court Says Tracking Statute Excludes Use of GPS to Track Jointly Owned Vehicle -- State v. Hormann
NJ Appeals Court: No Privacy Violation When Spouse Uses GPS to Track Vehicle -- Villanova v. Innovative Investigations, Inc.

Posted by Venkat at 04:41 PM | Evidence/Discovery , Privacy/Security



July 19, 2012

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action -- Low v. LinkedIn

[Post by Venkat Balasubramani]

Low v. LinkedIn, 11-CV-01468-LHK (N.D. Cal.; July 12, 2012)

This case involves the fact that LinkedIn put users' unique identifiers into its URLs, so that when a user clicked a link on LinkedIn, the referrer URL passed to the destination carried that identifier, allowing advertisers (and others) to associate the unique identifier with the user--and, potentially, access the info on their profile pages. Judge Koh had previously dismissed the case with leave to amend. Low amended his complaint, and the second time around Judge Koh dismisses it with prejudice. Here’s our blog post on the initial dismissal of the lawsuit: LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn.
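The leak described above is a browser mechanism, not anything specific to LinkedIn: whatever is in the page's URL travels to a third party in the Referer header of every request that page triggers, unless a Referrer-Policy trims it. The following is an added example (not LinkedIn's code and not from the opinion) that models what a third-party ad server sees under several policy values and shows the two fixes: set a policy that strips the path and query on cross-origin requests, or, better, never put the identifier in the URL at all. Hosts, the `id` parameter name and the member number are constructed; the post does not describe the real site's URL layout. The model is simplified to https-only pages, so the policy's downgrade cases never arise.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Added example, not LinkedIn's code or anything from the opinion. Parameter
# names, hosts and the member id below are constructed; the real site's URL
# layout is not described in the post.
ID_PARAMS = {"id", "memberid", "uid"}   # hypothetical identifier parameter names

# Constructed: the page the user is on, carrying their own identifier in the
# query string, and a third-party ad server the page loads a pixel from.
PAGE_URL = "https://www.social.example/profile/view?id=12345678&trk=nav_profile"
AD_PIXEL = "https://ads.adnet.example/pixel.gif?campaign=42"

def referer_for(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Model the Referer a browser sends for a request from page_url to
    request_url under a Referrer-Policy value. Simplified: https only, so the
    'downgrade' cases never arise; the fragment is always dropped."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    origin_only = urlunsplit((page.scheme, page.netloc, "/", "", ""))
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    if policy == "no-referrer":
        return None
    if policy in ("origin", "strict-origin"):
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy in ("origin-when-cross-origin", "strict-origin-when-cross-origin"):
        return full if same_origin else origin_only
    if policy in ("no-referrer-when-downgrade", "unsafe-url"):
        return full
    raise ValueError(f"unknown policy {policy!r}")

def ids_in_referer(referer):
    """What the third party can recover from the Referer it receives."""
    if not referer:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()
            if k.lower() in ID_PARAMS}

def strip_identifiers(url):
    """Server-side fix: keep the identifier out of the URL so the Referer has
    nothing to leak whatever policy the browser applies."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k.lower() not in ID_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(PAGE_URL, AD_PIXEL, policy)
        print(f"{policy:32} Referer={ref!s:55} leaks={ids_in_referer(ref)}")
    print("identifier-free page URL:", strip_identifiers(PAGE_URL))
```

Under the 2012-era browser default (`no-referrer-when-downgrade`) the ad server receives the full page URL and the member id with it; under `strict-origin-when-cross-origin`, which is what current browsers default to, it receives only the origin. The policy fix depends on every browser honouring it and on the site remembering to set it, which is why stripping the identifier from the URL is the durable answer: a session cookie or a server-side lookup keeps the same functionality without putting the id where the Referer can carry it.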

Standing: citing to Edwards v. First American Corp. and Jewel v. NSA, the court says that plaintiffs have alleged violations of statutory rights as well as (state) constitutional rights and get over the standing hurdle.

Stored Communications Act: Plaintiffs’ claims under the Stored Communications Act require them to show that LinkedIn provides either “remote computing services” or “electronic communication services.” The court also says that the analysis looks to whether LinkedIn was acting in this capacity with respect to the particular information that was allegedly wrongfully disclosed. In this case, the court concludes that LinkedIn was not functioning as a remote computing service with respect to the LinkedIn user ID and the URL of the profile pages that the user used to view third party profiles. The unique IDs are created by LinkedIn for its own purposes and are not sent to LinkedIn for storage or processing by plaintiffs.

Invasion of Privacy: The court says that invasion of privacy claims must meet “high standards” for the types of invasion that are actionable—“there must be an egregious breach of the social norms underlying the privacy right.” The court says that disclosure of the LinkedIn ID and the profile page is not the type of information that amounts to a serious invasion. Additionally, although plaintiffs claimed that the information could be used to glean plaintiffs’ browsing history and used to identify plaintiffs, there was no allegation that this actually occurred.

False advertising law: Plaintiffs failed to allege reliance on any purported misrepresentations by LinkedIn. Although one of the named plaintiffs had paid for a premium LinkedIn subscription and satisfied the monetary loss elements, the court still finds that there was no allegation that plaintiffs viewed any representations within LinkedIn’s privacy policy and made a purchasing decision based on these representations.

Breach of contract: Plaintiffs’ breach of contract claims fail because they have not alleged sufficient damages. The sole basis for damages is the loss in value to plaintiffs’ information. The court again reiterates skepticism that this information has value in plaintiffs’ hands to begin with, but she says that even if it does, any sort of diminution in value would not be a cognizable form of contract damages.

Other claims: The court also dismisses the claims for conversion (browsing history and personally identifiable information is not property); unjust enrichment (no standalone claim); and negligence (no damages).
__

In his comments to the original post about this case, Eric noted that this was a “low-merit” privacy lawsuit that had little chance of success the second time around. Sure enough, Judge Koh dismantles plaintiffs’ claims and sends them packing.

It’s worth noting that the FTC’s enforcement action against MySpace involved allegations against MySpace that were somewhat similar to the plaintiffs’ allegations against LinkedIn in this case: in both situations, the companies involved allowed third parties to tie the user’s unique identifiers with their public profiles. (See Ed Felten’s blog post on the MySpace settlement--"Syncing and the FTC's MySpace Settlement"):

What made the possible syncing problematic in the case of Myspace was that (1) Myspace enabled ad networks to use Myspace’s Friend ID pseudonym to get personal information about the associated user, and (2) Myspace promised its users that it would not share that personal information with third parties.

The FTC has been increasingly aggressive in its enforcement actions around the privacy practices of online entities. While the court ruled that LinkedIn could not be held liable in a civil lawsuit brought by plaintiffs, it’s an open question as to whether these practices could land it in the crosshairs of the FTC.

Other coverage:

InsidePrivacy: Low Case Against LinkedIn Dismissed In Its Entirety
FourthAmendment.com: N.D.Cal.: LinkedIn not a remote computing service and does not provide electronic communication services, so it can't be sued under SCA

Related posts:

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 08:57 AM | Licensing/Contracts , Marketing , Privacy/Security , Publicity/Privacy Rights



July 13, 2012

Court Dismisses Data Breach Claims Against Countrywide – Holmes v. Countrywide

[Post by Venkat Balasubramani]

Holmes v. Countrywide Financial Corp., et al., 08-CV-00205-R (W.D. Ky.; July 12, 2012)

In August 2008, a Countrywide employee engaged in a scheme to steal confidential customer information from Countrywide. An investigation found that the employee gained access to data from 2.4 million loan customers, and sold this information to unknown third parties for the whopping amount of $70,000. Countrywide sent notification letters to affected customers and offered two years worth of free credit monitoring.

Countrywide was hit with several class action lawsuits as a result of this data breach. The lawsuits were consolidated and eventually settled. Holmes and some members of his proposed class objected to the settlement which the court approved, notwithstanding the objections. Eventually, Holmes and Stiers (and their spouses) filed their own non-class complaint against Countrywide. One of the plaintiffs purchased credit monitoring services. The other expended sums for changing their telephone numbers due to the increased volume of telemarketing calls they received.

Standing: The court says that plaintiffs have standing under Sixth Circuit law (also citing to Krottner v. Starbucks). The credit monitoring and money spent to change the telephone number were sufficient to satisfy injury for Article III standing purposes.

The Merits: Plaintiffs don’t fare so well on the merits.

Risk of future identity theft:

It is an understatement to say that courts are skeptical of litigants’ claims for risk of future identity theft . . . . The animosity toward these types of lawsuits encompasses the most common scenarios where financial information is put at risk: instances where personal information is lost or misplaced through carelessness . . . and instances where criminals penetrate a company’s computer system and steal information.

The court cites to Pinero v. Jackson Hewitt as a prime example of this skepticism and also notes that Kentucky and New Jersey law both preclude recovery for speculative or illusory damages.

Credit monitoring:

The court says that credit monitoring expenses are not recoverable as a general rule: “[c]onstruing the reach of state law and the requirements to show a compensable injury, case after case has discarded claims by litigants to collect damages for the electronic monitoring of their financial accounts and credit history.”

The court says that some courts have allowed recovery for prophylactic measures by analogy to medical monitoring cases. However, Kentucky law does not allow recovery for risk of future injury, and federal courts construing New Jersey law have expressly rejected recovery for credit monitoring payments. Plaintiffs relied heavily on the Hannaford Brothers case, but the court distinguishes that case on the basis that in Hannaford, fraudulent charges were made to plaintiffs’ accounts, forcing them to pay fees for replacement cards (and other bank fees). In contrast, in this case, there was no allegation of such misuse (a single loan application in one of the plaintiffs’ names was rejected) or out of pocket loss to plaintiffs.

Telephone cancellation fees:

The court says it’s unable to find any legal theory under which plaintiffs can recoup their phone cancellation fees. The court cites to a slew of cases holding that an increase in spam or unwanted calls is not compensable injury. In light of this, “[t]he court struggles to grasp how the cancellation of [plaintiffs’] telephone services to avoid the calls would be compensable . . . .”

Time spent monitoring credit:

Finally, the court says that time spent by plaintiffs monitoring credit also cannot form the basis of any legally compensable injury.

Causes of action:

After going through the categories of injury, the court ends up rejecting the causes of action asserted by plaintiffs: (1) unjust enrichment (plaintiffs can’t bring an unjust enrichment claim where there’s a contract and no breach of the agreement); (2) fraud (“the only financial damages [plaintiffs] suffered were self inflicted”); (3) breach of the duty of good faith (no injury); (4) data breach notification statutes (no private cause of action); (5) consumer fraud laws (no loss other than attorneys’ fees); and (6) Fair Credit Reporting Act (no consumer reports were “furnished” by Countrywide).

__

A fairly predictable result, given the precedent that has been built up over the past five or so years. No out of pocket loss equals no recovery. As I mentioned in my post about Hannaford, I would characterize that case as a “slight” win for the plaintiffs, and the result here bears that out. That case was not of much help to these plaintiffs. The class settlement probably did not provide much by way of monetary relief to the class, but these plaintiffs would have been better off opting in.

Previous posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal

Posted by Venkat at 04:08 PM | Privacy/Security



July 11, 2012

"Cloud Computing: Is Anything Private?" Talk Notes

By Eric Goldman

Last month, I spoke at Cal State Northridge to a group of academic computer users (i.e., faculty and staff) on the topic of "Cloud Computing: Is Anything Private?" My talk slides. Check out my "fun" with PowerPoint's clip art/photos!

I didn't pick the talk title, but it was a little liberating to step back and discuss the implications of being users of cloud services. As you may recall, I've had my issues with cloud services, such as my fracas with Scribd when it put users' older documents behind a Scribd paywall and vitiated the entire point of using Scribd (i.e., to archive documents for public consumption). I also gave the examples of Kodak Gallery blackmailing photo-hosting users to pay up or their photos go offline (my collection of 200+ photos from my 2008 trip to the Arctic National Wildlife Refuge were the casualty of that one) and when Pandora inadvertently disclosed playlists to the world at large. Furthermore, I called out Twitter as an example of a vendor I trust (although after their anti-user move to cut off LinkedIn's app, I'm not so sure), and I called out Facebook as a vendor that regularly provides textbook examples of what cloud vendors shouldn't do.

Posted by Eric at 04:45 PM | Privacy/Security | TrackBack



July 09, 2012

Court Orders Production of Five Years' Worth of Facebook and MySpace Posts – Thompson v. Autoliv

[Post by Venkat Balasubramani]

Thompson v. Autoliv ASP, Inc., et al., 09-cv-01375-PMP-VCF (D. Nev.; June 20, 2012)

Another discovery dispute over social networking evidence.

Thompson was involved in an automobile accident and suffered serious injuries. She asserted that she suffered a range of injuries and damages, including: ongoing medical treatment, therapy, a lost scholarship, the loss of ability to play the violin, emotional distress, depression, emotional volatility. Among other defendants, she sued the seatbelt and airbag manufacturers.

One of the defendants said it obtained wall posts and photographs from plaintiff’s “public Facebook profile” that depicted things including the following:

(i) Plaintiff's ability to swing on a swing set, dance, and engage in water sports; (ii) Plaintiff's ability to care for children and pets; (iii) Plaintiff's social activities, including consumption of alcohol, bowling with friends, and late night partying; (iv) Plaintiff's sleeping habits; (v) Plaintiff's personal relationships; (vi) Plaintiff's post accident physical recovery; (vii) Plaintiff's employment; (viii) the effect of Plaintiff's medications on her emotional, physical and sexual habits; (ix) offers by Plaintiff to share medications with others; and (x) Plaintiff's enrollment in institutions of higher education.

Defendant sought everything from plaintiff’s Facebook and MySpace account (wall posts, photographs, and messages from April 2007 to the present). In response, plaintiff provided a redacted copy of her Facebook account history and a few photographs. Defendant also sought to require plaintiff to produce her account for in camera inspection.

The court rejects the request for in camera inspection, but it says that based on the photographs and materials defendant already obtained, the requested materials from plaintiff’s Facebook account are clearly relevant. The court also notes that there is no applicable privilege. Nevertheless, the court acknowledges that litigation does not permit “complete and open public display of plaintiff’s life.” The court says that it’s appropriate to balance defendant’s need for the information against plaintiff’s rights under Rule 26 (to be free from annoyance, embarrassment, oppression, or undue burden in discovery).

The court orders plaintiff to disclose (to defense counsel only) all information from her Facebook and MySpace accounts in an electronic storage device along with an “index of redacted social networking site communications.” If defense counsel believes that material is relevant but hadn’t been previously provided, defense counsel should provide a list to plaintiff of such materials. If plaintiff disagrees and thinks those materials should not be discoverable, then the parties shall submit the material to the court for review along with their arguments as to discoverability. Defense counsel shall return the storage device and not disclose or copy the material.

___

Virtually every court to have addressed the issue agrees that something is not off-limits just because it's posted to Facebook and also that a party seeking discovery of social networking information should not be allowed to "rummage around" in the other party's account. Here there was a threshold showing of relevance, interestingly through access of publicly available photos and posts, and the issue in front of the court was a logistical one. Courts have tackled this logistical issue in a variety of ways, ranging from offering to friend the party whose account is at issue to requiring the party to turn over the passwords to opposing counsel. The court's solution in this case seems like a preferable method, although there are two drawbacks: (1) the defense lawyer is not supposed to turn over any information to the client, but lawyers and clients sometimes do not respect these boundaries in practice; and (2) the lawyer may be exposed to information that he or she would not appropriately have access to in discovery which may provide an unfair advantage with respect to categories of embarrassing or private information that may otherwise be off-limits.

I still think some sort of "index" is the best route, where the party whose information is sought produces something similar to a privilege log, and the party seeking discovery can argue why certain entries or photos should be produced.

[NB: I wasn't entirely clear on what the court meant by the "index of redacted social networking communications."]

Added: Bruce Boyden (@ Madisonian) has a post "detailing exactly what’s wrong with an order compelling production of an entire social networking account. . . ." ("The Proper Procedure for Facebook Discovery, Part I"). Also, Molly DiBianca has a post on a different Facebook discovery dispute (Trail v. Lesko): "Access to a Party’s Facebook Account During Discovery."

Previous posts:

"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

Other posts on social media evidence undermining a litigant's position

* Protip: Kegstands and Vertigo Are Inconsistent With Each Other--Johnson v. Ingalls
* Social Media Photos Foil Yet Another Litigant--Clement v. Johnson's Warehouse
* YouTube Video Impeaches Witness' Credibility--Ensign Yacht v. Arrigoni
* Facebook Entries Negate Car Crash Victims' Physical Injury Claims
* Contrary MySpace Evidence Strikes a Litigant Again--HAC, Inc. v. Box
* MySpace Postings Foil Another Litigant--Sedie v. U.S.
* Disturbingly Humorous MySpace Posts Used as Impeaching Evidence in Spousal Abuse Case--Embry v. State
* Latest Example of Social Networking Site Evidence Contradicting In-Court Testimony--People v. Franco

Other coverage:

K&L Gates: Court Orders Production of Five Years of Content from Facebook, MySpace for Opposing Counsel's Review

Posted by Venkat at 10:19 AM | Evidence/Discovery , Privacy/Security



July 06, 2012

H1 2012 Quick Links, Part 3 (Advertising & Privacy)

By Eric Goldman

Advertising

* Gomez-Jimenez v. New York Law School: False advertising lawsuit against NYLS dismissed. Rebecca's coverage.

* Marketing Land: Pew Survey: 68% View Targeted Ads Negatively; 59% Have Noticed Targeting.

Partially related: Search Engine Land: Pew Report: 65% View Personalized Search As Bad; 73% See It As Privacy Invasion.

* Britain’s ASA holds an advertiser liable for user-posted YouTube videos.

Related: Cogent Solutions Group, LLC v. Hyalogic, LLC, 2012 WL 1083513 (E.D. Ky. March 30, 2012): "CSG cannot meet the high threshold of clear and convincing evidence to show that Hyalogic was responsible for posting the YouTube video. Hyalogic contends that the video was posted by an unrelated Malaysian company that was “acting independently” and uploaded the YouTube video to the Internet “without permission.”…CSG argues that Hyalogic's website provides contact information for many international retail partners, including partners located in Malaysia….This listing of “retail partners” referencing companies in Malaysia on Hyalogic's website merely supports a weak inference; it does not prove by clear and convincing evidence that Hyalogic caused the YouTube video to be uploaded to the Internet when the affidavit of Landis directly refutes this assertion. Landis states, “Hyalogic did not cause that video to be posted on YouTube—it was posted, without permission, by [a] user with the screen name “purewhiteclean,” operated by a Malaysian company which sells Hyalogic's products (the company is otherwise unrelated to Hyalogic).”…CSG offers no evidence, other than its own speculation, to show that this company is related to Hyalogic."

* AdAge: Class action lawyers are trolling through NAD proceedings looking for cases.

Related: Technology Review: Why Privacy Is Big Business for Trial Lawyers

* More evidence that search advertising provides substantial incremental lift in organic search referrals. Related from Search Engine Land: "even when advertisers show up in the number one organic search result position, 50% of clicks they get on ads are not replaced by clicks on organic search results when the ads don’t appear."

* Marketing Land: Study suggests clicks on display ads have almost no correlation with conversion.

* AdWeek: SheKnows.com editors caught encouraging staffers to click on ads shown on the website.

* Ascentive settles false advertising lawsuit that it was "scareware" for $9.6M.

* Adscend settles “clickjacking” lawsuit by Facebook. It also settled with the Washington state regulators for $100k, which Adscend claimed was a win for it.

Privacy

* Slaughter v. Aon Consulting, 10C-09-001 (Del. Superior Ct. Jan. 31, 2012). Dismissing a class action over a data breach because of "nationwide credit card theft trends, the potentially catastrophic effect of data breaches, and Chinese hacking methods. While Stump raises reasons for concern, his report never states Aon’s breach caused Plaintiffs’ actual harm, nor does it show there is a probability that harm will occur. No named plaintiff has suffered an actual, demonstrated injury."

The court continues: "In summary, the string of dismissals is unbroken. No court has allowed a similar case to go to trial. The fact that there is a string of cases is troubling. Perhaps, the legislature or the Restatement needs to consider this problem. Meanwhile, the court is unaware of a similar case where a plaintiff has gotten past the dismissal stage."

* U.S. v. Fulford, 2012 WL 750548 (S.D. Ala. March 7, 2012):

What we do know is that the Internet is a medium through which people can and routinely do assume fictitious identities. Some do it to heckle professional athletes or disparage musicians. Others do it to air unpopular political or social views, thus allowing their voices to be heard from behind a comforting veil of anonymity. Still others may fabricate a persona on the Web to promote nefarious objectives, such as trying to conceal unlawful activity or endeavoring to defraud or trick other users into providing confidential information, sending money, or distributing pornographic images. And, of course, law enforcement agents regularly go undercover on the Internet to identify and investigate criminal activity. The point is not whether, normatively speaking, Internet anonymity is inherently good or bad. The point is that it is pervasive. As a practical reality, surfing the Internet is akin to attending a masquerade ball in the land of Oz on Halloween. No one is who they seem to be.

* NYT: Verifying Ages Online Is a Daunting Task, Even for Experts

* Can "anonymous" website commenters be reidentified through linguistic analysis? If so, this could be huge.

* NY Times: Panopticon redux: kids have toned down their Spring Break revelries due to the ubiquity of cellphone cameras.

* To help prop up publisher paywalls, Google puts together an offering that makes consumers' private information the price of admission to paywalled content. AdWeek’s coverage. Wired's coverage.

* In re Facebook Privacy Litigation has been appealed to the 9th Circuit. Prior blog post.

* NY Times: On Facebook, the Semantics of Visibility vs. Privacy

* Valentine v. Wideopen West Finance, LLC, 2012 WL 1021809 (N.D. Ill. March 26, 2012). A deep packet inspection (DPI) case gets sent to arbitration.

* The FTC busts Wyndham for lax security based on language that is found in thousands of privacy policies. The FTC has been busting companies for a number of years for lax security, but I’m still questioning the basic premise of these enforcement actions.

* FCC ruling in Google Street View wi-fi case. NY Times coverage (1, 2).

* SJ Mercury News: Is an FTC investigation of Google's Safari/Google+ mistake coming imminently?

* ZDNet: State AGs affix target to online privacy issues

* MediaPost: the Bose v. Interclick case ends a little mysteriously. Prior blog post.

* IAPP on the F.A.A. v. Cooper ruling.

* The FTC approved its RockYou settlement.

* The average website has 14 third party tracking tags.

Posted by Eric at 02:43 PM | Marketing , Privacy/Security | TrackBack



The "I Didn't Understand Facebook's Privacy Settings" Argument Isn't Persuasive to Judges--Sumien v. CareFlite

By Eric Goldman

Sumien v. CareFlite, 2012 WL 2579525 (Tex. App. Ct. July 5, 2012). Appellate court docket.

Sumien and Roberts were CareFlite EMTs. Roberts posted on a third employee's Facebook wall how she wanted to slap a patient. Responding to pushback on that post, Roberts subsequently posted to her Facebook wall (presumably as a status update, although the court doesn't clarify that):

Yes, I DO get upset on some calls when my patient goes off in the house and I have to have a firefighter ride in with me because I fear for MY own safety. I think that is a valid excuse for wanting to use some sort of restraints. Just saying.

To which Sumien replied in a comment (thus readable to at least Roberts' friends):

"Yeah like a boot to the head.... Seriously yeah restraints or actual HELP from PD instead of the norm."

The opinion doesn't clarify exactly who was Facebook friends with each other, but at minimum Roberts and Haynes were friends, and Haynes was the sister of Calvert, CareFlite's compliance officer. The court says Haynes complained about the post. Haynes read Sumien's comment on Roberts' Facebook wall and then delivered Sumien's contents to Calvert. If Calvert and Roberts were friends (or if Roberts' wall was open to the public), Calvert also could have checked out Sumien's comments directly.

CareFlite subsequently fired both Roberts and Sumien. While Roberts' patient-slapping reference may have been troubling (it wasn't quoted in the court opinion), I don't see anything obviously problematic in Sumien's comment. The grammar makes it clear that the "boot to the head" reference was a joke (maybe not that funny, but I can see how it tried) and complaining about the workplace conditions seems like the kind of thing that the NLRB is hyper-sensitive about. I have to imagine there's a backstory to the employer's issues with Sumien. Otherwise, if this is the worst Sumien did, the employer apparently overreacted.

Sumien sued CareFlite for wrongful termination and privacy invasions. The lower court dismissed all of the claims. This ruling only addresses Sumien's appeal of his intrusion into seclusion claim (which appears to be the only issue Sumien appealed...?). The court efficiently rejected all of Sumien's arguments.

Sumien tried two arguments (his privacy interest in discussing patient issues outweighs public interest in disclosure; he can't be fired for discussing workplace issues online) that the court says are irrelevant to the intrusion into seclusion claim. Then, Sumien tries a last-ditch "I'm clueless about Facebook" argument:

Sumien contends that CareFlite intruded upon his seclusion because he did not realize that Roberts’s Facebook “friends” could view the comment that he posted on Roberts’s “wall.”

The court doesn't care, saying Sumien

did not present any evidence to show that his misunderstanding meant that CareFlite intentionally intruded upon his seclusion

Intrusion into seclusion claims are often weak, and it was a poor fit for this situation. The ruling reminded me a little of the court's rejection of Moreno's privacy claim in Moreno v. Hanford Sentinel, where Moreno posted a screed to her low-visibility MySpace page that had unrestricted public access, to which the court said that she had no privacy interest in that effectively public venue.

There are several lessons to reiterate here:

1) Not all communication platforms are equally appropriate for every discussion. If you don't understand how the communication platform works, don't use it for anything you don't want the world to know! Instead, stick to DMs or email, and recognize that even then "private" messages have a knack of leaking out to the wrong people.

2) In particular, commenting on someone else's Facebook status report is not a private communication to that person. That should be obvious to even casual Facebook users, but apparently Sumien didn't get it.

3) People in the healthcare industry (broadly conceived) should be especially careful about discussing patient-related matters in any online venue. We've seen problems with online discussions by people in the healthcare industry literally from cradle (Yoder, Byrnes) to grave (Tatro).

Related posts:

* Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim -- Ehling v. Monmouth Ocean Hosp.
* Facebook "Likes" Aren't Speech Protected By the First Amendment–Bland v. Roberts
* Facebook Posts Complaining About Supervisor Conduct do Not Support Retaliation Claim – DeBord v. Mercy Health System
* Employee Wins Harassment Claim Based in Part on Co-Workers' Offsite Blog Posts
* Overreactive Guidance for Social Networking Du Jour -- NLRB Edition
* Private Employers and Employee Facebook Gaffes [Revisited] and the prior post Do Employers Really Tread a Minefield When Firing Employees for Facebook Gaffes?
* School District Didn't Violate First Amendment for Reassigning Teacher Who Blogged--Richerson v. Beckon
* Employee Blogging Risks

Posted by Eric at 11:03 AM | Content Regulation , Privacy/Security , Publicity/Privacy Rights | TrackBack



July 05, 2012

Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal

[Post by Venkat Balasubramani with comments from Eric]

Boorstein v. Men’s Journal LLC, 12-771 DSF (Ex) (C.D. Cal.; June 14, 2012)

California’s Shine the Light (STL) statute is a little unusual in that it mandates that businesses make specific disclosures about their privacy practices. For the most part, when it comes to telling consumers what you will do with consumer information and restrictions on how you will use such information, your own privacy policy and the FTC Act are the main regulations that companies need to worry about. The STL law is designed to inform users as to how their information is being used for direct marketing purposes. It doesn’t necessarily impose any substantive restrictions on the use of such information, but it requires websites to disclose (at the consumer’s request) how their information is being used. To this end, businesses are supposed to designate contact information where consumers can request how their information is being distributed. Alternatively, the business can comply with the statute by allowing consumers to opt-in or opt-out of distribution of their information. It’s an interesting attempt by the California legislature to give consumers more control and choice, but as this case illustrates, things didn’t really work out that way.

Boorstein sued (on behalf of a putative class) alleging that Men’s Journal did not comply with the statute because it failed to provide consumers with the appropriate contact information to enable consumers to make requests under the STL statute. Boorstein did not allege that he took any steps to find out this information (or otherwise find out about Men's Journal's information sharing practices) by contacting Men’s Journal. Boorstein simply alleged that Men's Journal's failure to designate contact information alone was sufficient to allege a violation of the statute.

The court says no go.

No standing as a result of loss of economic value to Boorstein’s information: First, the court says that Boorstein did not suffer economic injury that was caused by a violation of the statute. It’s questionable in the first place whether Boorstein’s information has economic value in Boorstein’s hands. (See, e.g., Del Vecchio v. Amazon, among other cases.) In any event, the court says the statute does not actually prohibit the exploitation of consumer information for marketing purposes. Additionally, the statute is backward looking, and only requires businesses to disclose their use of consumer information for the “immediately preceding calendar year.” End result: even to the extent plaintiff's personal information is property that can be appropriated by Men's Journal, any harm Boorstein suffered isn't caused by the alleged statutory violation.

Failure to provide contact information is not an “injury” under the STL law: The court also says that Men’s Journal’s failure to display the contact information alone does not state a claim under the STL law. The law requires some sort of “injury” flowing from a violation, and as mentioned above, the court says there’s no injury to the value of Boorstein's personal information that results from the alleged statutory violation. Case law only recognizes “information injury” (failure to provide required information) where the information is requested but not provided. Boorstein’s failure to allege that he requested the contact information from Men's Journal undermines his claim. The court also says that Boorstein’s injury is “procedural,” rather than “informational.”

Boorstein’s argument based on the Men’s Journal subscription fee fails: Boorstein also made the typical consumer protection argument that the price of the Men’s Journal subscription included the value of the designated contact information for STL law purposes, and Men’s Journal’s failure to provide this information means that he has been cheated out of his bargain. [Say what?] The court says that Boorstein’s allegation that Men’s Journal impliedly represented that it would "abide by all applicable laws" doesn’t mean that Men’s Journal agreed to provide contact information as part of the subscription price--or, more importantly, that Boorstein would not have subscribed had he known the contact information would not be forthcoming. The court also says that Boorstein cannot make out a UCL claim because he has not lost “money or property” as a result of Men’s Journal’s violations of the statute. As already mentioned, he would have subscribed anyway, so Boorstein can’t use the subscription price as part of his “money or other property” argument. Similarly, he also can’t use the value of his personal information in order to support his UCL claim.

__

A few observations:

1. The "personal information as property" meme is not gaining much traction. In fact, apart from an initial decision or two that recognized this as a possible theory (for standing purposes), courts have pretty resoundingly rejected it. (Del Vecchio v. Amazon and In re iPhone App Litigation are two recent examples.) Perhaps a blockbuster appellate ruling will come along to rescue privacy plaintiffs. Until then, the trial courts are not buying this argument at all.

2. The "privacy as part of the purchase price" argument is also something that plaintiffs often raise, but courts don’t like this either. It’s worth noting that in this case, even the plaintiff’s own allegations (as the court described them) didn’t expressly say that he would not have bought the magazine subscription had he known he would not have been provided contact information. There's an obvious reason for this.

3. The court doesn’t get into Article III standing here, and instead relies on lack of statutory standing. To me, the two standing concepts all run together into a big quagmire, but when dealing with a state law in federal court, it seems preferable to rely on statutory standing as a bar. (First American v. Edwards, the then-pending Supreme Court case in which Facebook and other companies weighed in as amici, involved standing under a federal statute. But in an anticlimactic move, the Supreme Court dismissed the case without ruling on it. I didn't think a ruling in First American's favor in this case would have dramatically changed the landscape, but the lack of a decision from the Supreme Court moots this issue for now.)

4. Obviously, this ruling puts a slight crimp in the legislature’s vision of using STL to give consumers additional control over how their information is used. The court's ruling doesn’t leave consumers in a great position. Even if Boorstein had requested the information and it wasn’t provided, would he be able to obtain damages under the statute? STL provides for statutory penalties, but the tone of the ruling is that Boorstein hadn’t been damaged anyway (or damaged in a way that was tied to the statutory violation), so it’s possible that the court would have come out the same way even if Boorstein had made the necessary request.
____

Eric's Comments:

California's "Shine the Light" statute is a textbook example of a miscalibrated privacy statute (which I would argue describes almost all privacy statutes). It starts from a simple premise--consumers just want to know if a business is selling their personal information to marketers--and, to effectuate this premise, imposes substantial compliance costs and obligations on businesses (mostly just creating traps for the unwary) without any clear countervailing benefit for consumers or society at large. Not only do I question the basic premise that consumers "just want to know" about sales of their private info to marketers (see my Coasean Analysis of Marketing article), but as this and related cases illustrate, the private cause of action means that the statute almost certainly will be enforced by privacy class action lawyers who are more interested in their own quick profits than in advancing consumer welfare (see my Irony of Privacy Class Action Litigation article). There are a number of good cautionary lessons that legislators, and the privacy advocates who egg them on, could learn from this statute and this ruling, but I'm skeptical either legislators or privacy advocates will take the time to reflect on those lessons.
____

Venkat's follow-up comment:

I mildly dissent from Eric's position questioning "the basic premise that consumers 'just want to know' about sales of their private info to marketers." I may be idiosyncratic and in the minority in this regard, but particularly when it comes to magazine subscriptions I would love to know where my information ends up. (My instinct is that a big chunk of my junk mail is a result of the three or four magazine subscriptions I have in place.) I'm not sure I would change my purchasing decisions dramatically, but knowing this bit of information may tip the balance a bit or cause me to try to pressure the companies into not making my information available to third parties for direct marketing purposes. [On a loosely related note, those who are trying to get rid of junk mail may want to check out PaperKarma, an app that lets you take photos of and upload junk mail and then sends an unsubscribe request on your behalf.]

Other coverage:

First Reported Shine the Light Suit Dismissed for Failure to State Cognizable Injury
'Shine The Light' Lawsuit Against 'Men's Journal' Dismissed
Federal Judge Dismisses Shine-the-Light Suit

Posted by Venkat at 12:10 PM | E-Commerce , Marketing , Privacy/Security , Spam



July 04, 2012

Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.

[Post by Venkat Balasubramani]

In re iPhone Application Litig., 11-MD-02250-LHK (N.D. Cal.; June 12, 2012)

Plaintiffs brought a putative class action against Apple and several “mobile industry defendants.” The basic allegations are that apps available for free in the app store improperly allowed for the disclosure of personal information to the mobile industry defendants, who have acquired personal details (addresses, current whereabouts, unique device identifier, gender, age, zip code, and time zone) from plaintiffs and tracked them. Judge Koh granted the bulk of defendants’ motion to dismiss with prejudice in open court and recently issued a written order setting forth the court’s reasons. It’s a thorough order that digs into privacy claims under federal statutes, and well worth reading in its entirety. (Kudos to Judge Koh. She consistently cranks out some must-read orders in this corner of the blogosphere.)

Standing: Citing to the Ninth Circuit’s opinion in Edwards v. First American Corp., among other cases, the court says that plaintiffs’ allegations that defendants violated the Wiretap Act and Stored Communications Act in accessing plaintiffs’ own personal information are sufficient to confer standing. (See this post from Wendy Davis that talks about ongoing litigation involving Video Privacy Protection Act claims against Hulu and discusses the issue of how the Supreme Court's ruling in the Edwards case can affect other privacy cases. Between the time Judge Koh issued her order and I finished up this blog post, the Supreme Court dismissed Edwards without a ruling, leaving intact the Ninth Circuit's opinion.)

Stored Communications Act: The SCA requires plaintiff to show that defendants, without authorization, accessed “a facility through which an electronic communications service” is provided and thereby accessed wire or electronic communications that are “in storage”.

Judge Koh says: (1) plaintiffs' iPhones are not “facilities through which electronic communications services” are provided; (2) the data in question is not in “storage” that is either incidental to transmission or for backup purposes; and (3) the exception allowing access by service providers applies to the mobile industry defendants (but not to Apple). The most interesting of these conclusions is the first one, and this conclusion is contrary to several cases that have gone the other way (that this court says “provide little analysis on this point of law”). Citing to Crowley v. Cybersource, the court says that treating computers or devices of end users (as opposed to service providers) as facilities would render other parts of the statute illogical.

Wiretap Act: Plaintiffs’ Wiretap Act claims require them to show that defendants intercepted “the content” of wire, oral, or electronic communications. The court agrees with Apple that the identities of parties to a communication and “other call data” are not “content” under the Wiretap Act. Plaintiffs cited to In re Pharmatrak for the proposition that the “contents” of a communication includes any personally identifiable information, but the court disagrees, noting that Pharmatrak relied on a Supreme Court case from the 70s that discussed an earlier version of the Wiretap Act. The statute was since amended to specifically take out “information concerning the identity of the parties” to a communication. [Apple also argued that it shouldn’t be held liable for any interception because it was an intended recipient of the information, but the court rejects this argument.]

Computer Fraud and Abuse Act: The court says there are two problems with plaintiffs’ claims under the Computer Fraud and Abuse Act. First, plaintiffs voluntarily downloaded the apps and thus would have “serious difficulty pleading a CFAA violation.” Additionally, the court says that plaintiffs will not be able to satisfy the $5,000 damage threshold necessary to assert a CFAA claim. The argument that the use of personal information benefited the mobile industry defendants and generated a benefit of over $5,000 to them does not fly with the court (citing In re Zynga and Del Vecchio v. Amazon). Second, the court also finds plaintiffs’ argument that creation of the location history files consumed the devices’ memory and shortened battery life to not be “plausible.” Damage means there has to be some notable impairment of performance, and the court says plaintiffs cannot demonstrate that here.

California Constitution: The California Constitution protects against privacy intrusions by both public and private actors. In order to be actionable, the defendant’s intrusion must be sufficiently serious in nature to constitute “an egregious breach of the social norms underlying the privacy right.” The court says plaintiffs’ allegations fall short on this score.

Other State Law Claims: Plaintiffs asserted a slew of other state law claims, the bulk of which fell by the wayside. These included conversion (personal data is not the type of property that can be converted); trespass (citing Intel v. Hamidi); negligence (as to negligence claims against Apple, hello, Section 230). The court did allow two state law claims to go forward: (1) Consumer Legal Remedies Act claims and (2) claims under California's unfair competition statute.

__

Judge Koh's ruling is extremely thorough and holds the plaintiffs' claims up to some harsh scrutiny. It's not difficult to see that it will be widely cited in privacy cases. Two things that are most significant about this ruling (other than the fact that it thoroughly neuters a class action that at first glance seems like it would get over the motion to dismiss hurdle):

First, the court's ruling that plaintiffs' devices are not facilities under the Stored Communications Act will be relevant in a variety of scenarios. I recently blogged about claims brought against an employer for "shoulder surfing" an employee-co-worker's Facebook page, and a Stored Communications Act claim under this scenario doesn't look so promising in light of Judge Koh's ruling. (See “Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim.”) It's worth noting that in the Computer Fraud and Abuse Act scenario, mobile phones have been found to constitute protected computers.

Second, the court also affirms that privacy plaintiffs will not be able to satisfy the jurisdictional threshold by asserting that they suffered $5,000 worth of loss to their personal information. The court's position that while personal information may be property in the metaphysical sense, this does not translate into loss for CFAA purposes, is part of a growing body of cases that have rejected attempts by privacy plaintiffs to rely on defendants' exploitation of personal information for the proposition that this information has economic value.

It's interesting that after blasting the federal claims, the court allows the UCL claims to proceed. Plaintiffs' allegations were pretty slim here and if this is all that is necessary, plaintiffs will be able to overcome a motion to dismiss every time.

Finally, I remain curious about the applicability of Section 230 in this scenario and why Apple doesn't push this issue. (I'm sure they have some reason for doing so; maybe Barnes v. Yahoo is an easy workaround for plaintiffs.)

Related posts:

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

Posted by Venkat at 02:44 PM | E-Commerce , Privacy/Security , Trespass to Chattels



June 24, 2012

Mortuary Student Can Be Disciplined for Facebook Posts--Tatro v. University of Minnesota

By Eric Goldman

Tatro v. University of Minnesota, 2012 WL 2328002 (Minn. June 20, 2012). My prior blog post on the appellate court ruling in this case.

This is one of the many lawsuits over a school disciplining a student for the student's social media posts. The two main twists are (1) the student was attending a university, not a K-12 school, and (2) the student was in the mortuary sciences program, where the subject matter of their studies (i.e., cadavers) means students may be held to higher professional expectations than your average college kid. Another key fact: Tatro already graduated in 2011, so the range of available remedies had shrunk by the time this case reached the Minnesota Supreme Court.

Based partly on both parties' agreement that “a university may regulate student speech on Facebook that violates established professional conduct standards,” the Minnesota Supreme Court held:

the University did not violate the free speech rights of Tatro by imposing sanctions for her Facebook posts that violated academic program rules where the academic program rules were narrowly tailored and directly related to established professional conduct standards.

Later, the court stresses:

Our decision is based on the specific circumstances of this case--a professional program that operates under established professional conduct standards, a program that gives students access to donated human cadavers and requires a high degree of sensitivity, written academic program rules requiring the respectful treatment of human cadavers, and measured discipline that was not arbitrary or a pretext for punishing the student's protected views.

As this narrow fact-specific holding demonstrates, the Supreme Court avoided any broad pronouncements about the legitimacy of schools regulating students’ social media posts. Consider the list of topics the court didn’t address:

* the applicability of the Tinker standard. The court said it didn’t apply because the school wasn't motivated by concerns about Tatro’s posts causing on-campus disruption.
* whether social networking activity is "on" or "off" campus (or if it matters)
* if free speech rules developed in K-12 cases equally apply to the college setting
* if Facebook posts are "public" or "private". The court apparently assumes Tatro’s posts to her “open” Facebook account were public. The court says "the University is not sanctioning Tatro for a private conversation, but for Facebook posts that could be viewed by thousands of Facebook users and for sharing the Facebook posts with the news media." Compare Moreno v. Hanford Sentinel. It leaves open if the posts would have been “public” or “published” if her posts had been open only to her friends, and how many friends she could have and still treat her posts as private.

It seems the court was about as excited to address these cutting-edge issues as I am to blog such a milquetoast opinion. It might also have had something to do with the fact that FOUR of the Supreme Court judges recused themselves, presumably because they had ties to the University of Minnesota.

At most, this case tells us that students in professional degree programs--the Yoder and Byrnes cases involving nursing also come to mind--may be subject to greater speech restrictions online. This doesn't tell us much we didn’t already know. For example, of course law students exposed to client confidences cannot blog or tweet about those, and those that do should be subject to school discipline (and potentially state bar discipline) for doing so.

In this case, the court says "dignity and respect for the human cadaver constitutes an established professional conduct standard for mortuary science professionals." This reflects the unique context of mortuary studies, where cadaver donations could dry up if donors question the post-mortem respect afforded to the cadavers. Even without reference to that definition, I thought Tatro’s posts went one step too far and the university's discipline, while harsh, didn't overrespond--unlike a lot of the cases involving junior high or high school principals, who seem to regularly mete out punishment clearly disproportionate to the violation.

Other Coverage

* Pioneer Press
* FIRE

Related Posts

* Suspension for Facebook/YouTube Rap Video Critical of High School Coach Does not Violate First Amendment – Bell v. Itawamba County School Board
* Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
* Mortuary Sciences College Student Disciplined for Threatening Facebook Posts--Tatro v. University of Minnesota
* Student Loses First Amendment Fight To Call School Officials “Douchebags” After Four Years Of Litigation--Doninger v. Niehoff
* Nursing School Can't Expel Students for Posting Photo to Facebook--Byrnes v. Johnson County CC
* Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota
* Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
* Third Circuit Schizophrenia Over Student Discipline for Fake MySpace Profiles
* Private High School Not Liable for Cyberbullying--DC v. Harvard-Westlake
* Nursing Student's Blog Post Doesn't Support Expulsion--Yoder v. University of Louisville
* Principal Loses Lawsuit Against Students and Parents Over Fake MySpace Page--Draker v. Schreiber
* Court Upholds Student Suspension For YouTube Video of Teacher
* Teenager Busted for Creating Fake "News" Story

Posted by Eric at 10:11 AM | Content Regulation , Privacy/Security



June 12, 2012

State Privacy Claims not Preempted by ECPA -- Leong v. Carrier IQ

[Post by Venkat Balasubramani]

Leong v. Carrier IQ et al., CV 12-01562 GAF (NRWx) (C.D. Cal.; Apr. 27, 2012)

This case addresses the issue of whether claims under state privacy statutes are preempted by ECPA, the federal statute governing the interception, access, and disclosure of electronic communications. The lawsuit is one of the many filed against Carrier IQ, which allegedly “developed and maintain[ed] a software that is installed on cell phones and surreptitiously records the user’s keystrokes, text messages and passwords” (without the user’s consent). Plaintiffs sued on behalf of a California class, asserting state law claims against Carrier IQ. Carrier IQ moved to dismiss on the basis that the state law claims were preempted by ECPA.

Courts have come out differently on the preemption issue. Carrier IQ relied heavily on Judge Ware’s ruling in the Google Wi-Fi case for the proposition that ECPA represents a Congressional intent to comprehensively regulate the field of privacy in electronic communications. (Here’s our previous post on Judge Ware’s ruling: “Google Not Entitled to "Readily Accessible to the General Public" Defense in Street View Class Action.”) The court disagrees with Judge Ware, noting that Judge Ware’s ruling embraces the minority position and there are several cases going the other way. The court also cites to the legislative history for the proposition that Congress actually intended to set a minimum floor for privacy in electronic communications (citing to Lane v. CBS and Valentine v. NebuAd [pdf]). The ECPA also contains a provision limiting remedies for the interception of communications where the interception does not comply with the statute, but the court says that this provision means only that criminal defendants whose communications are obtained in violation of ECPA are limited to suppression as a remedy.

End result: the lawsuit is remanded to state court where the plaintiffs can pursue their state law claims against Carrier IQ.

__

The ECPA preemption argument is an important one, and will come up in a variety of contexts. While this case dealt with the interception of electronic communications, other scenarios where it may come into play are where someone accesses emails and other communications (e.g., social networking posts) or records conversations without consent or authorization. The ECPA admittedly has some gaps when it comes to privacy protection for electronic communications (see, for example, Andersen Consulting v. UOP and Charles Jones & Associates v. The H Group), and plaintiffs can be expected to use state law claims to fill the gaps.

It’s tough to be sympathetic with the argument from service providers or third parties who are making a preemption argument in this situation. Unlike laws regulating spam or that cover online content—where complying with a patchwork of regulation across 50 states would be untenable—complying with state laws governing the privacy of electronic communications sounds pretty doable. At least, the parties arguing preemption haven’t to date presented good examples of why this is not the case. On the other hand, it's easy to see that these types of rulings will pave the way for the class action machine to unleash state law claims, and have available yet another tool for extracting settlements.

Other coverage: Wendy Davis: “Carrier IQ Loses Preliminary Round in Privacy Lawsuit”

Inside Privacy: Carrier IQ Class Action Sent Back to State Court

Posted by Venkat at 03:05 PM | Adware/Spyware , Privacy/Security



June 08, 2012

Court Orders Facebooking Juror to Disclose Additional Facebook Posts--Juror No. 1 v. Superior Court

[Post by Venkat Balasubramani]

Juror Number One v. Superior Court, C067309 (Ca Ct. App.; May 31, 2012)

A California Appeals Court ruled that although a juror’s Facebook posts were covered by the Stored Communications Act, the juror can be compelled to give his consent to their production by Facebook.

Background: Juror No. 1 sat on a criminal trial lasting approximately two months. The jury returned guilty verdicts. During the trial, Juror No. 1 posted several times to Facebook, despite the court’s instructions to stay off the internet. Another juror filed a declaration saying that Juror No. 1 posted comments about the evidence on his Facebook wall, inviting his friends to respond.

The trial court conducted a hearing and Juror No. 1 acknowledged making multiple posts, including on one occasion a comment about the evidence. The trial court said that this was clearly misconduct, but the extent of the misconduct was still unclear. In response, the defendant subpoenaed Facebook. Facebook moved to quash the subpoena based on the Stored Communications Act. The defendant turned around and issued a subpoena to Juror No. 1, who also moved to quash the subpoena. The trial court issued an order requiring Juror No. 1 to turn over his Facebook posts (made during the trial) to the court for in camera review, and to consent to their disclosure by Facebook.

Analysis: The court canvasses the history of the Stored Communications Act and acknowledges that because it was enacted in the 80s, its definitions do not track neatly to modern day social networks and things like cloud services. Nevertheless, the court says that the SCA was intended to protect things like private bulletin boards which can roughly be analogized to certain types of social networks. In Crispin v. Audigier, the district court said that Facebook posts may be protected by the SCA. However in Crispin, the court said that this depended on the privacy settings in question, and as in Crispin, in this case Juror No. 1 did not provide the court with enough detail to determine whether the posts were covered or not. (The court distinguishes Moreno v. Hanford Sentinel, a case involving the privacy of MySpace posts, on the basis that in that case, there was no dispute that the posts were open to the public.)

Even assuming the posts are protected, the court says that there is no bar on forced disclosure, since “the compulsion is on Juror No. 1, not Facebook.” The court cites to Flagg v. City of Detroit, a civil discovery dispute where a party sought disclosure of text messages. In Flagg, the court held that while the text messages were practically under the control of the service provider, they were “constructively” under the control of the party and “thus subject to discovery under the federal rules.” In Flagg, the court said that the party who could be forced to disclose the messages was required to execute a consent so the messages could be obtained from the service provider. The court also dismisses Juror No. 1’s other objections, based on the Fourth and Fifth Amendments and California statutes.

A concurring judge agrees with the result, noting that there was evidence of impropriety and the trial court appropriately took the necessary steps to rule out whether Juror No. 1’s Facebook posts prejudiced the proceedings. While “fishing expeditions” are not appropriate, in this case, there was enough evidence of misconduct that it made sense for the trial court to take the necessary steps to rule out prejudice. However, the concurring judge says that the issue of whether the posts could be obtained from Juror No. 1 is different from whether they can be obtained from Facebook itself. Importantly, the opinion also notes in a footnote that Facebook provided Juror No. 1 with copies of the posts in question, including presumably those posts that Juror No. 1 had deleted.

__

Oy. I bet Juror No. 1 wishes that he had heeded the court’s instructions to stay away from the internet during trial.

The court’s decision here can be contrasted with two recent cases (that I meant to blog about but never got around to).

Commonwealth v. Werner involved a larceny conviction where one of the jurors posted on Facebook while the trial was ongoing. Although the court issued a subpoena to Facebook, Facebook never responded. The court held a hearing without the benefit of any response from Facebook and found that while there was misconduct, it was not prejudicial.

Special Markets Ins. v. Lynch was a garden variety business/employment dispute. Plaintiff subpoenaed emails from Yahoo and voice and text messages from Verizon. The court says that the information sought is available from the defendants and it was improper for plaintiff to issue “dragnet” subpoenas to third parties. (See also Theofel v. Farey Jones.) Not only does the court quash the subpoenas, the court issues a show cause order signaling that it’s willing to award fees to the defendants.

We’ve blogged about a slew of cases where courts struggle with whether and how a party seeking discovery can obtain social networking posts in civil litigation. To say the least, courts are all over the board, but for the most part, courts all agree that just because something is posted to a relatively private social network it is not off limits. Courts also agree that defendants shouldn’t be able to rummage around in someone’s account and this presents privacy issues. Where courts have really struggled is with the logistics. This case is no different. Given that the concurring opinion acknowledges that Facebook had provided the posts in question to Juror No. 1, I don’t see why the court makes him sign a consent to have Facebook produce the information. Here, of course, Juror No. 1 expressly disregarded the court’s instructions on the use of social networking, and could face other consequences. I’m surprised the appeals court couldn’t say that the trial court could have used its contempt power to force disclosure (by Juror No. 1) of the posts in question.

Related posts:

Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Insurance Company's Request to Compel Production of Facebook Password Fails (with Costs)--Chauvin v. State Farm Mutual

Other coverage:

“Juror One” revisited: Court holds that SCA does not apply

Posted by Venkat at 12:30 PM | Evidence/Discovery , Privacy/Security



June 07, 2012

Plaintiffs Squeak Past Motion to Dismiss in Amazon P3P Case – Del Vecchio v. Amazon

[Post by Venkat Balasubramani with comments from Eric]

Del Vecchio v. Amazon.com, 2012 WL 1997697 (W.D. Wash.; June 1, 2012)

I previously posted on Del Vecchio v. Amazon, a case that challenged Amazon’s alleged failure to respect the P3P protocol. P3P allows websites to summarize their privacy policies in machine readable code so that web browsers could be configured to automatically "determine a website's privacy settings and adjust its [own] security settings, including its level of cookie-filtering protection." (In theory, it allows users to control collection and use of their information through configuring their browser settings.) The plaintiffs allege that Amazon miscoded its P3P settings and used a token Amazon knew to be invalid, thus miscommunicating its policies to web browsers. Plaintiff sued on her own behalf and on behalf of a putative class, alleging claims under the Computer Fraud and Abuse Act and Washington consumer protection statutes. In the first round, the court granted Amazon’s motion to dismiss. (My prior blog post on the case: “The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon”; see also our post on Bose v. Interclick, a separate lawsuit challenging the use of flash cookies: “Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick.”)

CFAA Claims: The court dismisses plaintiffs' CFAA claims with prejudice due to plaintiffs’ failure to credibly allege that they satisfied the $5,000 damage threshold. Plaintiffs argued that they satisfied the damage threshold in two ways: (1) the value of their personal information was in excess of $5,000 and Amazon’s exploitation resulted in a “loss” to them, and (2) they purchased anti-virus software.

The court rejects the anti-virus software purchases, noting that the anti-virus program had nothing to do with the alleged exploitation of the P3P protocol by Amazon. Plaintiffs also alleged that they purchased the software prior to accessing Amazon’s site, so by their own allegations, Amazon’s conduct did not necessitate the purchase of the software.

The argument that gets a little more attention is the loss attributable to the exploitation of personal information by Amazon. One recent case (Claridge v. RockYou) recognized that personal information can be property for standing purposes. Most courts have been lukewarm to this theory, and this court rejects it as well, saying that the alleged exploitation of personal information by Amazon can’t satisfy the jurisdictional threshold in this context:

Plaintiffs do not allege that they attempted to sell their “private information” to one of the purchasers they identify . . . and were rebuffed because [Amazon] had already sold or publicized that information. . . . It is not enough to allege only that the information has value to [Amazon]; the term “loss” requires that plaintiffs suffer a detriment—a detriment amounting to more than $5,000.

Consumer Protection Act Claims: Two key points with respect to the claims under the Washington CPA. First, the court says Washington law “does not require damages to show ‘injury’” (although the damage has to be to plaintiff’s “business or property”). Second, the court says that the issue of whether Amazon’s access of plaintiffs’ computers was “authorized” can’t be resolved on the pleadings. The court directs the parties to come up with a briefing schedule and (if necessary) conduct discovery on the issue of “authorization”.

Trespass to Chattels and Unjust Enrichment: The court dismisses the first claim, finding no credible allegation that there was any diminution in performance of plaintiffs’ computers. The court says it’s skeptical of the unjust enrichment claim for the same reasons that it dismisses the CFAA claim. However, because plaintiffs’ unjust enrichment claim--that Amazon took property that was valuable (personal information) without authorization--depends on the resolution of the authorization issue, the court defers ruling on this until completion of discovery and further briefing.

__

Plaintiffs keep pressing the “personal information as property” argument, but courts remain unconvinced (a few exceptions notwithstanding).

On the issue of “authorization,” Amazon’s terms are less than clear about the use of Flash cookies. They reference Flash cookies, but the terms contain the typical language that without cookies users may not be able to take advantage of certain features of the site. Interestingly, the terms do reference browser settings and this may cut against Amazon’s overall argument here (e.g., “you can disable or delete . . . data used by browser add-ons, such as Flash cookies, by changing the add-on’s settings or visiting the Web site of its manufacturer . . . ."). The core of plaintiffs’ argument is that Amazon failed to respect the browser settings and the P3P protocol. Language in the policy saying that the user can control the level of cookie placement or activity through the use of browser settings would, if anything, seem to reinforce plaintiffs’ argument. Plaintiffs would still face damages issues that, as Eric notes below, will be tough to overcome, but I'm surprised to see the court say that plaintiffs' possible agreement to the terms would definitively resolve the issue of authorization.

This ruling could conceivably prompt a settlement. For their separate reasons, the parties may not want to litigate the issues of whether plaintiffs were truly harmed and what Amazon’s business practices were. It’s still curious that the alleged P3P shenanigans received so little attention from the court. Maybe plaintiffs will try to re-inject them into the mix through discovery. We’ll see.

Related posts:
* The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
* A Look at the Commercial Privacy Bill of Rights Act of 2011
* Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
* Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
* Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
* LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
_________

Eric's comments

As Venkat indicates, the judge shuts the door on the CFAA and trespass to chattels claims. The WA consumer protection act and unjust enrichment claims survive, but only out of an abundance of judicial caution (as the judge notes himself). The court says it's "very likely" that Amazon's privacy disclosures negate those claims. If I were in Amazon's shoes, I'd reject any settlements and litigate the crap out of this. The judge has made it clear that this lawsuit will fail.

As usual, the litigation circles around the harm suffered by the plaintiffs. Funny, because that's an easy issue to resolve. The plaintiffs have NONE. Not a scintilla of harm. NOTHING. Without any underlying harm, lawsuits like this aren't laudable in the least. For more on why I think privacy advocates should oppose lawsuits like this one rather than applaud them, see my article The Irony of Privacy Class Action Lawsuits.

The court wisely gets to the right point. For example, the judge properly rejects the argument that non-monetary harm can be counted towards the CFAA's $5k threshold. The court also gets the plaintiffs to admit that individuals' PII has no economic value to the individuals, even if it's commercializable by websites. Thus, showing that Amazon could make money from the data in its database does nothing to get the plaintiffs closer to the CFAA's $5k threshold. The judge, wielding Iqbal, lays into the plaintiffs for rehashing their assertions about harm without any factual evidence at all. If the judge really wants to tell plaintiffs to stop wasting everyone's time and resources, a whiff of sanctions would help a lot.

Posted by Venkat at 11:57 AM | E-Commerce , Privacy/Security , Trespass to Chattels



June 04, 2012

Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim -- Ehling v. Monmouth Ocean Hosp.

[Post by Venkat Balasubramani]

Ehling v. Monmouth Ocean Hospital Service Corp., 11-cv-3305 (WJM) (D.N.J.; May 30, 2012)

The extent to which employers demand social media credentials of their current and prospective employees is unclear, but employers do get in trouble for snooping on the social media activities of their employees on occasion. Pietrylo v. Hillstone Restaurant Group is one early example, but there are others. (Maryland was first out of the gate, but several other states have passed or are currently considering legislation that would broadly prohibit the practice of asking for employee social networking passwords; we’ll address those in a separate post.)

The facts here are relatively straightforward. Ehling is a registered nurse and a paramedic who worked for Monmouth Ocean Hospital Service Corp., a non-profit hospital corporation. Ehling was in union leadership and alleged that Monmouth engaged in a pattern of retaliatory conduct against her based on her activities and statements. Ehling apparently maintained a Facebook account and was careful not to friend Monmouth management, although she was friends with many of her coworkers.

In 2009, Ehling posted comments in response to an incident where a white supremacist opened fire at the Holocaust Museum in Washington, D.C.:

The 88 yr old was shot, He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference. WTF!!! And to the other guards….go to target practice.

Monmouth management did not have access to Ehling’s Facebook post but asked another Monmouth employee to pull up Ehling’s profile and posts while “in [a] supervisor’s presence.” As a result of this and other allegedly retaliatory action taken by Monmouth, Ehling brought a variety of claims against Monmouth. Monmouth moved to dismiss two counts: (1) the claim under New Jersey’s wiretapping and eavesdropping statute and (2) one for invasion of privacy.

New Jersey Wiretapping Statute: The court dismisses the claim under the New Jersey statute. New Jersey courts have construed the definition of “electronic storage” to cover only those messages that are “in the course of transmission or are backup to that course of transmission.” According to the court, case law interprets the statute to not cover communications that have been received and are in “post-transmission storage.” Since the posts were not intercepted while "in transmission," access of Ehling's post failed to state a claim under the statute.

Invasion of Privacy: The viability of the invasion of privacy claim turned on the familiar issue of whether Ehling had a “reasonable expectation of privacy” in her Facebook posts. Under New Jersey law, this required her to show that: (1) Monmouth intruded on her solitude, seclusion or private affairs and (2) the intrusion would be highly offensive to a reasonable person. The court says that privacy for social networking posts is an “emerging, but underdeveloped” area of the law. Viewing the spectrum of cases, the court says that on one end of the spectrum, there is clearly no expectation of privacy in material posted to an unprotected site that’s accessible by anyone. On the other end of the spectrum, courts have recognized an expectation of privacy for password-protected on-line communications. (Citing, among other cases, Pure Power Boot Camp v. Warrior Fitness Boot Camp). There is no consistent approach with respect to communications falling in between—i.e., where someone makes statements to a “limited group” of people, such as their Facebook friends. These cases should be resolved on a case-by-case basis and the court concludes that plaintiff states a plausible claim for invasion of privacy.

__

Ehling brought a claim under the Stored Communications Act but Monmouth did not move to dismiss this claim. It’s not clear whether accessing the Facebook post “over the shoulder” of Ehling’s co-worker constitutes unauthorized access under the SCA, but I would have guessed the court would have declined to resolve this issue at the motion to dismiss stage anyway.

Although it's unclear whether the Stored Communications Act covers Facebook posts, one early case in the discovery context--Crispin v. Audigier--said yes. In Crispin, the court said that Facebook posts may fall under the SCA, but this depended on the privacy settings in question. A couple of other cases have allowed SCA claims where an employer gains access to a privacy-protected employee page: (1) Pietrylo v. Hillstone Restaurant Group (MySpace page) and (2) Konop v. Hawaiian Airlines (private bulletin board). Both of these cases are somewhat distinguishable on the basis that in these cases, the employers obtained the credentials themselves and repeatedly accessed the sites or pages in question. (Accessing a communication that is in storage requires the plaintiff to show that the employer "accessed a facility through which an electronic communication service is provided.") To my knowledge, there have been no rulings squarely addressing the practice of "shoulder surfing," an issue that will come up in the employment context, as well as in the context of school administration. To the extent the password laws aim to fill gaps in privacy protection, they should address this practice.

Setting the SCA statutory quagmire aside, there's also the issue of damages. Were this a run-of-the-mill privacy lawsuit, Ehling would not necessarily stand a good chance of winning significant damages. It's not clear that the result should change just because the party who obtained access to the post happened to be Ehling's employer. (See for example Pure Power Boot Camp, where the court awarded nominal damages for similar violations.) Interestingly, in Pietrylo, which was cited by the court on the privacy issue, the court allowed the Stored Communications Act, privacy claims, and claims under the New Jersey wiretapping statute to go forward. The jury returned a mixed verdict, but awarded a nominal amount of damages. (Check out the CMLP page on the case here.)

The court’s finding that access of the Facebook post may support an invasion of privacy claim is noteworthy, and adds to the small body of law dealing with invasion of privacy claims based on access to quasi-public posts. On the one hand, there is merit to the view that disclosure to a small group shouldn’t undermine privacy rights in personal communications. As the court recognized in Moreno v. Hanford Sentinel, the claim of a right of privacy is not "so much one of total secrecy as it is of the right to define one's circle of intimacy." Moreno involved a MySpace post which was made generally available on the internet, which distinguishes it from the post in this case which was ostensibly limited to Ehling's Facebook friends. On the other hand, you have to wonder how “private” users expect their communications to remain when they post to Facebook. Regardless of the privacy settings, which may restrict immediate availability of the post to a limited group of Facebook friends, a rant--such as the one at issue in this case--doesn’t seem like something that anyone would post online and necessarily expect to remain available only to a discrete or small group. (The number of Facebook friends she had will end up being relevant to the determination of whether the post should be accorded any privacy protection.)

A final point is that Ehling’s Facebook posts (it doesn’t seem like they were the ones at issue in this case) were the subject of an NLRB memorandum [pdf]. The Office of the General Counsel recommended that the complaint should largely be dismissed. Lurking in the background of this case is whether the employer's actions chill the exercise of the employee's advocacy rights. The NLRB released yet another memorandum on employer social media policies, focusing on when policies allow insufficient breathing room for employee advocacy. See: "After NLRB’s Memo, Drafting Employment Policies Got Trickier."

A cautionary note to employers (and other administrators): while this order did not squarely address the issue of "shoulder surfing" under the Stored Communications Act, it does reaffirm that employees can bring invasion of privacy claims based on unauthorized access to non-public posts.

Other coverage:

Inside Privacy: N.J. Federal Court: Privacy Claim Based on Coerced Access to Employee's Facebook Posts May Proceed

Related posts:

Republishing MySpace Post in Local Paper Might Be Intentional Infliction of Emotional Distress--Moreno v. Hanford Sentinel
Ex-Employees Awarded $4,000 for Email Snooping by Employer -- Pure Power Boot Camp v. Warrior Fitness Boot Camp
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell

Posted by Venkat at 09:00 AM | Privacy/Security



May 25, 2012

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing

[Post by Venkat Balasubramani]

Katz v. Pershing, 11-1983 (1st Cir.; Feb. 28, 2012)

[This is an old catch up post that fell by the wayside.]

Pershing provides services to brokerage firms, and it makes available a platform (NetExchange Pro) for these firms to access information regarding the accounts of their customers. Katz's brokerage firm was one of those customers. She received a “disclosure statement” alerting her to the provisions of the agreement between her brokerage firm and Pershing. There was no breach as such, but because the disclosure statement advised of the risks of her information being made available through NetExchange Pro, she sued, asserting a variety of state law claims. The district court dismissed the lawsuit on the basis of either Article III or statutory standing. (Here’s my blog post on the trial court ruling: “Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information -- Katz v. Pershing.”) The First Circuit affirms.

Contract claims: the court says Katz can’t bring a contract claim because she is not a party to any agreement with Pershing. She tried to argue that she was a third party beneficiary to the agreement between her brokerage firm and Pershing, but an express disclaimer of intent to benefit third parties kills her third party beneficiary argument. (See also Balsam v. Tucows, and the other cases mentioned in my blog post.) Katz also says public policy bars enforcement of this no-third-party-beneficiary provision, but the court doesn’t buy the vague public policy argument. She also argued that the disclosure statement creates an implied contract between her and Pershing, but the court says there is no consideration and thus no implied contract.

Consumer Protection Act claims: The court says that she has to show Article III standing as well as that she fits under the category of individuals entitled to assert rights under a particular statute. The court divides her various alleged injuries into two groups and finds both insufficient.

The first category of injury consists of misrepresentation-related injuries: (1) that she overpaid for a product that didn’t have the requisite security measures, and (2) false advertisements induced her to pay too much for her brokerage services. Neither of these suffice because any overpayment is made by her to the brokerage firm. She hasn’t paid Pershing anything. There is also no allegation that any overpayment was tied to the alleged misstatements. Finally, she argued that her brokerage firm paid artificially high prices and passed these costs on to her, but the court rejects this as speculative.

The second type of injury includes “data-security” related claims, which are premised on Massachusetts data security law. She brings the typical litany of arguments that apprehension over the loss of her data caused her harm and required her to purchase identity theft insurance. The court says that the data security statute has two components. First, it directs various government entities to adopt standards for data protection. Second, in the event of a “breach of security,” persons and companies that handle personal information must notify government officials and affected parties. The key problem with Katz’s claim is that she fails to allege that her own information “ha[d] actually been accessed by any unauthorized user.”

The court also says that Katz’s purchase of identity theft insurance is insufficient for a related reason. Her decision to purchase this insurance was to “guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered.” The court finally addresses her argument that increased risk alone is sufficient harm. Although other courts have acknowledged that increased risk of harm can satisfy standing (citing to Reilly v. Ceridian, Krottner v. Starbucks, and Pisciotta v. Old Nat’l Bancorp), the court says these cases have one thing in common: there was an actual unauthorized access of the plaintiff’s data.

There's not a whole lot to add. Data security plaintiffs have tried to crack the code in a variety of different ways, but courts are unreceptive at best. One of these days, a class of plaintiffs will come along who have suffered out of pocket loss. Until then, expect to see more opinions like this one.

[NB: the opinion is worth reading, but be forewarned, keep a dictionary handy when you read it. I encountered more than a few words that I had to look up.]

Additional coverage:

Rebecca Tushnet: alleged privacy failures don't violate consumer protection law

Prior posts:

Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions
Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores

Posted by Venkat at 09:47 AM | Licensing/Contracts , Privacy/Security



May 15, 2012

Granick on CISPA's Deficiencies (With Some of My Own Comments)

By guest-blogger Jennifer Granick (with comments from Eric)

[Eric's introduction: Some guest visitors to the blog need no introduction, and that surely describes Jennifer Granick (her Wikipedia page). She's cast huge shadows over cyberlaw in her various stints, including being a leading criminal defense attorney for technology crimes, an EFF attorney and director of Stanford's Cyberlaw Clinic. I'm so glad Jennifer was willing to share her unique perspective on CISPA. I have some remarks after hers. Jennifer has also posted a supplemental line-by-line commentary of CISPA.]

The Cyber Intelligence Sharing and Protection Act ("CISPA") is the latest example of a depressingly common situation in Washington DC -- well-meaning legislators unfamiliar with technology try to rush through a statute about a high-profile Internet issue (here, cybersecurity). Proponents of the bill say they want to facilitate information sharing between the federal government and the private sector. What they don't seem to understand is that existing laws already permit most kinds of cybersecurity information sharing. In their eagerness, the supporters of CISPA would undermine our existing system of accountability for sharing of private data and, by doing so, cause a number of unintended consequences that would harm both state and federal efforts to protect consumer privacy.

CISPA's Unintended Consequences: I firmly believe sharing cybersecurity information is a public good, which is why I have made a career of representing security professionals and hacker hobbyists who want to investigate and report on vulnerabilities. But CISPA (1) fails to comprehend the ways in which existing laws allow sharing, but with accountability; (2) runs roughshod over federal and state laws protecting privacy; (3) could inadvertently immunize retaliatory hack-back security techniques; and (4) creates an "inner circle" of private entities willing to share and share alike with the government, but leaves disfavored service providers in the cybersecurity dark.

(1) Current Law Does Not Interfere With Sharing for Security Purposes: The vast majority of what security professionals consider cybersecurity information is not personally identifying or protected from sharing by any law. Attack signatures, vulnerabilities, exploits and other classic computer security data are freely shareable. For the subset of data that may identify a particular individual, existing laws allow sharing. The most relevant laws, the Wiretap Act and the Electronic Communications Privacy Act, allow a provider to collect and share data for protection of the provider's rights or property. It is true that such sharing is subject to minor but long-standing privacy-enhancing conditions* which CISPA would simply dispose of.

[*FN: My line by line analysis of CISPA (link) highlights where in the text safeguards and dangers would be codified. I strongly oppose this legislation, but can envision a much better, streamlined, privacy respecting, bill that accomplishes the purported cybersecurity purpose.]

As for information protected by HIPAA, VPPA or FERPA, one would not ordinarily think such data is subject to CISPA disclosure and use, except that CISPA specifically calls out sensitive health, educational, firearms, library and bookstore records as the kind of information that private entities can be expected to disclose. Otherwise private information, including video rental records, book rentals, newspaper subscriptions, online reading or data protected by state consumer protection laws (like utility usage records) may freely be shared under CISPA, despite existing privacy rules and sharing safeguards.

(2) State Governments Should Oppose CISPA: States, especially California and New York, protect consumers and consumer privacy with statutes regulating the collection, use and disclosure of sensitive information. Such California laws include electronic surveillance statutes, Shine the Light notifications, Smart Meter utility data protection, the Financial Information Privacy Act, the Reader Privacy Act, Security of Personal Information Law and more. While a comprehensive review of state consumer protection rules that could be preempted by CISPA is beyond the scope of this blog post, it isn't hard to see how California, New York and other states might have serious, perhaps fatal, reservations about CISPA as it currently stands.

(3) CISPA Could Categorically Immunize Even Reckless, Privacy Invasive or Damaging Cybersecurity "Active Defense" Techniques. The definition of cybersecurity system is broad enough to include common "active defense" techniques like remote exploit of an attacking system in order to collect data about the attack, or denial of service attacks to take the offending system offline. For more discussion of those kinds of defenses, see this article in The Atlantic. The statute then categorically immunizes good faith use of such cybersecurity systems. So entities that recklessly use active defense or "hack back" technologies to exploit, disable or destroy attacking machines, even when those machines are innocent zombies controlled and misused by the actual attacker, have no incentive to behave responsibly.

(4) The Cybersecurity One Percent: CISPA sets up a hierarchy of network and service providers. At the bottom are those owned and operated by individuals, who get nothing out of the statute. Next are those entities the government doesn't feel like sharing with, for whatever reason--including the retaliatory motivation that the company hasn't been forthcoming with its own cybersecurity (and customer) data. At the top are the golden firms that get preferential treatment in the form of state-of-the-art security information. The big businesses that support CISPA probably think they are going to be in the room and get the shiny apple. But CISPA instantiates inequities that the computer security community has been managing for over twenty years, problems which inevitably arise from secretive and selective distribution of important security information. See e.g. Schneier, "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'" (Jan 2007); Microsoft Security Response Center: Announcing Coordinated Vulnerability Disclosure (July 22, 2010); National Infrastructure Advisory Council, Vulnerability Disclosure Framework (January 13, 2004); Andy Greenberg, Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees), Forbes, March 21, 2012. CISPA proponents neither understand nor address the complexities of achieving the worthy goal of cybersecurity information sharing.
________

Comments from Eric

Many commentators have drawn parallels between CISPA and SOPA, even though they putatively address very different issues (cybersecurity and IP infringement, respectively). I'd like to unpack some of the parallels. The most obvious parallel between the two laws: who thinks up crazy shit like this? As a prize for their creative thinking, the architects of CISPA and SOPA should get a one-way ticket away from Washington DC. Two other parallels between CISPA and SOPA:

1) No use case. I never understood SOPA's use case. Only one target was named: The Pirate Bay. However, the way it was drafted, SOPA wouldn't have applied to The Pirate Bay. So if SOPA was intended to shut down The Pirate Bay but the statutory drafting didn't reach that far, then the statute lacked any clear justification--and especially no payoff that would justify its multitudinous adverse collateral consequences.

Similarly, I'm not clear what problem CISPA is designed to solve. Indeed, some have said CISPA is a solution in search of a problem. If we can't define the problem clearly and succinctly, it's a good sign that either there's no justification for the law, or (more likely) someone is gaming the legislative system for their own benefit.

CISPA and SOPA have another parallel on this front: we don't understand the use case because the proponents never thought they had to justify the statute. In SOPA's case, the copyright owners expected members of Congress to pass the law without serious questions, which almost happened. When the copyright owners have so many financially supported friends in the corridors of power, they don't need to provide specific rationales for their requests; it's simply enough that the copyright owners wanted it, and their patrons are expected to deliver the quid-pro-quo on demand.

CISPA may not have been such a blatant case of rent-seeking, but it too was designed to proceed without opposition because it was part of an anti-cyberwar effort. For reasons that remain entirely unclear to me, many DC insiders apparently have convinced themselves that we are waging a surreptitious cyberwar that the bad guys are winning. Perhaps there really is a cyberwar raging behind the scenes, but evidence of a cyberwar sure hasn't leaked outside the DC insider community. This makes me wonder if maybe there's a little too much paranoia running around in DC. Or, maybe there's rent-seeking behind the efforts to hype the cyberwar threat?

Worse, to the extent CISPA is an anti-cyberwar effort, it is poorly designed for that effort. At minimum, its definitions are way too broad to address just cyberwar concerns. One of my biggest objections to CISPA is that it defines cybersecurity issues to include ordinary Internet activities such as competitive scraping and sharing of copyrighted materials. The broad sweep of the bill only reinforces the lack of a clear use case about the problem it's trying to solve.

2) Hack of the Internet's infrastructure. SOPA attacked the Internet's basic infrastructure. Putting aside the poorly conceived domain name cutoff provisions that would have undermined the DNS's stability, SOPA was designed to deputize intermediaries to resolve problems they had little financial incentive to handle carefully. The result would be a massive circumscribing of socially legitimate behavior by intermediaries asked to intervene in problems they didn't care about.

In a different way, CISPA also hacks up the Internet's infrastructure. Over the decades, we have developed a delicate system of checks and balances on the government's ability to monitor its citizens' behavior. CISPA would completely gut that system, giving the government virtually any online information it wanted whenever it wanted it without meaningful restrictions on the government's ability to misuse the information. Thus, CISPA engages in the worst kind of Internet exceptionalism by turning the Internet into an all-you-can-eat smorgasbord buffet of information for ever-curious government officials, while presumably a more robust checks-and-balance system would still be in place offline. Making the Internet worse is not what we as Internet users want!

The resulting public outcry against SOPA and CISPA demonstrates that. The public at large does not want technologically clueless members of Congress messing up the Internet's infrastructure for uncertain/unclear payoffs. We give a lot of deference to Congress to screw things up, but when it comes to wrecking the Internet, THAT'S worth fighting against.

Posted by Eric at 02:07 PM | Copyright , Derivative Liability , Privacy/Security | TrackBack



May 12, 2012

New York Judge *Slams* Bittorrent Copyright Plaintiffs – K-Beech; Malibu Media; and Patrick Collins v. Does

[Post by Venkat Balasubramani]

K-Beech, Inc. v. Does 1-37, CV 11-3995 (E.D.N.Y.)
Malibu Media, LLC v. Does 1-26, CV 11-1147 (E.D.N.Y.)
Malibu Media, LLC v. Does 1-11, CV 11-1150 (E.D.N.Y.)
Patrick Collins, Inc. v. Does 1-9, CV 11-1154 (E.D.N.Y.)

Order & Report & Recommendation (May 1, 2012)

Three BitTorrent plaintiffs were smacked around (somewhat brutally) by a federal judge in New York last week. The order addressed requests for early discovery filed by the plaintiffs in three separate copyright lawsuits involving approximately 50 Doe defendants. It also addressed motions by Doe defendants to quash subpoenas that were issued in a fourth action after that plaintiff had obtained leave to take early discovery.

The order is scathing and takes more than a few shots at K-Beech’s “rambling motion papers [that] often lapse into the farcical.”

End result: the court dismisses one case in its entirety, and cuts the remaining three cases down to one Doe defendant, finding that joinder is improper.

Here is a summary of the key points in the court’s order:

1. An IP address does not conclusively identify an infringer: the court says that, unlike in a university setting or in earlier times, the proliferation of wi-fi means that the fact that someone’s IP address was connected to allegedly infringing activity does not establish that the subscriber behind that IP address is the infringer. (“[A] single IP address usually supports multiple computer devices – which unlike traditional phones can be operated simultaneously by different individuals.”) Accord Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009); in contrast, the FTC considers IP addresses to be personally identifiable information. (For what it's worth, more than a few courts have accepted the view--at least at the early stages of litigation--that an IP address identifies the putative infringer.)

2. Improper litigation tactics: at least one of the plaintiffs (K-Beech) engaged in improper litigation tactics. One of the Doe defendants contacted K-Beech to try to resolve the dispute. Apparently, K-Beech employed the usual threat that a defendant’s name could be tied to a porn lawsuit and persuaded the Doe to provide (under the auspices of settlement) “unfettered access to [Doe’s] computer . . . employment records [etc.]” K-Beech then failed to respond to the Doe defendant's communications regarding settlement. In response to Doe’s allegations, K-Beech’s counsel failed to present proof that it or its investigators didn't engage in this conduct. The court notes that Doe’s experience mirrors the experience of at least one other Doe defendant in a file-sharing case in New York. The court is not happy:

[t]his course of conduct indicates that the plaintiffs have used the offices of the Court as an inexpensive means to gain the Doe defendants’ personal information and coerce payment from them.

3. No copyright registration: the same plaintiff that engaged in the tactics referred to above did not have an actual copyright registration—it sought to rely on an application for registration (which is not sufficient in the Second Circuit). Although K-Beech was smacked down for this reason in another case in New York, it tried to remedy this by adding “conclusory trademark claims.” [??] When K-Beech's briefing veered into discussing reputational harm from unauthorized downloads, the court in a footnote points out that the owner of K-Beech doesn’t necessarily have the most stellar reputation:

it is worth noting that the owner of K-Beech Inc. (and apparent inspiration for the K-Beech mark) is Kevin Beechum . . . . It appears that this is the same Kevin Beechum who testified in federal prosecutions about his experience vandalizing adult retail video stores to help extort protection payments from their owners.

D’oh!

4. Joinder is inappropriate: the court says that plaintiffs should not be able to sue multiple defendants in the same suit. Plaintiffs tried to rely on the “swarm” theory--which has been accepted by some courts and rejected by others--under which file-sharing defendants who were a part of the same interactions can be sued together in the same lawsuit. Here, the court notes that plaintiffs’ own allegations undermine their swarm theory. For example, the downloads were often weeks or months apart:

even assuming that the John Does are the actual infringers, the assertion that defendants were acting in concert rests upon a thin reed.

The court declines to exercise its discretion to join the Doe defendants together.

5. Plaintiffs trying to avoid separate filing fees: the court notes that plaintiffs have avoided more than $25,000 in filing fees by filing mass-defendant lawsuits, as opposed to suing the Doe defendants individually. When you take other cases in the same district into account, this amount is closer to $100,000. (The court notes that this approaches millions when the suits nationwide are considered.)

6. Don’t try to take the moral high-ground, porn plaintiffs:

In its papers, counsel for K-Beech equate its difficulties with alleged piracy of its adult films with those faced by the producers of the Harry Potter books, Beatles songs and Microsoft software, and compare its efforts to collect from alleged infringers of its rights to the efforts of the FBI to combat child pornography. In an ironic turn, the purveyors of such works as “Gang Bang Virgins,” explain how its efforts in this matter will help empower parents to prevent minors from watching “movies that are not age appropriate.” . . . It is difficult to accord plaintiff, which features “Teen” pornography on its website, the moral high-ground in this regard.

__

Ouch. As mentioned above, the court dismisses K-Beech’s lawsuit sua sponte in its entirety. The dismissal is without prejudice, but K-Beech should think twice about filing another file-sharing lawsuit in New York. The other plaintiffs can pursue cases against the defendants on an individual basis (they must file separately), and the Does (other than unlucky Doe No. 1 in each case) are dismissed from the three remaining lawsuits. The court appears open to appointing counsel from its pro bono panel for Doe No. 1 (and, I’m guessing, for future Doe defendants).
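To make point 1 above concrete for the forensically minded, here is an added example (my illustration, not anything from the court's order or the parties' filings) of what a subscriber can actually reconstruct when a subpoena names a public IP address and a timestamp. The DHCP lease table and NAT session log are constructed sample data for a hypothetical home router; the IP addresses are from documentation ranges; all timestamps are assumed to be UTC. Most consumer routers keep no session log at all, in which case the best answer is the full set of devices that held a lease at that moment.

```python
"""Resolve a subpoena's (public IP, timestamp) against a home router's DHCP
lease table and (if one exists) its NAT session log.  Constructed data."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM'; all times are assumed to be UTC."""
    return datetime.strptime(s, FMT)


# Constructed DHCP lease table: hostname, MAC, lease start, lease end.
LEASES = [
    ("family-laptop", "aa:bb:cc:00:00:01", "2012-01-14 08:00", "2012-01-15 08:00"),
    ("teen-phone",    "aa:bb:cc:00:00:02", "2012-01-14 17:30", "2012-01-15 17:30"),
    ("guest-tablet",  "aa:bb:cc:00:00:03", "2012-01-14 19:00", "2012-01-14 23:59"),
    ("smart-tv",      "aa:bb:cc:00:00:04", "2012-01-10 00:00", "2012-01-20 00:00"),
    ("old-desktop",   "aa:bb:cc:00:00:05", "2012-01-12 09:00", "2012-01-13 09:00"),
]

# Constructed NAT session log (hypothetical; most consumer routers keep none):
# timestamp, MAC of the internal host, remote IP, remote port.
NAT_LOG = [
    ("2012-01-14 21:10", "aa:bb:cc:00:00:01", "198.51.100.9", 6881),
    ("2012-01-14 21:12", "aa:bb:cc:00:00:02", "198.51.100.9", 6881),
    ("2012-01-14 21:14", "aa:bb:cc:00:00:03", "192.0.2.44",   443),
    ("2012-01-14 21:16", "aa:bb:cc:00:00:04", "192.0.2.80",   443),
]


def devices_leased_at(leases, when):
    """Every host whose DHCP lease covered the subpoena timestamp."""
    t = ts(when)
    return {host for host, _mac, start, end in leases if ts(start) <= t <= ts(end)}


def devices_talking_to(nat_log, leases, when, remote_ip, window_minutes=5):
    """Hosts with a logged session to the monitoring peer within +/- window."""
    t = ts(when)
    mac_to_host = {mac: host for host, mac, _s, _e in leases}
    hits = set()
    for stamp, mac, rip, _port in nat_log:
        if rip == remote_ip and abs(ts(stamp) - t) <= timedelta(minutes=window_minutes):
            hits.add(mac_to_host.get(mac, mac))
    return hits


def attribute(when, remote_ip, nat_log=None):
    """Best attribution the retained records allow.  Without a session log the
    answer is every leased device; with one it narrows, but need not reach 1."""
    pool = devices_leased_at(LEASES, when)
    if nat_log is None:
        return pool
    return devices_talking_to(nat_log, LEASES, when, remote_ip) & pool


if __name__ == "__main__":
    # Hypothetical subpoena: public IP 203.0.113.7 at 2012-01-14 21:15 UTC,
    # observed by the plaintiff's monitoring peer at 198.51.100.9.
    print("no session log:", attribute("2012-01-14 21:15", "198.51.100.9"))
    print("with session log:", attribute("2012-01-14 21:15", "198.51.100.9", NAT_LOG))
```

Even in the best case, where a session log survives, two devices operated by two different people were talking to the monitoring peer on the BitTorrent port in the same window, which is exactly the ambiguity the court describes. A small clock skew between the plaintiff's monitoring host and the router, or a timezone mistake in the subpoena, would shift which devices fall inside the window, so the window parameter is a judgment call rather than a constant.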

There are a slew of these lawsuits pending around the country so it’s tough to say anything definitive, but courts certainly seem to be reaching the boiling point with bittorrent plaintiffs (the abusive litigation tactics don’t help). Check out the TorrentLawyer blog for a few recent examples:

- Malibu Media, LLC cases go down in FLAMES in Virginia

- THIRD DEGREE FILMS, INC. attorney perhaps facing a THIRD DEGREE FELONY

Also, as a follow up to the case in New York, Twitter user "fightcopyrighttrolls" reports on what seems to be an inexplicable strategic decision by lawyers for one of the plaintiffs in this case.

[A note to lawyers: judges compare notes, directly or indirectly.]

Other coverage:

Ars Technica: Furious judge decries "blizzard" of copyright troll lawsuits

Torrent-Freak: Judge: An IP-Address Doesn’t Identify a Person (or BitTorrent Pirate)

Previous posts:

Court Nukes Another Mass Defendant File-Sharing Lawsuit -- Digiprotect v. Does
Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does

Posted by Venkat at 09:48 AM | Copyright , Privacy/Security



May 10, 2012

An Unmasking Effort Gets Gutted Some More – Art of Living Foundation v. Does

[Post by Venkat Balasubramani]

Art of Living Foundation v. Does, 10-cv-05022-LHK (N.D. Cal.; May 1, 2012)

I posted earlier about the Art of Living Foundation’s (AOLF) efforts to unmask online critics (posting pseudonymously as ‘Skywalker’ and ‘Klim’). In early rulings, the court rebuffed AOLF’s efforts. AOLF originally brought defamation and trade secrets claims. The court held that any allegedly defamatory statements were protected opinion, and that AOLF failed to identify its trade secrets with particularity. The court also stayed discovery of the defendants’ identities, finding that the balance of equities favored the preservation of anonymity. (Here's my prior blog post on the case: "Spiritual Group's Attempt to Unmask Online Critics Goes South.")

AOLF filed an amended complaint, dropping the defamation claims but adding claims for copyright infringement. The amendment also specified the allegedly misappropriated trade secrets. With respect to the copyright claim, AOLF alleged that republication of certain “lesson plans” by the Doe defendants constituted copyright infringement and misappropriation of trade secrets.

In a further development in this lawsuit, the court granted the Does’ request to dismiss the copyright claims. The trade secrets claims largely survive, although the court notes that they aren’t the strongest.

Copyright claims: AOLF did not present any evidence that one of the two defendants was involved in any way in republishing the lesson plans, or related notes, so this defendant (Klim) is awarded summary judgment. Skywalker, the second Doe defendant, admitted to posting the text of the lesson plans on his blog. Although he wasn’t entitled to summary judgment on the same basis as Klim, he challenged AOLF’s ownership of the copyrights at issue.

The court finds that the registration certificate presented by AOLF was not prima facie evidence of ownership (because the registration was obtained more than five years after publication). The court goes on to find that the AOLF entity that brought the copyright claim was not the owner of the copyrighted material. There’s an Indian AOLF entity, and one of the declarations let slip that the lesson plans at issue were created “for the benefit of the Art of Living Foundation in India with the understanding that the Art of Living Foundation in India would own [all of the rights to the lesson plan].”

AOLF (US) also tried to argue that the Indian entity had assigned the copyright to the US entity, but AOLF (US) failed to produce any written record of an assignment, or even evidence that such a writing existed. Even a confirming email would have been plenty, but for whatever reason AOLF (US) was unable to muster evidence on this point.

Trade secrets claims: Defendants continue to batter away at AOLF’s trade secrets claims, but the court finds that AOLF made the minimal necessary showing that its teaching methods: (1) have independent economic value and are not generally available; and (2) are the subject of reasonable confidentiality restrictions. In particular, AOLF came forward with evidence that although the teaching methods drew on “conventional concepts and terminology of Hindu mysticism,” AOLF “incorporate[d] many additional and novel elements.” With respect to confidentiality, AOLF alleged that it required its teachers to sign confidentiality agreements. Although the court expresses some skepticism about the overall merits of AOLF’s trade secrets claims, those claims are sufficient to move forward at this time. However, the court does include language in its order inviting defendants to move for summary judgment on the issue of whether AOLF’s information is truly a trade secret, or is indistinguishable from general knowledge of the public or of those skilled in the relevant field.

The court also raps AOLF on the knuckles for trying to take a third bite at the designation-of-trade-secrets apple. AOLF had already submitted an amended designation of trade secrets and sought to amend this designation again. The court says that although it will allow the amendment, this is the last time (“the court puts [AOLF] on notice that this is its final opportunity to amend its trade secret designation with particularity”).

The court also grants the motion to strike as to Klim, finding that AOLF put forth no evidence that Klim was involved in any way in the alleged dissemination of AOLF trade secrets.

SLAPP fees: Finally, the court grants defendants' request for fees as to the defamation/trade libel claim. Although AOLF amended its complaint and dropped the defamation and trade libel claims, there was no evidence that AOLF achieved its goals with respect to these claims through other means. AOLF’s amendment of its complaint to exclude the defamation and trade libel claims was “tantamount to a voluntary dismissal.” (Defendants brought a motion to dismiss and a motion to strike and the court earlier granted the motion to dismiss but declined to reach the merits of the motion to strike.) End result: defendants can seek fees for dismissal of the defamation and trade libel claims.
_____

This is another example of how things can go wrong when someone tries to squelch speech online. Granted, in countless other cases, these types of claims would have resulted in default judgments without anyone batting an eye, but the Does were represented by counsel (and both Public Citizen and EFF appeared as amici). As a result, the balance of power changed significantly. (It also helps to have a thoughtful judge—in this case Judge Koh—who takes a close look at the issues and seems mindful of the speech implications of the judge's rulings.)

It’s interesting that AOLF’s efforts to unmask the Does were premised in part on AOLF’s copyright claims. These turned out to be insufficient at the end of the day. Courts routinely grant requests to unmask Doe defendants when copyright claims are involved, but this ruling is a reminder that judges should take a close look at those requests, even when the other side may not be represented by counsel. For another example, see Maximized Living v. Google.

Finally, the court’s order makes a reference to how many times the webpages containing the alleged trade secrets were viewed: 147 and 351 in July and August 2010, respectively (before the pages were removed in response to a takedown request sent to WordPress). Given the cloud around AOLF’s copyrights and the multiple entities involved (the takedown request was sent from Vyakti Vikas Kendra India), one wonders about the propriety of the takedown requests. But setting this aside, these statistics raise the question of whether AOLF’s significant expenditure of fees to squelch criticism of it was even remotely worth it. (I would be shocked if their answer today was “yes”.) Compare Pitale v. Holstine.

Given the court’s ruling on the fees issue, and its hints around the strength of AOLF’s trade secrets claims, this case should quickly head towards a settlement. The big question is whether everyone will just go their separate ways, or if AOLF will be writing a check to the Does (or their counsel).

Posted by Venkat at 01:37 PM | Content Regulation , Copyright , Privacy/Security , Trade Secrets



May 03, 2012

Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal

[Post by Venkat Balasubramani, with comments from Eric]

US v. Nosal, 2012 WL 1176119 (9th Cir. Apr. 10, 2012)

Nosal was a Korn/Ferry employee who, after his departure, convinced some remaining employees to provide him with confidential information to help him start a competing business. Employees were authorized to access the company's network and information on it, but they were prohibited by the employer’s policy from disclosing confidential information. The key question was whether the employees “exceeded their authorized access,” and whether their access and use of the information constituted a criminal violation of the Computer Fraud and Abuse Act.

The 9th Circuit took the case en banc. In a typically clear and emphatic Judge Kozinski opinion, the Ninth Circuit says that exceeding authorized access to an employer's network does not support a conviction under the CFAA. (Judge Silverman's dissenting opinion is worth checking out as well.) The key distinction is whether the employees accessed data or information that they were totally prohibited from accessing, or whether they misused information that they were otherwise authorized to access. The first scenario supports a CFAA violation, but the second does not.

The parties wrangle over the statute’s wording and construction, and the court sides in favor of the defendant with respect to these arguments. The court notes that the government’s interpretation of the statute would transform everyday online “dalliances,” which arguably violate employer policies by using networks for non-“business purposes,” into federal crimes:

What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii?

What swayed the court is that the government’s construction of the statute would expand the scope of the statute far beyond its intended purpose—hacking—and would “make criminals of large groups of people who would have limited reason to suspect that they are committing a federal crime.” Who might these people be? You and me, and every other person who surfs countless websites arguably in technical violation of the applicable terms of service. We use sites that are subject to terms of service but these terms of service are, as the court notes, “vague and generally unknown.” We routinely violate those terms of service:

Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

Moreover, websites reserve the right to change terms of service “at any time and without notice.” This means that any use of a website in violation of the terms--that the user may not even have knowledge of--could constitute a federal crime. The court cites to the terms of service of various websites, including Facebook, craigslist, Twitter, Hulu, YouTube, Match.com, Netflix, Pandora, just to name a few. The government came back and said that it would be unlikely that any user would be prosecuted for these violations, but the court cites to US v. Drew and says that if the government has a reason to go after you, its interpretation of the statute allows it to do so.

The day after the Ninth Circuit's ruling in Nosal, the Second Circuit released its opinion in U.S. v. Aleynikov, explaining its rationale for setting aside Aleynikov's conviction under the National Stolen Property Act and the Economic Espionage Act of 1996. Aleynikov was a highly paid programmer who worked for Goldman Sachs. He was lured away by a competing business to develop the competing business's high frequency trading system. Prior to leaving Goldman, he transferred a chunk of the source code that he had developed while at Goldman. The Second Circuit sets aside his conviction, finding that source code alone is not a "product" for purposes of the EEA or a "good, ware, or merchandise" for purposes of the NSPA. Interestingly, Aleynikov was charged with a CFAA violation but the district court dismissed it, relying in part on Brekka. With respect to the CFAA claim, the district court said that because Aleynikov was authorized to access the source code at the time he accessed it, his subsequent misuse is not enough to support a CFAA charge. As it turns out, the government's attempted workarounds to the CFAA, the NSPA and EEA charges, were no more availing.

__

The Ninth Circuit's Nosal ruling is a big loss for employers, who in recent years have been pushing Computer Fraud and Abuse Act claims in the employment context. The court cites to Lee v. PMSI in a footnote, but there have been countless others. (Prior blog post on this topic: “No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI.”) It’s also a big loss for networks, which will have a tougher time policing access based on terms of service violations. Facebook most recently went after Power Ventures, and although it proceeded under California’s anti-hacking statute, this decision may affect similar lawsuits in the future. (The two statutes are not identical, and it’s unclear whether a network could still prohibit scraping or other unauthorized access through its terms.)

There's a key question left somewhat open by the court's opinion. If a network imposes use restrictions and says that users who access the network for improper purposes are not authorized to use the network at all (e.g., "if you provide false information when you register for an account, you are not authorized to access our service" or "you may not access our service via bots or other automated means"), does Nosal leave open the possibility of a CFAA violation in this context? Nosal (and LVRC v Brekka, an earlier Ninth Circuit case) do not appear to preclude this approach.

The Ninth Circuit's approach here diverges from the approaches of other circuit courts. I don't have a sense of whether this is a good candidate for Supreme Court review, but that's a possibility. For what it's worth, there's a draft bill currently pending to "fix" the CFAA. Check out this post from Jennifer Granick as to why the fixes won't be much of a fix: "Draft Bill to "Fix" CFAA Won't."

What steps can employers take post-Nosal? I'd consider the following: (1) make employee policies as explicit as possible, and don't rely on vague notions of fiduciary duties; (2) impose technical access restrictions that govern the means of access, so that what an employee can reach is enforced by the system rather than by a written policy; and (3) password-protect material that is truly a trade secret and make it available only on a need-to-know basis. Even these steps don't guarantee a solid foundation for a CFAA claim. At the end of the day, it may be worth looking to other means of protecting your confidential information and restricting competition by employees.
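As an added illustration of steps (2) and (3), and of why they matter after Nosal, here is a small deny-by-default, need-to-know access check with an audit trail. It is my example, not code from the opinion, the parties or this blog; the employer, principals and resource names are hypothetical. The point it shows: when a departed employee tries to reach the data directly, the system records a denial, which is the "access without authorization" Nosal still covers; when an insider who holds a valid grant reads the data and then hands it over, the only technical record is an ordinary ALLOW, which is the misuse Nosal says the CFAA does not reach.

```python
"""Deny-by-default, need-to-know access control with an audit log.
Hypothetical employer, users and resources (added example)."""
from dataclasses import dataclass, field


@dataclass
class NeedToKnowStore:
    grants: dict = field(default_factory=dict)   # resource -> set of principals
    active: set = field(default_factory=set)     # principals with live credentials
    audit: list = field(default_factory=list)    # (principal, resource, verdict)

    def grant(self, resource, principal):
        """Explicit, per-resource grant: nothing is readable without one."""
        self.grants.setdefault(resource, set()).add(principal)

    def offboard(self, principal):
        """Revoke the credential and every grant when someone leaves."""
        self.active.discard(principal)
        for members in self.grants.values():
            members.discard(principal)

    def read(self, principal, resource):
        """Deny unless the principal is active AND explicitly granted."""
        ok = principal in self.active and principal in self.grants.get(resource, set())
        self.audit.append((principal, resource, "ALLOW" if ok else "DENY"))
        return ok

    def denials(self):
        return [e for e in self.audit if e[2] == "DENY"]


def nosal_scenario():
    """Hypothetical: a departed employee ('ex-partner') and a remaining one
    ('assistant').  Returns (direct_access, insider_access, denials)."""
    store = NeedToKnowStore(active={"ex-partner", "assistant"})
    store.grant("candidate-source-lists", "ex-partner")
    store.grant("candidate-source-lists", "assistant")
    store.grant("client-billing", "ex-partner")      # assistant never needed this
    store.offboard("ex-partner")

    # Step (2): the system, not a policy, blocks the departed employee.
    direct = store.read("ex-partner", "candidate-source-lists")          # DENY

    # The insider's read is legitimately ALLOWed; nothing in the log marks
    # what the insider does with the data afterwards (the Nosal facts).
    insider = store.read("assistant", "candidate-source-lists")           # ALLOW

    # Step (3): need-to-know limits the blast radius of a cooperating insider.
    store.read("assistant", "client-billing")                             # DENY

    return direct, insider, store.denials()


if __name__ == "__main__":
    direct, insider, denials = nosal_scenario()
    print("departed employee, direct:", direct)
    print("insider with a grant:", insider)
    for entry in denials:
        print("DENY", entry)
```

The design choice worth noting is that `read` consults two independent facts, credential status and an explicit grant, and logs every verdict. A written policy can say "do not share this," but it produces no record when it is broken; the grant table and the audit log are what a later investigation (or CFAA complaint) can actually point to.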

Prior post:

9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal

Other coverage:

* EFF (press release): Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime

* Jeff Neuburger: Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense

* Kim Zetter: Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case

* David Kravets: Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker
______

Eric's Comments

Judge Kozinski's opinion was highly entertaining (as usual) and full of pragmatic realpolitik, but I disagree with Venkat that the opinion was clear. In fact, I remain quite confused by the opinion and what it means for the CFAA. Among the questions I can't confidently answer after the opinion:

* does the en banc court's definitional interpretation apply to both civil and criminal CFAA claims, or just criminal prosecutions? There are some reasons to believe the court's opinion would support reading the language the same in civil and criminal contexts. The court says: "Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute." Plus, a number of cases endorsed by the majority are civil. However, the majority never clarifies this point, and there is some reason to believe the results aren't 100% extensible to civil cases. For example, the majority opinion repeatedly hammers on CFAA criminality interpretation problems and gives examples of ridiculous CFAA crimes (and doesn't give any countervailing examples of a CFAA civil case). The majority also concludes that criminal prosecutions turn on lenity, a consideration that wouldn't apply in the civil context. Finally, the Lori Drew court treated civil and criminal CFAA suits differently, so arguably that distinction could still crop up in other cases.

* as noted by Venkat, if a company policy says "we condition your access to our network on you not doing XYZ with any data you subsequently acquire," has the company drafted its way around the holding? This workaround should be too facile, but the majority opinion possibly sets up this bypass.

* how can a network operator properly communicate any limits of third party access to their networks? Historically, websites could delimit access for CFAA purposes via "terms of use" that were "browsewraps," i.e., pages that users weren't required to see in order to access the site. The majority's result doesn't depend on terms placement, but it uses some examples of non-clickthrough terms that it seemingly treats as binding. (e.g., "Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice."). In light of its ruling, perhaps terms of use never can delimit server access, so placement of terms is irrelevant, i.e., even if the contract is presented as a clickthrough, it will be irrelevant to the CFAA analysis. But if that's the case, then the opinion has virtually eviscerated all civil CFAA claims in the Ninth Circuit--a good result IMO, but a perhaps unnecessarily overreaching one.

Obviously, future litigation will give us the answers to these questions. But it would have been better if the majority opinion had been clear enough to prevent the sorting-out process that will take place over the next couple of years.

Even with all of its ambiguities, I think the majority reaches a favorable policy outcome, and I for one would love to see the CFAA scale back its scope substantially. That isn't going to happen. The CFAA is one of the statutes Congress keeps "improving" as part of its wars on terror and cybersecurity, so I wonder if this opinion's result will survive Congress' next ham-fisted amendment of the CFAA.

Posted by Venkat at 12:02 PM | Licensing/Contracts , Privacy/Security , Trespass to Chattels



May 01, 2012

New Essay: The Irony of Privacy Class Action Lawsuits

By Eric Goldman

I’ve posted a new essay to SSRN titled The Irony of Privacy Class Action Lawsuits. It should be published later this year in the Journal of Telecommunications and High Technology Law at University of Colorado. The essay comes out of a panel discussion we had at Colorado Law in December on the Economics of Privacy. The version I’ve posted is still in draft form, so I should be able to make some changes. I welcome your comments.

The essay issues a challenge to privacy advocates who support enforcement of privacy violations via class action lawsuits. I argue that the structure of class action lawsuits contains a number of attributes that privacy advocates consider bad business practices, such as requiring consumers to opt-out and providing inadequate notice-and-choice. Privacy advocates’ reaction to the essay has almost universally been “D’oh!” However, I don’t think the irony (or, at least, my explication of it) is compelling enough to persuade privacy advocates to strike class action enforcement from their toolkit.

More generally, the essay suggests that there may be value to more closely examining the various enforcement institutions for privacy violations. Comparative enforcement institution analysis is a perennial topic in consumer/advertising law (and many other disciplines, I’m sure). Yet, I’m not aware of the institutional competence issue getting a lot of attention in the privacy scholarship, which is surprising given the vast volume of privacy scholarship. If I’ve missed something, please let me know.

The essay is a quick read, and one reader called the ironies "delicious." I hope you’ll check it out.
_______

The abstract:

In the past few years, publicized privacy violations have regularly spawned class action lawsuits in the United States, even when the company made a good faith mistake and no victim suffered any quantifiable harm. Privacy advocates often cheer these lawsuits because they generally favor vigorous enforcement of privacy violations, but this essay encourages privacy advocates to reconsider their support for privacy class action litigation. By its nature, class action litigation uses tactics that privacy advocates disavow. Thus, using class action litigation to remediate privacy violations proves to be unintentionally ironic.

Posted by Eric at 09:00 AM | Privacy/Security | TrackBack



April 24, 2012

Court Orders Disclosure of Psychic Chat Records in Retaliation Case – Glazer v. Fireman’s Fund

[Post by Venkat Balasubramani]

Glazer v. Fireman's Fund Ins. Co., 11 Civ. 4374 (PGG) (FM) (S.D.N.Y.; Apr. 4, 2012). The complaint.

Glazer (her LinkedIn page) sued Fireman’s Fund Insurance, alleging that Fireman’s Fund retaliated against her because she complained about “discrimination against non-African Americans.” Fireman’s Fund found out that Glazer had consulted with various psychics through LivePerson’s “on-line and professional consulting services” platform. It requested disclosure of the chat records from LivePerson, after Glazer said she could no longer access them.

LivePerson objected on the basis that Glazer could produce the documents herself and had agreed to do so. Glazer says that she closed her account and her old chats were inaccessible. At the discovery conference, LivePerson says that if Glazer were to open up a new account, all of her previous chats would be available to her (minus the chats that she was unable to pay for, which a LivePerson staff person could access).

The court notes the lurking Stored Communications Act issue, under which LivePerson may either be the provider of an “electronic communications service” or a “remote computing service” (citing, among other cases, Crispin v. Audigier and Theofel v. Farey-Jones). The court also flags the issue of whether LivePerson’s privacy policy bars or authorizes disclosure. The court says that LivePerson’s policies are inconsistent. The terms of service say that information transmitted through LivePerson.com is not confidential and that LivePerson is granted a license to reproduce and “publicly perform” this information. But LivePerson's privacy policy also says that member-expert communications will remain “confidential, personal, and private” unless both parties to the communications agree to disclosure.

Ultimately, the court says that the Stored Communications Act and privacy policy issues are irrelevant:

[t]he Court need not determine whether Glazer’s communications are electronically stored, or whether Glazer consented to the disclosure of her LivePerson chats by agreeing to the Terms and Conditions, because it may simply direct that she consent to disclosure if the chats are likely to contain information relevant to this case. [citing Romano v. Steelcase, among other cases]

The court orders Glazer to open a new LivePerson account, retrieve all available chat transcripts and produce them to Fireman’s Fund. In addition to the paid chats, Fireman’s Fund also argued for disclosure of free chats, and the court says Glazer should try to retrieve these as well. To the extent she cannot, the court directs Glazer to execute a consent form so LivePerson can retrieve the chats. The court also orders disclosure of LivePerson’s billing records for Glazer, which Glazer will be able to access when she opens a new account. Finally, Fireman’s Fund asked for any documents relating to chats between Glazer and psychics through sites other than LivePerson, including some that Fireman’s Fund says occurred as late as January 2012. The court says that these records will be cumulative.
__

Psychics make me think of the online harassment case Eric blogged about a couple of weeks ago: “What Do Soymilk and Nutella Have to Do With an Online Harassment Case?--Taylor v. Texas.” As in that case, the outcome here makes you question the efficacy of the psychics in question: one wonders why the psychics didn’t advise Glazer about the possibility of disclosure of the chats to Fireman’s Fund. I guess the psychics must have told Glazer that her litigation prospects were good; otherwise Glazer wouldn't be in court.

Glazer committed a classic miscue for employee-plaintiffs—she engaged in discussions regarding her dispute through her work email account. If not for this, Fireman’s Fund may not have ever found out about the chats in question. (Note to prospective employment plaintiffs: if there is even a whiff of a dispute with your employer, you should engage in all third-party communications through your own personal email accounts, on your own time, and off your employer's network.)

The court says that a party can be compelled to produce information that is protected from third party disclosure under the Stored Communications Act. This sounds like the right result, although this court, like the others that have addressed this issue, does not delve into the details. It's good to see that the court did not require Glazer to turn over her passwords or log-in credentials to Fireman's Fund. Other courts have ordered exactly that, ignoring the obvious dangers presented by allowing a litigant to freely rummage around in their opponent's Facebook account. (A recent decision in a New York worker's comp case found that postings on a firefighter's Facebook page were relevant to his claim of damages: Loparcaro v. City of New York. The court in that case took an approach similar to the one here and ordered the plaintiff to turn over copies of the relevant Facebook postings to the court so the court could assess privilege and relevance issues. Here's the Justia link to the court's order in that case.)

In the meantime, this case is a good reminder that your online communications are not off-limits and that you probably cannot take refuge in the protections of the Stored Communications Act . . . even if you are engaged in chats with psychics!

[NB: the court notes that LivePerson offered chats with lawyers but there was no evidence that Glazer had engaged in chats with lawyers via LivePerson.]

Additional coverage:

Bow Tie Law's Blog: Psychic Discovery

Previous posts:

Courts Continue to Grapple with Discovery Disputes Around Social Networking Evidence
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville

Posted by Venkat at 10:50 AM | Evidence/Discovery, Privacy/Security



April 07, 2012

Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.

[Post by Venkat Balasubramani]

Hoang v. Amazon.com, Inc. & IMDB.com, Inc., C11-1709MJP (W.D. Wash.; Mar. 30, 2012)

Hoang sued IMDB, alleging that IMDB took information she provided when she paid for her subscription and used this information to derive her birthdate. She alleges IMDB then added her birthdate to her public profile and declined to remove it despite her request. She asserts claims for breach of contract and fraud, along with claims under the Washington Privacy Act and the Washington Consumer Protection Act. (She initially filed a Doe lawsuit and argued that she should be able to proceed pseudonymously, but the court rejected this request. See coverage from Matthew Belloni here: "Actress Suing IMDB Reveals Her Real Name.")

Breach of contract: The court declines to dismiss Hoang’s breach of contract claim, finding that statements in IMDB’s privacy policy could support a claim for breach of contract. What tripped up IMDB? Flowery language in its privacy policy saying that it would use customer information “carefully and sensibly.” While there was a section of the policy which informed users what the information would be used for, it did not encompass the use of information for targeting or using the information provided by customers to obtain other information about them:

You can choose not to provide certain information, but then you might not be able to take advantage of many of our features . . . . IMDB uses the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.

Remaining claims: The remaining claims are largely nuked, with one big exception. The court says that Hoang fails to identify any fraudulent statements, and her broad claims about IMDB’s misuse of her information are not sufficient to state a fraud claim. Her claim under the Washington Privacy Act fails as well because this statute covers the interception or recordation of private communications, and Hoang failed to identify any communications intercepted or recorded by IMDB. The one surviving claim that could turn into a problem for IMDB is the Consumer Protection Act claim under Washington law. This allows Hoang to ask for treble damages plus injunctive relief (which may be something IMDB is more worried about).

Quick thoughts:

* Re-identification is risky behavior for companies.

* Finally, a privacy plaintiff who does not have an Article III standing problem! Her damages may not seem like they are the easiest to prove and they may not be astronomical. However, she clearly gets past the Article III hurdle, and if she can get in front of a jury and argue that big bad IMDB (Amazon) played fast and loose with her information, and failed to remove it upon her request, she may find a sympathetic audience.

* Flowery privacy policy language that comes back to haunt a company. This has happened time and time again and is yet another example of a court or agency latching on to flowery language to find an obligation with respect to the use of information. Twitter's language about its security practices came back to haunt it when it was investigated by the FTC: "The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?" Language in RockYou's policy both supported a breach of contract claim and was cited by the FTC in an enforcement action (which recently settled).

* Here's the million dollar question: does Hoang's breach of contract claim require her to show that IMDB obtained information and caused her harm by publicly attaching this information to her profile, or would she have a claim merely based on IMDB's use of her information in a way that is not described in IMDB's privacy policy? The court does not address this issue since Hoang made the allegation that IMDB's public use of her information harmed her. I'm guessing Hoang can't make an argument that IMDB's contractual promises restricted IMDB from using the information she provided as part of the subscription process for any purpose other than to process payment (say for direct marketing or targeting)? This could be a somewhat far-reaching argument, but would run squarely into the Article III problem.

[It's also worth noting that IMDB did not try to force Hoang to arbitrate her claims. IMDB's terms do not contain an arbitration provision. I'm guessing they will consider adding one soon.]

Other coverage:

Eriq Gardner: "Judge Allows Actress Suing IMDb Over Age Revelation to Go Forward on Lawsuit"

Posted by Venkat at 01:24 PM | Licensing/Contracts, Privacy/Security



April 03, 2012

Data Security Breach Settlement Class of 130M Individuals Has 11 Claimants (at a Cost of $160k Per)--In re Heartland Payment Systems

By Eric Goldman

In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2012 WL 948365 (S.D. Tex. March 20, 2012). The settlement website.

[Note: I know that many big-scale class action lawsuits have similarly mockable numbers. But I thought the obvious dysfunction of this litigation was still worth deconstructing.]

At some point, I think all of those in the information security litigation industry (both plaintiff and defense) have to ask themselves--am I part of the solution, or part of the problem? I wonder about that question even more after seeing the enormous transaction costs in providing de minimis relief in a case like this. Guys, what are we doing here?

Heartland is a payment-card processor. In 2007, it got hacked. The hackers got 130M credit card numbers and expiration dates, plus some cardholder names, but they didn't get mailing addresses, so the credit card numbers couldn't be used online. Heartland publicly announced the hack in 2009. Heartland preliminarily settled the lawsuits by promising to pay at least $1M to verified victims or (if not enough claims were made) to "non-profit organization(s) dedicated to the protection of consumers' privacy rights, with emphasis on advancing the implementation of end-to-end encryption of payment card authorization transactions or similar security enhancements." The named organizations are Smart Card Alliance, the Secure POS Vendor Alliance, and the Financial Services Information Sharing Analysis Center.

For sending a settlement notice, Heartland couldn't provide individual addresses because it's a payment processor, not an issuing bank. Nevertheless, advertising about the settlement allegedly "reached at least 81.4% of potential Settlement Class Members an estimated 2.5 times."

Class members tendered 290 claims, of which "Heartland estimated that perhaps 11 of those claims were valid." At a maximum payout of $175, the maximum amount of cash going to class members is less than $2k. Accordingly, effectively the entire $1M is going to cy pres, not class members. To be clear, Heartland was paying cold hard cash to affected consumers instead of issuing a coupon, but the response rates were worse than typical coupon settlements--by my math, a 0.00000846153846153846% response rate.

The opinion indicates Heartland spent $1.5M to advertise the settlement. Thus, it appears they spent over $130,000 to generate each legitimate claim. Surprisingly, the court blithely treats the $1.5M expenditure as a cost of doing business, but I can't wrap my head around it. What an obscene waste of money! Add in the $270k spent on claims administration, and it appears that the parties spent $160k per legitimate claimant. The court isn't bothered by the $270k expenses either, even though that cost about $1k per tendered claim (remember, there were 290 total claims).

Now, there are a lot of possible explanations why there was such a low response rate: maybe the hackers didn't actually capture any useful data; maybe the hackers didn't misuse the data they got; maybe the credit card companies' fraud detection systems screened out any bogus charges; maybe consumers never noticed bogus charges; maybe consumers did notice bogus charges but never saw the news about the settlement; maybe the hassle of pursuing the settlement wasn't worth the payoff or consumers couldn't figure out how to tender their claims. But whatever happened, neither plaintiffs' counsel nor anyone cheering for more information security enforcement can be particularly impressed by the minuscule response rate. It's a pretty good indicator of at least one deep structural problem with this litigation.

The court makes plaintiffs' counsel take a small haircut for their failure to deliver real value to the class. The parties had computed an attorneys' fee payoff of $725k predicated on a settlement value of $4.85M. After discounting the case value due to the cy pres payments, the court adjusts the attorneys' fee award down to a little over $600k. Still, the plaintiffs' counsel claimed they spent less than 2,000 hours on the case, so they got about $300 per average hour spent on the case--a pretty good overall rate when considering the number surely includes a good number of cheap junior associates and paralegals.

I have a forthcoming paper on privacy class action lawsuits (I'll be posting it soon) that will explicate some serious problems with class actions as a way of remediating privacy breaches. I carved out security breach litigation from the paper, but a case like this makes me wonder what in the world we're doing. As I discuss in my forthcoming paper, maybe the greater social ends justify the means, but examined in isolation, this mechanism looks horrible. In the end, to pay out $2k of actual relief to 11 people, Heartland paid over $2M in attorneys' fees and other transaction costs. Surely I'm not the only one bothered by this...am I?

Posted by Eric at 12:16 PM | Privacy/Security



March 31, 2012

Lawsuit Against Google for Putting Search Queries in Referral URLs Moves Forward – Gaos v. Google

By Venkat Balasubramani with comments from Eric

Gaos v. Google, 5:10-CV 4809 (N.D. Cal.; Mar. 29, 2012)

Gaos sued Google based on the theory that: (1) Google allows website owners (and third parties) to see what search terms a user inputted; and (2) through “reidentification,” search terms could be linked with a user’s identity. Chief Judge Ware granted Google’s motion to dismiss on Article III standing grounds in April 2011. Gaos filed an amended complaint, alleging claims under the Stored Communications Act and a variety of state law claims. (Here’s a link to the Amended Complaint.) In the interim, the case got reassigned to Judge Davila.

State law claims: As to the state law claims, the court again says that Gaos lacks Article III standing. She alleges only that she searched for her own name and her family names. In contrast to the allegations in Does v. AOL (the “search Valdez” case) where AOL released sensitive information—such as bank account information and social security numbers—in search queries, disclosure of Gaos’s search queries to third parties will not cause her harm. Although the court grants Google’s motion to dismiss, it grants Gaos leave to amend a second time.

Stored Communications Act claims: As to the Stored Communications Act claim, the court says that she does not need to allege any actual injury other than a violation of the statute: “injury required by Article III . . . can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’” The court does not reach the merits of whether Gaos’s allegations actually state a claim under the Stored Communications Act, finding that Google’s motion “[did] not place this . . . issue before the court.” (The court cites to Fraley v. Facebook and In re Facebook Privacy Litigation and notes that the fact that Gaos has standing is distinct from whether she has stated a claim.) Instead, the court focuses on whether Gaos corrected the deficiencies identified by Judge Ware in his initial dismissal order, which found Gaos’s initial allegations conclusory in nature. The court says that Gaos corrected these deficiencies by alleging what particular search queries Google improperly disclosed.

__

Yikes, this is not an optimal result for Google to say the least. A dismissal of the Stored Communications Act claims on Article III grounds would have avoided the question of whether search queries are covered under the SCA, whether Google’s disclosure amounts to a violation, and Google’s possible defenses based on consent. (Contrast this result with Low v. LinkedIn, where the court grants a dismissal on Article III grounds in another referrer header case against LinkedIn.) I’m not even sure whether Google can challenge the SCA claims until summary judgment. Google will try to whittle away at the lawsuit by attacking it at the class certification stage, but plaintiff has to be pretty happy with this ruling.

A big question is how the Supreme Court’s decision in the Privacy Act case will affect the outcome here, and on this score the outlook is bleak for Gaos and other similar plaintiffs, at least as far as damages go. (See Kash Hill’s post on that case: “Humiliation After A Privacy Invasion Is Not An 'Actual Damage,' Rules Supreme Court.”) It will come down to similarities in statutory language between the two statutes, but I would imagine Google may argue shortly that the Supreme Court’s limitation of “actual damages” to pecuniary or economic harm requires a re-examination of Gaos’s claims for damages. Gaos could still assert claims for injunctive relief, so I’m not sure this will successfully put the brakes on this lawsuit.
________

Eric's Comments

I don't share Venkat's "yikes" reaction to this ruling. It seemed fairly straightforward to me. The court dismissed the bulk of Gaos' lawsuit on Article III standing grounds. This is consistent with the broad trend that most privacy "victims" lack sufficient harm to deserve a day in federal court.

The only claim that didn't get wiped out is the SCA claim, and that's only because Gaos alleged a statutory violation. This court is bound by the Ninth Circuit's opinion in the Edwards v. First American case saying (in a real estate case) that plaintiffs satisfy Article III standing when they allege statutory violations. The Edwards case is on appeal to the US Supreme Court, and based solely on the Ninth Circuit's track record in the Supreme Court, I wouldn't be surprised if the Supreme Court reverses--at which point simply alleging an SCA violation without any further harm won't survive an Article III standing challenge.

I'll also add that the SCA's poor drafting means that no one (including the judges) knows exactly what's covered by the statute, so it's not that surprising to see an SCA claim survive a motion to dismiss. As we know, virtually every privacy lawsuit alleges an ECPA/SCA violation because the statute is so murky that it could apply to anything. Obviously privacy defendants would prefer that ECPA/SCA suits get screened on Article III grounds, which is why the Edwards SCOTUS case is of substantial interest to the Internet community.

As this case proceeds, it's going to fail for a long list of potential defects beyond the ones Venkat mentions, including statute of limitations/laches (after all, search engines have been putting search queries in the referral URL since the 1990s), searchers' consent (based on, say, disclosures in the privacy policy), and Google's "consent" as the presumptive recipient of the "communication" (the SCA lets either sender or recipient disclose the communication without permission from the other party). As Venkat notes, Google didn't raise these defenses yet. When Google advances those defenses, I see this lawsuit as unquestionably doomed--in a mockable kind of way--and the only bummer is that Google will have to spend more money to flatten this suit.

Finally, Google has made some technical changes that, in some cases, restrict its passing of search queries through referral URLs. Danny Sullivan's writeup of the issue from last Fall. I doubt the lawsuit will get that far, but if it does, I wonder if this development will take the wind out of the sails of any injunctive relief request. Note that while suppressing search queries in referral URLs might enhance individual searcher privacy, the loss of that information to publishers might ultimately degrade the overall ecosystem by hindering publishers' abilities to optimally respond to searchers' interests.

__________

Venkat's Surreply

After reading Eric's comments, I agree that a yikes reaction may not be warranted. Maybe this lawsuit will be swatted away in short order. I'm still curious as to how often the practice (of disclosing search queries in a way that is not sufficiently protective of user identity) occurs and whether Google has done anything to address it on the technical side. It looks like it has. This also raises the issue of whether this was mere inadvertence or something more. Feels like bad timing for bad PR on the privacy front for Google, especially when people may be looking for alternatives.

Posted by Venkat at 09:40 AM | Privacy/Security, Search Engines



March 25, 2012

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox

[Post by Venkat Balasubramani]

Sterk v. Redbox Automated Retail, LLC, No. 12-8002 (7th Cir. March 6, 2012)

The Video Privacy Protection Act prohibits the disclosure of individuals' videotape viewing habits. The statute also contains a provision requiring “providers” to purge any covered information within certain time periods (one year from when the information is no longer required for the purpose for which it was collected). Class action lawyers sharpened their knives and came after videotape service providers—in this case Redbox—arguing that Redbox did not purge the information as required under the VPPA. Redbox moved to dismiss on the basis that the provision of the statute requiring records to be purged did not provide for a private cause of action. The district court disagreed and denied Redbox’s motion to dismiss. (Here is my earlier blog post on the case: "Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records.") Redbox filed an interlocutory appeal, and with lightning-fast speed, the Seventh Circuit reversed the district court (the appeal was submitted on January 24, 2012 and the Seventh Circuit issued its order on March 6, 2012).

After slamming the VPPA drafters for sloppy drafting, the Seventh Circuit concludes that the overall statutory structure indicates that there is no private cause of action in this case. The court says the section which provides a civil cause of action appears immediately following the section which prohibits the disclosure of records and this indicates that the civil cause of action was intended to apply only to the section barring disclosure of records. Also, one of the subsections deals with the acceptance of videotape rental evidence; if the statute provides for a civil cause of action for a violation of all of the subsections (not just the subsection prohibiting disclosure), this would mean that a litigant would have a cause of action against a court for improperly receiving videotape rental records as evidence. (The district court focused on the statute's use of the word "section" as opposed to "sub-section" but Judge Posner is as dismissive of the district court's interpretation as he is of the drafters of the VPPA.)

In addition to the overall statutory structure, the court also highlights that there is no harm from wrongful retention:

Nor would it make a lot of sense to award damages for a violation of the requirement of timely destruction of personally identifiable information, in subsection (e)—the specific issue presented by this appeal. How could there be injury, unless the information, not having been destroyed, were disclosed? If, though not timely destroyed, it remained secreted in the video service provider’s files until it was destroyed, there would be no injury.

In Judge Posner's view, this is a terrible case for statutory damages in the absence of any actual injury. While other courts have held that plaintiffs proceeding under the Driver’s Privacy Protection Act need not prove actual damages in order to be entitled to statutory damages, these decisions involve “unlawful appropriation of private personal information.” Statutory damages would make sense in the event a service provider improperly disclosed the information, but according to Judge Posner, it doesn’t make much sense for the wrongful retention of information:

The injury inflicted by such a failure is enormously attenuated, and it would be no surprise if Congress had decided—as the placement of the damages section suggests—not to provide a damages remedy, let alone a damages remedy requiring no proof of injury.

The court says that plaintiffs aggrieved by a violation of the subsection requiring records to be purged should be able to enforce their rights by requesting an injunction. The court says this is a less “obviously inappropriate” form of relief and one that does not require express Congressional authorization.

__

Ouch. Another example of judicial hostility to claims made by class action privacy plaintiffs, with a focus on damages.

The court also mentions that plaintiffs added a claim for wrongful disclosure, and telegraphs the fact that in the absence of a showing of actual damages, at least this panel would view a claim for damages for violation of subsection (b)(1) (the disclosure provision) with similar skepticism.

Privacy class action plaintiffs have an uphill battle. Between Article III standing, the merits, judicial skepticism towards statutory damages, and I’m guessing a closer look at the private right of action in any newly enacted legislation, I would say that class action payouts for these types of lawsuits based on violations of federal statutes will become rarer than they already are. Were I a privacy activist, I would consider focusing my efforts on individual cases with clearly demonstrable damages, or on lobbying the companies, the public, or the FTC.

Additional coverage:

Digestible Law (Perkins Coie): "Seventh Circuit Limits Scope of Private Rights of Action under the VPPA"
InsidePrivacy: "Seventh Circuit Strikes VPPA Claim for Retention Damages"
THR, Esq. (Eriq Gardner): The Video Privacy Protection Act, or How Not to Write a Law

Posted by Venkat at 02:22 PM | Privacy/Security



March 20, 2012

Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)

By Eric Goldman

Privacy

It was a really busy two months for privacy, and I'm sorry I didn't get to grok a number of these developments in more detail!

* State AGs are unhappy with Google's privacy integration of its services, especially that it doesn't have adequate opt-outs. In fact, every regulator is unhappy about this!

* The White House's Consumer Privacy Bill of Rights

* California AG signs an agreement with various app retailers requiring that the apps they distribute display privacy policies. News.com coverage.

* Browsers are going to incorporate do-not-track options in the software (whatever do-not-track means).

* Fraley v. Facebook, 2012 WL 555071 (N.D. Cal. Feb. 21, 2012) (footnotes omitted):

the court must conclude that Fraley's legitimate desire to protect her privacy does not outweigh the relevance or propriety of Facebook proceeding to take Fraley's deposition. As Fraley herself notes in her declaration, by agreeing to be a class representative, she understood that she would have to participate in discovery and provide testimony. Although the court is sympathetic to Fraley's concerns regarding the scope and intensity of Facebook's likely scrutiny during the course of discovery and particularly in a deposition setting, these are concerns that should have been addressed earlier in the process by Plaintiffs' counsel. Moreover, Plaintiffs have not shown that Facebook's attempts at discovery have been so intrusive or inappropriate, in light of the nature of the litigation and claims at issue, as to require the protection of the court up until this point. In addition, the protective order already in place between the parties is available to Plaintiffs for the specific reason that certain information disclosed during the course of discovery is not appropriate for public dissemination. The fact that other named plaintiffs remain in the case does not render Fraley's testimony concerning her allegations to be any less relevant. If anything, the fact that Fraley may soon be dismissed from the lawsuit makes even more relevant Facebook's discovery into the basis for Fraley's allegations that will be a part of the record in this case. Even if Fraley is dismissed from the case, the court may consider the relevance of her earlier testimony to Facebook's ongoing defense

* In re Facebook Internet Tracking Litigation, 2012 WL 432607 (U.S. Jud. Pan. Mult. Lit. Feb. 8, 2012). Facebook's tracking cases are consolidated in Northern District of California.

* Netflix is paying $9M to settle its Video Privacy Protection Act (VPPA) lawsuit.

* Some interesting work from Jane Yakowitz (incoming law professor at University of Arizona):
- On the EU Data Protection Directive: More Crap From the E.U.
- Jane Yakowitz, Tragedy of the Data Commons, 25 Harv. J.L. & Tech. 1 (Fall 2011). An important reply to Paul Ohm's reidentification paper.

* How offline retailers target their consumers, with some background on the science of neuromarketing: "we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer for diapers and cribs. As long as we don’t spook her, it works." A reminder that all of the panic about online data collection may be missing the point.

* WSJ: Is Google tracking iPhone users impermissibly? Plaintiffs' lawyers have already filed multiple suits.

* Gaos v. Google, Inc., 2011 WL 7295480 (N.D. Cal. April 7, 2011). This one just came through Westlaw. Court dismissed a privacy lawsuit over Google including search terms in referral URLs on Article III grounds.

* In re Indiana Newspapers Inc., 2012 WL 540796 (Ind. App. Ct. Feb. 21, 2012). "Under our Shield Law, we hold that an anonymous person who comments on an already-published online story and whose comment was not used by the news organization in carrying out its newsgathering and reporting function cannot be considered ‘the source of any information procured or obtained in the course of the person's employment or representation of a newspaper.’"

* Red Tape: Govt. agencies, colleges demand applicants' Facebook passwords.

General

* Economists adopt a conflicts-of-interest statement for their academic publications. Law professors desperately need an equivalent.

* Smith v. eBay Corp., 2012 WL 27718 (N.D. Cal. Jan. 5, 2012): antitrust claim against eBay for tying PayPal with eBay's auction fees partially survives motion to dismiss.

* BNA (unfortunately paywalled) previews some of the key cases pending at federal appellate courts that might produce an opinion in 2012. The list includes:

- Viacom Int'l Inc. v. YouTube LLC, No. 10-32780 (2d Cir.)
- Capitol Records Inc. v. Thomas-Rasset, No. 11-2820 (8th Cir.)
- Flava Works v. Gunter d/b/a myVidster.com, No. 11-3190 (7th Cir.)
- Righthaven LLC v. Hoehn, No. 11-16751 (9th Cir.)
- United States v. Nosal, No. 10-10038 (9th Cir.)
- Rosetta Stone Ltd. v. Google Inc., No. 10-2007 (4th Cir.)
- Cohen v. Facebook, No. 11-17840 (9th Cir.)
- Stayart v. Google Inc., No. 11-3012 (7th Cir.)

Others include Graf v. Zynga, Levitt v. Yelp, Parisi v. Sinclair, Jones v. Dirty World and Maximized Living v. Google.

* Universal Grading Service v. eBay, Inc., 2012 WL 70644 (N.D. Cal. Jan. 9, 2012). Another antitrust lawsuit against eBay dismissed, this time involving eBay's use of third party coin grading services. This case has been appealed to the Ninth Circuit.

* WSJ on fine print in consumer contracts.

* NYT: Young, in Love and Sharing Everything, Including a Password. A spectacularly bad idea. Famous last words: “I know he’d never do anything to hurt my reputation.” An adult is quoted: “I’ve known plenty of couples who have shared passwords, and not a single one has not regretted it.”

* Burgess v. eBay appealed.

* Only 20% like Facebook's new Timeline. I'm holding out as long as I can.

* LA Weekly: A gentleman's hypersensitivity to how his name is spelled + a law degree = recipe for disaster.

* William Mitchell Law Review had a symposium issue on Contemporary Issues in Cyberlaw. I've posted the published version of my essay "Revisiting Search Engine Bias" on Google & antitrust issues.

* Ceglia v. Zuckerberg, 2012 WL 503810 (W.D.N.Y. February 14, 2012). "Defendants are awarded in connection with their Accelerated Motion to Compel $75,776.70 in attorney's fees, and are also entitled to an award of costs, including attorney's fees, incurred preparing and defending the Fee Application, but Defendants' request for an order prohibiting Plaintiff from filing any papers in support of this action until such fees are paid is DENIED."

Posted by Eric at 04:25 PM | Privacy/Security | TrackBack



March 17, 2012

Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation

[Post by Venkat Balasubramani]

In re Jiffy Lube International, Inc., Text Spam Litigation, 11-md-2261-JM-JMA (N.D. Cal.; Mar. 9, 2012)

Plaintiffs filed a class action against Jiffy Lube (more precisely, a multi-location franchisee, Heartland Automotive Services) and TextMarks alleging TCPA violations based on text messages sent by TextMarks on behalf of Jiffy Lube:

JIFFY LUBE CUSTOMERS 1 TIME OFFER:REPLY Y TO JOIN OUR ECLUB FOR 45% OFF A SIGNATURE SERVICE OILCHANGE! STOP TO UNSUB MSG&DATA RATES MAY APPLY T&C:JIFFYTOS.COM.

The court denies Heartland’s motion to dismiss. The big takeaway from the order is that text message-based marketing is something that companies often screw up, and these screw-ups end up being costly. Given the draconian provisions of the TCPA (statutory damages, stringent consent provision, no free pass for the initial message, and liability for any unsolicited message that is sent with certain equipment), rulings like these make me think companies should consider avoiding text message-based marketing altogether.

TCPA Provides for Derivative Liability:

Heartland’s first argument was that it should not be held liable because it did not actually send out the text messages (TextMarks did). The court cites to Satterfield v. Simon & Schuster and notes that the Ninth Circuit had no problem imposing liability on Simon & Schuster despite the fact that Simon & Schuster did not physically send the messages. The court also cites to an unsolicited fax case for the proposition that “congressional tort actions implicitly include the doctrine of vicarious liability.” If advertisers were allowed to escape liability by not actually sending the messages, this would allow advertisers to make an end-run around the TCPA’s prohibitions.

Heartland also argued that plaintiffs failed to sufficiently plead vicarious liability, but the court says that plaintiffs’ allegation that Heartland "engaged TextMarks to send the messages" is sufficient.

Plaintiffs’ Prior Consent:

Heartland produced invoices and sought to rely on the invoices to demonstrate that plaintiffs consented to receive the messages. The court rejects Heartland’s request that the court take judicial notice of the invoices, saying they stand for the opposite of what plaintiffs allege in their complaint. The invoices are not central to plaintiffs’ claims; therefore, they are not properly the subject of judicial notice in the same way that contractual terms—which the plaintiff relies on in the complaint—are. In passing, the court expresses skepticism as to whether the invoices would satisfy the TCPA's strict consent requirements.

Were the Messages Sent Using an Auto-Dialer:

The TCPA only imposes liability for text messages that are sent using equipment that has the capacity to store or produce random numbers. Heartland argued that plaintiffs should only be permitted to allege the use of an auto-dialer on information and belief if (1) the content of the message was impersonal, and (2) the text message was sent by a specific SMS short code. I think what Heartland is trying to argue is that only if the text messages bear indicia of being transmitted en masse should a TCPA plaintiff be entitled to allege the use of an auto-dialer on information and belief. The court rejects this, noting that in Satterfield v. Simon & Schuster the Ninth Circuit only required that the equipment at issue have “the capacity” to store or produce numbers using a random or sequential number generator. Under Satterfield, it does not matter whether this capability was actually used to send the messages.

First Amendment Challenge:

Heartland also brings a First Amendment challenge, arguing that the broad definition of auto-dialer would mean that friends who text each other dinner invitations could incur TCPA liability, and this would render the statute overbroad. As expected, this argument doesn’t get much traction with the court. The court says that the statute is intended to protect consumers against the costs and privacy invasions that accompany unsolicited text messages, and regulating texts sent through auto-dialers adequately serves this interest. The court also says that the prospect of friends incurring liability under the TCPA for texting each other dinner invitations is fairly remote. At worst, this type of a text message lies at the fringe of the statute and thus the statute does not suffer from overbreadth issues.

Plaintiffs Cannot Be Compelled to Arbitrate Their Claims:

Heartland finally argued that one of the plaintiffs who signed an agreement with Jiffy Lube (and other class members who fell into the same category) should be required to arbitrate their dispute. This plaintiff entered into an agreement while obtaining services at Jiffy Lube which contained the following provision:

[the parties] agree that any and all disputes, controversies or claims between Jiffy Lube and [the customer] (including breach of warranty, contract, tort or any other claim) will be resolved by mandatory arbitration according to the terms of this Mandatory Arbitration Agreement (“Agreement”), except that any such dispute can be resolved by a small claims court if and for so long as the dispute is within its jurisdiction. By this Agreement, Jiffy Lube and [customer] also agree to only bring disputes against each other in an individual capacity and not as a class representative or class member and waive the right to a jury trial.

The court says the arbitration language is “incredibly broad,” and application of the clause to disputes unrelated to the contract would raise conscionability issues. The court cites to a Judge Posner opinion and concludes that if enforced as drafted, “absurd results would ensue.” Heartland asked the court to construe it narrowly but the court declines, saying it is not authorized to do so. Even if the clause were construed to be limited to disputes “arising out of or relating” to the contract, the court says that the TCPA claims would not fall within the clause.
__

As mentioned above, text message litigation has been brutal for marketers and advertisers, and this decision is no different. (Liability for spam email, in contrast, has been much more limited.) To my knowledge, the issue of derivative liability hasn't been squarely argued by a TCPA defendant, but decisions have implicitly recognized that the TCPA provides for derivative liability in rejecting the requests to dismiss filed by advertisers who did not transmit the messages in question. From that standpoint, the ruling is not significant, but it is still worth noting.

Outsourcing your text message-based marketing was a risky proposition to start with, and because this decision squarely allows for derivative liability (albeit under somewhat vague standards), it is now an even riskier one. Marketers may labor under the perception that the initial text message is a freebie (from a liability standpoint) and that including an opt-out from receiving future texts absolves the marketer or advertiser from liability under the TCPA. It's worth repeating that this is not the case.

Previous posts:

"Group Text Services Grapple with TCPA Class Actions"
"Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank"
"Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc."
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."
"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"
"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"

Posted by Venkat at 08:46 AM | Derivative Liability , Marketing , Privacy/Security , Spam



March 07, 2012

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[Post by Venkat Balasubramani]

In re Facebook Privacy Litigation, 10-02389 (N.D. Cal.; Nov. 22, 2011)

In re Zynga Privacy Litigation, 10-04680 (N.D. Cal.; Nov. 22, 2011)

These decisions are several months old, but they remain worth mentioning despite the fact they are well past their "blog-by" date. The court recently rejected plaintiffs’ motion to amend the judgment as to Facebook, so the cases are still active.

Facebook and Zynga scored an initial win last May against putative class action claims arising out of alleged data leakage from Facebook to its advertisers. The court expressed some skepticism about plaintiffs’ claims but gave plaintiffs a chance to amend their complaint. My blog post on the court’s earlier ruling: “Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation.” This time around the court grants Facebook’s and Zynga’s motions to dismiss with prejudice. Plaintiffs appealed the ruling in the Zynga case to the Ninth Circuit. (See the link to the Justia page.) With respect to the Facebook dismissal, plaintiffs asked the court to amend or alter the judgment, but the court refused this request.

Claims Against Facebook

Stored Communications Act

On the Stored Communications Act claim, the court says that the complaint contains inconsistent allegations regarding whether the communications in question were requests to connect to specific advertisements or whether Facebook acted as a “remote computing service” provider under the SCA:

On the one hand, Plaintiffs allege that the communications at issue in this case were requests to be connected to specific advertisements; that the requests were addressed to advertisers; and that Defendant merely acted as the "intermediary" for those communications.... On the other hand, Plaintiffs contend that Defendant acted as [a remote computing service ("RCS")] provider for purposes of Plaintiffs' claim under the SCA....

Analyzing claims under this statute leaves my head spinning, but the court ruling looks similar to its earlier conclusion (and reminds me of the court's analysis in the DoubleClick case). Suffice it to say that the court was not excited about plaintiffs' claims either the first or the second (or third) time around. Plaintiffs sought to further detail their claims in their request to amend the court's judgment, but the court says no to this. Whatever the merits of the plaintiffs' SCA claims, their pleadings were not apparently a model of clarity.

California Penal Code sec. 502

This statute creates a cause of action against someone who introduces a “computer contaminant” into the plaintiff’s computer or computer system. Plaintiffs' own allegations admitted that the “referrer header” (which plaintiffs allege Facebook improperly disclosed to advertisers) is a “standard web browser function provided by web browsers since . . . 1996.” The court says that this admission dooms plaintiffs' claims under section 502, since any allegedly improper transmission occurred as a result of the browser’s “normal operation” rather than any contaminant allegedly introduced by Facebook. (See also Amazon v. Del Vecchio.) Section 502 was the same section Facebook relied on when it sued Power.com, although Facebook relied on a different part of the statute. The blowback did not materialize in this case, in part for that very reason, but it made me think of Eric’s frequent admonition about considering blowback from overzealous enforcement efforts.

Breach of Contract and Fraud

Plaintiffs sought to rely on the “personal information as property” theory to support their breach of contract claim. The court squarely rejects this argument. The court also rejects the fraud claim for lack of damages.

Claims Against Zynga

The court resolved the Stored Communications Act claim against Zynga on the same basis as the claim against Facebook. Plaintiffs’ breach of contract claim against Zynga also suffered the same fate as the breach of contract claim against Facebook. With respect to Zynga, plaintiffs alleged that they were paying customers, but the court finds that any payments by plaintiffs were in exchange for virtual currency, and plaintiffs failed to allege that they did not receive the virtual currency which they paid for. Thus, the fact that plaintiffs were paying customers does not change the analysis. Plaintiffs also brought a breach of good faith claim against Zynga, but the court finds that these were merely re-packaged breach of contract claims and suffered from the same deficiencies.
__

It’s worth distinguishing data leakage claims from claims where Facebook is allegedly using likenesses or photographs of end users to promote itself or products or services. (See Eric’s discussion of Fraley v. Facebook: Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook.) These claims have a much greater chance of proceeding, even if they do not succeed on the merits.

Unlike publicity rights claims, data leakage claims have routinely been kicked out of court, whether on the basis of standing or on the merits. Even appeals courts have been unfriendly towards these claims. I thought that the latest wave of privacy lawsuits could end up being salvaged or revived by a friendly appeals court decision, but I’m starting to think the chances of this are slim.

You have to give Facebook credit for staving off the numerous privacy lawsuits. Other than the Beacon lawsuit (the settlement approval of which is still on appeal to the 9th Circuit) and the publicity rights lawsuit which Eric blogged about in December, there have not been any other privacy plaintiff wins against Facebook. Maybe people should consider taking Facebook to small claims court? On the other hand, if they have been unable to get traction in different courts with different versions of their claims, this is a strong indicator that there's no "there" there. It seems like Facebook is fast and loose with its privacy practices, but it's another matter entirely as to whether Facebook's practices create liability under existing statutes. Of course, Facebook will still have to deal with the watchful eye of the FTC, but enforcement efforts by private plaintiffs look like a dead end.

Posted by Venkat at 09:05 AM | Licensing/Contracts , Privacy/Security , Trespass to Chattels



February 29, 2012

Healthcare Data Breach Victims' Lawsuit Tossed When They Can't Show Harm--Paul v. Providence

By Eric Goldman

Paul v. Providence Health Systems--Oregon, SC S059131 (Ore. Sup. Ct. Feb. 24, 2012)

A Providence employee left disks/tapes containing records for 365,000 patients in his/her car, and they were stolen. The opinion implicitly assumes that the data wasn't encrypted. The opinion doesn't explain why the employee had unencrypted patient data for a third of a million people lying around in a car. Unlike a deliberate security intrusion, there's no evidence that the thief sought the data or had criminal intent towards the data.

Nevertheless, the Oregon Attorney General couldn't ignore a data loss of this magnitude/ineptitude, and Providence settled with the AG by agreeing:

to contract with a credit monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million.

Apparently, the AG's deal wasn't good enough for the privacy plaintiffs' bar (at least, not for their personal fortunes), because 6 years after the settlement--the breach occurred in 2005; the AG settlement in 2006--the Oregon Supreme Court finally kiboshed the class action lawsuit.

The plaintiffs marshaled the following statements of loss:

* "financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft"
* "noneconomic damages for the emotional distress caused by the theft of the records and attendant worry over possible identity theft"

However, the plaintiffs had to contend with the following facts:

* the AG settlement already provided some meaningful relief to affected patients, including some credit monitoring and a promise to financially compensate patients for adverse data misuse
* there was no evidence that any patient had suffered any financial loss or other adverse consequence due to the data loss. Indeed, there's no evidence that anyone had ever accessed the data on the disks/tapes (the court says doing so would require "specialized equipment").

The latter bullet point proves to be fatal to the plaintiffs' claims for common law negligence and the Oregon consumer protection act. Under both doctrines, the plaintiffs didn't allege a legally cognizable loss. The economic losses alleged by plaintiffs are simply mitigation steps to reduce the risk of future harm, and negligence law doesn't recognize these anticipatory steps:

the cost of credit monitoring that results...from the risk of possible future harm...is insufficient to state a negligence claim

Citing (among others) the Third Circuit's Reilly case and Ruiz v. Gap, the court continues:

Every court that has addressed damage claims for credit monitoring following the theft of computer records containing personal information -- but no wrongful use of that information -- has reached a similar conclusion.

The Ninth Circuit's Krottner v. Starbucks opinion doesn't get a mention, but it supports this outcome too. The court distinguished the First Circuit's Hannaford case on the basis that some data breach victims had actually experienced bogus credit card charges.

The nonfinancial harm allegations don't fare any better. Citing (among others) the Reilly, Amburgy and Pinero cases, the court summarizes:

We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm.

Just to clarify, the court dismissed the claims based on the substantive elements, not on standing grounds. Article III standing doesn't apply given this was in state court. However, this ruling is consistent with the numerous cases dismissing data breach claims on Article III grounds.

I'd like to think we're nearing the tail end of data breach lawsuits like this where, irrespective of the data holder's malfeasance, nothing bad actually happened to the victims or (at this late date) is likely to happen. The plaintiffs' lawyers who brought this claim might be partially excused for their optimism because they filed the case so long ago, when it wasn't totally clear they would lose. Newly filed lawsuits can't claim that excuse. Going forward, I hope plaintiffs' lawyers are getting the very clear message from the courts: Make sure you have at least one truly injured data breach victim, or don't waste your time and money.

More of our extensive coverage of this topic.

Posted by Eric at 11:55 AM | Privacy/Security | TrackBack



February 28, 2012

Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark

By Eric Goldman

Steinberg v. CVS Caremark Corp., 2012 WL 507807 (E.D. Pa. Feb. 16, 2012)

CVS Caremark provided consumer data to pharma companies and data brokers. The plaintiffs alleged that the data transfers violated CVS's privacy policies, but CVS apparently disclosed only "de-identified" data as contemplated by HIPAA. Plaintiffs couldn't sue under HIPAA, both because CVS complied with HIPAA and because HIPAA doesn't enable a private cause of action for these violations. Although these facts implicate Sorrell v. IMS, that case didn't come up because the plaintiffs didn't sue under an analogous statute specifically governing pharmaceutical data transfers.

Instead, the plaintiffs sued under Pennsylvania's consumer protection act, claiming that CVS made material misrepresentations in its privacy policies about its data handling. The court dismisses the suit--with prejudice!--on two principal grounds.

First, it says that CVS told the truth in its privacy policies:

The plaintiffs do not allege that the defendants disclose Protected Health Information to third parties. Rather, they disclose de-identified information, which (a) federal regulations do not prohibit; and (b) is consistent with the defendants' statements that they safeguard information that "may identify" consumers.

To salvage the situation, the plaintiffs' lawyer tried to argue that the de-identified information could be re-identified by recipients, but apparently the plaintiffs' lawyer couldn't make the argument very cogently:

Although they admit that the information the defendants disclose to third parties is de-identified within the meaning of HIPAA, the plaintiffs have argued that it can be "re-identified." There is no such contention in the CAC, and plaintiffs' counsel admitted that the basis for such an argument comes from a single journal article and would take the form of expert testimony that a re-identification risk exists with respect to de-identified information generally, not as to the plaintiffs in this case.

It seems pretty clear that the lawyer didn't fully understand re-identification--at least, not well enough to explain how it might trump CVS's privacy promises. Thus, the court never really gets to the merits of the re-identification theory, but clearly it did not pique the judge's interest. Presumably the "single journal article" referenced is Paul Ohm's Broken Promises of Privacy article. Looks like Paul missed out on a potentially lucrative expert gig.

Second, the court rejects the consumer protection claim on two different standing grounds:

1) the named plaintiff didn't suffer any cognizable loss. The best the plaintiffs' lawyer could do was claim "the loss of the value of his demographic information, or the loss of an opportunity to pay less for his prescriptions with the understanding that the defendants would be profiting from the sale of his information." These types of losses have flopped repeatedly before, and they do so again (citing, among others, LaCourt, JetBlue and Low v. LinkedIn).

2) the named plaintiff didn't allege justifiable reliance on CVS's representations. To get around this specific requirement in Pennsylvania law, Plaintiffs tried to allege that CVS was a fiduciary; that goes nowhere.

The unjust enrichment claim fails because there was no expectation that the information provided to CVS would be compensated. The intrusion into seclusion claim fails because the plaintiffs voluntarily provided their data to CVS.

As we've already seen, privacy plaintiffs' lawyers are avid readers of the privacy scholarly literature, looking for new theories to help them grind their axes. Privacy scholars should be gratified by this practitioner attention. As we know, most law review articles never get read (my mom won't even read mine). As this case illustrates, privacy plaintiffs' lawyers may build their entire cases around the academic literature. Personally, I think this fact means privacy scholars need to ensure that their articles are ready for the rough-and-tumble world of profit-seeking class action litigation. It would be irresponsible for a privacy scholar to toss out a half-baked academic thought about new ways of suing over privacy, knowing that the plaintiffs' bar is looking for fresh meat--anything--to get past 12(b)(6) motions irrespective of the case's true merit. I'm not accusing Paul Ohm's article of being half-baked (far from it, it's one of the most interesting articles I've read in years); but I couldn't be as complimentary towards some of the other privacy scholarship I see, and I hope the thought of being potentially responsible for lots of wasted litigation activity will encourage all privacy scholars to honestly reflect on the social merits of their arguments.

Although the re-identification theory doesn't go anywhere in this case, arguably CVS dodged a bullet. Ever since I read Paul's paper, I have been recommending that companies stop making PII/non-PII distinctions in their privacy policies. It was instantly clear to me from reading Paul's paper that plaintiffs could attack a privacy policy's promise not to disclose "PII" using a reidentification theory because we don't reliably know which bits of data can be used to uniquely identify individuals. Indeed, the language CVS used (it wouldn't disclose information that "may identify" consumers) was especially dangerous, because any bit of information, in combination with the right set of other data, has the theoretical capacity to uniquely identify individuals. The plaintiffs' lawyer in this case was sniffing around the issue but didn't nail it; but other cases--especially after goofy rulings like Pineda treating zip codes as PII--will raise the issue better and pose significant danger to defendants. This case is a warning sign that CVS, and everyone else, should carefully reexamine the PII/non-PII distinctions in their privacy policies.

Posted by Eric at 11:57 AM | Licensing/Contracts , Privacy/Security , Publicity/Privacy Rights | TrackBack



February 24, 2012

RadioShack May Be Liable for Accessing Images from Recycled Customer Cellphone -- Steele v. RadioShack

[Post by Venkat Balasubramani]

Steele v. RadioShack Corp., 11-14021 (E.D. Mich.; Feb. 3, 2012)

Steele bought a new phone at RadioShack, after which a RadioShack employee transferred the data from Steele’s old phone to his new one. Steele also left his old phone at RadioShack for recycling. After Steele left, RadioShack accessed his old phone and viewed personal information, including photographs which Steele took at his worksite. RadioShack forwarded these photos to Steele’s employer. As a result, Steele was fired.

The parties' arguments are muddled, and the court expresses its displeasure at the “inaccurate, insufficient, and jumbled arguments from both sides.” Steele at least brought a claim for common law intrusion into seclusion, which required him to show (1) the existence of private and secret subject matter; (2) that the plaintiff had a right to keep private; and (3) access of the information by defendant through means objectionable to a reasonable person.

The court focuses on the second and third elements, finding that RadioShack did not raise the first element sufficiently in its initial moving papers. As to the second element, RadioShack appeared to argue that giving the phone to RadioShack for recycling somehow terminated Steele’s right to keep the information private, but the court rejects this argument:

[RadioShack’s argument] is illogical – it says that a customer has no right to keep personal information private once he allows RadioShack access to it during the course of business. If this court embraces this argument, then RadioShack would not have any liability for disclosing personal credit card information it obtained while processing a sale. Customers routinely give personal information in order to process transactions – information that they would expect to be disposed of and kept private, not distributed to whomever the store feels like giving it to.

RadioShack also argued that Steele fails to satisfy the third element (that the information was accessed in a way that was offensive to the reasonable person). The court rejects this argument as well, noting that a reasonable person who gave his or her cellular phone to someone with the understanding that the device would be destroyed or recycled does not consent to access of the personal information on the device. The court says that this is a question for the jury and not amenable to resolution at the motion to dismiss stage.
__

In contrast to the privacy tracking lawsuits, the plaintiff in this case alleges that his private information was actually disclosed to a third party and ended up causing him harm. The case brought to mind other cases where customer information was not properly disposed of: Pinero v. Jackson Hewitt and Putnam Bank v. Ikon Office Solutions. In both of those cases the claims failed for lack of out-of-pocket loss or even actual disclosure of the data to third parties. Here, the plaintiff alleged both of these things.

I'm surprised RadioShack made the argument that something in its privacy policy absolved it from claims that it improperly disclosed information. Even if its policy contained a provision absolving RadioShack from improperly accessing information, I wonder how RadioShack will show that Steele agreed to the terms prior to turning in his cell phone. (See Kwan v. Clearwire for a discussion of Clearwire's difficulties in enforcing terms of service for equipment and internet services. RadioShack will likely have an even more difficult time than Clearwire.) I would imagine RadioShack will end up writing a check. It's just a question of how much.

Posted by Venkat at 09:40 AM | Privacy/Security



February 22, 2012

Courts Continue to Grapple with Discovery Disputes Around Social Networking Evidence

[Post by Venkat Balasubramani]

Tompkins v. Detroit Metro Airport, 10-10413 (E.D. Mich.; Jan. 18, 2012)

This is a slip and fall case where the plaintiff alleges that injuries she suffered at Detroit’s Metro airport affected her quality of life and ability to work. Defendant asked plaintiff to release her medical records and records from her Facebook account. She refused as to the Facebook account, arguing that the private portions of her account should not be turned over in discovery.

The court says (citing to McMillen v. Hummingbird and Romano v. Steelcase) that there’s no privilege as to information contained in social networking accounts. Access to this information by an opponent in litigation is governed by traditional discovery principles. The court notes that in both Romano and McMillen the plaintiffs made injury claims that were inconsistent with information contained in the public portions of their social networking accounts. The court says that while there is no privilege protecting private (or quasi-private) information in a social networking account, “the [d]efendant does not have a generalized right to rummage at will through information that [p]laintiff has limited from public view.” The court says there has to be a threshold showing that “the requested information is likely to lead to the discovery of admissible evidence.” [Translation: a standard argument in every personal injury case that the plaintiff must have posted pictures of herself frolicking on the beach will not fly.]

Here, defendant argued that the public postings and surveillance photographs satisfied this standard. The court says no. The picture of plaintiff holding a “very small dog and smiling” is not inconsistent with plaintiff’s claims of being injured. (“The dog in the photograph appears to weigh no more than five pounds and could be lifted with minimal effort.”) The surveillance photograph showing plaintiff pushing a grocery cart similarly is not inconsistent with plaintiff’s claim of being injured. The court rejects defendant’s attempt to access the private portion of plaintiff’s Facebook account:

If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account. But based on what has been provided to this Court, Defendant has not made a sufficient predicate showing that the material it seeks is reasonably calculated to lead to the discovery of admissible evidence.

The court also says that the request for the entirety of the account will sweep in information that is in no way relevant to the case and is thus overly broad.

Davenport v. State Farm Mutual Auto Ins., 2012 U.S. Dist. LEXIS 20944 (M.D. Fla; Feb. 21, 2012)

Here, the insurance company defendant sent a request to plaintiff seeking all photographs posted to social networking sites, whether posted by plaintiff or by a third party. As in Tompkins, the court says there’s no special privilege that attaches to social networking content, but the rules of discovery limit an opponent’s ability to request this information.

Plaintiff proposed that she be required to produce only photographs taken by her that depict her. She says the photos she has been “tagged” in do not satisfy the Rule 26 relevance standard, but the court disagrees. The court says plaintiff has to produce all photographs which depict her, whether she posted them or she had been tagged in the picture. The court does limit this by saying the default discovery rules only require a party to produce information that is within the party’s “possession, custody, or control.” The court says this “likely” means that plaintiff will “need to produce only photographs that she posted or in which she was tagged.” The court does not offer any additional details on whether material posted to a social networking site is still within that party’s “possession, custody, or control.”

Separately, defendant had asked to inspect any devices used to post any material to social networking sites, but the court shoots this down.
__

Courts are really all over the place on issues relating to the discovery of information posted to social networks. The decisions grapple with (but none coherently address) the following issues:

• whether any of the communications are covered under the Stored Communications Act and how this affects discoverability;
• whether an opponent can obtain direct access to a non-party's or witness's social networking site (several decisions have ordered password swaps, waivers, or in-camera reviews);
• whether the discovery request should be directed to the social network directly or to the party whose information is sought;
• what threshold showing is required from a party seeking discovery;
• whether information posted to a social networking site is within the control, possession or custody of the party who posted it (for purposes of Rule 26).

Courts appear perfectly willing to smack down discovery requests that overreach, but continue to struggle with finding a balance and dealing with the logistical issues inherent in these types of discovery disputes.

Previous posts:

Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed

Posted by Venkat at 12:33 PM | Evidence/Discovery , Privacy/Security



February 21, 2012

Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures

[Post by Venkat Balasubramani, with comments from Eric]

Facebook, Inc. v. Power Ventures, Inc., et al., C 08-05780 JW (N.D. Cal.; Feb. 16, 2012)

The long-running dispute between Facebook and Power Ventures came to a close last week, with Judge Ware granting Facebook’s motion for summary judgment on Facebook's claims under CAN-SPAM, California Penal Code section 502, and the Computer Fraud and Abuse Act. The power.com domain name went up for auction in 2011 and it appears that the domain name was not owned by Power Ventures, the defendant in this lawsuit. The court deferred ruling on the liability of individual defendant Steve Vachani. [Update: see an update below regarding the ownership of the domain name and its relationship to this dispute.]

Facebook alleged that Power Ventures allowed Power.com users to access their Facebook profiles through Power.com’s interface, and also induced its users to send emails to other Facebook users telling them to try out Power.com. The specifics of how Power Ventures' conduct differed from that of other Facebook apps aren't entirely clear, although it is clear that Power Ventures did not participate in Facebook’s authorized developer program, and Facebook undertook some technical efforts to prevent the access of Facebook by Power Ventures and Power.com users. As with the enforcement efforts of many networks, Facebook’s approach here raises some questions as to how courts will view other similar efforts of people who are a part of the Facebook ecosystem. The big question Professor Goldman always raises--and I think is relevant here--is to what extent there may be blowback from this ruling to Facebook (or its partners) in other cases. The case also raised data portability issues and issues relating to the scope of California Penal Code section 502. Likely for this reason, EFF participated as an amicus.

CAN-SPAM

Standing: The first question regarding Facebook’s CAN-SPAM claims was whether Facebook had standing to sue. Citing Gordon v. Virtumundo, the court says that Facebook has standing under CAN-SPAM to the extent it can show that it suffered harm that is of the type “uniquely encountered by” providers of internet access services. Virtumundo said end users don’t have standing under CAN-SPAM, and end users cannot manufacture standing by casting themselves as ISPs. The plaintiff in that case signed up for hosting services provided by third parties and did not suffer any particular “adverse effects” from the spam, other than the annoyance of having to delete it. Here the court says that the evidence produced by Facebook demonstrates that it suffered unique adverse effects as an ISP: (1) Power.com users sent approximately 60,000 emails, and (2) Facebook undertook specific efforts to stop these emails. (The evidence offered by Facebook seemed equivocal as to whether it was directed to stopping unwanted communications from Power.com end users or whether Facebook was concerned with restricting Power Ventures' access of Facebook's networks. Facebook's enforcement efforts spilled over into both categories, but the evidence seemed more suited to a Computer Fraud and Abuse Act claim than a CAN-SPAM claim.)

Did Power Ventures ‘Initiate’ the Messages: CAN-SPAM defines "initiate" to include those who “originate or transit” a message, or “procure” its origination or transmission. Routine conveyance of a message is excluded from the definition of initiate. Facebook argued that Power Ventures initiated the messages because it ran a contest for Power.com users signing up their Facebook friends (if you signed up more than 100 users, Power Ventures would pay you $100). The court concludes that this inducement is sufficient to categorize Power Ventures as one of those who “initiated” the messages, even though end users selected which friends would be emailed, and Facebook’s servers filled in the header information when the user requested an email to be sent.

Were the Emails Misleading: The final question with respect to the CAN-SPAM claims was whether the messages were misleading in any way. Power Ventures understandably argued that the messages were sent through Facebook, came from a Facebookmail.com email address, and therefore the messages could not contain any misleading header information. Power Ventures also argued that the text of the messages contained information about Power.com, and Power Ventures could not have changed the headers of the emails because it did not have any control over the headers. The court says all of this is irrelevant:

[the] emails did not contain any return address, or any address anywhere in the e-mail, that would allow a recipient to respond to [Power Ventures]. Thus, as the header information does not accurately identify the party that actually initiated the e-mail within the meaning of [CAN-SPAM], the Court finds that the header information is materially misleading as to who initiated the email.

Whoa. The court does not cite to Mummagraphics, where the 4th Circuit rejected the same basic argument. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.") Mummagraphics' key holding is that in order to be actionable, an email header must be materially misleading, and if the recipient would reasonably know where the email was coming from then there should be no CAN-SPAM violation. Here the emails were sent through Facebook's platform by end users, so Power Ventures has an even better argument than the defendant in Mummagraphics that the header information was not misleading.

California Penal Code Section 502

On the Section 502 issue, the court already ruled that access to a network in violation of the terms of use alone does not support a claim for unauthorized access under section 502, but access in circumvention of a “technical or code-based barrier” is enough. The court grants Facebook summary judgment on its claim under this statute. Although Power Ventures did not react to any particular measures and circumvent them, the software Power Ventures used to access Facebook’s site was designed to evade IP address blocks. Facebook also put forth a damning email from Power Ventures' founder that indicated awareness of the general need to access third party sites in a way that avoids IP address blocks:

We also need to do some planning to make sure we [access data from Orkut] in a way where we are not really detected. Possible rotating IP’s or something. Don’t really understand this too well. . . . . We need to plan this very carefully since we will have only one chance to do it.

[Ouch!] In granting summary judgment, the court says there is no reason “to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”

Computer Fraud and Abuse Act Claim

The court also grants summary judgment on the Computer Fraud and Abuse Act claim, finding that the access of Facebook’s servers by Power Ventures was “without authorization,” and Facebook satisfies the $5,000 damage threshold.
__

This case looked like it was teed up to highlight a data portability issue and the question of whether Facebook can keep third parties who don’t go through its authorized developer channels but who act at the request of end users out of its network. The court’s decision gives short shrift to both of those issues. There is probably not much precedent to the contrary (if any), but Power Ventures' access of “information” from Facebook’s servers was ostensibly done at the request of Facebook end users, and the information that Power Ventures extracted was the contact information (friend lists) of Facebook end users. Thus, Facebook's allegations regarding Power Ventures' actions shouldn't in theory come within the Computer Fraud and Abuse Act. True, there were some additional facts which made Power Ventures' arguments tougher from an optics standpoint, but the end result is that if users want to access data, they have to do so on Facebook’s terms, and may not do so using a third party tool that is not a part of Facebook’s developer platform. (To my knowledge, the Computer Fraud and Abuse Act as written does not look to whose data is accessed, so the statute allows the result achieved by Facebook in this case.)

The CAN-SPAM ruling is remarkable--and screwy--on a number of levels. Several courts have ruled that emails sent through networks (such as MySpace or Facebook) are covered by CAN-SPAM, but those decisions did not confront the practical issue of how an emailer can comply with CAN-SPAM with respect to emails that are sent by an end user via a network such as Facebook--i.e., where those who "initiate" a message cannot alter the content of the messages. (See "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty.") I wonder whether Facebook considered the practical aspects of this ruling: retailers who send messages through Facebook are not CAN-SPAM compliant! End users don’t have standing to sue, but retailers and companies who induce end users to send messages through their friends can be considered to "initiate" these messages, and under the court’s ruling, since the messages come from Facebook (via facebookmail.com) and do not contain the retailer's header information, these messages are materially misleading under CAN-SPAM.

Update: I originally speculated whether Facebook would try to go after the power.com domain name or the proceeds of the auction. Via email, Scott Smith, the CEO of RokME Inc., who is brokering the sale of the power.com domain name, reminded me that the power.com domain name was leased to Power Ventures and therefore the domain name is not a part of this dispute:

Several years ago Power Assist Inc. the owner of Power.com leased the domain to Power Ventures Inc. During the course of the lease Power Ventures Inc. operated Power.com as a social network aggregation site and did some things that Facebook disagreed with. At that time Facebook sued Power Ventures Inc. and by association, Power.com was noted in the filings. That is the only connection.

The lease on the domain Power.com ended last February. Once the lease ended the owner was free of any further obligations and decided to sell the domain. My company - RokMe Inc. was hired to broker the sale. . . .

Since that time there has been no connection with Power Ventures Inc. or its owner Steve Vachani. It has taken this long for the case to wind its way through the courts and because of the earlier association, the domain Power.com was unfortunately caught up in the web of their legal wrangling.

_____

Eric's Comments

Ugh. Bad facts make bad law, and this case has plenty of badness to go around. Power Ventures was a lousy poster child for a test case on data liberation. Yet, the court's results are troubling for everyone--including Facebook!--and I can only hope future courts recognize the opinion's goofiness when deciding whether to accord it any weight.

The CAN-SPAM ruling is the most troubling. Running through the elements tendentiously, the judge finds a technical violation of the CAN-SPAM elements, but this element-by-element review leads to a tone-deaf outcome overall. Stripping away the detail, users were using Facebook's messaging tools to talk with each other. Sure, Power Ventures was interested in that conversation and facilitated it in a number of ways, but calling Power Ventures a spammer because users talked to other users is baffling. It's a little like the misguided underpinnings of the FTC Endorsement and Testimonial Guidelines; this case similarly treats Power Ventures like an "advertiser" and thus makes it liable for how users talked to each other. Huh?

As Venkat points out regarding retailers, this ruling could set up other Facebook users for a similar fate if they get Facebook users to use Facebook's native tools to talk to each other. This could be counterproductive for Facebook's long-term interests if businesses (and others) start to fear that Facebook now has the discretion to sue them as a spammer whenever it wants.

Similarly counterproductive to Facebook's interests are the expansive interpretations of the CFAA and Penal Code 502. Facebook grabs a lot of content from third parties without permission--for example, every time a user posts a link, Facebook grabs and republishes snippets of the linked page without permission. Is that a CFAA/502 violation BY FACEBOOK? Facebook might have other defenses, but it seems to have negated any "we're just a proxy for the users" defense. Because I'm a cyberlaw purist, I hope Facebook doesn't get hoisted on its own petard; but if it ever does happen, it will be hard to suppress a slight schadenfreude smile.

Clearly, though, Facebook is signalling that it won't download email addresses from third party sources like Gmail without the third party's permission--like for its "find a friend" feature. After all, even if Facebook has the user's permission to access the user's own data, that's legally meaningless without the data source's permission as well. The net result is that data sources can erect fences around user data despite the user's wishes.

Indeed, the most tone-deaf aspect of the ruling is the anti-competitive backdrop to Facebook's enforcement action, which doesn't even get a nod from this opinion. Personally, I would not have trusted Power Ventures with my personal data, so losing them as a competitive option is no big deal to me. Facebook positions this case about user protection. Their formal statement: "We are pleased that the court ruled in our favor. We will continue to enforce our rights against bad actors who attempt to circumvent Facebook's privacy and security protections and spam people," said Craig Clark, Lead Litigation Counsel, Facebook. But I don't find it all that credible that Facebook was motivated solely by a desire to protect us as users from a dangerous Power Ventures (Indeed, I believe Power Ventures could have sucked down an immense amount of user data through Facebook's APIs with, at most, minimal oversight by Facebook). The other obvious possible motivation: Facebook didn't like Power Ventures competition, so it shut down Power Ventures' access to Facebook's users. With its massive leadership in its niche, it seems only a matter of time before antitrust regulators start sniffing around Facebook. Its enforcement action against Power Ventures probably won't spur that, but Facebook will have to tread cautiously with future blatant shutdowns of competitors.

Posted by Venkat at 11:30 AM | Privacy/Security , Spam , Trespass to Chattels



February 19, 2012

Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net

[Post by Venkat Balasubramani]

Whitaker v. Health Net of California, Inc., Civ S-11-0910 KHM-DAD (E.D. Cal.; Jan. 19, 2012)

This is another data breach class action. Plaintiffs tried to squeeze their claims through a narrow opening left by Ninth Circuit precedent, but the court dismisses the claims for lack of standing.

IBM manages Health Net's information technology infrastructure. In January 2011, IBM informed Health Net that it lost 9 Health Net server drives, which contained the personal and health information of approximately 800,000 Health Net customers. Health Net sent a letter to the affected individuals in March 2011. The opinion does not mention whether Health Net offered credit monitoring or other preventive services. At the time the parties finished briefing the motion to dismiss, three of the nine servers had been recovered. The other six remained missing. The defendants both filed motions to dismiss.

The court focuses on whether plaintiffs sufficiently alleged “injury in fact.” Plaintiffs argued that they satisfied the standing requirements established by the Ninth Circuit in Krottner v. Starbucks and Ruiz v. Gap. (Here are blog posts on Krottner ("Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit") and Ruiz ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap").) The court distinguishes Krottner and Ruiz on the basis that, in both of those cases, the data breach occurred due to theft and not loss of the data. The court also highlights that the plaintiffs did not allege any actual harm, apart from the loss of data and the risk that the data would be misused. Although one of the plaintiffs received a letter informing them that the social security number of their minor child had been misused, the court says that this does not confer standing on plaintiffs, who have to satisfy standing on their own (unless they are asserting third party rights).

The court also relies on Low v. LinkedIn for the proposition that speculative allegations regarding disclosure or harm are not sufficient to support Article III standing. (See also Reilly v. Ceridian.)

End result: the court dismisses with leave to amend. The plaintiffs have thirty days to amend their complaint to allege sufficient harm.
__

It’s worth keeping in mind that although plaintiffs cited to Krottner and Ruiz, the plaintiffs in those cases did not prevail. Despite finding the allegations sufficient from the perspective of Article III standing, the courts ruled against the plaintiffs on the merits in both cases. Plaintiffs have tried every possible combination of allegations (theft of information; misplacement of information; employment information; health information) but courts simply refuse to find a cognizable claim unless the plaintiff can allege that his or her data has been misused in a way that causes out-of-pocket losses. A few cases have pointed to credit monitoring services as recoverable mitigation, but where the defendant offers up this relief to consumers voluntarily, a plaintiff is pretty much out of luck.

It’s also interesting to note that this case involved claims under California statutes which provide for the confidentiality of medical records. Given that the court did not discuss statutory damages, I would assume the statutes in question did not provide for these damages. Even if they did, failure to satisfy Article III standing could still undermine the claims. (A case pending in front of the United States Supreme Court may answer this question. See "'Sleeper' Case Asks Whether Plaintiffs Can Sue Without An Injury.")

Previous posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian

Posted by Venkat at 09:15 AM | Privacy/Security



February 14, 2012

Posting Family Photos to Facebook With Snarky Comments Isn't Harassment of Family Member -- Olson v. LaBrie

[Post by Venkat Balasubramani with comments from Eric]

Olson v. LaBrie, 2012 WL 426585 (Minn. App. Ct. Feb. 13, 2012)

This case is what happens when a headline from The Onion comes to life. Aaron Olson sought a harassment restraining order against his uncle Randall LaBrie. Olson argued that LaBrie harassed Olson by...get this...posting “innocuous [but surely awkward] family photographs” to Facebook and making mean comments directed toward Olson. The photos included Olson as a child, “posing in front of a Christmas tree.” LaBrie also tagged Olson in the photos. When Olson became aware of the photos, he requested they be removed or “altered to erase” Olson. LaBrie demurred, although he untagged Olson. Understandably, LaBrie told Olson that if he did not like the photos, “he should stay off Facebook.”

Olson was not “friends” (in the Facebook sense, or apparently, in any sense) with LaBrie, and accessed the photos via his mother’s Facebook account. The parties had a peripheral argument about how the photos were accessed. LaBrie said that the photos were meant for his inner circle, but Olson said they were accessible to the general public. At the end of the day, it turns out to not matter. The court says that posting these types of photos to Facebook does not amount to harassment, and the comments offered by Olson as evidence were nothing more than “mean, disrespectful comments,” which cannot form the basis for liability. The Minnesota anti-harassment statute is directed at:

“repeated incidents of unwanted acts, words, or gestures” that have a substantial effect on the “safety, security, or privacy of another.”

On appeal, Olson tried to argue that LaBrie's conduct had a substantial effect on his privacy, but he did not raise that issue in the trial court and the appeals court says he waived it. Even assuming he had raised it, the court says that Minnesota law recognizes three types of common law privacy violations: intrusion, appropriation, and the publication of private facts. Minnesota law does not recognize “false light publicity.” Olson argued that one of these common law privacy violations could have supported issuance of the anti-harassment order, but the court says that the statute defines harassment, and there’s no need to look to case law for additional definitions.

Olson raised two other issues that are worth noting, and they really make me wonder whether this wasn’t some Onion editor’s attempt to generate a story. First he argued that the trial court erred in not crediting the testimony of his mother, who testified that LaBrie’s conduct was offensive. Second, Olson tried to get the record sealed. Hello, Streisand Effect!

The only thing that would have kicked this opinion up a notch would have been a cite to awkwardfamilyphotos.com.

Related posts:

Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
Revenge Blogger Ordered to Remove Blog--Johnson v. Arlotta (also from Minnesota--is there something in the water there?)
_____________

Eric's Comments

This case demonstrates that the family that Facebooks together doesn't necessarily stay together. I don't understand why Olson was so concerned about the posting of old "innocuous" family photos, although I can understand why Olson might object to "mean, disrespectful comments." At the same time, I also don't understand LaBrie's response that if Olson didn't like it, he should stay off Facebook; nor does it make sense that LaBrie said he didn't intend for Olson to see the photos because they weren't Facebook friends. It seems fair for someone to object to the publication of photos even on a service the person doesn't use or can't see the photos. Obviously there's a backstory to this family squabble that got washed out in the appellate opinion. I guess it goes to show that you can pick your Facebook friends but you can't pick your family. A protip of general applicability: never allow sharp objects at family reunions.

Posted by Venkat at 08:38 PM | Content Regulation , Privacy/Security , Publicity/Privacy Rights



January 27, 2012

Top Internet Law Developments of 2011

By Eric Goldman

As usual, I'm running late with my year-end recap. This post begins with my countdown of the top 5 Internet Law developments of 2011, then it lists other interesting developments and cases. It concludes with some of the most linked posts and then my editor's choice of some posts in 2011 that might have been a little overlooked. As usual, thanks for reading the blog in 2011!

Countdown: My Top 5 List of Developments in 2011

#5: Righthaven Implodes. Since the beginning, I've been skeptical of Righthaven's business model. Seriously, who else thinks it's a good idea to sue small-time mom-and-pop bloggers and non-profits on a one-by-one basis? However, even I had no idea that Righthaven would accelerate their own demise by routinely making basic litigation errors. A sketchy business model + a litigation shop that isn't very good at litigation = one dead start-up. It's always fun (in a bloodsporty way) to watch hubristic bullies get their just deserts, but watching the Randazza firm school the Righthaven litigators in Litigation 101 has been amazing. THAT'S how you litigate.

Righthaven lost often in 2011 (see my August reset). They lost fair use rulings (e.g., CIO, Choudry). They lost on standing grounds (e.g., Democratic Underground, Wolf). They were hit with sanctions. They were hit with hundreds of thousands of dollars of attorney fee shifts (e.g., Leon, Wolf, DiBiase). They even lost their domain name in an auction--a delicious irony given that Righthaven's complaints improperly demanded its defendants' domain names on the theory that it might need the domain name to satisfy a judgment against the defendant, when in fact it was Righthaven's domain name that was used to help satisfy a judgment against it!

Righthaven ended 2011 on death's door, but the trend of newspapers trolling for copyright litigation isn't going away. I'll be watching NewsRight closely in 2012.

#4: Medical Justice Gives Up. Speaking of hubristic bullies... You recall Medical Justice, the organization that helped doctors and other medical service providers take copyright assignments from patients in their as-yet-unwritten reviews so that the doctors could expeditiously remove unwanted reviews by sending 512(c)(3) takedown notices to review sites. It's an interesting legal hack, but it has some bad side-effects, including the fact that patients hated it, the copyright assignments almost certainly were void (for public policy reasons and others), doctors were hurting themselves by discouraging patient reviews (patients prefer to choose doctors when there's a critical mass of patient reviews), and (as our research uncovered) most consumer review sites ignored the doctors' 512(c)(3) takedown notices. Obviously, with those defects, Medical Justice wasn't exactly adding a ton of value to its clients. Medical Justice finally gave up, but too late to prevent a lawsuit against one of its clients and a complaint to the FTC. Chances are Medical Justice will be living with a long-term hangover from this entrepreneurial foray.

Seeing Medical Justice stop peddling anti-patient review tools was slightly satisfying, but that result was always a fait accompli. The reason Medical Justice's change of heart matters is that shady or clueless vendors keep developing new ways to suppress unwanted consumer reviews, and I hope Medical Justice's experiences will discourage other vendors from trying the copyright hack. I talk about these dynamics more in my paper on regulating reputational information.

#3: gTLD Expansion. It remains unclear exactly what ICANN's rollout of unlimited top level domains will do. Due to the expansion of new namespaces, brand owners face a long list of complicated--and potentially expensive--choices to make. Unfortunately, these choices don't really benefit society; instead, the gTLDs tax businesses while the benefits accrue to a small number of service providers (and, of course, ICANN itself). I think many businesses will reserve their name in multiple new gTLDs to prevent squatting--with the net effect that businesses will spend more money just to preserve the status quo. Meanwhile, most consumers are likely to be bewildered by the unlimited number of TLDs, which is just going to increase their tendency to rely on search engines and link directories rather than domain names to navigate to their desired destinations.

#2: Internet Consumer Privacy Lawsuits Tank. 2011 initially looked like the year of the Privacy Plaintiff. A torrent of privacy lawsuits had been filed, plaintiffs had wrested a few important and lucrative settlements, and Internet companies continue to make questionable privacy decisions that create a steady supply of potential new lawsuits.

But the path to riches didn't materialize. Instead, 2011 emerged as the year when privacy class action lawsuits mostly failed miserably. Courts principally rejected the lawsuits on standing grounds for lack of cognizable harm, but plaintiffs failed on other related grounds, such as a lack of damages negating the prima facie case. There were some exceptions where plaintiffs made a little progress (see, e.g., Claridge v. RockYou, Anderson v. Hannaford, Fraley v. Facebook). I'm sure the privacy plaintiffs' bar will be studying those rare successes to formulate a better battle plan--and to better prepare their cases and find strong named plaintiffs, a recurring omission that hasn't gotten a lot better over the year. However, for now, it's clear that the privacy plaintiffs' bar can't just show up in court and hold out their hands for a payday.

#1: Regulators Broke the Internet. We've always known that regulators could combat bad online activity by working "up the chain," i.e., by making upstream service providers liable for the bad acts or obligated to cut off the activity. However, for the most part, we've shared a tacit understanding that systematically going up the chain was a "nuclear" option--it would fix the specific problem but only at significant collateral cost that, on balance, makes the option unattractive.

I think we'll look back at 2011 as the year that tacit understanding broke down. In 2011, regulators around the world showed a seemingly insatiable demand for working up the chain. Although we in the USA like to think we're different from other repressive regimes, the evidence suggests otherwise. Some examples of "up the chain" activity in 2011:

* Arab Spring. Repressive regimes got local Internet access providers to turn off Internet access in the country.
* Operation in Our Sites. The Immigrations and Customs Enforcement (ICE) agency keeps seizing domain names of suspected foreign rogue websites on an ex parte basis, making errors and breaking the law in the process. Mike Masnick blew open the story on Dajaz1.com, which ICE seized on an ex parte basis, conducted secret proceedings for a year, and then gave back the domain name with no explanation.
* Graduated Response. Copyright owners got Internet access providers to voluntarily (?) agree to restrict, and eventually terminate, their users' accounts.
* Secondary liability against intermediaries. Rightsowners keep expanding their intermediary targets, including lawsuits against ad networks and SEOs/web designers. To be fair, some of these lawsuits aren't going very far, and expansive secondary liability theories aren't new in 2011.
* Ex Parte Seizures. Rightsowners are asking for the moon against third party service providers in ex parte proceedings, and courts are giving it to them because the third parties aren't there to represent their own interests. We recap this epidemic in this post.
* SOPA and PIPA. These proposed bills were the finest examples of rightsowners pursuing the nuclear option regardless of the collateral damage. The bills' basic architecture was to attack a wide range of intermediaries for third party actions--domain name registrars, search engines, payment service providers, ad networks. By seeking to deputize the intermediaries, the bills sought to instantiate "up the chain" duties across virtually the entire Internet. Putting aside their other policy deficiencies, I think we should resist all laws predicated on that fundamental assumption of intermediary deputization. See my post on the OPEN bill for why I reject the compromise "follow the money" solution. Sadly, I stand virtually alone in my stance.

Other Interesting Developments.

Some other interesting developments this year:

* Patent Reform. The America Invents Act is the most dramatic patent reform bill in years, and it has many provisions that may affect Internet companies, including the joinder standards, the prior user defense, and the novelty/priority standards. The law doesn't fix the overall problems with bad Internet patents or unmeritorious assertions of those patents, but it nevertheless could make some dramatic changes in what Internet companies do.

* Google and Antitrust. Google has become the incumbent in search, and all of its rivals--especially the companies Google is disintermediating--are desperately seeking to knock it off its perch. I believe Google and antitrust was the #1 topic prompting reporter phone calls to me in 2011. We are waiting to see what comes from the FTC investigation into Google's practices, and the list of Google-haters keeps growing daily. At the same time, the anti-Google forces made surprisingly little actual progress in 2011, including suffering a conspicuous (and not even close) loss in the myTriggers case. See my paper on why I am so over the Google antitrust battles.

* DC's Obsession with Busting Silicon Valley Companies. Sometimes, it feels like DC insiders wake up in the morning and wonder, "What Silicon Valley company do I feel like busting today?" Drive down the 101 from San Francisco to San Jose and play the "Spot the FTC/DOJ Bust" bingo game. Some of DC's targets in 2011: Google Buzz, Twitter (finalized in 2011), Facebook, Google pharma ads, Apple and others for no-poaching restrictions, and others. Good times!

* Judges Order Litigants to Hand Over Passwords to Social Networking Sites. This year, several judges ordered litigants to turn over their Facebook passwords to their litigation opponents for discovery purposes. See, e.g., Zimmerman v. Weis (which I added to my Internet Law reader this year). In 10 years, we'll look back at this mini-trend and shake our heads at the judicial cluelessness. Social networking sites contain a mix of public and private information, and letting a litigation opponent root around the account is just as objectionable as making a litigant hand over the keys to his/her house so the opponent can rummage around.

Other Key Court Rulings in 2011

Some other interesting court decisions this year:

* Author's Guild v. Google. The court rejected the Google Book Search settlement agreement for good reasons, but it sent the parties back to square 1. Why the parties haven't been able to broker a legislative compromise is beyond me.

* Barclays v. theflyonthewall. The Second Circuit took a big bite out of the hot news doctrine. Unfortunately, the Second Circuit didn't kill the hot news doctrine outright, but the opinion leaves open very little room for hot news plaintiffs.

* Network Automation v. Advanced System Concepts. The most important keyword advertising ruling to come out in several years. While the ruling itself was a mixed bag for the litigants, the opinion tore down a number of crusty plaintiff-favorable legal doctrines that had cluttered up trademark jurisprudence for years--including virtually mooting the initial interest confusion doctrine and killing the "Internet trinity" bypass to the standard multi-factor likelihood of consumer confusion test. I've noticed that the opinion has already noticeably tilted courts towards more defense-favorable rulings.

* Betty Boop case (Fleischer Studio v. AVELA). For a few months, it looked like the Ninth Circuit had eliminated trademark merchandising rights in characters that were out-of-copyright. Then it changed its mind; but still it liberated Betty Boop to the world.

* PhoneDog v Kravitz. An interesting battle over ownership of a Twitter account.

* Levitt v Yelp/Ascentive v. PissedConsumer. 47 USC 230 still works really, really well as an immunity. In Levitt, Yelp got a 230 dismissal of claims that it had tried to get advertisers to pay to manage consumer reviews. In Ascentive, the court rebuffed a plaintiff's effort to use a trademark infringement claim against a consumer review website to work around 230.

* Habush v Cannon. Buying a person's name as the trigger for keyword advertising doesn't violate their publicity rights.

* UMG v. Shelter Capital. While everyone waits for the Second Circuit's decision in Viacom v. YouTube, the Ninth Circuit stole some of that thunder with a powerful endorsement of the 17 USC 512 safe harbor. Too bad Veoh didn't live long enough to enjoy the win.

* In re Rolando S. Rolando was convicted of felony identity theft for taking a classmate's Facebook page for a joyride. My vote for the most interesting Internet Law case of 2011, and an instant cyberlaw classic. I've already added it to my Internet Law reader, and the students seemed to enjoy discussing the case.

Some of the Most Linked Blog Posts in 2011 (Per Topsy)

* New Advertising & Marketing Law Casebook Available for Review
* Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
* "App Store" Isn't Generic, But Apple Can't Enforce Its Purported Trademark in the Term--Apple v. Amazon (Apple legal issues are always good link bait)
* Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
* Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO
* Court Rules That Instant Message Conversation Modified the Terms of a Written Contract -- CX Digital v. Smoking Everywhere (the most popular post of the year by far--a modern Contract Law classic)
* Second Life Ordered to Stop Honoring a Copyright Owner's Takedown Notices--Amaretto Ranch Breedables v. Ozimals

Favorite "Overlooked" Posts

A few posts that maybe got overlooked a little:

* Cyberbullying and Restorative Justice [a Long-Delayed Post on DC v. RR]
* Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
* Marijuana Activist Can't Change His Name to "NJWeedman.com" -- In re Forchion
* Free-to-Consumers Ad-Supported Website Isn't Illegally Priced--Cammarata v. Bright Imperial
* What Would a Government-Operated Search Engine Look Like in the US?

Lists of Yore

Previous top 10 lists from 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

Posted by Eric at 09:45 AM | Copyright , Derivative Liability , Domain Names , Evidence/Discovery , Internet History , Patents , Privacy/Security , Search Engines , Trademark | TrackBack



January 24, 2012

Comments on United States vs. Jones: What's Old is New Again (Guest Blog Post)

By Ethan Ackerman with comments from Eric

U.S. v. Jones No. 10–1259 (U.S. Supreme Court; Jan 23, 2012)

In 2005 federal agents convinced a judge to issue a warrant so they could affix a cellular-based GPS tracker to the underside of Antoine Jones' wife's car, which the agents then tracked constantly for almost a month. Unfortunately for the federal agents' subsequent criminal prosecution of Jones on cocaine distribution and conspiracy charges, the agents did so after the warrant had expired, and in a different state than the warrant permitted. After an unsuccessful trial, Jones appealed his conviction to the D.C. Circuit, which suppressed the warrantless surveillance, finding it was obtained through a Fourth Amendment violation.

In so holding, the D.C. Circuit split with the Seventh, Eighth and Ninth Circuits on the matter. Importantly for the Supreme Court, each of these Circuits found no search occurred (or in the case of the D.C. Circuit, a search had occurred) when analyzing the 'search' under the 'reasonableness' test of Fourth Amendment law developed from Katz v. United States.

Yesterday, the Supreme Court held that the government's search was a Fourth Amendment violation. Importantly, the five-member majority opinion by Justice Scalia reaches that result by effectively resurrecting the 'trespass' element of Fourth Amendment law that has been dormant for almost 50 years--and wasn't a part of any of the underlying Circuits' opinions. I don't want to denigrate the significance of that holding, and I suspect it will dominate much of the scholarly commentary about the ruling. Already, the universally-cited Orin Kerr, blogging at the Volokh Conspiracy, has several posts up about the trespass and mosaic theory aspects of Jones.

However, my biggest surprises from the opinions were the unanimity of support for the idea that this was a constitutionally-suspect search, and the numerical majority that also found this search unreasonable for non-trespassory "reasonableness" reasons. It's kind of a big deal that all nine Justices found this case to be a Constitutionally-infirm search, disagreeing with a significant portion (probably a majority) of the Circuit Courts' benches. Even more so, it's truly a big deal that five (a numerical majority) found this search "unreasonable" under a reasonableness test that looked to the intent of the searching officers and so casually dismissed the atomistic arguments of the government that at each moment the searching was being done in a public place. Both of these arguments have been mainstays in earlier Fourth Amendment decisions.

Additionally, much of the earlier commentary on the D.C. Circuit's unreasonableness rationale, somewhat pejoratively nicknamed a "mosaic theory," had focused on its novelty and un-testedness. However, five justices appear ready to apply it in this case. In particular, Justice Sotomayor's concurrence makes clear that she agrees with Justice Alito's four-member opinion adopting the D.C. Circuit's reasonableness rationale. In that concurrence, she amplifies the majority opinion's holding relying on trespass principles, but indicates this is an "irreducible constitutional minimum," above which Katz's reasonableness rationale (which Justice Scalia's majority opinion doesn't denigrate, even if it declines to evaluate its applicability) still controls. Tom Goldstein shares my conclusion that there are effectively two majority opinions in this case. His excellent observations are here and also illuminate just how much was not resolved in the decision.

Eric's Comments

I really only learned two things in my Criminal Procedure class from law school: (1) every fact matters, and (2) the Supreme Court makes up the rules from case-to-case. At the time, I didn't feel I got very much from my class, but in retrospect, perhaps I actually learned everything that really mattered in Fourth Amendment jurisprudence. As Ethan recaps and as Paul Ohm indicated (United States v. Jones is a Near-Optimal Result), this opinion is a mix of good news (get a warrant before GPSing my car) and unresolved issues (basically everything else--ranging from practical questions like the legitimacy of warrantless tracking of cellphone movements to theory battles over whether the Fourth Amendment protects against trespass, violations of reasonable expectations of privacy or both).

Putting aside those important questions, the opinions articulated some deep distrust of government motives. I am always perplexed when the privacy community loses sight that the government is the real privacy threat, not the private sector. It also seemed that the judges did, in fact, internalize the personal threat that police could monitor their own cars without a warrant. It reminded me a little of the RIM case where the judges tried to envision their personal situation without their Crackberries.

Posted by Ethan Ackerman at 03:37 PM | Privacy/Security | TrackBack



January 18, 2012

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian

[Post by Venkat Balasubramani]

Reilly v. Ceridian Corp, 11-1738 (3rd Cir. Dec. 12, 2011)

Ceridian is a payroll processing firm. Reilly and Pluemacher were employees of a law firm that was a Ceridian customer. In December 2009, Ceridian suffered a “security breach.” A hacker infiltrated Ceridian’s system and gained access to information belonging to 27,000 employees at 1,900 companies. After investigating, Ceridian sent a letter to the affected individuals, letting them know that their personal information, including “first name, last name, social security number and, in several cases, birth date and/or bank account” information was accessed. Ceridian provided the affected individuals one year of free credit monitoring and identity theft protection. (It’s unclear as to whether plaintiffs took advantage of this, but they alleged that they spent money for monitoring efforts.)

The Third Circuit focuses on the issue of whether plaintiffs have standing. The court canvasses the precedent and says most courts addressing standing for data breach plaintiffs have concluded that plaintiffs lack standing because the harm is too speculative. The court agrees:

Here, no evidence suggests that the data has been--or will ever be--misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury.

Plaintiffs relied on Pisciotta v. Old National Bancorp and Krottner v. Starbucks for the proposition that the increased risk of identity theft is sufficient to confer Article III standing. The court distinguishes these cases on the basis that, in those cases, the threatened harms were “more imminent”. In Pisciotta there was evidence that the hacker’s intrusion was sophisticated, and in Krottner, there was evidence that someone attempted to misuse the purloined information.

Plaintiffs also cited, by analogy, where courts have broadened standing requirements in other contexts (toxic tort, defective medical devices, and environmental injury). The court is not persuaded. The court says that, in those cases, an injury has occurred, even if it has not manifested itself and it cannot be presently quantified. In contrast, in the data breach context, “any damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.” Second, the court says that the medical device and toxic tort cases raise “human health concerns.” Courts relax the test for standing where human “suffering” is involved. The injury in those cases cannot be remedied by money. This is similar to the environmental injury cases where courts say that plaintiffs challenging actions on the basis of environmental regulation should be allowed to proceed because monetary compensation may not fix the harm that will occur:

unlike priceless “mountains majesty,” the thing feared lost here is simple cash, which is easily and precisely compensable with a monetary award.

The court finally says that the amounts expended by plaintiffs are not sufficient to confer standing because the money was not spent to avert or deal with any “actual injuries.”
__

Courts have pretty uniformly rejected data breach lawsuits, but the recent trend is to do so on the basis of Article III standing, rather than on the merits. This case looks like it's on the more restrictive end of the spectrum as far as standing goes.

The court’s attempt to distinguish other data breach cases on the basis that the harms in other cases were imminent or more obviously likely to occur isn’t the most convincing. Hackers have been known to compromise data in order to demonstrate security vulnerabilities, but if this is not the case, isn’t it fair to assume that data will be misused in some way? Aren't all hackers by definition sophisticated? Aren't all data breaches presumptively malicious? On the other hand, the data breach plaintiffs never seem to have adequate data to present to the court that the information in question is being misused. Even data pointing to the frequency of misuse in other breach cases would be useful to sway a court, but it's either not available or not being highlighted by plaintiffs. It's also surprising to see plaintiffs' counsel not include someone in the lawsuit who has had their information misused. (Maybe data breach cases are not well suited to resolution on a class basis?)

Some courts (In re Hannaford; Ruiz v. Gap) have said that basic monitoring services are reasonable mitigation efforts and as a result, companies that suffer breaches are offering to affected individuals this as a matter of course. Here it’s unclear as to whether plaintiffs took advantage of this but also took efforts of their own. Although it's not clear, it looks like in this court's view, even basic monitoring is not necessary and a failure to provide it would not form the basis for standing.

While the cases are across the board in how they get there, one thing is for sure. Data breach plaintiffs have gotten little or no relief in the courts.

Other coverage:

Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Previous posts:

"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
"When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue"
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros"

Posted by Venkat at 09:31 AM | Privacy/Security



January 16, 2012

Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does (Guest Blog Post)

By Guest Blogger Elliott Alderman with brief comments from Eric

[Eric’s introductory note: Elliott Alderman is an IP attorney in Washington DC. I asked if he could guest-blog this opinion after calling it to my attention.]

Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (D.D.C. Dec. 21, 2011)

Overview: A DC Magistrate Judge recently ruled that a defendant cannot file anonymous motions to quash disclosure subpoenas in a copyright file-sharing case. This ruling invites discovery abuses--and kicks due process.

The fragile balance between copyright owners enforcing their rights and the privacy interests of IP address owners was upended recently in Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (2011). There, the magistrate held that individuals who subscribe to the Internet through ISPs have no expectation of privacy in their subscriber information, since they have already disclosed this information to their service providers. So when copyright owners file disclosure subpoenas seeking subscriber information, local district court rules require that responding IP address owners must publicly identify themselves as part of filing a motion to quash.

There are two separate levels of privacy involved here: (1) public knowledge (including opposing counsel) of the IP address owner’s identity, and (2) the court’s knowledge of the parties involved in an action before it. A simple solution to the considerable detriment posed to subpoenaed parties is to allow motions to be filed under seal. At this stage, it is only discovery, not adjudication on the merits of the underlying claims, and there is no public benefit to disclosure before consideration of the motions.

Some background: As content owners move from suing download sites for inducement liability to a model of filing reverse class actions against unnamed individual users of P2P networks, discovery of infringers becomes crucial. However, content monitoring software, at best, may associate a digitally marked file with an IP address, but does not identify the owner of the account. And, significantly, the owner of the account is not, by definition, an infringer. So with IP addresses in hand, copyright owners must file disclosure subpoenas with ISPs to get the subscriber information associated with the identified IP addresses.

Typically, consistent with due process (and common sense), IP address owners responding to a disclosure subpoena have the right to preserve their anonymity while a judge reviews the propriety of the class action and the corresponding subpoena. Without the protection of anonymity, a motion to quash a disclosure subpoena is rendered moot, since disclosure of personal information on a public docket reveals the name and address information sought by the subpoena. See Achte/Neunte Boll Kino Beteiligungs GMBH & Co. v. Does 1-4,577, 736 F. Supp. 2d 212, 215 (D.D.C. 2010). Ironically, Achte/Neunte is one of the cases cited by the magistrate in support of public disclosure.

For a number of reasons, Hard Drive makes no sense. A subpoenaed owner essentially no longer has a right to contest disclosure, since challenging the merits of the discovery process reveals the very thing sought in discovery – his identity. And even if the judge later holds that the owner was misjoined, that an IP address is not an infringer, or any of the other bases that courts throughout the country are using to dismiss file-sharing defendants and kill these suits, plaintiffs have the personal information that they need to harass presumptively innocent parties. Worse still, plaintiffs will be encouraged to withdraw subpoenas before judges evaluate their merits, since the subpoenaed information will already be in hand.

As noted above, the Hard Drive magistrate also based his holding on Local Rule 5.1, which requires that all parties who file pleadings and papers with the district court must provide their name and full residence address, even if they are seeking to proceed anonymously. Judge Bates, who had assigned the case to the magistrate, originally ordered that motions to quash would remain under seal even if the moving party lost. How about a Solomonic compromise? Allow motions to be filed under seal, then only if the motion is denied would subscriber information be released, since the ISP is going to disclose the information anyway. Certainly there are policy reasons supporting the requirement that parties identify themselves to the court -- not the least of which is that it has no way of communicating with unrepresented Does – but permitting sealed motions balances the interests of copyright owners seeking to vindicate their rights against the privacy rights of IP address owners.

Moreover, the central premise of the decision, that there is no expectation of privacy in business transactions where information is disclosed to a third party, defies logic. One also shares information with telephone and insurance companies, and medical doctors – third parties all – but an expectation of privacy remains. Moreover, courts have implicitly recognized a privacy interest in ISP subscriber information, holding that copyright owners may not use the DMCA’s takedown notice-subpoena provisions to discover subscriber identities. See Recording Industry Association of America v. Verizon Internet Services, Inc., 351 F.3d 1299 (D.C. Cir 2003); In re Charter Communications, Inc., 393 F.3d 771 (8th Cir. 2005). And although it may be argued that when copyright infringement is at issue there is no free speech right to anonymity, see e.g. Sony Music Entertainment, Inc. v. Does, 326 F. Supp. 2d 556 (S.D.N.Y. 2004), the extortionate nature of the file-sharing cases is such that fairness would dictate that IP address owners should be able to anonymously defend against inclusion in classes of unrelated others.

Further, even assuming that an individual has no reasonable expectation of privacy in his subscriber information, he certainly does in his choice of movies. Part of the copyright troll business model, particularly for pornographic films, is the threat of publicly associating an individual with his private tastes. I have represented a number of owners who have had their routers hacked or had tenants or other unauthorized parties who used their Wi-Fi connections. With or without legal liability, too many of these parties have settled because privacy is a more expensive currency than cash.

In fact, in other contexts where there is the potential for stigma or embarrassment, courts typically evaluate the merits of the underlying case before requiring disclosure of confidential information, like a person’s identity. See, e.g. Doe v. Smith, 429 F3d 706 (7th Cir. 2005). The potential for harm to defendants in file-sharing cases is worse, however, because in addition to whatever shame or stigma attaches to being labeled an infringer or, worse, a porn hound (I think that’s the legal term), there are immediate legal consequences to stripping anonymity. Not permitting sealed motions is like having discovery first, then later evaluating its legitimacy.

Finally, the importance of the anonymous motion is intertwined with the architectural problems with the reverse class action model generally. This is not a white hat/black hat debate between content creators and piracy. Rather, the file-sharing cases are about the economics of joining unrelated parties in a class as a cost-effective way to pursue often non-meritorious actions, where secondary parties who are not infringers become the collateral damage. A number of courts have dismissed these actions on a variety of grounds, including that:

* IP address owners are not intrinsically infringers. See VPR Internationale v. Does 1-1017, 2:2011cv02068 (C.D. Ill. 2011) (an IP address is not a person)
* different owners have different defenses; and
* unrelated owners do not act in concert by using a P2P program. K-Beech, Inc. v. John Does 1-85, Civil Action No. 3:11cv469 (E.D. Va. 2011); Raw Films, Ltd. v. John Does 1-32, Civil Action No. 3:11cv532 (E.D. Va. 2011); Hard Drive Productions, Inc. v. Does, No. C-11-01566 (N.D. Cal. 2011).

Moreover, the reliability of monitoring programs is suspect (see Challenges and Directions for Monitoring P2P File Sharing Networks, University of Washington Technical Report UW-CSE-08-06-01), and because a number of ISPs use dynamic IP addresses (where an IP address is rotated between several users) and “infringements” are generally date- and time-stamped, the odds of mistakenly associating a particular IP address with the “infringement” are greatly increased.
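The dynamic-address point above is a forensic one: an IP address identifies an account only in combination with the ISP's lease log and a timestamp precise enough, and timezone-complete enough, to land on exactly one lease. The following Python is an added illustration written for this page, not code from the post, the court, or the cited University of Washington report. It uses a constructed lease log on the documentation range 203.0.113.0/24 with hypothetical account identifiers, and shows three ways an attribution can go wrong: the log has a gap at the requested instant, clock skew between the monitoring tool and the ISP straddles a lease boundary, or the monitoring timestamp arrived without a timezone and resolves to different accounts under different offsets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Lease:
    """One dynamic-address assignment from an ISP's lease log (constructed)."""
    ip: str
    subscriber: str      # hypothetical account identifier
    start: datetime      # inclusive, timezone-aware
    end: datetime        # exclusive, timezone-aware


def utc_at(y, mo, d, h, mi=0):
    """Build a timezone-aware UTC instant; keeps the sample data readable."""
    return datetime(y, mo, d, h, mi, tzinfo=UTC)


# Constructed sample lease log: one address rotates through three accounts in a
# single day, with a two-hour window (12:00-14:00 UTC) in which nothing is recorded.
LEASES = [
    Lease("203.0.113.45", "acct-1001", utc_at(2011, 6, 1, 0), utc_at(2011, 6, 1, 6)),
    Lease("203.0.113.45", "acct-2002", utc_at(2011, 6, 1, 6), utc_at(2011, 6, 1, 12)),
    Lease("203.0.113.45", "acct-3003", utc_at(2011, 6, 1, 14), utc_at(2011, 6, 1, 20)),
    Lease("203.0.113.46", "acct-4004", utc_at(2011, 6, 1, 0), utc_at(2011, 6, 2, 0)),
]


def subscriber_at(leases, ip, when):
    """Return the account that held `ip` at the instant `when`, or None.

    `when` must be timezone-aware: a naive timestamp cannot be placed on the
    lease timeline at all.  Overlapping leases mean the log itself is
    inconsistent, so that is reported rather than silently picking one.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    hits = [l.subscriber for l in leases if l.ip == ip and l.start <= when < l.end]
    if len(hits) > 1:
        raise ValueError(f"lease log has overlapping assignments for {ip}")
    return hits[0] if hits else None


def subscribers_near(leases, ip, when, skew):
    """Accounts whose lease of `ip` overlaps the window [when - skew, when + skew].

    `skew` models clock disagreement between the monitoring tool and the ISP's
    log.  More than one account means the timestamp alone cannot single one out.
    """
    lo, hi = when - skew, when + skew
    return {l.subscriber for l in leases if l.ip == ip and l.start < hi and l.end > lo}


def candidates_for_naive_timestamp(leases, ip, naive_when, offsets_hours):
    """Resolve a timestamp that arrived without a timezone under each plausible offset.

    Returns {offset_hours: subscriber_or_None}.  A monitoring report that says
    only "2011-06-01 07:00" could denote several different UTC instants.
    """
    if naive_when.tzinfo is not None:
        raise ValueError("expected a naive timestamp")
    out = {}
    for hours in offsets_hours:
        aware = naive_when.replace(tzinfo=timezone(timedelta(hours=hours)))
        out[hours] = subscriber_at(leases, ip, aware)
    return out


def is_unambiguous(candidates):
    """True only if every reading of the timestamp points at the same, single account."""
    values = set(candidates.values())
    return len(values) == 1 and None not in values


if __name__ == "__main__":
    ip = "203.0.113.45"
    print(subscriber_at(LEASES, ip, utc_at(2011, 6, 1, 3)))    # acct-1001
    print(subscriber_at(LEASES, ip, utc_at(2011, 6, 1, 13)))   # None: gap in the log
    # 05:50 UTC with 15 minutes of clock skew straddles the 06:00 lease boundary
    print(subscribers_near(LEASES, ip, utc_at(2011, 6, 1, 5, 50), timedelta(minutes=15)))
    # "2011-06-01 07:00" with no zone: UTC and UTC-4 give acct-2002, UTC-7 gives acct-3003
    report = candidates_for_naive_timestamp(LEASES, ip, datetime(2011, 6, 1, 7), [0, -4, -7])
    print(report, is_unambiguous(report))                      # ... False
```

The lease boundaries are deliberately closed on the left and open on the right so that an instant exactly at a rotation belongs to one account, not two; a real log whose records overlap is treated as a data-integrity problem rather than resolved by guesswork, which is the conservative choice when the output may be used to name a person.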

All this for want of a sealing motion!
___________

Eric’s Comments

This is a bad ruling. The court has guaranteed that the copyright plaintiff can unmask defendants simply by asking for a subpoena—either the subpoena is granted or the defendant reveals him/herself to fight the subpoena. That’s not the way the system is supposed to work. By creating a no-recourse situation for anonymous/pseudonymous defendants, the court has stripped them of essential due process rights. And, as we know, plaintiffs able to unmask defendants often can take advantage of substantial extra-judicial remedies, such as the public embarrassment factor in porn copyright cases. Thus, this ruling unfairly screws over anonymous defendants in these cases. It needs to be fixed.

For more on the topic, see Lior Strahilevitz’s paper Pseudonymous Litigation.

Posted by Eric at 10:00 AM | Copyright , Evidence/Discovery , Privacy/Security | TrackBack



January 10, 2012

Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores

[Post by Venkat Balasubramani]

Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012)

Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute which restricted the type of information a retailer could collect: "California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma." A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismisses the case on the basis that the plaintiff failed to allege a cognizable injury.

Is a ZIP Code Personal Identification Information?: Section 105(a) of Massachusetts General Laws provides:

No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.

The court looks to the legislative history behind the statute and says that the Massachusetts legislature’s intent was different from California’s. While the California legislature was concerned with retailers obtaining personal identification information and using it for marketing purposes, the Massachusetts legislature was more concerned about security and fraud prevention. Thus, while Pineda looked to whether a ZIP Code could be used (together with the customer’s name) to locate the individual, the court in this case focused on whether recordation of this information by a retailer poses the risk of identity theft or fraud. The court looks to Massachusetts’ identity theft statute, which defines personal identifying information as “any name or number that may be used . . . to assume the identity of an individual.” The court says that inputting a ZIP code in the context of a credit card transaction is similar to inputting a PIN number in the context of a debit card transaction. Because the ZIP code is information that can be used along with other card holder information to commit identity theft and criminal fraud, the court says that the ZIP code is personal identification information for purposes of the statute.

Did the Retailer Write the Information on a Transaction Form?: Michaels argued that the statute does not cover electronically stored information and that the transaction form has to be a paper document. The court rejects this argument for several reasons. First, the statute applies to all credit card transactions, whether they are processed manually, electronically, or through other means. The act does not distinguish between paper and electronic forms, and the court says that the risk of identity theft is present regardless of the type of transaction. The statute also permits the retailer to include information in the transaction form that is required by the credit card issuer. The retailer collects information during the transaction process (as required by the credit card issuer) and then issues the receipt, which may contain information different from the transaction form. (For example, the card number has to be truncated on the receipt under FACTA.) “The receipt is a printout of the permissible information on the transaction form, but it is not the transaction form itself.” (For what it’s worth, FACTA is also a statute aimed at curbing identity theft, but does not cover emailed receipts: “FACTA Does Not Cover Emailed Receipts.”)

Has Plaintiff Alleged Cognizable Injury?: The statute in question does not provide for statutory damages. It only says that a violation of the statute is “deemed to be an unfair and deceptive trade practice.” A claim for unfair and deceptive trade practice requires a showing of “injury and loss” and a causal connection between defendant's practices and plaintiff's injury. Plaintiff had not been subject to identity theft, so she had to prove injury or loss in other ways. She does not argue that she has an increased risk of identity theft. Instead, she argues that Michaels used her name and ZIP code in conjunction with a commercially available database to determine her address and phone number. The court says that her allegations are insufficient because she does not allege that Michaels acted illegally in accessing the database. She also alleged that she was injured because she received “a deluge of unwanted mail.” The court says that this is not an injury cognizable under the statute since the statute was enacted to prevent fraud. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm.]

Unjust Enrichment: Plaintiff also brought a claim for unjust enrichment. This claim is similar to the "PII-as-valuable-property" claim brought by the RockYou plaintiffs. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou.") Under this theory, her personal information is a valuable piece of property so plaintiff should receive some compensation when she 'exchanges' this information with the retailer. The court says there are two problems with this argument. First, the ZIP code is not itself valuable to Michaels. It derives value only due to “the independent work and cross-referencing necessary to obtain the full address.” Second, the court says that reasonable people would not expect compensation for turning over their ZIP code, and plaintiff did not allege that, had she known all the facts, she would have “charged” Michaels for the ZIP code.
__

The conclusion that plaintiff did not state a cognizable injury was the most interesting. The court drops a giant footnote saying that it’s not deciding this case on the basis of Article III standing, but even if it were, the result would be the same (citing In re iPhone App Litigation; Specific Media; In re Facebook Privacy Litigation). There is a big grey area here, which is whether a violation of a state law alone is enough to support standing, or whether, even when plaintiff makes out a prima facie violation of a state statute, a plaintiff has to separately prove damages as a threshold matter. Can state legislatures circumvent Article III standing requirements? Can Congress? The court says that these issues are not implicated since the unfair trade practice statute only confers standing upon those who show that they have been injured. (My gut feeling is that Congress and state legislatures should have the power to define when a plaintiff can sue; at least they do so routinely. The court says that clarity on the standing question is forthcoming, since the Supreme Court granted cert. in Edwards v. First Am. Corp.)

The court’s conclusion on the unjust enrichment claim is also interesting. While one or two decisions accepted (at the motion to dismiss stage) the theory that personal information must be valuable because the defendant monetized it, later decisions, like this one, require plaintiff to more clearly articulate their misappropriation theories. Just because information is valuable in someone else’s hands, does not mean that their use of that information is a misappropriation of your property.

It’s unclear whether the court’s rejection of plaintiff’s injuries is a result of the court’s construction of the credit card statute as aimed at combating identity theft and fraud, or whether it’s because Massachusetts’ unfair trade practices statute (like California’s) requires some out-of-pocket loss.

Overall, this decision, like many of the privacy lawsuits we’ve blogged about, reflects a reluctance by courts to recognize informational privacy claims where they don't easily see out-of-pocket losses. The risk of future identity theft is not getting much traction in courts. (See also Reilly v. Ceridian, a recent 3rd Circuit case which is in the blogging queue.) The “personal information as currency” theory is not getting much traction in courts either. When those two theories are taken out of the mix, the plaintiff is left only to allege that the defendant violated the statute and therefore plaintiff is entitled to damages. Courts are requiring privacy plaintiffs to allege more than this.

Posted by Venkat at 07:51 AM | Privacy/Security



January 06, 2012

Did a Court Eliminate 512(h) Subpoenas?--Maximized Living v. Google

By Eric Goldman with additional comments from David Gingras

Maximized Living, Inc. v. Google, Inc., 2011 WL 6749017 (N.D. Cal. Dec. 22, 2011). The initial 512(h) subpoena. The Justia page.

17 USC 512(h) is a relic of a different era. The basic architecture of 17 USC 512 seeks to put copyright liability on users instead of their service providers. However, for that scheme to work, anonymous/pseudonymous infringers must be identifiable so the copyright owners can sue them instead of the intermediaries. 512(h) seeks to expedite the identification of alleged infringers by allowing copyright owners to get an unmasking subpoena super-easily. All copyright owners need to do is file a subpoena request with a court clerk, and in response the court clerk *must* issue the subpoena--the copyright owners don't need to file a lawsuit, and no judge reviews or approves the subpoena's issuance.

Indeed, neither the clerk nor a judge has any statutorily provided discretion to refuse the subpoena. As a result, 512(h) is now badly out-of-step with the law governing anonymous/pseudonymous online defendants that has developed over the past decade in response to unmasking abuses. In areas other than copyright, plaintiffs usually must make some showing that their substantive claims are meritorious before a judge will issue an unmasking subpoena. (The level of the plaintiff's showing depends on a variety of factors.) In contrast, a 512(h) subpoena issues irrespective of the substantive merits of the plaintiff's claims--thus opening up a backdoor channel to unmasking abuses. For example, last year I got anecdotal reports that doctors used 512(h) to unmask patients that anonymously/pseudonymously reviewed doctors in contravention of the Medical Justice-supplied contract. If we were redrafting 17 USC 512 today, we would pay a lot more attention to 512(h) and its privacy implications than we did in 1998. [On that front, I have a latent empirical research project to investigate what happened after 512(h) subpoenas issued, but this case may have mooted it.]

With that background, let me turn to this case. Maximized Living sells copyrighted material to chiropractors. Anonymous blogger Doe allegedly infringed Maximized Living's copyrights via a Blogspot blog post. Maximized Living submitted an apparently overbroad 512(h) subpoena request to Google to identify Doe, and Doe successfully quashed the subpoena for its irregularities. Nevertheless, Doe apparently removed the infringing material from the blog. After that removal, Maximized Living sent Google a putatively corrected 512(h) subpoena request to unmask Doe. In this ruling, the court quashes Maximized Living's 512(h) subpoena for a second time.

The court does something goofy to reach this result. The court holds "that the subpoena power of § 512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled." Thus, because Doe had removed the infringing material after the first 512(h) subpoena was quashed, there was no infringing activity taking place when the second 512(h) subpoena request was made.

The problem with this result is that copyright owners must submit a 512(c)(3) takedown notice to service providers before seeking a 512(h) subpoena. Most service providers will take down the allegedly infringing material in response to the 512(c)(3) notice, so unless the copyright owner moves really fast to make its 512(h) request, the infringing material invariably will be down before the 512(h) subpoena request gets filed with the court--leaving those copyright owners in the same place as this one (i.e., submitting a 512(h) request when there's no current infringement). Below, David Gingras explains why the court may have misread the statute.

As a practical matter, this case's result may not be earth-shattering even if it survives appeal. I believe most service providers honor 512(h) subpoenas without much scrutiny and perhaps without notifying the targeted individual. This case will only help if the targeted individual challenges the subpoena, which will only happen if the service provider notifies the individual before releasing the unmasking information and the individual gets to court quickly enough. Because the service providers are a critical player in this process, how they handle 512(h) subpoenas warrants careful attention. I'd be game to work with you to try to get service providers to tell us more about their 512(h) handling procedure and if they give notice to the users--and wait for any quashing effort to materialize--before forking over unmasking info. [FWIW, Google appears to have done both, so they get a gold star for the day.]

Copyright owners also can avoid this result by filing the 512(h) subpoena request basically at the same time as they send the 512(c)(3) notice. That way, when the 512(h) subpoena is filed, there is still infringing activity occurring, even if it's quickly eliminated by the service provider responding to the 512(c)(3) notice. My guess is that many copyright owners will be reluctant to do this because it will increase the cost and time required to target infringing material when quick-filing of a 512(h) request will help in only a small number of situations. Thus, changing the takedown protocol to add a 512(h) filing probably isn't cost-effective.

Finally, even if 512(h) isn't available, the copyright owner can still seek unmasking through a John Doe lawsuit. This isn't as low-cost as 512(h) and will trigger judicial screening of the subpoena request before issuance, so 512(h) is better for copyright owners if they qualify. Nevertheless, copyright owners can still achieve unmasking, and perhaps this case simply indicates that 512(h) is a much more highly specialized solution than we thought.

Also, a personnel note: one of the plaintiff's lawyers is Kenton Hutcherson. You may recall that last year I blasted an article by Kenton for advocating that plaintiffs scrub search results by taking advantage of Google's apparently lax policy towards court orders. Here, it looks like the judge didn't respond well to at least two of the plaintiff counsels' choices:

1) the overreach in the initial 512(h) subpoena request
2) the submission of a second 512(h) without the court's permission, as specified when the court quashed the first subpoena

One possibility is that the court reached its odd substantive conclusion in response to the plaintiff lawyers' errors.

________________

Comments by David Gingras

[Eric's introduction: Many of you already know David Gingras due to his positions as General Counsel for Ripoff Report and litigation counsel for thedirty.com. While drafting this post, I sent this opinion to David for his thoughts, and his statutory analysis in response was so useful that I asked his permission to share it.]

I think it’s extremely clear the court made the wrong decision here. I think the court should have found that the subpoena was entirely appropriate under § 512(h) even if the allegedly infringing material had been removed and the infringing activity stopped.

The court’s premise seemed to be that you could only use a pre-suit subpoena under § 512(h) to identify current infringers, not a former infringer who had stopped infringing. By itself, this seems like a very dubious distinction. What’s the difference?

As far as I can see, the conclusion was based on the fact that you obviously can only use what is commonly referred to as a “DMCA notice” (i.e., a takedown demand under § 512(c)(3)(A)) to address active infringements. In turn, that sounded correct because § 512(c)(3)(A) requires the party submitting the notice to identify, inter alia: “the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled." By using the present and future tenses here, it’s beyond obvious that this section doesn’t apply to past acts of infringement. In other words, you can only use a § 512(c)(3)(A) notice to address current/ongoing infringements (DUH – if the material was already removed, you wouldn’t need to send a takedown notice anyway, right?)

Up to this point, the court interpreted the DMCA in a common sense way, but then it erred when it assumed (incorrectly) that because § 512(h) subpoenas are necessarily premised on a § 512(c)(3)(A) takedown notice, that requires the court to find that where the infringement has stopped, the right to pursue a § 512(h) subpoena also stops. That’s just totally inconsistent with the plain language of § 512(h)(5), which talks about the duties of a party on the receiving end of a DMCA notice (like Google) once they receive the follow-up subpoena:

(5) Actions of service provider receiving subpoena.--Upon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a notification described in subsection (c)(3)(A), the service provider shall expeditiously disclose to the copyright owner or person authorized by the copyright owner the information required by the subpoena, notwithstanding any other provision of law and regardless of whether the service provider responds to the notification. [italics added]


The way I read that section, it seems pretty simple – you can get and serve a § 512(h) subpoena either contemporaneously with the § 512(c)(3)(A) takedown notice, or the subpoena may be issued subsequent to that notice; i.e., at a later time when the infringement has already stopped. Either way is perfectly fine, which makes sense.

In this instance, the way the court interpreted § 512(h) makes the words “or subsequent to” totally superfluous, so we know the court’s conclusion is incorrect. Furthermore, the last few words of § 512(h)(5) seem to suggest that § 512(h) subpoenas may or may not come after a service provider has already “responded” to the takedown demand; i.e., after the material has already been removed – that’s another strong indicator that the right to pursue a § 512(h) subpoena may start with a § 512(c)(3)(A) takedown notice, but it does not stop simply because the infringing material was removed.

Posted by Eric at 09:18 AM | Copyright , Derivative Liability , Privacy/Security | TrackBack



January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

By Eric Goldman

Marketing and Advertising

* Facebook is putting Sponsored Stories in user newsfeeds. Naturally, they will make the ad label almost invisible. Yet another reason to hate Facebook, and what a desperate act of financial overreaching to goose their IPO. FWIW, I absolutely hate that Twitter does the same thing. It's terribly marked as an ad, and it takes me more time than it should to figure out why it's appearing in my stream. Boo for Twitter, and boo for Facebook.

* Then again, not all Twitter ads are objectionable. The most popular tweet of 2011? An ad from Wendy’s.

* Interesting NAD decision involving Coastal Contacts' offer of "free" glasses in exchange for Facebook likes. Compare the subsequent ruling in Fraley v. Facebook.

* Top 10 PR Blunders of 2011.

* FTC does another bust of health marketers who allegedly used affiliates to create fake news sites. Prior blog post.

* Rebecca reports on a lawsuit over marketing that chickens were “raised humanely.” Note to meat eaters: there's no such thing as mass-raising of animals "humanely" for our food consumption. Invariably, meat-eaters who actually take the effort to understand the process of manufacturing meat decide to reduce their meat consumption.

* NYT on caller ID spoofing. The FTC just announced another bust on this front.

* AdAge: FDA's Social-Media 'Guidelines' Befuddle Big Pharma.

* Yahoo Inc. v. XYZ Companies, 2011 WL 6072263 (S.D.N.Y. Dec 5, 2011). Yahoo gets a huge and uncollectable default judgment of $610M under CAN-SPAM against Nigerian spammers.

* Adware déjà vu: Facebook bitches about adware. Prior blog post.

* A table manufacturer tinkers with his AdWords account and discovers a correlation between AdWords and clicks on his organic links (1, 2). Prior blog post.

* Pom loses a jury trial against Ocean Spray over false advertising.

* Washington Post: An inside look at the world of TV news payola/“plugola.”

* Ad Naseum on reverse product placement, i.e., manufacturing virtual brands created for TVs and movies.

* NYT: In China, car brands have very different meanings to consumers than they do in the US (except for BMW, where the brand attributes are surprisingly the same).

* Cracked: 5 Black Friday Myths The Media Wants You to Believe.

Privacy

* In re Facebook Privacy Litigation, 2011 WL 6176208 (N.D. Cal. Nov. 22, 2011). Prior blog post. Judge Ware dismisses the Facebook/Zynga referrer ID case with prejudice. Wendy Davis' coverage. It appears the plaintiffs have appealed (sub nom Graf v. Zynga) to the Ninth Circuit.

* Facebook will make 45 privacy-related changes—almost none of them “important”—to appease the Irish Data Protection bureaucrats.

* Mark Zuckerberg has extensive experience apologizing to Facebook users for Facebook's privacy transgressions.

* USA Today on how Facebook tracks user activity at websites other than its own.

* Cohen v. Facebook appealed to the Ninth Circuit. I'm not sure how the Fraley v. Facebook ruling affects this. Prior blog post.

* Interesting visualization of Facebook’s creeping degradation of privacy for user-provided info.

* In the Matter of ScanScout, Inc., FTC File No. 1023185:

According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.

* FTC bust of Skid-e-Kids for COPPA violations.

* Another cookie litigation settlement where the lawyers get almost all of the settlement value. PaidContent and MediaPost coverage.

* Weber v. Google, over Google toolbar snooping, was quietly dropped.

* Incorp Services, Inc. v. Does 1-10, 2011 WL 5444789 (N.D. Cal. Nov. 9, 2011). The court orders unmasking of alleged click fraudsters:

By tracking the clicks over the course of several weeks and narrowing a substantial portion of the activity to only two IP addresses—both owned by the same ISP—Incorp has provided sufficient information to indicate that the responsible parties are “real person(s)” who may be sued in federal court. Incorp also has demonstrated that it took reasonable steps to identify Defendants. Because information pertaining to the assignee of an IP address is maintained by the third-party ISP, the only way in which Incorp is able to identify definitively the parties associated with the suspect IP addresses is by subpoena to the ISP.

* In re Application of the USA for an Order Pursuant to 2703(d), 1:11-dm-00003-TCB –LO (E.D. Va. Nov. 10, 2011). No Fourth Amendment privacy protection for IP addresses.

* NYT provides yet another update on some European regulators' efforts to kill Silicon Valley.

* Peter Fleischer: Harsher data protection sanctions are coming.

Contracts

* Stebbins v. Texas, 2011 WL 6130403 (N.D. Tex. October 24, 2011). Another court calls David Stebbins’ attempt to manufacture an arbitration award “frivolous,” saying “his factual assertions that the alleged contract was formed when Plaintiff sent an e-mail to Defendant with a blog link and a dollar bill describe fantastic or delusional scenarios that are clearly irrational and incredible.” Prior blog coverage (1, 2).

* Garon v. eBay, Inc., 2011 WL 6329089 (N.D.Cal. Nov. 30, 2011). No antitrust claims for vendors who eBay terminated for low ratings. I think eBay should have been able to use 47 USC 230(c)(2) (not discussed by the judge).

* Fadal Machining Centers, LLC v. Compumachine, Inc., 2011 WL 6254979 (9th Cir. Dec.15, 2011). In a B2B context, enforcing an arbitration clause posted to the web that was incorporated by reference in the vendor’s invoices.

* Spam Arrest v. Marketingesquire complaint: Spam Arrest sues an email marketer for violating its TOS by sending "spam."

* Wofford v. Apple Inc. (S.D. Cal. Nov. 9, 2011). Free software update to iPhone software did not constitute a "tangible good or service" for California CLRA purposes.

* How plaintiff firms are adapting to Concepcion.

* WSJ: Are We All Online Criminals?

Posted by Eric at 03:04 PM | Marketing , Privacy/Security , Spam | TrackBack



January 02, 2012

UGC Website Hit With Spoliation Sanctions--Io v. GLBT

By Eric Goldman

[This is one of those blog posts that got stuck in queue. It's still pretty interesting, so I'm sharing at this relatively late date. Happy new year!]

Io Group Inc. v. GLBT Ltd., 2011 WL 4974337 (N.D. Cal. Oct. 19, 2011)

This case involves Io, the pornography company that lost Io v. Veoh, the main 17 USC 512 case I teach in my Internet law course. The defendants in this case are British. They run a series of UGC porn websites where users can get some porn for free and then must pay for additional access either with cash or by uploading their own content. The plaintiffs seek to hold the defendants liable for copyright and trademark infringement because users are allegedly committing copyright infringement by uploading the plaintiffs' porn. The defendants are defending on 17 USC 512 and other grounds.

Being in Britain, the defendants are governed by the Data Protection Act. They interpreted that act to require them to flush lots of data very quickly. Perhaps they have been overly zealous about implementing the DPA such that their interpretation isn't so credible. For example, they automatically deleted all incoming and outgoing email after 3-4 days, and they didn't change this for more than a year into the lawsuit. They also completely deleted all files that were subject to a takedown notice, so it wasn't possible for plaintiffs to see which files had been removed. Their answers to the judge's pointed questions apparently weren't very satisfying, and eventually the defendants went AWOL. So it's a little hard to tease out any legitimate DPA-based objections the defendants might have had from their other questionable choices.

FWIW, I'm not a DPA expert, but the DPA requires that the service provider keep data only so long as reasonably necessary. I would think legal obligations/discovery rules satisfy that standard.

The court's opinion gives some insights into the evidence that would be useful for the 512 safe harbor. The defendants completely wiped away any UGC files they disabled. The court says:

With respect to the deleted audiovisual files, Plaintiffs are prejudiced by not being able to examine the files and related metadata for any "red flags" indicating that infringement was likely. Such red flags could render Defendants ineligible for safe harbor protections of the Copyright Act.

This is consistent with language in the Ninth Circuit's subsequent ruling in UMG v. Shelter Capital. The court continues:

The loss of takedown notices and corresponding removal notification emails also prejudices Plaintiffs. First, the trier of fact may consider the extent of copyright infringement on Defendants' websites when analyzing a claim of inducement to infringe....Although the number of takedown notices does not alone determine the amount of actual infringement on the site, a large number of notices could indicate that a large portion of the material on the site is infringing. In addition, in order to be eligible for safe harbor protection, Defendants must show that they have policy in place providing for the termination of repeat infringers. 17 U.S.C. § 512(i)(1)(A). Defendants claim that they have such a policy in place, but without the ability to examine the takedown notices and corresponding emails, Plaintiffs have no way of challenging the implementation and enforcement of the policy because they cannot examine whether Defendants actually terminated individual users who repeatedly posted infringing material.

I'm not clear about the relevance of the percentage of infringing activity, but for more on the evidentiary issues associated with inducement, see the Grokster ruling. Finally, the court says:

the destruction of Defendants' internal emails renders it impossible for Plaintiffs to explore Defendants' motivation and state of mind in operating their websites; this is key to Plaintiffs' claim of secondary infringement based on inducement

For the evidence spoliation, the court hits the defendants with adverse inference sanctions:

Plaintiffs are entitled to adverse inference instructions in the form of rebuttable presumptions. Given the specific evidence destroyed by Defendants, the court orders the following rebuttable factual presumptions: 1) third parties posted material on Defendants' websites that infringed Plaintiffs' copyrights; 2) Plaintiffs submitted takedown notices to Defendants regarding the infringing material; and 3) Defendants did not take steps to remove Plaintiffs' infringing material from their websites.

Unless the defendants magically find some exculpatory evidence, it sounds like those inferences will nail them on the substantive rulings. The court also awarded $15,000 in attorneys' fees.

This case raises a number of interesting issues.

First, exactly what evidence are plaintiffs entitled to when trying to overcome a service provider's 512 defense? As far as I can tell, there are few limits because just about anything might support an inducement finding. The otherwise defense-favorable ruling in UMG v. Shelter Capital provides some other ideas about information that plaintiffs can seek. Summing all this up, as a practical matter, 512's safe harbor is nifty, but it's an increasingly expensive proposition for both parties. Contrast this with 47 USC 230, where many immunized lawsuits are tossed on a motion to dismiss without any discovery at all. Not only does that allow judges to issue clean and quick rulings, but it saves both plaintiffs and defendants a lot of coin. Note to statutory drafters: it's so important to consider the evidentiary implications of your legislative drafting. The way the statute implicitly allocates discovery costs has a huge substantive effect--especially if the goal is to create a safe harbor or immunity. On this point, even if 512 usually gets to the right result, the safe harbor is miscalibrated from an evidentiary standpoint.

Second, service providers hoping for a 512 safe harbor are often uncertain about what data they should or must retain. After Grokster, UGC sites became nervous about potential inducement liability. As a result, I believe it's become common to recommend that UGC sites flush as much material as quickly as possible (and before litigation becomes "reasonably anticipatable") to reduce the risk that the material will be cited as evidence of inducement or otherwise disqualify the 512 safe harbor. However, UGC sites don't want to look like they are trying to evade the truth or, worse, disrespecting the court (as the defendants in this case might be perceived as doing) or engaged in evidence spoliation, so how should UGC sites strike an appropriate balance? I'd welcome your thoughts about that.

Third, irrespective of how we feel about these particular defendants, their underlying point about the intersection between 17 USC 512 and user privacy is worth considering. 17 USC 512(m) is entitled "Protection of Privacy," so the drafters of 512 recognized the push-pull issue here. Assume for a moment that the defendants in this case honestly wanted to provide their users with private browsing/uploading/downloading, something that might be desirable in the context of these defendants' service. It seems logical that the service provider seeking a privacy-enhanced UGC service would flush its logs, email and disabled files promptly and make those representations to its users. Here, it appears the court would undo those promises, forcing the service provider to retain data it didn't want to keep for the benefit of copyright plaintiffs. I understand that may be our current state of play, but I see the potential for mischief too.

Posted by Eric at 08:20 AM | Copyright , Derivative Liability , Evidence/Discovery , Privacy/Security | TrackBack



December 23, 2011

Academic Literature Recap, Q4 2011

By Eric Goldman

I'm mired in grading heck, slogging my way through 146 exams. As a result, blogging has taken a back seat. I have several key items to blog, including the UMG v. Shelter Capital and Ascentive v. Opinion Corp. rulings. I'll get to these and other topics soon.

In the interim, just in time for the holidays, let me call your attention to some recent academic articles that caught my eye this quarter. They may be worth checking out during your holidays. Happy reading!
____________

Bevin Ashenmiller and Catherine Shelley Norman, Measuring the Impact of Anti-SLAPP Legislation on Monitoring and Enforcement, The B.E. Journal of Economic Analysis & Policy: Vol. 11: Iss. 1 (Topics), Article 67 (2011). The abstract:

We examine changes in environmental monitoring and enforcement activity in the presence of state legislation prohibiting Strategic Lawsuits Against Public Participation (anti-SLAPP laws). Using data on the Clean Air Act from the Environmental Protection Agency’s ECHO database, we find evidence that state inspections increase by almost 50% after a state passes anti-SLAPP legislation. In addition, we find strong evidence that the ratio of findings of noncompliance to inspections more than doubles in the presence of anti-SLAPP legislation.
____________

danah boyd, Eszter Hargittai, Jason Schultz & John Palfrey, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’, First Monday, Volume 16, Number 11 - 7 November 2011. The abstract:

Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws.

This article stirred up a fair amount of discussion. See, e.g., the CNET coverage.

Some notes about this article:

* no one looks good here: not the kids, parents, Facebook or Congress.
- Parents teach children how to lie to get what they want online
- Gilmore’s law that the Internet interprets censorship as damage and routes around it. COPPA has been a success at getting websites to shun kids 12 and under, but it’s been a complete failure at protecting kids online.
- all of the lying kids are presumptively engaged in criminal activity

* when kids are asked to represent themselves as older than they actually are, do they inadvertently put themselves in more adult situations than they can handle? See my post on mistake of age defenses.

* the policy implications of this report cut in both directions. Pro-regulation: the only way to keep kids off Facebook is to do mandatory age authentication that parents can’t game; or do comprehensive privacy regulation. Anti-regulation: COPPA was a bust, so we should repeal it or structurally modify it.
____________

Felix T. Wu, Collateral Censorship and the Limits of Intermediary Immunity, 87 Notre Dame L. Rev. 101 (2011). We don't have too many law professor papers really grokking 47 USC 230, which makes this paper instantly noteworthy. Felix presented this paper at our 47 USC 230 fiesta earlier this year. His conclusion:

Intermediary immunity can and should play an important role in protecting speech on the Internet. Immunity prevents the application of laws targeted at original speakers to intermediaries that lack the incentives of original speakers to speak. Immunity can thus be used to avoid the collateral censorship of lawful, socially desirable speech that poses a real or perceived risk of liability to intermediaries. At the same time, immunity can and should be limited. When intermediaries are actually original speakers, and have the incentives of original speakers, immunity is no longer appropriate. Similarly, immunity as to causes of action that are specifically targeted at intermediaries inappropriately prejudges the reasonableness of such liability.
Even ardent supporters of intermediary immunity would be well-served to recognize its limits. When immunity becomes unbounded, it begins to seem increasingly unfair, stimulating calls to cut back on the immunity, or even eliminate it entirely. The framework developed here demonstrates how, without any need to amend current law, we can limit the immunity, while still serving its core purposes.

James Grimmelmann's comments about the paper.
____________

Sandra L. Rierson, The Myth and Reality of Dilution, 2012 Duke Law & Tech. Rev. ___ (forthcoming 2012). From the introduction:

This Article advances three claims. First, statutory dilution erroneously assumes that the source-identifying function of a trademark is a rivalrous good and one that is dissipated by use. This assumption lacks empirical support, and is assuredly not categorically true despite the contrary principle that underlies the federal dilution statute. If marks are nonrivalrous, as they often are, no cause of action for dilution should exist.
Second, even were particular marks indeed rivalrous, the social and transaction costs imposed by the federal dilution statute would still outweigh the supposed harm to trademark holders. Dilution claims inflict profound anticompetitive burdens, preclude beneficial comparative advertising, and entrench dominant (often oligopolist) firms at the expense of market entrants. Dilution has serious non-economic costs as well and prohibits protected First Amendment speech without justification. For these reasons and others, the federal dilution statute imposes substantially more harm than it (allegedly) prevents.
Finally, the true foundation for the federal dilution statute lies not in alleged economic harms, but rather results from an entirely misplaced fiction of corporate personality. We do not require trademark holders to prove actual economic injury in the context of a dilution claim because, in truth, there is none. Instead, we have granted the holders of famous trademarks the equivalent of a “moral” right to these marks: an extension of the rights granted to a creator of an expressive work in the copyright context. Trademark owners feel vested in their brands, many of which are deliberately anthropomorphized, and the dilution statute reifies and protects these rights as a matter of federal law.

Stacey Dogan's cogent critique of the article. You may recall that in 2007, SCU convened a major academic conference on trademark dilution.
____________

Lydia Pallas Loren, Deterring Abuse of the Copyright Takedown Regime by Taking Misrepresentation Claims Seriously, 46 Wake Forest L. Rev. ___ (forthcoming 2011). A nice in-depth look into one of my favorite topics, 17 USC 512(f), by one of my favorite authors. The conclusion:

The takedown provisions of the Copyright Act are a powerful tool that copyright owners may use to obtain prompt removal of infringing material from the Internet without judicial assessment of the assertion of infringement. Congress provided a mechanism to deter abuse of this extrajudicial enforcement mechanism in the form of a new cause of action for material misrepresentation. Courts should interpret the requirements for prevailing on a claim of misrepresentation with an eye toward fulfilling Congressional intent. This means using a standard that would hold copyright owners liable not only when they had actual knowledge that the material targeted for takedown was not infringing, but also when the copyright owner should have known if it acted with reasonable care or diligence that the material was lawful. It also means interpreting the injury requirement broadly and awarding attorney’s fees to prevailing plaintiffs. Taking the claims of misrepresentation seriously will shape the behavior of copyright owners who seek removal of material through takedown notices.

Posted by Eric at 07:55 AM | Content Regulation, Copyright, Derivative Liability, Privacy/Security, Trademark



December 12, 2011

“Economics of Privacy” Conference Recap

By Eric Goldman

Earlier this month, I attended an event at University of Colorado Boulder called “The Economics of Privacy,” sponsored by the Silicon Flatirons center. A couple photos from the event: 1, 2. As usual, these notes reflect my impressions of the discussion. They aren’t verbatim transcriptions, so please double-check before attributing anything to anyone.

Paul Ohm was the principal event organizer. He offered a thesis: the legal academy has ignored economics and markets in its privacy scholarship. This is because a decade ago, privacy scholarship got rooted in consumer autonomy. As a result, we are letting waves of new economics discussions go past without incorporating them into the privacy scholarship. He thinks this is a missed opportunity. This conference was intended to fix that.

Keynote: Alessandro Acquisti

Can market forces adequately “protect” information privacy? Answer: a resounding “it depends.”

Notifying consumers isn’t good enough. Less than 3% read privacy policies; people don’t understand them; people assume “privacy policy” implies privacy protection; if people actually read the policies, we lose significant social resources in the opportunity costs of their time; and outright deceptive bypassing of policies can go unpunished.

Consumer control is illusory. In fact, by making people feel more in control, consumers may take greater privacy risks.

Can self-regulation protect privacy? Alessandro thinks probably not. Hyperbolic discounting means consumers will take the immediate benefits and ignore future costs/risks. Further, technology keeps changing. Consumers who try to optimize for current technology are required to learn the newer technology. It’s overwhelming for consumers. Thus, the empirics of privacy show that hurdles in decision-making render self-regulatory solutions untenable.

Where do we go from here? Currently, unless there’s a quantifiable economic harm, there’s no legally recognizable harm. However, by focusing on tradeoffs, we’ve lost the non-economic benefits of privacy, like personal autonomy. The lack of adequate consumer protection also leads to socially wasteful investments, ex post damages, a shrinking share of consumer surplus, and other harms. We can do better than telling consumers that they need to “quantify the privacy costs incurred or be quiet.” Privacy enhancing technologies allow both data sharing and data protection. We should put the burden of proof on data holders: prove you can’t provide the same services with less data, or be quiet. Finally, he rejects the privacy fatalism that “data is the price for content.” In fact, consumers pay when advertisers use the data to develop manipulative marketing.

First Panel

Lior Strahilevitz. Information asymmetries led to 19th century English workhouses (like homeless shelters). The government wouldn’t provide welfare payments because recipients knew better than the government if they were worthy, so workhouses were an alternative to providing wasted welfare. The consequence of this information asymmetry was the growth of government services and poor living conditions.

India is experiencing something similar. To address this, India is collecting biometric information on its poor (the “AADHAAR”). Some Indians feel this data collection is empowering—it gives them an identity.

Homogeneity enables mass-market products, but precludes catering to idiosyncratic needs. On the other hand, we should favor serendipitous exchanges between disparate people, and that’s essential for us to function as a society.

Lior is concerned that people will buy products for signaling purposes, not because they want the goods. For example, it turns out that people who buy felt pads for their furniture are good credit risks. Knowing this, people might buy felt pads to send false signals. Peppet’s comment: signaling is exhausting. We’re always communicating through our actions, and that’s tiring. It’s rational for consumers to respond by just deleting their Facebook accounts entirely.

Alessandro’s comment: matching systems will never be perfect; they will always make errors. But if decision-makers overly rely on the technologies, we may not be able to protect ourselves from these errors.

Lorrie Cranor. In 1996, there was a lot of talk about notice-and-choice and that privacy policies were unreadable, but the thought was that privacy seals and P3P could save privacy policies. We're at that exact same place today, but the technology hasn’t changed much. In fact, the current Do-Not-Track technology is lower-tech than P3P was.

What went wrong with P3P? 5 years of haggling led to a computer-readable language for privacy policies. It’s still incorporated into Microsoft Internet Explorer, but it only focuses on cookie-blocking decisions. To avoid Microsoft’s cookie blocking, sites enacted P3P policies. At least a third of P3P policies had errors, including major sites (Amazon, Facebook), so P3P may be counterproductive (i.e., consumers relying on P3P will not have their preferences effectuated). She hopes regulators will investigate.

Based on our experiences with P3P, online behavioral advertising tools aren’t promising. Companies aren’t providing clear policies to consumers or working opt-outs; consumers don’t recognize the icon; and consumers won’t click on it because they expect to get more ads, not to opt-out. She has a feeling of déjà vu: privacy tools empower consumers, but when people inevitably lose interest in developing the tools, privacy issues will become moribund again.

In contrast, incorporating automated privacy information into search results made consumers more aware of privacy concerns, and consumers showed they were willing to pay extra for additional privacy benefits.

Julie Cohen. The term “information privacy market” is weird. The market doesn’t produce information privacy; it produces information that’s used for market segmentation and risk management. There are social costs of information privacy markets—do we need less of the outputs from these markets?

Deeply-held ideological considerations drive privacy norms. Many of us are socialized to believe that more information is better. This skews the discussion as privacy advocates try to get around this norm.

We should be skeptical of information collection practices. Social benefits don’t necessarily grow as information becomes more precise. Gaps in knowledge lead to serendipitous matches that benefit society.

Innovation is used as an excuse to stiff-arm regulators because it’s too complicated for regulators. We’re bad at valuing systemic risks.

Scott Peppet. He sees parallels between Occupy Wall Street and the concerns about privacy. We don’t know how companies are tracking us, and that lack of knowledge makes us uncomfortable. Our economy is built on data, but we don’t understand how that system works. Data collectors are getting big, and we don’t know what they are doing. Perhaps some data collectors get too big to fail—we couldn’t let Facebook’s database go through bankruptcy.

Q from Berin Szoka: why isn’t the common law system adequate to deal with exigencies? For example, the FTC can enforce P3P misrepresentations even if the private lawsuit fails in court. Why do we need additional regulation?

Q&A on self-regulation

Lorrie: self-regulatory model requires enforcement. We have some leaders in the industry doing a great job, but they aren’t getting the requisite enforcement backup.

Alessandro: self-regulation doesn’t work because it relies on notice-and-consent, and that doesn’t work. Instead, he would like to see self-regulation include broader deployment of PETs.

Peppet: he expected, but has failed, to find role-modeling privacy intermediaries such as infomediaries (see my 2005 blog post on the absence of infomediaries). Even companies that are leaders on privacy have unreadable privacy policies. His hypothesis: it’s more profitable to disrespect privacy.

Strahilevitz: self-regulation is best for handling data that’s been recently collected, not on historical data. No one has a good response to deal with new data uses enabled by evolving technologies. Data retention may be an appropriate place for government regulation.

Keynote: Joe Farrell (speaking for himself, not the FTC)

Economics assumes consumer sovereignty. Consumers have wants; the marketplace supplies them. His starting point: consumers value privacy. It’s hard to measure how much. We shouldn’t ask why or how much. We should ensure the market doesn’t thwart their desires.

If we focus on consumer sovereignty, notice-and-choice should work. This minimizes the need to figure out how much consumers value privacy and why; it enables competition on privacy; and the market can cater to consumers’ preference heterogeneity. Notice-and-choice is difficult, but we should try to fix it. However, even experts can’t tell what will happen to privacy in the future; and consumers can’t tell how their information disclosures are affected by information disclosures of other consumers.

Taxonomy of consumer data uses:

• Order fulfillment (responding to a consumer request). For consumers’ mail orders, it’s not surprising that the retailer will tell the shipper your address. This directly serves the transaction the consumer wanted, and it’s unthreatening. Leave this out of the regulation.
• Profitable re-uses that the consumer may not directly like. Need to distinguish between deals the consumer would be willing to strike (data-for-content) and unacceptable deals.

When marketers deceive consumers, it trains them not to trust anyone. This is a harm to society. Ad hoc case-based enforcement doesn’t fix this harm.

Teaching consumers is hard, even if both parties are motivated. This is the basic problem with “disclosures.” But when advertisers don’t have full incentive to be forthcoming, consumers are even less likely to learn.

When the market price is zero, it’s hard for consumers to discount the price further to reflect the costs of privacy risks. Micro-payments actually solve this problem (we saw some of these advantages with the move from broadcast TV to cable TV) but micro-payment service providers create their own privacy paradox.

We should be open to private law solutions, such as trustworthy intermediaries or the adoption of liability-type commitments.

Panel 2

Ryan Calo moderated this discussion, which didn’t have presentations. Because I was part of the panel, my notes are a little sketchy.

Aleecia McDonald: Definition of behavioral advertising = advertising that’s based on data collected about individuals (the websites they visited and their search terms) and used to create a profile to trigger ads. Behavioral advertising can be done on a third-party or first-party (e.g., Amazon) basis. Some folks believe that online behavioral advertising only means third party behavior.

Laura Kornish: Can self-regulation work? The Behavioral Advertising icon has been around a year. The icon and linked information doesn’t answer the Qs very well of why the ads are appearing. It’s not working so well, and she’s not sure why. It depends on whether educating consumers about behavioral advertising is a technical challenge. If it is, the icon probably isn’t salvageable. In contrast, it would work if consumers get clear information about why they are getting the ads.

Eric Goldman: the point of advertising is a conversation between marketers who want to sell and consumers who want to buy. If behavioral advertising improves the conversation, there’s no problem that regulation needs to fix.

Seth Levine: He doesn’t favor regulation. As an investor, we don’t see companies trying to create containers for consumer data to give marketers. He does see entrepreneurs trying to fix the fact that publishers let a lot of data leak out to advertisers.

Eric: publishers need to manage the trust relationship on behalf of readers. It’s weird to me how few publishers take this responsibility seriously.

Aleecia: There's currently a schism between EU and US about holding first party data controllers responsible for third party actions.

Catherine Tucker discussed her paper. The punchline: EU advertising effectiveness decreased by 65% compared to the US due to privacy regulations. Small unobtrusive ads were particularly affected because these are more informational and need to be more relevant. Blaring intrusive ads weren’t affected. Most adversely affected websites: general news sites, not niche-y sites (probably because contextual targeting on niche sites was a passable substitute for behavioral advertising).

Seth: an ad impression based on data about the consumer is 3x-10x more valuable than an ad impression without consumer data. Online brand advertising isn’t very effective, so the Internet relies on direct response advertising. If brand advertising worked online, there would be less motivation for behavioral advertising.

Aleecia: Q to Catherine. What legislation caused the difference in ad performance, especially because the EU directive isn’t being enforced?

Catherine: She focused on the 2002 EU directive but the rules were rolled in over time, and advertisers were uncertain about its implementation. Some advertisers pulled away from using cookies due to the uncertainty. Health ads, in particular, were much less effective.

Aleecia: Catherine’s study is good news for privacy advocates. It shows regulation can work.

Eric: it “worked” how? Some of the adverse consequences from privacy regulation: more intrusive ads, and some matches were foreclosed in the marketplace.

Aleecia: if regulation results in fewer beacons and tracking, this is a good result for healthcare data.

Seth: the advertising marketplace is big enough to incent investment in innovation.

Eric: the best way to spur innovation: give immunities and safe harbors. [I have a more detailed blog post in process making this point in greater detail.] The privacy plaintiffs’ bar is imposing a huge tax on advertising privacy innovation today.

Seth: existing technologies allow private/anonymous browsing. Less than 5% turn it on, and usually turn it on in the middle of the day, perhaps to hide information from their employers.

Aleecia: some consumers want to block ads, but the dominant reason for blocking ads is privacy concerns. Many of the tools are flat-out unusable. 6% of browsers have adopted DNT. On mobile, 17% have adopted DNT (and this is hard for them to do). Definition of DNT = allows users to put up their hand and request privacy. It’s not a technical mechanism; it’s just an HTTP header. What should websites do when the header is present? That's still being discussed.

Eric: the devil of DNT is in the details. We’ll know how important/useful DNT is when we see what websites do when they know consumers have raised their hand.

Catherine: consumers don’t understand online behavioral advertising, so they need protection, but maybe consumers are ahead of regulation and thus regulation would be redundant.

Seth: Solutions to privacy issues should be technology-based. If you’re 18 and don’t have a Facebook account, you’re dead. But Facebook does a terrible job with monetization: they have a huge audience but get only a small percentage of online ad dollars.

Peter Swire Q: getting consumers to adopt PETs is hard, so 5%-17% adoption is huge. Also, Julie Cohen’s right to read anonymously.

Seth: we would all agree that we should have user-driven right to read anonymously.

Panel 3

Scott Peppet. Ways to connect digital identity to physical identity:
• facial recognition. We can now do searches using a face as the search query.
• iris recognition. The technology can read irises on the run. If the technology became widely installed, it could do highly accurate individual identification.
• Car chips measure usage of cars. Insurance companies will find this information useful.
• Biometric. Your scale can broadcast your weight; it can even post to Twitter. It may be entertaining to measure oneself; but that data has substantial commercial value, and marketers may be willing to pay to get it.
• Smart goods. A sweater has been chipped to provide interested consumers background information about the exact sheep whose wool was used.

Ways to tie Digital Space to Physical Space
• Augmented reality. Smartphone can provide this functionality. Car can display information on the windshield.
• Pranav Mistry’s Sixth Sense.

Berin Szoka. Lessig outlined a dystopian view that code will become a perfect form of control. In contrast, the Supreme Court has said that technology expands consumers’ capacity to choose. So, does technology empower or enslave?

The First Amendment is the baseline for the (lack of) regulation of information. Government can and should punish fraud and deception. Government can validly compel disclosure of objective factual statements (Cass Sunstein’s “smart disclosure”). With proper narrow tailoring, government can intervene in other situations—user empowerment tools, limiting government, educating consumers.

Chris Hoofnagle. He favors competition-enhancing enforcement. Problem: privacy policies that are internally inconsistent; they say “we don’t share” and then say they work with third-party marketers. He also favors an enforcement action that says companies can’t force tracking onto consumers. If consumers manifest their intent not to be tracked, companies can’t undo that. Also, companies are resistant to working with privacy agents where consumers pay someone to help them opt out; they want to confirm this intent. Companies can’t imagine that consumers don’t want their advertising.

Peter Swire. He worries about security. There’s no way to fix theft of biometrics. Iris scans can be defeated by a high-quality print of a third party’s iris.

What if data = speech? (IMS v. Sorrell). He reads Sorrell to say that many privacy laws are subject to heightened scrutiny. Ex: the FCRA says CRAs can’t report credit data more than 7 years old. This limits speech by limiting data. Thus, arguably it’s both a speaker- and content-based restriction.

Berin: he hopes Sorrell will bring more rigor to legislative drafting. The Vermont statute didn’t have any showing of harm. He doesn’t think all privacy statutes are dead, but he hopes the ruling will encourage an emphasis on less restrictive measures.

Chris: Sorrell involved a dumb law, but most privacy laws are dumb because corporate lobbyists muck up well-meaning legislative proposals. He thinks libertarians should hate the Sorrell ruling—the government forced the collection of information and then it was shared with the private sector.

Berin: He doesn’t mind the government data collection in Sorrell because he believes the private sector would have generated the information anyway. Sorrell has no bearing on government-compelled disclosure.

Fernando Laguarda. The Sorrell decision was a reaction to a poorly drafted statute. Information dissemination is speech.

Paul Ohm Conversation with Julie Brill

Paul: it’s the 1 year anniversary of the FTC’s privacy report. What’s happened since then?

Julie: the FTC has spoken loud and clear on social networks (Facebook, Google Buzz). It’s brought some good cases on behavioral advertising and COPPA. The report didn’t preview the FTC’s directions; instead, it describes the problems the FTC has been running into when it brings enforcement actions, especially with notice-and-choice and consumer harm. It sums up where the FTC has been.

The report’s basic principles:
• Companies should build privacy into their foundation
• Simplify notice-and-choice. For example, on mobile devices, privacy policies are too long and not readable. Give more layered notices. Companies are burying the most important disclosures in the policy.
• Transparency. Give consumers more information about the company’s practices, but also show the data that the company has collected about the consumer and give them the right to correct. Analogy: FCRA. Data brokers that don’t come under FCRA should still give access to consumers.

What’s happened since the report? A majority of commissioners have embraced “Do Not Track.” A lot of technological development has occurred in a year—DNT technology, browser-based restrictions, BA icon.

Paul: What does Do Not Track mean, and who enforces any violations?

Julie: there