May 15, 2012
Granick on CISPA's Deficiencies (With Some of My Own Comments)
By guest-blogger Jennifer Granick (with comments from Eric)
[Eric's introduction: Some guest visitors to the blog need no introduction, and that surely describes Jennifer Granick (her Wikipedia page). She's cast huge shadows over cyberlaw in her various stints, including being a leading criminal defense attorney for technology crimes, an EFF attorney and director of Stanford's Cyberlaw Clinic. I'm so glad Jennifer was willing to share her unique perspective on CISPA. I have some remarks after hers. Jennifer has also posted a supplemental line-by-line commentary of CISPA.]
The Cyber Intelligence Sharing and Protection Act ("CISPA") is the latest example of a depressingly common situation in Washington DC -- well-meaning legislators unfamiliar with technology try to rush through a statute about a high-profile Internet issue (here, cybersecurity). Proponents of the bill say they want to facilitate information sharing between the federal government and the private sector. What they don't seem to understand is that existing laws already permit most kinds of cybersecurity information sharing. In their eagerness, the supporters of CISPA would undermine our existing system of accountability for sharing of private data and, by doing so, cause a number of unintended consequences that would harm both state and federal efforts to protect consumer privacy.
CISPA's Unintended Consequences: I firmly believe sharing cybersecurity information is a public good, which is why I have made a career of representing security professionals and hacker hobbyists who want to investigate and report on vulnerabilities. But CISPA (1) fails to comprehend the ways in which existing laws allow sharing, but with accountability; (2) runs roughshod over federal and state laws protecting privacy; (3) could inadvertently immunize retaliatory hack-back security techniques; and (4) creates an "inner circle" of private entities willing to share and share alike with the government, but leaves disfavored service providers in the cybersecurity dark.
(1) Current Law Does Not Interfere With Sharing for Security Purposes: The vast majority of what security professionals consider cybersecurity information is not personally identifying or protected from sharing by any law. Attack signatures, vulnerabilities, exploits and other classic computer security data are freely shareable. For the subset of data that may identify a particular individual, existing laws allow sharing. The most relevant laws, the Wiretap Act and the Electronic Communications Privacy Act, allow a provider to collect and share data for protection of the provider's rights or property. It is true that such sharing is subject to minor but long-standing privacy-enhancing conditions* which CISPA would simply dispose of.
[*FN: My line by line analysis of CISPA (link) highlights where in the text safeguards and dangers would be codified. I strongly oppose this legislation, but can envision a much better, streamlined, privacy respecting, bill that accomplishes the purported cybersecurity purpose.]
As for information protected by HIPAA, VPPA or FERPA, one would not ordinarily think such data is subject to CISPA disclosure and use, except that CISPA specifically calls out sensitive health, educational, firearms, library and bookstore records as the kind of information that private entities can be expected to disclose. Otherwise private information, including video rental records, book rentals, newspaper subscriptions, online reading or data protected by state consumer protection laws (like utility usage records) may freely be shared under CISPA, despite existing privacy rules and sharing safeguards.
(2) State Governments Should Oppose CISPA: States, especially California and New York, protect consumers and consumer privacy with statutes regulating the collection, use and disclosure of sensitive information. Such California laws include electronic surveillance statutes, Shine the Light notifications, Smart Meter utility data protection, the Financial Information Privacy Act, the Reader Privacy Act, Security of Personal Information Law and more. While a comprehensive review of state consumer protection rules that could be preempted by CISPA is beyond the scope of this blog post, it isn't hard to see how California, New York and other states might have serious, perhaps fatal, reservations about CISPA as it currently stands.
(3) CISPA Could Categorically Immunize Even Reckless, Privacy Invasive or Damaging Cybersecurity "Active Defense" Techniques. The definition of cybersecurity system is broad enough to include common "active defense" techniques like remote exploit of an attacking system in order to collect data about the attack, or denial of service attacks to take the offending system offline. For more discussion of those kinds of defenses, see this article in The Atlantic. The statute then categorically immunizes good faith use of such cybersecurity systems. So entities that recklessly use active defense or "hack back" technologies to exploit, disable or destroy attacking machines, even when those machines are innocent zombies controlled and misused by the actual attacker, have no incentive to behave responsibly.
(4) The Cybersecurity One Percent: CISPA sets up a hierarchy of network and service providers. At the bottom are those owned and operated by individuals, who get nothing out of the statute. Next are those entities the government doesn't feel like sharing with, for whatever reason--including the retaliatory motivation that the company hasn't been forthcoming with its own cybersecurity (and customer) data. At the top are the golden firms that get preferential treatment in the form of state-of-the-art security information. The big businesses that support CISPA probably think they are going to be in the room and get the shiny apple. But CISPA instantiates inequities that the computer security community has been managing for over twenty years, problems which inevitably arise from secretive and selective distribution of important security information. See e.g. Schneier, "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'" (Jan 2007); Microsoft Security Response Center: Announcing Coordinated Vulnerability Disclosure (July 22, 2010); National Infrastructure Advisory Council, Vulnerability Disclosure Framework (January 13, 2004); Andy Greenberg, Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees), Forbes, March 21, 2012. CISPA proponents neither understand nor address the complexities of achieving the worthy goal of cybersecurity information sharing.
________
Comments from Eric
Many commentators have drawn parallels between CISPA and SOPA, even though they putatively address very different issues (cybersecurity and IP infringement, respectively). I'd like to unpack some of the parallels. The most obvious parallel between the two laws: who thinks up crazy shit like this? As a prize for their creative thinking, the architects of CISPA and SOPA should get a one-way ticket away from Washington DC. Two other parallels between CISPA and SOPA:
1) No use case. I never understood SOPA's use case. Only one target was named: The Pirate Bay. However, the way it was drafted, SOPA wouldn't have applied to The Pirate Bay. So if SOPA was intended to shut down The Pirate Bay but the statutory drafting didn't reach that far, then the statute lacked any clear justification--and especially no payoff that would justify its multitudinous adverse collateral consequences.
Similarly, I'm not clear what problem CISPA is designed to solve. Indeed, some have said CISPA is a solution in search of a problem. If we can't define the problem clearly and succinctly, it's a good sign that either there's no justification for the law, or (more likely) someone is gaming the legislative system for their own benefit.
CISPA and SOPA have another parallel on this front: we don't understand the use case because the proponents never thought they had to justify the statute. In SOPA's case, the copyright owners expected members of Congress to pass the law without serious questions, which almost happened. When the copyright owners have so many financially supported friends in the corridors of power, they don't need to provide specific rationales for their requests; it's simply enough that the copyright owners wanted it, and their patrons are expected to deliver the quid-pro-quo on demand.
CISPA may not have been such a blatant case of rent-seeking, but it too was designed to proceed without opposition because it was part of an anti-cyberwar effort. For reasons that remain entirely unclear to me, many DC insiders apparently have convinced themselves that we are waging a surreptitious cyberwar that the bad guys are winning. Perhaps there really is a cyberwar raging behind the scenes, but evidence of a cyberwar sure hasn't leaked outside the DC insider community. This makes me wonder if maybe there's a little too much paranoia running around in DC. Or, maybe there's rent-seeking behind the efforts to hype the cyberwar threat?
Worse, to the extent CISPA is an anti-cyberwar effort, it is poorly designed for that effort. At minimum, its definitions are way too broad to address just cyberwar concerns. One of my biggest objections to CISPA is that it defines cybersecurity issues to include ordinary Internet activities such as competitive scraping and sharing of copyrighted materials. The broad sweep of the bill only reinforces the lack of a clear use case about the problem it's trying to solve.
2) Hack of the Internet's infrastructure. SOPA attacked the Internet's basic infrastructure. Putting aside the poorly conceived domain name cutoff provisions that would have undermined the DNS's stability, SOPA was designed to deputize intermediaries to resolve problems they had little financial incentive to handle carefully. The result would be a massive circumscribing of socially legitimate behavior by intermediaries asked to intervene in problems they didn't care about.
In a different way, CISPA also hacks up the Internet's infrastructure. Over the decades, we have developed a delicate system of checks and balances on the government's ability to monitor its citizens' behavior. CISPA would completely gut that system, giving the government virtually any online information it wanted whenever it wanted it without meaningful restrictions on the government's ability to misuse the information. Thus, CISPA engages in the worst kind of Internet exceptionalism by turning the Internet into an all-you-can-eat smorgasbord buffet of information for ever-curious government officials, while presumably a more robust checks-and-balance system would still be in place offline. Making the Internet worse is not what we as Internet users want!
The resulting public outcry against SOPA and CISPA demonstrates that. The public at large does not want technologically clueless members of Congress messing up the Internet's infrastructure for uncertain/unclear payoffs. We give a lot of deference to Congress to screw things up, but when it comes to wrecking the Internet, THAT'S worth fighting against.
Posted by Eric at 02:07 PM | Copyright, Derivative Liability, Privacy/Security
May 12, 2012
New York Judge *Slams* Bittorrent Copyright Plaintiffs – K-Beech; Malibu Media; and Patrick Collins v. Does
[Post by Venkat Balasubramani]
K-Beech, Inc. v. Does 1-37, CV 11-3995 (E.D.N.Y.)
Malibu Media, LLC v. Does 1-26, CV 11-1147 (E.D.N.Y.)
Malibu Media, LLC v. Does 1-11, CV 11-1150 (E.D.N.Y.)
Patrick Collins, Inc. v. Does 1-9, CV 11-1154 (E.D.N.Y.)
Order & Report & Recommendation (May 1, 2012)
A trio of BitTorrent plaintiffs were smacked around (somewhat brutally) by a federal judge in New York last week. The order addressed requests for early discovery filed by plaintiffs in three separate copyright lawsuits involving approximately 50 Doe defendants. It also addressed the requests of Doe defendants to quash subpoenas which were issued in a fourth action after the plaintiff obtained leave to issue early discovery.
The order is scathing and takes more than a few shots at K-Beech’s “rambling motion papers [that] often lapse into the farcical.”
End result: the court dismisses one case in its entirety, and cuts the remaining three cases down to one Doe defendant, finding that joinder is improper.
Here is a summary of the key points in the court’s order:
1. An IP address does not conclusively identify an infringer: the court says that unlike in a university setting or in earlier times, these days, given the proliferation of wi-fi, the fact that someone’s IP address was connected to allegedly infringing activity does not mean that the person whose IP address was used is the infringer. (“[A] single IP address usually supports multiple computer devices – which unlike traditional phones can be operated simultaneously by different individuals.”) Accord Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009); in contrast, the FTC considers IP addresses to be personally identifiable information. (For what it's worth, more than a few courts have accepted the view--at least at the early stages of litigation--that an IP address identifies the putative infringer.)
2. Improper litigation tactics: at least one of the plaintiffs (K-Beech) engaged in improper litigation tactics. One of the Doe defendants contacted K-Beech to try to resolve the dispute. Apparently, K-Beech employed the usual threat that a defendant’s name could be tied to a porn lawsuit and persuaded the Doe defendant to provide (under the auspices of settlement) “unfettered access to [Doe’s] computer . . . employment records [etc.]” K-Beech then failed to respond to the Doe defendant's communications regarding settlement. In response to Doe’s allegations, K-Beech’s counsel failed to present proof that it or its investigators didn't engage in this conduct. The court notes that Doe’s experience mirrors the experience of at least one other Doe defendant in a file-sharing case in New York. The court is not happy:
[t]his course of conduct indicates that the plaintiffs have used the offices of the Court as an inexpensive means to gain the Doe defendants’ personal information and coerce payment from them.
3. No copyright registration: the same plaintiff who engaged in the tactics referred to above did not have an actual copyright registration—it sought to rely on an application for registration (which is not sufficient in the Second Circuit). Although K-Beech was smacked down for this reason in another case in New York, it tried to remedy this by adding “conclusory trademark claims.” [??] When K-Beech's briefing veered into discussing reputational harm from unauthorized downloads, the court in a footnote points out that the owner of K-Beech doesn’t necessarily have the most stellar reputation:
it is worth noting that the owner of K-Beech Inc. (and apparent inspiration for the K-Beech mark) is Kevin Beechum . . . . It appears that this is the same Kevin Beechum who testified in federal prosecutions about his experience vandalizing adult retail video stores to help extort protection payments from their owners.
D’oh!
4. Joinder is inappropriate: the court says that plaintiffs should not be able to sue multiple defendants in the same suit. Plaintiffs tried to rely on the “swarm” theory--which has been accepted by some courts and rejected by others--under which file-sharing defendants who were a part of the same interactions can be sued together in the same lawsuit. Here, the court notes that plaintiffs’ own allegations undermine their swarm theory. For example, the downloads were often weeks or months apart:
even assuming that the John Does are the actual infringers, the assertion that defendants were acting in concert rests upon a thin reed.
The court declines to exercise its discretion to join the Doe defendants together.
5. Plaintiffs trying to avoid separate filing fees: the court notes that plaintiffs have avoided more than $25,000 in filing fees by filing mass-defendant lawsuits, as opposed to suing the Doe defendants individually. When you take other cases in the same district into account, this amount is closer to $100,000. (The court notes that this approaches millions when the suits nationwide are considered.)
6. Don’t try to take the moral high-ground, porn plaintiffs:
In its papers, counsel for K-Beech equate its difficulties with alleged piracy of its adult films with those faced by the producers of the Harry Potter books, Beatles songs and Microsoft software, and compare its efforts to collect from alleged infringers of its rights to the efforts of the FBI to combat child pornography. In an ironic turn, the purveyors of such works as “Gang Bang Virgins,” explain how its efforts in this matter will help empower parents to prevent minors from watching “movies that are not age appropriate.” . . . It is difficult to accord plaintiff, which features “Teen” pornography on its website, the moral high-ground in this regard.
__
Ouch. As mentioned above, the court dismisses K-Beech’s lawsuit sua sponte in its entirety. The dismissal is without prejudice, but K-Beech should think twice about filing another file-sharing lawsuit in New York. The other plaintiffs can pursue cases against defendants on an individual basis (they must file separately), and the Does (other than unlucky Doe No. 1) are dismissed from the three lawsuits. The court appears open to appointing counsel from its pro bono panel for Doe No. 1 (and I’m guessing future Doe defendants).
There are a slew of these lawsuits pending around the country so it’s tough to say anything definitive, but courts certainly seem to be reaching the boiling point with bittorrent plaintiffs (the abusive litigation tactics don’t help). Check out the TorrentLawyer blog for a few recent examples:
- Malibu Media, LLC cases go down in FLAMES in Virginia
- THIRD DEGREE FILMS, INC. attorney perhaps facing a THIRD DEGREE FELONY
Also, as a follow up to the case in New York, Twitter user "fightcopyrighttrolls" reports on what seems to be an inexplicable strategic decision by lawyers for one of the plaintiffs in this case.
[A note to lawyers: judges compare notes, directly or indirectly.]
Other coverage:
Ars Technica: Furious judge decries "blizzard" of copyright troll lawsuits
Torrent-Freak: Judge: An IP-Address Doesn’t Identify a Person (or BitTorrent Pirate)
Previous posts:
Court Nukes Another Mass Defendant File-Sharing Lawsuit -- Digiprotect v. Does
Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does
Posted by Venkat at 09:48 AM | Copyright, Privacy/Security
May 10, 2012
An Unmasking Effort Gets Gutted Some More – Art of Living Foundation v. Does
[Post by Venkat Balasubramani]
Art of Living Foundation v. Does, 10-cv-05022-LHK (N.D. Cal.; May 1, 2012)
I posted earlier about the Art of Living Foundation’s (AOLF) efforts to unmask online critics (posting pseudonymously as ‘Skywalker’ and ‘Klim’). In early rulings, the court rebuffed AOLF’s efforts. AOLF originally brought defamation and trade secrets claims. The court held that any allegedly defamatory statements were protected opinion, and that AOLF failed to identify trade secrets with particularity. The court also stayed discovery of defendants’ identities, finding that the balance of equities favored the preservation of anonymity. (Here's my prior blog post on the case: "Spiritual Group's Attempt to Unmask Online Critics Goes South.")
AOLF filed an amended complaint, dropping the defamation claims but adding claims for copyright infringement. The amendment also specified the allegedly misappropriated trade secrets. With respect to the copyright claim, AOLF alleged that republication of certain “lesson plans” by the Doe defendants constituted copyright infringement and misappropriation of trade secrets.
In a further development in this lawsuit, the court granted the Does’ request to dismiss the copyright claims. The trade secrets claims largely survive, although the court notes that they aren’t the strongest.
Copyright claims: AOLF did not present any evidence that one of the two defendants was involved in any way in republishing the lesson plans, or related notes, so this defendant (Klim) is awarded summary judgment. Skywalker, the second Doe defendant, admitted to posting the text of the lesson plans on his blog. Although he wasn’t entitled to summary judgment on the same basis as Klim, he challenged AOLF’s ownership of the copyrights at issue.
The court finds that the registration certificate presented by AOLF was not prima facie evidence of ownership (because the registration was obtained more than five years after publication). The court goes on to find that the AOLF entity that brought the copyright claim was not the owner of the copyrighted material. There’s an Indian AOLF entity, and one of the declarations let slip that the lesson plans at issue were created “for the benefit of the Art of Living Foundation in India with the understanding that the Art of Living Foundation in India would own [all of the rights to the lesson plan].”
AOLF (US) also tried to argue that the Indian entity assigned the copyright to the US entity, but AOLF (US) failed to produce any written record of an assignment, or even evidence that such a writing existed. Even a confirming email would have been plenty, but for whatever reason AOLF (US) was unable to muster evidence on this point.
Trade secrets claims: Defendants continue to batter away at AOLF’s trade secrets, but the court finds that AOLF made the minimal necessary showing that its teaching methods: (1) have independent economic value and are not generally available; and (2) are the subject of reasonable confidentiality restrictions. In particular, AOLF came forward with evidence that although the teaching methods were drawn on “conventional concepts and terminology of Hindu mysticism,” AOLF “incorporate[d] many additional and novel elements.” With respect to confidentiality, AOLF alleged that it required its teachers to sign confidentiality agreements. Although the court expresses some skepticism about the overall merits of AOLF’s trade secrets claims, those claims are sufficient to move forward at this time. However, the court does include language in its order inviting defendants to move for summary judgment on the issue of whether AOLF’s information is truly a trade secret, or indistinguishable from general knowledge of the public or those skilled in the relevant field. The court also raps AOLF on the knuckles for trying to take a third bite at the designation of trade secrets apple. AOLF already submitted an amended designation of trade secrets and sought to amend this designation again. The court says that although it will allow the amendment, this is the last time (“the court puts [AOLF] on notice that this is its final opportunity to amend its trade secret designation with particularity”).
The court also grants the motion to strike as to Klim, finding that AOLF put forth no evidence that Klim was involved in any way in the alleged dissemination of AOLF trade secrets.
SLAPP fees: Finally, the court grants defendants' request for fees as to the defamation/trade libel claim. Although AOLF amended its complaint and dropped the defamation and trade libel claims, there was no evidence that AOLF achieved its goals with respect to these claims through other means. AOLF’s amendment of its complaint to exclude the defamation and trade libel claims was “tantamount to a voluntary dismissal.” (Defendants brought a motion to dismiss and a motion to strike and the court earlier granted the motion to dismiss but declined to reach the merits of the motion to strike.) End result: defendants can seek fees for dismissal of the defamation and trade libel claims.
_____
This is another example of how things can go wrong when someone tries to squelch speech online. Granted, in countless other cases, these types of claims would have resulted in default judgments without anyone batting an eye, but the Does were represented by counsel (and both Public Citizen and EFF appeared as amici). As a result, the balance of power changed significantly. (It also helps to have a thoughtful judge—in this case Judge Koh—who takes a close look at the issues and seems mindful of the speech implications of the judge's rulings.)
It’s interesting that AOLF’s efforts to unmask the Does were premised in part on AOLF’s copyright claims. These turned out to be insufficient at the end of the day. Courts routinely grant requests to unmask Doe defendants when copyright claims are involved, but this ruling is a reminder that judges should take a close look at those requests, even when the other side may not be represented by counsel. For another example, see Maximized Living v. Google.
Finally, the court’s order makes a reference to how many times the webpages containing the alleged trade secrets were viewed: 147 and 351 in July and August 2010, respectively (before the pages were removed in response to a takedown request sent to WordPress). Given the cloud around AOLF’s copyrights and the multiple entities involved (the takedown request was sent from Vyakti Vikas Kendra India), one wonders about the propriety of the takedown requests. But setting this aside, these statistics raise the question of whether AOLF’s significant expenditure of fees to squelch criticism of it was even remotely worth it. (I would be shocked if their answer today was “yes”.) Compare Pitale v. Holstine.
Given the court’s ruling on the fees issue, and its hints around the strength of AOLF’s trade secrets claims, this case should quickly head towards a settlement. The big question is whether everyone will just go their separate ways, or if AOLF will be writing a check to the Does (or their counsel).
Posted by Venkat at 01:37 PM | Content Regulation, Copyright, Privacy/Security, Trade Secrets
May 03, 2012
Comments on the Ninth Circuit's En Banc Ruling in U.S. v. Nosal
[Post by Venkat Balasubramani, with comments from Eric]
US v. Nosal, 2012 WL 1176119 (9th Cir. Apr. 10, 2012)
Nosal was a Korn/Ferry employee who, after his departure, convinced some remaining employees to provide him with confidential information to help him start a competing business. Employees were authorized to access the company's network and information on it, but they were prohibited by the employer’s policy from disclosing confidential information. The key question was whether the employees “exceeded their authorized access,” and whether their access and use of the information constituted a criminal violation of the Computer Fraud and Abuse Act.
The Ninth Circuit took the case en banc. In a typically clear and emphatic Judge Kozinski opinion, the Ninth Circuit says that exceeding authorized access to an employer's network does not support a conviction under the CFAA. (Judge Silverman's dissenting opinion is worth checking out as well.) The key distinction is whether the employees accessed data or information that they were totally prohibited from accessing, or whether they misused information that they were otherwise authorized to access. The first scenario supports a CFAA violation, but the second does not.
The parties wrangle over the statute’s wording and construction, and the court sides in favor of the defendant with respect to these arguments. The court notes that the government’s interpretation of the statute would transform everyday online “dalliances,” which arguably violate employer policies by using networks for non-“business purposes,” into federal crimes:
What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii?
What swayed the court is that the government’s construction of the statute would expand the scope of the statute far beyond its intended purpose—hacking—and would “make criminals of large groups of people who would have limited reason to suspect that they are committing a federal crime.” Who might these people be? You and me, and every other person who surfs countless websites arguably in technical violation of the applicable terms of service. We use sites that are subject to terms of service but these terms of service are, as the court notes, “vague and generally unknown.” We routinely violate those terms of service:
Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.
Moreover, websites reserve the right to change terms of service “at any time and without notice.” This means that any use of a website in violation of the terms--that the user may not even have knowledge of--could constitute a federal crime. The court cites to the terms of service of various websites, including Facebook, craigslist, Twitter, Hulu, YouTube, Match.com, Netflix, Pandora, just to name a few. The government came back and said that it would be unlikely that any user would be prosecuted for these violations, but the court cites to US v. Drew and says that if the government has a reason to go after you, its interpretation of the statute allows it to do so.
The day after the Ninth Circuit's ruling in Nosal, the Second Circuit released its opinion in U.S. v. Aleynikov, explaining its rationale for setting aside Aleynikov's conviction under the National Stolen Property Act and the Economic Espionage Act of 1996. Aleynikov was a highly paid programmer who worked for Goldman Sachs. He was lured away by a competing business to develop the competing business's high frequency trading system. Prior to leaving Goldman, he transferred a chunk of the source code that he had developed while at Goldman. The Second Circuit sets aside his conviction, finding that source code alone is not a "product" for purposes of the EEA or a "good, ware, or merchandise" for purposes of the NSPA. Interestingly, Aleynikov was charged with a CFAA violation but the district court dismissed it, relying in part on Brekka. With respect to the CFAA claim, the district court said that because Aleynikov was authorized to access the source code at the time he accessed it, his subsequent misuse is not enough to support a CFAA charge. As it turns out, the government's attempted workarounds to the CFAA (the NSPA and EEA charges) were no more availing.
__
The Ninth Circuit's Nosal ruling is a big loss for employers, who in recent years have been pushing Computer Fraud and Abuse Act claims in the employment context. The court cites to Lee v. PMSI in a footnote, but there have been countless others. (Prior blog post on this topic: “No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI.”) It’s also a big loss for networks who will have a tougher time policing access based on terms of service violations. Facebook most recently went after Power Networks, and although it proceeded under California’s anti-hacking statute, this decision may affect similar lawsuits in the future. (The two statutes are not identical and it’s unclear as to whether a network could prohibit scraping or other unauthorized access.)
There's a key question left somewhat open by the court's opinion. If a network imposes use restrictions and says that users who access the network for improper purposes are not authorized to use the network at all (e.g., "if you provide false information when you register for an account, you are not authorized to access our service" or "you may not access our service via bots or other automated means"), does Nosal leave open the possibility of a CFAA violation in this context? Nosal (and LVRC v. Brekka, an earlier Ninth Circuit case) do not appear to preclude this approach.
The Ninth Circuit's approach here diverges from the approaches of other circuit courts. I don't have a sense of whether this is a good candidate for Supreme Court review, but that's a possibility. For what it's worth, there's a draft bill currently pending to "fix" the CFAA. Check out this post from Jennifer Granick as to why the fixes won't be much of a fix: "Draft Bill to "Fix" CFAA Won't."
What steps can employers take post-Nosal? I'd consider the following: (1) make employee policies as explicit as possible, and don't rely on vague notions of fiduciary duties; (2) impose access restrictions that govern the means of access; and (3) password-protect stuff that is truly a trade secret and make it available only on a need-to-know basis. Even these steps don't guarantee a solid foundation for a CFAA claim. At the end of the day, it may be worth looking to other means of protecting your confidential information and restricting competition by employees.
Prior post:
Other coverage:
* EFF (press release): Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime
* Jeff Neuburger: Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense
* Kim Zetter: Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case
* David Kravets: Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker
______
Eric's Comments
Judge Kozinski's opinion was highly entertaining (as usual) and full of pragmatic realpolitik, but I disagree with Venkat that the opinion was clear. In fact, I remain quite confused by the opinion and what it means for the CFAA. Among the questions I can't confidently answer after the opinion:
* does the en banc court's definitional interpretation apply to both civil and criminal CFAA claims, or just criminal prosecutions? There are some reasons to believe the court's opinion would support reading the language the same in civil and criminal contexts. The court says: "Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute." Plus, a number of cases endorsed by the majority are civil. However, the majority never clarifies this point, and there is some reason to believe the results aren't 100% extensible to civil cases. For example, the majority opinion repeatedly hammers on CFAA criminality interpretation problems and gives examples of ridiculous CFAA crimes (and doesn't give any countervailing examples of a CFAA civil case). The majority also concludes that criminal prosecutions turn on lenity, a consideration that wouldn't apply in the civil context. Finally, the Lori Drew court treated civil and criminal CFAA suits differently, so arguably that distinction could still crop up in other cases.
* as noted by Venkat, if a company policy says "we condition your access to our network on you not doing XYZ with any data you subsequently acquire," has the company drafted its way around the holding? This workaround should be too facile, but the majority opinion possibly sets up this bypass.
* how can a network operator properly communicate any limits of third party access to their networks? Historically, websites could delimit access for CFAA purposes via "terms of use" that were "browsewraps," i.e., pages that users weren't required to see in order to access the site. The majority's result doesn't depend on terms placement, but it uses some examples of non-clickthrough terms that it seemingly treats as binding. (e.g., "Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice."). In light of its ruling, perhaps terms of use never can delimit server access, so placement of terms is irrelevant, i.e., even if the contract is presented as a clickthrough, it will be irrelevant to the CFAA analysis. But if that's the case, then the opinion has virtually eviscerated all civil CFAA claims in the Ninth Circuit--a good result IMO, but a perhaps unnecessarily overreaching one.
Obviously, future litigation will give us the answers to these questions. But it would have been better if the majority opinion had been clear enough to prevent the sorting-out process that will take place over the next couple of years.
Even with all of its ambiguities, I think the majority reaches a favorable policy outcome, and I for one would love to see the CFAA scale back its scope substantially. That isn't going to happen. The CFAA is one of the statutes Congress keeps "improving" as part of its wars on terror and cybersecurity, so I wonder if this opinion's result will survive Congress' next ham-fisted amendment of the CFAA.
Posted by Venkat at 12:02 PM | Licensing/Contracts , Privacy/Security , Trespass to Chattels
May 01, 2012
New Essay: The Irony of Privacy Class Action Lawsuits
By Eric Goldman
I’ve posted a new essay to SSRN titled The Irony of Privacy Class Action Lawsuits. It should be published later this year in the Journal of Telecommunications and High Technology Law at University of Colorado. The essay comes out of a panel discussion we had at Colorado Law in December on the Economics of Privacy. The version I’ve posted is still in draft form, so I should be able to make some changes. I welcome your comments.
The essay issues a challenge to privacy advocates who support enforcement of privacy violations via class action lawsuits. I argue that the structure of class action lawsuits contains a number of attributes that privacy advocates consider bad business practices, such as requiring consumers to opt-out and providing inadequate notice-and-choice. Privacy advocates’ reaction to the essay has almost universally been “D’oh!” However, I don’t think the irony (or, at least, my explication of it) is compelling enough to persuade privacy advocates to strike class action enforcement from their toolkit.
More generally, the essay suggests that there may be value to more closely examining the various enforcement institutions for privacy violations. Comparative enforcement institution analysis is a perennial topic in consumer/advertising law (and many other disciplines, I’m sure). Yet, I’m not aware of the institutional competence issue getting a lot of attention in the privacy scholarship, which is surprising given the vast volume of privacy scholarship. If I’ve missed something, please let me know.
The essay is a quick read, and one reader called the ironies "delicious." I hope you’ll check it out.
_______
The abstract:
In the past few years, publicized privacy violations have regularly spawned class action lawsuits in the United States, even when the company made a good faith mistake and no victim suffered any quantifiable harm. Privacy advocates often cheer these lawsuits because they generally favor vigorous enforcement of privacy violations, but this essay encourages privacy advocates to reconsider their support for privacy class action litigation. By its nature, class action litigation uses tactics that privacy advocates disavow. Thus, using class action litigation to remediate privacy violations proves to be unintentionally ironic.
Posted by Eric at 09:00 AM | Privacy/Security | TrackBack
April 24, 2012
Court Orders Disclosure of Psychic Chat Records in Retaliation Case – Glazer v. Fireman’s Fund
[Post by Venkat Balasubramani]
Glazer v. Fireman's Fund Ins. Co., 11 Civ. 4374 (PGG) (FM) (S.D.N.Y.; Apr. 4, 2012). The complaint.
Glazer (her LinkedIn page) sued Fireman’s Fund Insurance, alleging that Fireman’s Fund retaliated against her because she complained about “discrimination against non-African Americans.” Fireman’s Fund found out that Glazer had consulted with various psychics through LivePerson’s “on-line and professional consulting services” platform. It requested disclosure of the chat records from LivePerson, after Glazer said she could no longer access them.
LivePerson objected on the basis that Glazer could produce the documents herself and had agreed to do so. Glazer says that she closed her account and her old chats were inaccessible. At the discovery conference, LivePerson says that if Glazer were to open up a new account, all of her previous chats would be available to her (minus the chats that she was unable to pay for, which a LivePerson staff person could access).
The court notes the lurking Stored Communications Act issue, under which LivePerson may either be the provider of an “electronic communications service” or a “remote computing service” (citing, among other cases, Crispin v. Audigier and Theofel v. Farey-Jones). The court also flags the issue of whether LivePerson’s privacy policy bars or authorizes disclosure. The court says that LivePerson’s policies are inconsistent. The terms of service say that information transmitted through LivePerson.com is not confidential and that LivePerson is granted a license to reproduce and “publicly perform” this information. But LivePerson's privacy policy also says that member-expert communications will remain “confidential, personal, and private” unless both parties to the communications agree to disclosure.
Ultimately, the court says that the Stored Communications Act and privacy policy issues are irrelevant:
[t]he Court need not determine whether Glazer’s communications are electronically stored, or whether Glazer consented to the disclosure of her LivePerson chats by agreeing to the Terms and Conditions, because it may simply direct that she consent to disclosure if the chats are likely to contain information relevant to this case. [citing Romano v. Steelcase, among other cases]
The court orders Glazer to open a new LivePerson account, retrieve all available chat transcripts and produce them to Fireman’s Fund. In addition to the paid chats, Fireman’s Fund also argued for disclosure of free chats, and the court says Glazer should try to retrieve these as well. To the extent she cannot, the court directs Glazer to execute a consent form so LivePerson can retrieve the chats. The court also orders disclosure of LivePerson’s billing records for Glazer, which Glazer will be able to access when she opens a new account. Finally, Fireman’s Fund asked for any documents relating to chats between Glazer and psychics through sites other than LivePerson, including some that Fireman’s Fund says occurred as late as January 2012. The court says that these records will be cumulative.
__
Psychics make me think of the online harassment case Eric blogged about a couple of weeks ago: “What Do Soymilk and Nutella Have to Do With an Online Harassment Case?--Taylor v. Texas.” As in that case, the outcome here makes you question the efficacy of the psychics in question: one wonders why the psychics didn’t advise Glazer about the possibility of disclosure of the chats to Fireman’s Fund. I guess the psychics must have told Glazer that her litigation prospects were good; otherwise Glazer wouldn't be in court.
Glazer committed a classic miscue for employee-plaintiffs—she engaged in discussions regarding her dispute through her work email account. If not for this, Fireman’s Fund may not have ever found out about the chats in question. (Note to prospective employment plaintiffs: if there is even a whiff of a dispute with your employer, you should engage in all third-party communications through your own personal email accounts, on your own time, and off your employer's network.)
The court says that a party can be compelled to produce information that is protected from third party disclosure under the Stored Communications Act. This sounds like the right result, although this court, like the others that have addressed this issue, does not delve into the details. It's good to see that the court did not require Glazer to turn over her passwords or log-in credentials to Fireman's Fund. Other courts have taken this approach, ignoring the obvious dangers presented by allowing a litigant to freely rummage around in their opponent's Facebook account. (A recent decision in a New York worker's comp case found that postings on a firefighter's Facebook page were relevant to his claim of damages: Loparcaro v. City of New York. The court in that case took a similar approach and ordered the plaintiff to turn over copies of the relevant Facebook postings to the court so the court could assess privilege and relevance issues. Here's the Justia link to the court's order in that case.)
In the meantime, this case is a good reminder that your online communications are not off-limits and that you probably cannot take refuge in the protections of the Stored Communications Act . . . even if you are engaged in chats with psychics!
[NB: the court notes that LivePerson offered chats with lawyers but there was no evidence that Glazer had engaged in chats with lawyers via LivePerson.]
Additional coverage:
Bow Tie Law's Blog: Psychic Discovery
Previous posts:
Courts Continue to Grapple with Discovery Disputes Around Social Networking Evidence
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
Posted by Venkat at 10:50 AM | Evidence/Discovery , Privacy/Security
April 07, 2012
Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.
[Post by Venkat Balasubramani]
Hoang v. Amazon.com, Inc. & IMDB.com, Inc., C11-1709MJP (W.D. Wash.; Mar. 30, 2012)
Hoang sued IMDB, alleging that IMDB took information she provided when she paid for her subscription and used this information to derive her birthdate. She alleges IMDB then added her birthdate to her public profile and declined to remove it despite her request. She asserts claims for breach of contract and fraud, along with claims under the Washington Privacy Act and the Washington Consumer Protection Act. (She initially filed a Doe lawsuit and argued that she should be able to proceed pseudonymously, but the court rejected this request. See coverage from Matthew Belloni here: "Actress Suing IMDB Reveals Her Real Name.")
Breach of contract: The court declines to dismiss Hoang’s breach of contract claim, finding that statements in IMDB’s privacy policy could support a claim for breach of contract. What tripped up IMDB? Flowery language in its privacy policy saying that it would use customer information “carefully and sensibly.” While there was a section of the policy which informed users what the information would be used for, it did not encompass the use of information for targeting or using the information provided by customers to obtain other information about them:
You can choose not to provide certain information, but then you might not be able to take advantage of many of our features . . . . IMDB uses the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.
Remaining claims: The remaining claims are largely nuked, with one big exception. The court says that Hoang fails to identify any fraudulent statements, and her broad claims about IMDB’s misuse of her information are not sufficient to state a fraud claim. Her claim under the Washington Privacy Act fails as well because this statute covers the interception or recordation of private communications, and Hoang failed to identify any communications intercepted or recorded by IMDB. The one surviving claim that could turn into a problem for IMDB is the claim under Washington's Consumer Protection Act. This allows Hoang to ask for treble damages plus injunctive relief (which may be something IMDB is more worried about).
Quick thoughts:
* Re-identification is risky behavior for companies.
* Finally, a privacy plaintiff who does not have an Article III standing problem! Her damages may not seem like they are the easiest to prove and they may not be astronomical. However, she clearly gets past the Article III hurdle, and if she can get in front of a jury and argue that big bad IMDB (Amazon) played fast and loose with her information, and failed to remove it upon her request, she may find a sympathetic audience.
* Flowery privacy policy language that comes back to haunt a company. This has happened time and time again, and this case is yet another example of a court or agency latching on to flowery language to find an obligation with respect to the use of information. Twitter's language about its security practices came back to haunt it when it was investigated by the FTC: "The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?" Language in RockYou's policy both supported a breach of contract claim and was cited by the FTC in an enforcement action (which recently settled).
* Here's the million dollar question: does Hoang's breach of contract claim require her to show that IMDB obtained information and caused her harm by publicly attaching this information to her profile, or would she have a claim merely based on IMDB's use of her information in a way that is not described in IMDB's privacy policy? The court does not address this issue since Hoang alleged that IMDB's public use of her information harmed her. Could Hoang argue that IMDB's contractual promises restricted IMDB from using the information she provided as part of the subscription process for any purpose other than processing payment (say, by barring its use for direct marketing or targeting)? I'm guessing not: this would be a somewhat far-reaching argument, and it would run squarely into the Article III problem.
[It's also worth noting that IMDB did not try to force Hoang to arbitrate her claims. IMDB's terms do not contain an arbitration provision. I'm guessing they will consider adding one soon.]
Other coverage:
Eriq Gardner: "Judge Allows Actress Suing IMDb Over Age Revelation to Go Forward on Lawsuit"
Posted by Venkat at 01:24 PM | Licensing/Contracts , Privacy/Security
April 03, 2012
Data Security Breach Settlement Class of 130M Individuals Has 11 Claimants (at a Cost of $160k Per)--In re Heartland Payment Systems
By Eric Goldman
In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2012 WL 948365 (S.D. Tex. March 20, 2012). The settlement website.
[Note: I know that many big-scale class action lawsuits have similarly mockable numbers. But I thought the obvious dysfunction of this litigation was still worth deconstructing.]
At some point, I think all of those in the information security litigation industry (both plaintiff and defense) have to ask themselves--am I part of the solution, or part of the problem? I wonder that question even more after seeing the enormous transaction costs in providing de minimis relief in a case like this. Guys, what are we doing here?
Heartland is a payment-card processor. In 2007, it got hacked. The hackers got 130M credit card numbers and expiration dates, plus some cardholder names, but they didn't get mailing addresses, so the credit card numbers couldn't be used online. Heartland publicly announced the hack in 2009. Heartland preliminarily settled the lawsuits by promising to pay at least $1M to verified victims or (if not enough claims were made) to "non-profit organization(s) dedicated to the protection of consumers' privacy rights, with emphasis on advancing the implementation of end-to-end encryption of payment card authorization transactions or similar security enhancements." The named organizations are Smart Card Alliance, the Secure POS Vendor Alliance, and the Financial Services Information Sharing Analysis Center.
For sending a settlement notice, Heartland couldn't provide individual addresses because it's a payment processor, not an issuing bank. Nevertheless, advertising about the settlement allegedly "reached at least 81.4% of potential Settlement Class Members an estimated 2.5 times."
Class members tendered 290 claims, of which "Heartland estimated that perhaps 11 of those claims were valid." At a maximum payout of $175, the maximum amount of cash going to class members is less than $2k. Accordingly, effectively all of the $1M is going to cy pres, not class members. To be clear, Heartland was paying cold hard cash to affected consumers instead of issuing a coupon, but the response rates were worse than typical coupon settlements--by my math (11 valid claims out of 130M class members), a 0.00000846153846153846% response rate.
The opinion indicates Heartland spent $1.5M to advertise the settlement. Thus, it appears they spent over $130,000 to generate each legitimate claim. Surprisingly, the court blithely treats the $1.5M expenditure as a cost of doing business, but I can't wrap my head around it. What an obscene waste of money! Add in the $270k spent on claims administration, and it appears that the parties spent $160k per legitimate claimant. The court isn't bothered by the $270k expenses either, even though that cost about $1k per tendered claim (remember, there were 290 total claims).
Now, there are a lot of possible explanations why there was such a low response rate: maybe the hackers didn't actually capture any useful data; maybe the hackers didn't misuse the data they got; maybe the credit card companies' fraud detection systems screened out any bogus charges; maybe consumers never noticed bogus charges; maybe consumers did notice bogus charges but never saw the news about the settlement; maybe the hassle of pursuing the settlement wasn't worth the payoff or consumers couldn't figure out how to tender their claims. But whatever happened, neither plaintiffs' counsel nor anyone cheering for more information security enforcement can be particularly impressed by the minuscule response rate. It's a pretty good indicator of at least one deep structural problem with this litigation.
The court makes plaintiffs' counsel take a small haircut for their failure to deliver real value to the class. The parties had computed an attorneys' fee payoff of $725k predicated on a settlement value of $4.85M. After discounting the case value due to the cy pres payments, the court adjusts the attorneys' fee award down to a little over $600k. Still, the plaintiffs' counsel claimed they spent less than 2,000 hours on the case, so they got about $300 per average hour spent on the case--a pretty good overall rate when considering the number surely includes a good number of cheap junior associates and paralegals.
I have a forthcoming paper on privacy class action lawsuits (I'll be posting it soon) that will explicate some serious problems with class actions as a way of remediating privacy breaches. I carved out security breach litigation from the paper, but a case like this makes me wonder what in the world we're doing. As I discuss in my forthcoming paper, maybe the greater social ends justify the means, but examined in isolation, this mechanism looks horrible. In the end, to pay out $2k of actual relief to 11 people, Heartland paid over $2M in attorneys' fees and other transaction costs. Surely I'm not the only one bothered by this...am I?
Posted by Eric at 12:16 PM | Privacy/Security | TrackBack
March 31, 2012
Lawsuit Against Google for Putting Search Queries in Referral URLs Moves Forward – Gaos v. Google
By Venkat Balasubramani with comments from Eric
Gaos v. Google, 5:10-CV 4809 (N.D. Cal.; Mar. 29, 2012)
Gaos sued Google based on the theory that: (1) Google allows website owners (and third parties) to see what search terms a user inputted, because the search query is carried in the referral URL that the browser sends to the clicked-on site; and (2) through “reidentification,” search terms could be linked with a user’s identity. Chief Judge Ware granted Google’s motion to dismiss on Article III standing grounds in April 2011. Gaos filed an amended complaint, alleging claims under the Stored Communications Act and a variety of state law claims. (Here’s a link to the Amended Complaint.) In the interim, the case got reassigned to Judge Davila.
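The mechanism Gaos complains of, shown as an added example (this is not code from the original post, from Google, or from the court record): a publisher-side function that pulls the search query out of an incoming Referer value, and a simplified model of the W3C Referrer Policy rules that decide whether a browser sends the full results-page URL, only its origin, or nothing at all when a searcher clicks through. The engine hostnames, query parameter names and all URLs are assumptions constructed for the example.

```javascript
// Added example, not code from the blog post or from Google: how a search
// query leaks to a publisher through the HTTP Referer header, and what the
// browser's Referrer-Policy rules (a simplified model of the W3C Referrer
// Policy spec) do to that header. Runs under Node.js with the built-in
// WHATWG URL class; every URL below is constructed for illustration.

// Engines whose query rides in a well-known URL parameter. The host and
// parameter names are assumptions for this example, not an authoritative list.
const SEARCH_QUERY_PARAMS = {
  'www.google.com': 'q',
  'www.bing.com': 'q',
  'search.yahoo.com': 'p',
};

// What a publisher's web server can recover from an incoming Referer value:
// the search query, if the referrer is a known engine's results page.
function queryFromReferrer(referrer) {
  if (!referrer) return null;
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  const param = SEARCH_QUERY_PARAMS[url.hostname];
  if (!param) return null;
  return url.searchParams.get(param); // decodes %xx and turns '+' into spaces
}

// Simplified model of the Referer a browser sends when navigating from
// `from` to `to` under a given referrer policy. Fragments and credentials are
// never sent; a "downgrade" is an HTTPS page linking to an HTTP page.
function referrerFor(from, to, policy = 'no-referrer-when-downgrade') {
  const src = new URL(from);
  const dst = new URL(to);
  const full = src.origin + src.pathname + src.search;
  const originOnly = src.origin + '/';
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':                return '';
    case 'unsafe-url':                 return full;
    case 'no-referrer-when-downgrade': return downgrade ? '' : full;
    case 'same-origin':                return sameOrigin ? full : '';
    case 'origin':                     return originOnly;
    case 'strict-origin':              return downgrade ? '' : originOnly;
    case 'origin-when-cross-origin':   return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? '' : originOnly;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// End to end: which query, if any, the publisher at `to` learns from a click
// on the results page `from` under `policy` (null means nothing leaked).
function leakedQuery(from, to, policy) {
  return queryFromReferrer(referrerFor(from, to, policy));
}

// Constructed sample URLs (the query text is made up).
const RESULTS_HTTP = 'http://www.google.com/search?q=jane+doe+family&hl=en';
const RESULTS_HTTPS = 'https://www.google.com/search?q=jane+doe+family&hl=en';
const PUBLISHER_HTTP = 'http://publisher.example/article';
const PUBLISHER_HTTPS = 'https://publisher.example/article';

// Four scenarios: plain HTTP search leaks; HTTPS search clicking to an HTTP
// publisher sends no Referer under the legacy default; HTTPS to HTTPS leaks
// again unless the engine tightens its policy to 'origin'.
function demo() {
  return {
    httpToHttp: leakedQuery(RESULTS_HTTP, PUBLISHER_HTTP),
    httpsToHttp: leakedQuery(RESULTS_HTTPS, PUBLISHER_HTTP),
    httpsToHttps: leakedQuery(RESULTS_HTTPS, PUBLISHER_HTTPS),
    httpsToHttpsOriginOnly: leakedQuery(RESULTS_HTTPS, PUBLISHER_HTTPS, 'origin'),
  };
}

console.log(demo());
```

The point for a practitioner: the leak lives in the browser's default behaviour, not in anything the publisher does, so the fix has to come from the page that holds the query (the engine) via a tighter referrer policy or a redirect page whose URL carries no query. Serving search over HTTPS alone only helps for clicks to HTTP publishers under the old `no-referrer-when-downgrade` default; today's browsers default to `strict-origin-when-cross-origin`, which trims cross-origin referrers to the origin regardless of scheme.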
State law claims: As to the state law claims, the court again says that Gaos lacks Article III standing. She alleges only that she searched for her own name and her family names. In contrast to the allegations in Does v. AOL (the “search Valdez” case) where AOL released sensitive information—such as bank account information and social security numbers—in search queries, disclosure of Gaos’s search queries to third parties will not cause her harm. Although the court grants Google’s motion to dismiss, it grants Gaos leave to amend a second time.
Stored Communications Act claims: As to the Stored Communications Act claim, the court says that she does not need to allege any actual injury other than a violation of the statute: “injury required by Article III . . . can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.” The court does not reach the merits of whether Gaos’s allegations actually state a claim under the Stored Communications Act, finding that Google’s motion “[did] not place this . . . issue before the court.” (The court cites to Fraley v. Facebook and In re Facebook Privacy Litigation and notes that the fact that Gaos has standing is distinct from whether she has stated a claim.) Instead, the court focuses on whether Gaos corrected the deficiencies identified by Judge Ware in his initial dismissal order, which found Gaos’s initial allegations conclusory in nature. The court says that Gaos corrected these deficiencies by alleging what particular search queries Google improperly disclosed.
__
Yikes, this is not an optimal result for Google to say the least. A dismissal of the Stored Communications Act claims on Article III grounds would have avoided the question of whether search queries are covered under the SCA, whether Google’s disclosure amounts to a violation, and Google’s possible defenses based on consent. (Contrast this result with Low v. LinkedIn, where the court grants a dismissal on Article III grounds in another referrer header case against LinkedIn.) I’m not even sure whether Google can challenge the SCA claims until summary judgment. Google will try to whittle away at the lawsuit by attacking it at the class certification stage, but plaintiff has to be pretty happy with this ruling.
A big question is how the Supreme Court’s decision in the Privacy Act case will affect the outcome here, and on this score the outlook is bleak for Gaos and other similar plaintiffs, at least as far as damages go. (See Kash Hill’s post on that case: “Humiliation After A Privacy Invasion Is Not An 'Actual Damage,' Rules Supreme Court.”) It will come down to similarities in statutory language between the two statutes, but I would imagine Google may argue shortly that the Supreme Court’s limitation of “actual damages” to pecuniary or economic harm requires a re-examination of Gaos’s claims for damages. Gaos could still assert claims for injunctive relief, so I’m not sure this will successfully put the brakes on this lawsuit.
________
Eric's Comments
I don't share Venkat's "yikes" reaction to this ruling. It seemed fairly straightforward to me. The court dismissed the bulk of Gaos' lawsuit on Article III standing grounds. This is consistent with the broad trend that most privacy "victims" lack sufficient harm to deserve a day in federal court.
The only claim that didn't get wiped out is the SCA claim, and that's only because Gaos alleged a statutory violation. This court is bound by the Ninth Circuit's opinion in the Edwards v. First American case saying (in a real estate case) that plaintiffs satisfy Article III standing when they allege statutory violations. The Edwards case is on appeal to the US Supreme Court, and based solely on the Ninth Circuit's track record in the Supreme Court, I wouldn't be surprised if the Supreme Court reverses--at which point simply alleging an SCA violation without any further harm won't survive an Article III standing challenge.
I'll also add that the SCA's poor drafting means that no one (including the judges) knows exactly what's covered by the statute, so it's not that surprising to see an SCA claim survive a motion to dismiss. As we know, virtually every privacy lawsuit alleges an ECPA/SCA violation because the statute is so murky that it could apply to anything. Obviously privacy defendants would prefer that ECPA/SCA suits get screened on Article III grounds, which is why the Edwards SCOTUS case is of substantial interest to the Internet community.
As this case proceeds, it's going to fail for a long list of potential defects beyond the ones Venkat mentions, including statute of limitations/laches (after all, search engines have been putting search queries in the referral URL since the 1990s), searchers' consent (based on, say, disclosures in the privacy policy), and Google's "consent" as the presumptive recipient of the "communication" (the SCA lets either sender or recipient disclose the communication without permission from the other party). As Venkat notes, Google didn't raise these defenses yet. When Google advances those defenses, I see this lawsuit as unquestionably doomed--in a mockable kind of way--and the only bummer is that Google will have to spend more money to flatten this suit.
Finally, Google has made some technical changes that, in some cases, restrict its passing of search queries through referral URLs. See Danny Sullivan's writeup of the issue from last Fall. I doubt the lawsuit will get that far, but if it does, I wonder if this development will take the wind out of the sails of any injunctive relief request. Note that while suppressing search queries in referral URLs might enhance individual searcher privacy, the loss of that information to publishers might ultimately degrade the overall ecosystem by hindering publishers' abilities to optimally respond to searchers' interests.
__________
Venkat's Surreply
After reading Eric's comments, I agree that a yikes reaction may not be warranted. Maybe this lawsuit will be swatted away in short order. I'm still curious as to how often the practice (of disclosing search queries in a way that is not sufficiently protective of user identity) occurs and whether Google has done anything to address it on the technical side. It looks like it has. This also raises the issue of whether this was mere inadvertence or something more. Feels like bad timing for bad PR on the privacy front for Google, especially when people may be looking for alternatives.
Posted by Venkat at 09:40 AM | Privacy/Security , Search Engines
March 25, 2012
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information--Sterk v. Redbox
[Post by Venkat Balasubramani]
Sterk v. Redbox Automated Retail, LLC, No. 12-8002 (7th Cir. March 6, 2012)
The Video Privacy Protection Act prohibits the disclosure of individuals' videotape viewing habits. The statute also contains a provision requiring “providers” to purge any covered information within certain time periods (one year from when the information is no longer required for the purpose for which it was collected). Class action lawyers sharpened their knives and came after videotape service providers—in this case Redbox—arguing that Redbox did not purge the information as required under the VPPA. Redbox moved to dismiss on the basis that the provision of the statute requiring records to be purged did not provide for a private cause of action. The district court disagreed and denied Redbox’s motion to dismiss. (Here is my earlier blog post on the case: "Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records.") Redbox filed an interlocutory appeal, and with lightning fast speed, the Seventh Circuit reversed the district court (the appeal was submitted on January 24, 2012 and the Seventh Circuit issued its order on March 6, 2012).
After slamming the VPPA drafters for sloppy drafting, the Seventh Circuit concludes that the overall statutory structure indicates that there is no private cause of action in this case. The court says the section which provides a civil cause of action appears immediately following the section which prohibits the disclosure of records and this indicates that the civil cause of action was intended to apply only to the section barring disclosure of records. Also, one of the subsections deals with the acceptance of videotape rental evidence; if the statute provides for a civil cause of action for a violation of all of the subsections (not just the subsection prohibiting disclosure), this would mean that a litigant would have a cause of action against a court for improperly receiving videotape rental records as evidence. (The district court focused on the statute's use of the word "section" as opposed to "sub-section" but Judge Posner is as dismissive of the district court's interpretation as he is of the drafters of the VPPA.)
In addition to the overall statutory structure, the court also highlights that there is no harm from wrongful retention:
Nor would it make a lot of sense to award damages for a violation of the requirement of timely destruction of personally identifiable information, in subsection (e)—the specific issue presented by this appeal. How could there be injury, unless the information, not having been destroyed, were disclosed? If, though not timely destroyed, it remained secreted in the video service provider’s files until it was destroyed, there would be no injury.
In Judge Posner's view, this is a terrible case for statutory damages in the absence of any actual injury. While other courts have held that plaintiffs proceeding under the Driver’s Privacy Protection Act need not prove actual damages in order to be entitled to statutory damages, these decisions involve “unlawful appropriation of private personal information.” Statutory damages would make sense in the event a service provider improperly disclosed the information, but according to Judge Posner, it doesn’t make much sense for the wrongful retention of information:
The injury inflicted by such a failure is enormously attenuated, and it would be no surprise if Congress had decided—as the placement of the damages section suggests—not to provide a damages remedy, let alone a damages remedy requiring no proof of injury.
The court says that plaintiffs aggrieved by a violation of the subsection requiring records to be purged should be able to enforce their rights by requesting an injunction. The court says this is a less “obviously inappropriate” form of relief and one that does not require express Congressional authorization.
__
Ouch. Another example of judicial hostility to claims made by class action privacy plaintiffs, with a focus on damages.
The court also mentions that plaintiffs added a claim for wrongful disclosure, and telegraphs the fact that in the absence of a showing of actual damages, at least this panel would view a claim for damages for violation of subsection (b)(1) (the disclosure provision) with similar skepticism.
Privacy class action plaintiffs have an uphill battle. Between Article III standing, the merits, judicial skepticism towards statutory damages, and I’m guessing a closer look at the private right of action in any newly enacted legislation, I would say that class action payouts for these types of lawsuits based on violations of federal statutes will become rarer than they already are. Were I a privacy activist, I would consider focusing my efforts on individual cases with clearly demonstrable damages, or on lobbying the companies, the public, or the FTC.
Additional coverage:
Digestible Law (Perkins Coie): "Seventh Circuit Limits Scope of Private Rights of Action under the VPPA"
InsidePrivacy: "Seventh Circuit Strikes VPPA Claim for Retention Damages"
THR, Esq. (Eriq Gardner): The Video Privacy Protection Act, or How Not to Write a Law
Posted by Venkat at 02:22 PM | Privacy/Security
March 20, 2012
Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)
By Eric Goldman
Privacy
It was a really busy two months for privacy, and I'm sorry I didn't get to grok a number of these developments in more detail!
* State AGs are unhappy with Google's privacy integration of its services, especially that it doesn't have adequate opt-outs. In fact, every regulator is unhappy about this!
* The White House's Consumer Privacy Bill of Rights
* California AG signs an agreement with various app retailers requiring that the apps they distribute display privacy policies. News.com coverage.
* Browsers are going to incorporate do-not-track options in the software (whatever do-not-track means).
* Fraley v. Facebook, 2012 WL 555071 (N.D. Cal. Feb. 21, 2012) (footnotes omitted):
the court must conclude that Fraley's legitimate desire to protect her privacy does not outweigh the relevance or propriety of Facebook proceeding to take Fraley's deposition. As Fraley herself notes in her declaration, by agreeing to be a class representative, she understood that she would have to participate in discovery and provide testimony. Although the court is sympathetic to Fraley's concerns regarding the scope and intensity of Facebook's likely scrutiny during the course of discovery and particularly in a deposition setting, these are concerns that should have been addressed earlier in the process by Plaintiffs' counsel. Moreover, Plaintiffs have not shown that Facebook's attempts at discovery have been so intrusive or inappropriate, in light of the nature of the litigation and claims at issue, as to require the protection of the court up until this point. In addition, the protective order already in place between the parties is available to Plaintiffs for the specific reason that certain information disclosed during the course of discovery is not appropriate for public dissemination. The fact that other named plaintiffs remain in the case does not render Fraley's testimony concerning her allegations to be any less relevant. If anything, the fact that Fraley may soon be dismissed from the lawsuit makes even more relevant Facebook's discovery into the basis for Fraley's allegations that will be a part of the record in this case. Even if Fraley is dismissed from the case, the court may consider the relevance of her earlier testimony to Facebook's ongoing defense
* In re Facebook Internet Tracking Litigation, 2012 WL 432607 (U.S. Jud. Pan. Mult. Lit. Feb. 8, 2012). Facebook's tracking cases are consolidated in Northern District of California.
* Netflix is paying $9M to settle its Video Privacy Protection Act (VPPA) lawsuit.
* Some interesting work from Jane Yakowitz (incoming law professor at University of Arizona):
- On the EU Data Protection Directive: More Crap From the E.U.
- Jane Yakowitz, Tragedy of the Data Commons, 25 Harv. J.L. & Tech. 1 (Fall 2011). An important reply to Paul Ohm's reidentification paper.
* How
* WSJ: Is Google tracking iPhone users impermissibly? Plaintiffs' lawyers have already filed multiple suits.
* Gaos v. Google, Inc., 2011 WL 7295480 (N.D. Cal. April 7, 2011). This one just came through Westlaw. Court dismissed a privacy lawsuit over Google including search terms in referral URLs on Article III grounds.
* In re Indiana Newspapers Inc., 2012 WL 540796 (Ind. App. Ct. Feb. 21, 2012). "Under our Shield Law, we hold that an anonymous person who comments on an already-published online story and whose comment was not used by the news organization in carrying out its newsgathering and reporting function cannot be considered “the source of any information procured or obtained in the course of the person's employment or representation of a newspaper” "
* Red Tape: Govt. agencies, colleges demand applicants' Facebook passwords.
General
* Economists adopt a conflicts-of-interest statement for their academic publications. Law professors desperately need an equivalent.
* Smith v. eBay Corp., 2012 WL 27718 (N.D. Cal. Jan. 5, 2012): antitrust claim against eBay for tying PayPal with eBay's auction fees partially survives motion to dismiss.
* BNA (unfortunately paywalled) previews some of the key cases pending at federal appellate courts that might produce an opinion in 2012. The list includes:
- Viacom Int'l Inc. v. YouTube LLC, No. 10-32780 (2d Cir.)
- Capitol Records Inc. v. Thomas-Rasset, No. 11-2820 (8th Cir.)
- Flava Works v. Gunter d/b/a myVidster.com, No. 11-3190 (7th Cir.)
- Righthaven LLC v. Hoehn, No. 11-16751 (9th Cir.)
- United States v. Nosal, No. 10-10038 (9th Cir.)
- Rosetta Stone Ltd. v. Google Inc., No. 10-2007 (4th Cir.)
- Cohen v. Facebook, No. 11-17840 (9th Cir.)
- Stayart v. Google Inc., No. 11–3012 (7th Cir.)
Others include Graf v. Zynga, Levitt v. Yelp, Parisi v. Sinclair, Jones v. Dirty World and Maximized Living v. Google.
* Universal Grading Service v. eBay, Inc., 2012 WL 70644 (N.D.Cal, Jan. 9, 2012). Another antitrust lawsuit against eBay dismissed, this time involving eBay's use of third party coin grading services. This case has been appealed to the Ninth Circuit.
* WSJ on fine print in consumer contracts.
* NYT: Young, in Love and Sharing Everything, Including a Password. A spectacularly bad idea. Famous last words: “I know he’d never do anything to hurt my reputation” An adult is quoted: “I’ve known plenty of couples who have shared passwords, and not a single one has not regretted it,”
* Burgess v. eBay appealed.
* Only 20% like Facebook's new Timeline. I'm holding out as long as I can.
* LA Weekly: A gentleman's hypersensitivity to how his name is spelled + a law degree = recipe for disaster.
* William Mitchell Law Review had a symposium issue on Contemporary Issues in Cyberlaw. I've posted the published version of my essay "Revisiting Search Engine Bias" on Google & antitrust issues.
* Ceglia v. Zuckerberg, 2012 WL 503810 (W.D.N.Y. February 14, 2012). "Defendants are awarded in connection with their Accelerated Motion to Compel $75,776.70 in attorney's fees, and are also entitled to an award of costs, including attorney's fees, incurred preparing and defending the Fee Application, but Defendants' request for an order prohibiting Plaintiff from filing any papers in support of this action until such fees are paid is DENIED."
Posted by Eric at 04:25 PM | Privacy/Security | TrackBack
March 17, 2012
Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation
[Post by Venkat Balasubramani]
In re Jiffy Lube International, Inc., Text Spam Litigation, 11-md-2261-JM-JMA (N.D. Cal.; Mar. 9, 2012)
Plaintiffs filed a class action against Jiffy Lube (specifically, a multi-location franchisee, Heartland Automotive Services) and TextMarks alleging TCPA violations based on text messages sent by TextMarks on behalf of Jiffy Lube:
JIFFY LUBE CUSTOMERS 1 TIME OFFER:REPLY Y TO JOIN OUR ECLUB FOR 45% OFF A SIGNATURE SERVICE OILCHANGE! STOP TO UNSUB MSG&DATA RATES MAY APPLY T&C:JIFFYTOS.COM.
The court denies Heartland’s motion to dismiss. The big takeaway from the order is that text message-based marketing is something that companies often screw up, and these screw-ups end up being costly. Given the draconian provisions of the TCPA (statutory damages, stringent consent provision, no free pass for the initial message, and liability for any unsolicited message that is sent with certain equipment), rulings like these make me think companies should consider avoiding text message-based marketing altogether.
TCPA Provides for Derivative Liability:
Heartland’s first argument was that it should not be held liable because it did not actually send out the text messages (TextMarks did). The court cites to Satterfield v. Simon & Schuster and notes that the Ninth Circuit had no problem imposing liability on Simon & Schuster despite the fact that Simon & Schuster did not physically send the messages. The court also cites to an unsolicited fax case for the proposition that “congressional tort actions implicitly include the doctrine of vicarious liability.” If advertisers were allowed to escape liability by not actually sending the messages, this would allow advertisers to make an end-run around the TCPA’s prohibitions.
Heartland also argued that plaintiffs failed to sufficiently plead vicarious liability, but the court says that plaintiffs’ allegation that Heartland "engaged TextMarks to send the messages" is sufficient.
Plaintiffs’ Prior Consent:
Heartland produced invoices and sought to rely on the invoices to demonstrate that plaintiffs consented to receive the messages. The court rejects Heartland’s request that the court take judicial notice of the invoices, saying they stand for the opposite of what plaintiffs allege in their complaint. The invoices are not central to plaintiffs’ claims; therefore, they are not properly the subject of judicial notice in the same way that contractual terms—which the plaintiff relies on in the complaint—are. In passing, the court expresses skepticism as to whether the invoices would satisfy the TCPA's strict consent requirements.
Were the Messages Sent Using an Auto-Dialer:
The TCPA only imposes liability for text messages that are sent using equipment that has the capacity to store or produce telephone numbers using a random or sequential number generator. Heartland argued that plaintiffs should only be permitted to allege the use of an auto-dialer on information and belief if (1) the content of the message was impersonal, and (2) the text message was sent by a specific SMS short code. I think what Heartland is trying to argue is that only if the text messages bear indicia of being transmitted en masse should a TCPA plaintiff be entitled to allege the use of an auto-dialer on information and belief. The court rejects this, noting that in Satterfield v. Simon & Schuster the Ninth Circuit only required that the equipment at issue have “the capacity” to store or produce numbers using a random or sequential number generator. Under Satterfield, it does not matter whether this capability was actually used to send the messages.
First Amendment Challenge:
Heartland also brings a First Amendment challenge, arguing that the broad definition of auto-dialer would mean that friends who text each other dinner invitations could incur TCPA liability, and this would render the statute overbroad. As expected, this argument doesn’t get much traction with the court. The court says that the statute is intended to protect consumers against the costs and privacy invasions that accompany unsolicited text messages, and regulating texts sent through auto-dialers adequately serves this interest. The court also says that the prospect of friends incurring liability under the TCPA for texting each other dinner invitations is fairly remote. At worst, this type of a text message lies at the fringe of the statute and thus the statute does not suffer from overbreadth issues.
Plaintiffs Cannot be Compelled to Arbitrate Their Claims:
Heartland finally argued that one of the plaintiffs who signed an agreement with Jiffy Lube (and other class members who fell into the same category) should be required to arbitrate their dispute. This plaintiff entered into an agreement while obtaining services at Jiffy Lube which contained the following provision:
[the parties] agree that any and all disputes, controversies or claims between Jiffy Lube and [the customer] (including breach of warranty, contract, tort or any other claim) will be resolved by mandatory arbitration according to the terms of this Mandatory Arbitration Agreement (“Agreement”), except that any such dispute can be resolved by a small claims court if and for so long as the dispute is within its jurisdiction. By this Agreement, Jiffy Lube and [customer] also agree to only bring disputes against each other in an individual capacity and not as a class representative or class member and waive the right to a jury trial.
The court says the arbitration language is “incredibly broad,” and application of the clause to disputes unrelated to the contract would raise conscionability issues. The court cites to a Judge Posner opinion and concludes that if enforced as drafted, “absurd results would ensue.” Heartland asked the court to construe it narrowly but the court declines, saying it is not authorized to do so. Even if the clause were construed to be limited to disputes “arising out of or relating” to the contract, the court says that the TCPA claims would not fall within the clause.
__
As mentioned above, text message litigation has been brutal for marketers and advertisers, and this decision is no different. (Liability for spam email, in contrast, has been much more limited.) To my knowledge, the issue of derivative liability hasn't been squarely argued by a TCPA defendant, but decisions have implicitly recognized that the TCPA provides for derivative liability in rejecting the requests to dismiss filed by advertisers who did not transmit the messages in question. From that standpoint, the ruling is not significant, but it is still worth noting.
Outsourcing your text message-based marketing was a risky proposition to start with, but as this decision squarely allows for derivative liability (albeit under somewhat vague standards), this makes it an even riskier proposition. Marketers may labor under the perception that the initial text message is a freebie (from a liability standpoint) and including an opt-out from receiving future texts absolves the marketer or advertiser from liability under the TCPA. It's worth repeating that this is not the case.
Previous posts:
"Group Text Services Grapple with TCPA Class Actions"
"Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank"
"Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc."
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."
"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"
"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"
Posted by Venkat at 08:46 AM | Derivative Liability , Marketing , Privacy/Security , Spam
March 07, 2012
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]
[Post by Venkat Balasubramani]
In re Facebook Privacy Litigation, 10-02389 (N.D. Cal.; Nov. 22, 2011)
In re Zynga Privacy Litigation, 10-04680 (N.D. Cal.; Nov. 22, 2011)
These decisions are several months old, but they remain worth mentioning despite the fact they are well past their "blog-by" date. The court recently rejected plaintiffs’ motion to amend the judgment as to Facebook, so the cases are still active.
Facebook and Zynga scored an initial win last May against putative class action claims arising out of alleged data leakage from Facebook to its advertisers. The court expressed some skepticism about plaintiffs’ claims but gave plaintiffs a chance to amend their complaint. My blog post on the court’s earlier ruling: “Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation.” This time around the court grants Facebook’s and Zynga’s motions to dismiss with prejudice. Plaintiffs appealed the ruling in the Zynga case to the Ninth Circuit. (See the link to the Justia page.) With respect to the Facebook dismissal, plaintiffs asked the court to amend or alter the judgment, but the court refused.
Claims Against Facebook
Stored Communications Act
On the Stored Communications Act claim, the court says that the complaint contains inconsistent allegations regarding whether the communications in question were requests to connect to specific advertisements or whether Facebook acted as a “remote computing service” provider under the SCA:
On the one hand, Plaintiffs allege that the communications at issue in this case were requests to be connected to specific advertisements; that the requests were addressed to advertisers; and that Defendant merely acted as the "intermediary" for those communications.... On the other hand, Plaintiffs contend that Defendant acted as [a remote computing service ("RCS")] provider for purposes of Plaintiffs' claim under the SCA....
Analyzing claims under this statute leaves my head spinning, but the court ruling looks similar to its earlier conclusion (and reminds me of the court's analysis in the DoubleClick case). Suffice it to say that the court was not excited about plaintiffs' claims either the first or the second (or third) time around. Plaintiffs sought to further detail their claims in their request to amend the court's judgment, but the court says no to this. Whatever the merits of the plaintiffs' SCA claims, their pleadings were not apparently a model of clarity.
California Penal Code sec. 502
This statute creates a cause of action against someone who introduces a “computer contaminant” into the plaintiff’s computer or computer system. Plaintiffs' own allegations admitted that the “referrer header” (which plaintiffs allege Facebook improperly disclosed to advertisers) is a “standard web browser function provided by web browsers since . . . 1996.” The court says that this admission dooms plaintiffs' claims under section 502, since any allegedly improper transmission occurred as a result of the browser’s “normal operation” rather than any contaminant introduced by Facebook. (See also Amazon v. Del Vecchio.) Section 502 is the same statute Facebook itself relied on when it sued Power.com, although it relied on a different part of the statute there. The blowback didn't materialize in this case, partly for that reason, but it made me think of Eric’s frequent admonition to consider the blowback from overzealous enforcement efforts.
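For readers who want to see the "standard web browser function" at issue here (and in the Gaos v. Google item above about search terms in referral URLs), the following is an added example of my own, not code from the original post or from Facebook. When a page embeds a third-party resource such as an ad pixel, the browser sends the page's own URL in the Referer header; if that URL carries a user ID or a search query, the third party receives it. The example implements the eight Referrer-Policy values from the W3C Referrer Policy specification (which postdates these cases; in 2012 browsers simply sent the full URL between HTTPS pages, the "no-referrer-when-downgrade" behavior) and shows what an ad server could read out of the header under each. All URLs and the list of parameter names treated as identifying are constructed for the example.

```python
"""Referer leakage from page URLs to embedded third parties (constructed example).

referer_for() reproduces the Referer value a browser sends for a given
Referrer-Policy; leaked_identifiers() shows what a third party can extract.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameter names this example treats as identifying (an assumption;
# real sites use whatever names they like).
IDENTIFYING_PARAMS = {"id", "uid", "user", "q", "query"}


def _host_port(url):
    """host[:port] with any userinfo removed, as the spec's origin serialisation requires."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port else host


def origin(url):
    """Origin-only referrer: scheme://host[:port]/ (the spec appends a trailing slash)."""
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def stripped(url):
    """Full referrer: the URL with credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def referer_for(policy, page_url, request_url):
    """Value of the Referer header the browser sends, or None for no header."""
    same_origin = origin(page_url) == origin(request_url)
    # "Downgrade" = an HTTPS page requesting an HTTP resource.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(page_url)
    if policy == "origin":
        return origin(page_url)
    if policy == "same-origin":
        return stripped(page_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin(page_url)
    if policy == "no-referrer-when-downgrade":  # the 2012-era browser default
        return None if downgrade else stripped(page_url)
    if policy == "origin-when-cross-origin":
        return stripped(page_url) if same_origin else origin(page_url)
    if policy == "strict-origin-when-cross-origin":  # the current browser default
        if downgrade:
            return None
        return stripped(page_url) if same_origin else origin(page_url)
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def leaked_identifiers(referer):
    """Identifying query parameters a third party can read out of a Referer value."""
    if not referer:
        return {}
    params = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in params.items() if k in IDENTIFYING_PARAMS}


if __name__ == "__main__":
    # Constructed: a profile page that embeds an ad-network pixel.
    page = "https://www.example-social.test/profile.php?id=12345"
    pixel = "https://ads.example-adnet.test/pixel?cid=9"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(policy, page, pixel)
        print(f"{policy:32} Referer={ref!r:55} leaks={leaked_identifiers(ref)}")
```

Under the old default the ad server receives the whole profile URL, ID included; under today's default it receives only the site's origin, and under "no-referrer" nothing. The other fix, and the one that does not depend on browser behavior, is to keep user identifiers and search terms out of page URLs in the first place.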
Breach of Contract and Fraud
Plaintiffs sought to rely on the “personal information as property” theory to support their breach of contract claim. The court squarely rejects this argument. The court also rejects the fraud claim for lack of damages.
Claims Against Zynga
The court resolved the Stored Communications Act against Zynga on the same basis as against Facebook. Plaintiffs’ breach of contract claim against Zynga also suffered the same fate as the breach of contract claim against Facebook. With respect to Zynga, plaintiffs alleged that they were paying customers, but the court finds that any payments by plaintiffs were in exchange for virtual currency, and plaintiffs failed to allege that they did not receive the virtual currency which they paid for. Thus, the fact that plaintiffs were paying customers does not change the analysis. Plaintiffs also brought a breach of good faith claim against Zynga, but the court finds that these were merely re-packaged breach of contract claims and suffered from the same deficiencies.
__
It’s worth distinguishing data leakage claims from claims where Facebook is allegedly using likenesses or photographs of end users to promote itself or products or services. (See Eric’s discussion of Fraley v. Facebook: Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook.) These claims have a much greater chance of proceeding, even if they do not succeed on the merits.
Unlike publicity rights claims, data leakage claims have routinely been kicked out of court, whether on the basis of standing or on the merits. Even appeal courts have been unfriendly towards these claims. I thought that the latest wave of privacy lawsuits could end up being salvaged or revived by a friendly appeals court decision, but I’m starting to think the chances of this are slim.
You have to give Facebook credit for staving off the numerous privacy lawsuits. Other than the Beacon lawsuit (the settlement approval of which is still on appeal to the 9th Circuit) and the publicity rights lawsuit which Eric blogged about in December, there have not been any other privacy plaintiff wins against Facebook. Maybe people should consider taking Facebook to small claims court? On the other hand, if they have been unable to get traction in different courts with different versions of their claims, this is a strong indicator that there's no "there" there. It seems like Facebook is fast and loose with its privacy practices, but it's another matter entirely as to whether Facebook's practices create liability under existing statutes. Of course, Facebook will still have to deal with the watchful eye of the FTC, but enforcement efforts by private plaintiffs look like a dead end.
Posted by Venkat at 09:05 AM | Licensing/Contracts , Privacy/Security , Trespass to Chattels
February 29, 2012
Healthcare Data Breach Victims' Lawsuit Tossed When They Can't Show Harm--Paul v. Providence
By Eric Goldman
Paul v. Providence Health Systems--Oregon, SC S059131 (Ore. Sup. Ct. Feb. 24, 2012)
A Providence employee left disks/tapes containing records for 365,000 patients in his/her car, and they were stolen. The opinion implicitly assumes that the data wasn't encrypted. The opinion doesn't explain why the employee had unencrypted patient data for a third of a million people lying around in a car. Unlike a deliberate security intrusion, there's no evidence that the thief sought the data or had criminal intent towards the data.
Nevertheless, the Oregon Attorney General couldn't ignore a data loss of this magnitude/ineptitude, and Providence settled with the AG by agreeing:
to contract with a credit monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million.
Apparently, the AG's deal wasn't good enough for the privacy plaintiff's bar (at least, not to their personal fortunes), because 6 years after the settlement--the breach occurred in 2005; the AG settlement in 2006--the Oregon Supreme Court finally kiboshed the class action lawsuit.
The plaintiffs marshaled the following statements of loss:
* "financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft"
* "noneconomic damages for the emotional distress caused by the theft of the records and attendant worry over possible identity theft"
However, the plaintiffs had to contend with the following facts:
* the AG settlement already provided some meaningful relief to affected patients, including some credit monitoring and a promise to financially compensate patients for adverse data misuse
* there was no evidence that any patient had suffered any financial loss or other adverse consequence due to the data loss. Indeed, there's no evidence that anyone had ever accessed the data on the disks/tapes (the court says doing so would require "specialized equipment").
The latter bullet point proves to be fatal to the plaintiffs' claims for common law negligence and the Oregon consumer protection act. Under both doctrines, the plaintiffs didn't allege a legally cognizable loss. The economic losses alleged by plaintiffs are simply mitigation steps to reduce the risk of future harm, and negligence law doesn't recognize these anticipatory steps:
the cost of credit monitoring that results...from the risk of possible future harm...is insufficient to state a negligence claim
Citing (among others) the Third Circuit's Reilly case and Ruiz v. Gap, the court continues:
Every court that has addressed damage claims for credit monitoring following the theft of computer records containing personal information -- but no wrongful use of that information -- has reached a similar conclusion.
The Ninth Circuit's Krottner v. Starbucks opinion doesn't get a mention, but it supports this outcome too. The court distinguished the First Circuit's Hannaford case on the basis that some data breach victims had actually experienced bogus credit card charges.
The nonfinancial harm allegations don't fare any better. Citing (among others) the Reilly, Amburgy and Pinero cases, the court summarizes:
We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm.
Just to clarify, the court dismissed the claims based on the substantive elements, not on standing grounds. Article III standing doesn't apply given this was in state court. However, this ruling is consistent with the numerous cases dismissing data breach claims on Article III grounds.
I'd like to think we're nearing the tail end of data breach lawsuits like this where, irrespective of the data holder's malfeasance, nothing bad actually happened to the victims or (at this late date) is likely to happen. The plaintiffs' lawyers who brought this claim might be partially excused for their optimism because they filed the case so long ago, when it wasn't totally clear they would lose. Newly filed lawsuits can't claim that excuse. Going forward, I hope plaintiffs' lawyers are getting the very clear message from the courts: Make sure you have at least one truly injured data breach victim, or don't waste your time and money.
More of our extensive coverage of this topic.
Posted by Eric at 11:55 AM | Privacy/Security | TrackBack
February 28, 2012
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
By Eric Goldman
Steinberg v. CVS Caremark Corp., 2012 WL 507807 (E.D. Pa. Feb. 16, 2012)
CVS Caremark provided consumer data to pharma companies and data brokers. The plaintiffs alleged that the data transfers violated CVS's privacy policies, but CVS apparently disclosed only "de-identified" data as contemplated by HIPAA. Plaintiffs couldn't sue under HIPAA, both because CVS complied with HIPAA and because HIPAA doesn't enable a private cause of action for these violations. Although these facts implicate Sorrell v. IMS, that case didn't come up because the plaintiffs didn't sue under an analogous statute specifically regulating pharmaceutical data transfers.
Instead, the plaintiffs sued under Pennsylvania's consumer protection act, claiming that CVS made material misrepresentations in its privacy policies about its data handling. The court dismisses the suit--with prejudice!--on two principal grounds.
First, it says that CVS told the truth in its privacy policies:
The plaintiffs do not allege that the defendants disclose Protected Health Information to third parties. Rather, they disclose de-identified information, which (a) federal regulations do not prohibit; and (b) is consistent with the defendants' statements that they safeguard information that "may identify" consumers.
To salvage the situation, the plaintiffs' lawyer tried to argue that the de-identified information could be re-identified by recipients, but apparently the plaintiffs' lawyer couldn't make the argument very cogently:
Although they admit that the information the defendants disclose to third parties is de-identified within the meaning of HIPAA, the plaintiffs have argued that it can be "re-identified." There is no such contention in the CAC, and plaintiffs' counsel admitted that the basis for such an argument comes from a single journal article and would take the form of expert testimony that a re-identification risk exists with respect to de-identified information generally, not as to the plaintiffs in this case.
It seems pretty clear that the lawyer didn't fully understand re-identification--at least, not well enough to explain how it might trump CVS's privacy promises. Thus, the court never really gets to the merits of the re-identification theory, but clearly it did not pique the judge's interest. Presumably the "single journal article" referenced is Paul Ohm's Broken Promises of Privacy article. Looks like Paul missed out on a potentially lucrative expert gig.
Second, the court rejects the consumer protection claim on two different standing grounds:
1) the named plaintiff didn't suffer any cognizable loss. The best the plaintiffs' lawyer could do was claim "the loss of the value of his demographic information, or the loss of an opportunity to pay less for his prescriptions with the understanding that the defendants would be profiting from the sale of his information." These types of losses have flopped repeatedly before, and they do so again (citing, among others, LaCourt, JetBlue and Low v. LinkedIn).
2) the named plaintiff didn't allege justifiable reliance on CVS's representations. To get around this specific requirement in Pennsylvania law, plaintiffs tried to allege that CVS was a fiduciary; that goes nowhere.
The unjust enrichment claim fails because there was no expectation that the information provided to CVS would be compensated. The intrusion into seclusion claim fails because the plaintiffs voluntarily provided their data to CVS.
As we've already seen, privacy plaintiffs' lawyers are avid readers of the privacy scholarly literature, looking for new theories to help them grind their axes. Privacy scholars should be gratified by this practitioner attention. As we know, most law review articles never get read (my mom won't even read mine). As this case illustrates, privacy plaintiffs' lawyers may build their entire cases around the academic literature. Personally, I think this fact means privacy scholars need to ensure that their articles are ready for the rough-and-tumble world of profit-seeking class action litigation. It would be irresponsible for a privacy scholar to toss out a half-baked academic thought about new ways of suing over privacy, knowing that the plaintiffs' bar is looking for fresh meat--anything--to get past 12(b)(6) motions irrespective of the case's true merit. I'm not accusing Paul Ohm's article of being half-baked (far from it, it's one of the most interesting articles I've read in years); but I couldn't be as complimentary towards some of the other privacy scholarship I see, and I hope the thought of being potentially responsible for lots of wasted litigation activity will encourage all privacy scholars to honestly reflect on the social merits of their arguments.
Although the re-identification theory doesn't go anywhere in this case, arguably CVS dodged a bullet. Ever since I read Paul's paper, I have been recommending that companies stop making PII/non-PII distinctions in their privacy policies. It was instantly clear to me from reading Paul's paper that plaintiffs could attack a privacy policy's promise not to disclose "PII" using a re-identification theory, because we don't reliably know which bits of data can be used to uniquely identify individuals. Indeed, the language CVS used (it wouldn't disclose information that "may identify" consumers) was especially dangerous, because any bit of information, in combination with the right set of other data, has the theoretical capacity to uniquely identify individuals. The plaintiffs' lawyer in this case was sniffing around the issue but didn't nail it; other cases--especially after goofy rulings like Pineda treating zip codes as PII--will raise the issue better and pose significant danger to defendants. This case is a warning sign that CVS, and everyone else, should carefully reexamine the PII/non-PII distinctions in their privacy policies.
Posted by Eric at 11:57 AM | Licensing/Contracts, Privacy/Security, Publicity/Privacy Rights
February 24, 2012
RadioShack May Be Liable for Accessing Images from Recycled Customer Cellphone -- Steele v. RadioShack
[Post by Venkat Balasubramani]
Steele v. RadioShack Corp., 11-14021 (E.D. Mich.; Feb. 3, 2012)
Steele bought a new phone at RadioShack, after which a RadioShack employee transferred the data from Steele’s old phone to his new one. Steele also left his old phone at RadioShack for recycling. After Steele left, RadioShack accessed his old phone and viewed personal information, including photographs which Steele took at his worksite. RadioShack forwarded these photos to Steele’s employer. As a result, Steele was fired.
The parties' arguments are muddled, and the court expresses its displeasure at the “inaccurate, insufficient, and jumbled arguments from both sides.” Steele at least brought a claim for common law intrusion into seclusion, which required him to show (1) the existence of private and secret subject matter; (2) that the plaintiff had a right to keep private; and (3) access of the information by defendant through means objectionable to a reasonable person.
The court focuses on the second and third elements, finding that RadioShack did not raise the first element sufficiently in its initial moving papers. As to the second element, RadioShack appeared to argue that giving the phone to RadioShack for recycling somehow terminated Steele’s right to keep the information private, but the court rejects this argument:
[RadioShack’s argument] is illogical – it says that a customer has no right to keep personal information private once he allows RadioShack access to it during the course of business. If this court embraces this argument, then RadioShack would not have any liability for disclosing personal credit card information it obtained while processing a sale. Customers routinely give personal information in order to process transactions – information that they would expect to be disposed of and kept private, not distributed to whomever the store feels like giving it to.
RadioShack also argued that Steele fails to satisfy the third element (that the information was accessed in a way that was offensive to the reasonable person). The court rejects this argument as well, noting that a reasonable person who gave his or her cellular phone to someone with the understanding that the device would be destroyed or recycled does not consent to access of the personal information on the device. The court says that this is a question for the jury and not amenable to resolution at the motion to dismiss stage.
__
In contrast to the privacy tracking lawsuits, the plaintiff in this case alleges that his private information was actually disclosed to a third party and ended up causing him harm. The case brought to mind other cases where customer information was not properly disposed of: Pinero v. Jackson Hewitt and Putnam Bank v. Ikon Office Solutions. In both of those cases the claims failed for lack of out-of-pocket loss or even actual disclosure of the data to third parties. Here, the plaintiff alleged both of these things.
I'm surprised RadioShack made the argument that something in its privacy policy absolved it from claims that it improperly disclosed information. Even if its policy contained a provision absolving RadioShack from improperly accessing information, I wonder how RadioShack will show that Steele agreed to the terms prior to turning in his cell phone. (See Kwan v. Clearwire for a discussion of Clearwire's difficulties in enforcing terms of service for equipment and internet services. RadioShack will likely have an even more difficult time than Clearwire.) I would imagine RadioShack will end up writing a check. It's just a question of how much.
Posted by Venkat at 09:40 AM | Privacy/Security
February 22, 2012
Courts Continue to Grapple with Discovery Disputes Around Social Networking Evidence
[Post by Venkat Balasubramani]
Tompkins v. Detroit Metro Airport, 10-10413 (E.D. Mich.; Jan. 18, 2012)
This is a slip and fall case where the plaintiff alleges that injuries she suffered at Detroit’s Metro airport affected her quality of life and ability to work. Defendant asked plaintiff to release her medical records and records from her Facebook account. She refused as to the Facebook account, arguing that the private portions of her account should not be turned over in discovery.
The court says (citing to McMillen v. Hummingbird and Romano v. Steelcase) that there’s no privilege as to information contained in social networking accounts. Access to this information by an opponent in litigation is governed by traditional discovery principles. The court notes that in both Romano and McMillen the plaintiffs made injury claims that were inconsistent with information contained in the public portions of their social networking accounts. The court says that while there is no privilege protecting private (or quasi-private) information in a social networking account, “the [d]efendant does not have a generalized right to rummage at will through information that [p]laintiff has limited from public view.” The court says there has to be a threshold showing that “the requested information is likely to lead to the discovery of admissible evidence.” [Translation: a standard argument in every personal injury case that the plaintiff must have posted pictures of herself frolicking on the beach will not fly.]
Here, defendant argued that the public postings and surveillance photographs satisfied this standard. The court says no. The picture of plaintiff holding a “very small dog and smiling” is not inconsistent with plaintiff’s claims of being injured. (“The dog in the photograph appears to weigh no more than five pounds and could be lifted with minimal effort.”) The surveillance photograph showing plaintiff pushing a grocery cart similarly is not inconsistent with plaintiff’s claim of being injured. The court rejects defendant’s attempt to access the private portion of plaintiff’s Facebook account:
If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account. But based on what has been provided to this Court, Defendant has not made a sufficient predicate showing that the material it seeks is reasonably calculated to lead to the discovery of admissible evidence.
The court also says that the request for the entirety of the account will sweep in information that is in no way relevant to the case and is thus overly broad.
Davenport v. State Farm Mutual Auto Ins., 2012 U.S. Dist. LEXIS 20944 (M.D. Fla; Feb. 21, 2012)
Here, the insurance company defendant sent a request to plaintiff seeking all photographs posted to social networking sites, whether posted by plaintiff or by a third party. As in Tompkins, the court says there’s no special privilege that attaches to social networking content, but the rules of discovery limit an opponent’s ability to request this information.
Plaintiff proposed that she be required to produce only photographs taken by her that depict her. She says the photos she has been “tagged” in do not satisfy the Rule 26 relevance standard, but the court disagrees. The court says plaintiff has to produce all photographs which depict her, whether she posted them or she had been tagged in the picture. The court does limit this by saying the default discovery rules only require a party to produce information that is within the party’s “possession, custody, or control.” The court says this “likely” means that plaintiff will “need to produce only photographs that she posted or in which she was tagged.” The court does not offer any additional details on whether material posted to a social networking site is still within that party’s “possession, custody, or control.”
Separately, defendant had asked to inspect any devices used to post any material to social networking sites, but the court shoots this down.
__
Courts are really all over the place on issues relating to the discovery of information posted to social networks. The decisions grapple with (but none coherently address) the following issues:
• whether any of the communications are covered under the Stored Communications Act and how this affects discoverability;
• whether an opponent can obtain direct access to a non-party's or witness's social networking site (several decisions have ordered password swaps, waivers, or in-camera reviews);
• whether the discovery request should be directed to the social network directly or to the party whose information is sought;
• what threshold showing is required from a party seeking discovery;
• whether information posted to a social networking site is within the control, possession or custody of the party who posted it (for purposes of Rule 26).
Courts appear perfectly willing to smack down discovery requests that overreach, but continue to struggle with finding a balance and dealing with the logistical issues inherent in these types of discovery disputes.
Previous posts:
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed
Posted by Venkat at 12:33 PM | Evidence/Discovery, Privacy/Security
February 21, 2012
Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures
[Post by Venkat Balasubramani, with comments from Eric]
Facebook, Inc. v. Power Ventures, Inc., et al., C 08-05780 JW (N.D. Cal.; Feb. 16, 2012)
The long-running dispute between Facebook and Power Ventures came to a close last week, with Judge Ware granting Facebook’s motion for summary judgment on Facebook's claims under CAN-SPAM, California Penal Code section 502, and the Computer Fraud and Abuse Act. The power.com domain name went up for auction in 2011, and it appears that the domain name was not owned by Power Ventures, the defendant in this lawsuit. The court deferred ruling on the liability of individual defendant Steve Vachani. [Update: see below regarding the ownership of the domain name and its relationship to this dispute.]
Facebook alleged that Power Ventures allowed Power.com users to access their Facebook profiles through Power.com’s interface, and also induced its users to send emails to other Facebook users telling them to try out Power.com. The specifics of how Power Ventures' conduct differed from other Facebook apps aren't entirely clear, although it is clear that Power Ventures did not participate in Facebook’s authorized developer program, and Facebook undertook some technical efforts to prevent the access of Facebook by Power Ventures and Power.com users. As with the enforcement efforts of many networks, Facebook’s approach here raises some questions as to how courts will view other similar efforts by people who are part of the Facebook ecosystem. The big question Professor Goldman always raises--and I think it is relevant here--is to what extent there may be blowback from this ruling to Facebook (or its partners) in other cases. The case also raised data portability issues and issues relating to the scope of California Penal Code section 502. Likely for this reason, EFF participated as an amicus.
CAN-SPAM
Standing: The first question regarding Facebook’s CAN-SPAM claims was whether Facebook had standing to sue. Citing Gordon v. Virtumundo, the court says that Facebook has standing under CAN-SPAM to the extent it can show that it suffered harm that is of the type “uniquely encountered by” providers of internet access services. Virtumundo said end users don’t have standing under CAN-SPAM, and end users cannot manufacture standing by casting themselves as ISPs. The plaintiff in that case signed up for hosting services provided by third parties and did not suffer any particular “adverse effects” from the spam, other than the annoyance of having to delete it. Here the court says that the evidence produced by Facebook demonstrates that it suffered unique adverse effects as an ISP: (1) Power.com users sent approximately 60,000 emails, and (2) Facebook undertook specific efforts to stop these emails. (The evidence offered by Facebook seemed equivocal as to whether it was directed to stopping unwanted communications from Power.com end users or whether Facebook was concerned with restricting Power Ventures' access of Facebook's networks. Facebook's enforcement efforts spilled over into both categories, but the evidence seemed more suited to a Computer Fraud and Abuse Act claim than a CAN-SPAM claim.)
Did Power Ventures ‘Initiate’ the Messages: CAN-SPAM defines "initiate" to include those who “originate or transmit” a message, or “procure” its origination or transmission. Routine conveyance of a message is excluded from the definition of initiate. Facebook argued that Power Ventures initiated the messages because it ran a contest for Power.com users signing up their Facebook friends (if you signed up more than 100 users, Power Ventures would pay you $100). The court concludes that this inducement is sufficient to categorize Power Ventures as one of those who “initiated” the messages, even though end users selected which friends would be emailed, and Facebook’s servers filled in the header information when the user requested an email to be sent.
Were the Emails Misleading: The final question with respect to the CAN-SPAM claims was whether the messages were misleading in any way. Power Ventures understandably argued that the messages were sent through Facebook, came from a Facebookmail.com email address, and therefore could not contain any misleading header information. Power Ventures also argued that the text of the messages contained information about Power.com, and that Power Ventures could not have changed the headers of the emails because it did not have any control over the headers. The court says all of this is irrelevant:
[the] emails did not contain any return address, or any address anywhere in the e-mail, that would allow a recipient to respond to [Power Ventures]. Thus, as the header information does not accurately identify the party that actually initiated the e-mail within the meaning of [CAN-SPAM], the Court finds that the header information is materially misleading as to who initiated the email.
Whoa. The court does not cite to Mummagraphics, where the 4th Circuit rejected the same basic argument. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.") Mummagraphics' key holding is that in order to be actionable, an email header must be materially misleading, and if the recipient would reasonably know where the email was coming from, then there should be no CAN-SPAM violation. Here the emails were sent through Facebook's platform by end users, so Power Ventures has an even better argument than the defendant in Mummagraphics that the header information was not misleading.
California Penal Code Section 502
On the Section 502 issue, the court already ruled that access to a network in violation of the terms of use alone does not support a claim for unauthorized access under section 502, but access in circumvention of a “technical or code-based barrier” is enough. The court grants Facebook summary judgment on its claim under this statute. Although Power Ventures did not react to any particular measures and circumvent them, the software Power Ventures used to access Facebook’s site was designed to evade IP address blocks. Facebook also put forth a damning email from Power Ventures' founder that indicated awareness of the general need to access third party sites in a way that avoids IP address blocks:
We also need to do some planning to make sure we [access data from Orkut] in a way where we are not really detected. Possible rotating IP’s or something. Don’t really understand this too well. . . . . We need to plan this very carefully since we will have only one chance to do it.
[Ouch!] In granting summary judgment, the court says there is no reason “to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”
Computer Fraud and Abuse Act Claim
The court also grants summary judgment on the Computer Fraud and Abuse Act claim, finding that the access of Facebook’s servers by Power Ventures was “without authorization,” and Facebook satisfies the $5,000 damage threshold.
__
This case looked like it was teed up to highlight a data portability issue and the question of whether Facebook can keep third parties who don’t go through its authorized developer channels but who act at the request of end users out of its network. The court’s decision gives short shrift to both of those issues. There is probably not much precedent to the contrary (if any), but Power Ventures' access of “information” from Facebook’s servers was ostensibly done at the request of Facebook end users, and the information that Power Ventures extracted was the contact information (friend lists) of Facebook end users. Thus, Facebook's allegations regarding Power Ventures' actions shouldn't in theory come within the Computer Fraud and Abuse Act. True, there were some additional facts which made Power Ventures' arguments tougher from an optics standpoint, but the end result is that if users want to access data, they have to do so on Facebook’s terms, and may not do so using a third party tool that is not a part of Facebook’s developer platform. (To my knowledge, the Computer Fraud and Abuse Act as written does not look to whose data is accessed, so the statute allows the result achieved by Facebook in this case.)
The CAN-SPAM ruling is remarkable--and screwy--on a number of levels. Several courts have ruled that emails sent through networks (such as MySpace or Facebook) are covered by CAN-SPAM, but those decisions did not confront the practical issue of how an emailer can comply with CAN-SPAM with respect to emails that are sent by an end user via a network such as Facebook--i.e., where those who "initiate" a message cannot alter the content of the messages. (See "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty.") I wonder whether Facebook considered the practical aspects of this ruling: retailers who send messages through Facebook are not CAN-SPAM compliant! End users don’t have standing to sue, but retailers and companies who induce end users to send messages to their friends can be considered to "initiate" these messages, and under the court’s ruling, since the messages come from Facebook (via facebookmail.com) and do not contain the retailer's header information, these messages are materially misleading under CAN-SPAM.
Update: I originally speculated whether Facebook would try to go after the power.com domain name or the proceeds of the auction. Via email, Scott Smith, the CEO of RokME Inc., who is brokering the sale of the power.com domain name, reminded me that the power.com domain name was leased to Power Ventures and therefore the domain name is not a part of this dispute:
Several years ago Power Assist Inc. the owner of Power.com leased the domain to Power Ventures Inc. During the course of the lease Power Ventures Inc. operated Power.com as a social network aggregation site and did some things that Facebook disagreed with. At that time Facebook sued Power Ventures Inc. and by association, Power.com was noted in the filings. That is the only connection.
The lease on the domain Power.com ended last February. Once the lease ended the owner was free of any further obligations and decided to sell the domain. My company - RokMe Inc. was hired to broker the sale. . . .
Since that time there has been no connection with Power Ventures Inc. or its owner Steve Vachani. It has taken this long for the case to wind its way through the courts and because of the earlier association, the domain Power.com was unfortunately caught up in the web of their legal wrangling.
_____
Eric's Comments
Ugh. Bad facts make bad law, and this case has plenty of badness to go around. Power Ventures was a lousy poster child for a test case on data liberation. Yet, the court's results are troubling for everyone--including Facebook!--and I can only hope future courts recognize the opinion's goofiness when deciding whether to accord it any weight.
The CAN-SPAM ruling is the most troubling. Running through the elements tendentiously, the judge finds a technical violation of the CAN-SPAM elements, but this element-by-element review leads to a tone-deaf outcome overall. Stripping away the detail, users were using Facebook's messaging tools to talk with each other. Sure, Power Ventures was interested in that conversation and facilitated it in a number of ways, but calling Power Ventures a spammer because users talked to other users is baffling. It's a little like the misguided underpinnings of the FTC Endorsement and Testimonial Guidelines; this case similarly treats Power Ventures like an "advertiser" and thus makes it liable for how users talked to each other. Huh?
As Venkat points out regarding retailers, this ruling could set up other Facebook users for a similar fate if they get Facebook users to use Facebook's native tools to talk to each other. This could be counterproductive for Facebook's long-term interests if businesses (and others) start to fear that Facebook now has the discretion to sue them as a spammer whenever it wants.
Similarly counterproductive to Facebook's interests are the expansive interpretations of the CFAA and Penal Code 502. Facebook grabs a lot of content from third parties without permission--for example, every time a user posts a link, Facebook grabs and republishes snippets of the linked page without permission. Is that a CFAA/502 violation BY FACEBOOK? Facebook might have other defenses, but it seems to have negated any "we're just a proxy for the users" defense. Because I'm a cyberlaw purist, I hope Facebook doesn't get hoisted on its own petard; but if it ever does happen, it will be hard to suppress a slight schadenfreude smile.
Clearly, though, Facebook is signalling that it won't download email addresses from third party sources like Gmail without the third party's permission--like for its "find a friend" feature. After all, even if Facebook has the user's permission to access the user's own data, that's legally meaningless without the data source's permission as well. The net result is that data sources can erect fences around user data despite the user's wishes.
Indeed, the most tone-deaf aspect of the ruling is the anti-competitive backdrop to Facebook's enforcement action, which doesn't even get a nod from this opinion. Personally, I would not have trusted Power Ventures with my personal data, so losing them as a competitive option is no big deal to me. Facebook positions this case as being about user protection. Their formal statement: "We are pleased that the court ruled in our favor. We will continue to enforce our rights against bad actors who attempt to circumvent Facebook's privacy and security protections and spam people," said Craig Clark, Lead Litigation Counsel, Facebook. But I don't find it all that credible that Facebook was motivated solely by a desire to protect us as users from a dangerous Power Ventures. (Indeed, I believe Power Ventures could have sucked down an immense amount of user data through Facebook's APIs with, at most, minimal oversight by Facebook.) The other obvious possible motivation: Facebook didn't like Power Ventures' competition, so it shut down Power Ventures' access to Facebook's users. With its massive leadership in its niche, it seems only a matter of time before antitrust regulators start sniffing around Facebook. Its enforcement action against Power Ventures probably won't spur that, but Facebook will have to tread cautiously with future blatant shutdowns of competitors.
Posted by Venkat at 11:30 AM | Privacy/Security, Spam, Trespass to Chattels
February 19, 2012
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
[Post by Venkat Balasubramani]
Whitaker v. Health Net of California, Inc., Civ S-11-0910 KHM-DAD (E.D. Cal.; Jan. 19, 2012)
This is another data breach class action. Plaintiffs tried to squeeze their claims through a narrow opening left by Ninth Circuit precedent, but the court dismisses the claims for lack of standing.
IBM manages Health Net's information technology infrastructure. In January 2011, IBM informed Health Net that it had lost nine Health Net server drives, which contained the personal and health information of approximately 800,000 Health Net customers. Health Net sent a letter to the affected individuals in March 2011. The opinion does not mention whether Health Net offered credit monitoring or other preventive services. At the time the parties finished briefing the motion to dismiss, three of the nine drives had been recovered. The other six remained missing. Both defendants filed motions to dismiss.
The court focuses on whether plaintiffs sufficiently alleged “injury in fact.” Plaintiffs argued that they satisfied the standing requirements established by the Ninth Circuit in Krottner v. Starbucks and Ruiz v. Gap. (Here are blog posts on Krottner ("Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit") and Ruiz ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap").) The court distinguishes Krottner and Ruiz on the basis that, in both of those cases, the data breach occurred due to theft rather than loss of the data. The court also highlights that the plaintiffs did not allege any actual harm, apart from the loss of data and the risk that the data would be misused. Although one of the plaintiffs received a letter informing them that the social security number of their minor child had been misused, the court says that this does not confer standing on plaintiffs, who have to satisfy standing on their own (unless they are asserting third party rights).
The court also relies on Low v. LinkedIn for the proposition that speculative allegations regarding disclosure or harm are not sufficient to support Article III standing. (See also Reilly v. Ceridian.)
End result: the court dismisses with leave to amend. The plaintiffs have thirty days to amend their complaint to allege sufficient harm.
__
It’s worth keeping in mind that although plaintiffs cited to Krottner and Ruiz, the plaintiffs in those cases did not prevail. Despite the courts finding the allegations sufficient from the perspective of Article III standing, plaintiffs lost on the merits in both cases. Plaintiffs have tried every possible combination of allegations (theft of information; misplacement of information; employment information; health information), but courts simply refuse to find a cognizable claim unless the plaintiff can allege that his or her data has been misused in a way that causes out-of-pocket losses. A few cases have pointed to credit monitoring services as recoverable mitigation, but where the defendant offers up this relief to consumers voluntarily, a plaintiff is pretty much out of luck.
It’s also interesting to note that this case involved claims under California statutes which provide for the confidentiality of medical records. Given that the court did not discuss statutory damages, I would assume the statutes in question did not provide for these damages. Even if they did, failure to satisfy Article III standing could still undermine the claims. (A case pending in front of the United States Supreme Court may answer this question. See "'Sleeper' Case Asks Whether Plaintiffs Can Sue Without An Injury.")
Previous posts:
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
Posted by Venkat at 09:15 AM | Privacy/Security
February 14, 2012
Posting Family Photos to Facebook With Snarky Comments Isn't Harassment of Family Member -- Olson v. LaBrie
[Post by Venkat Balasubramani with comments from Eric]
Olson v. LaBrie, 2012 WL 426585 (Minn. App. Ct. Feb. 13, 2012)
This case is what happens when a headline from The Onion comes to life. Aaron Olson sought a harassment restraining order against his uncle Randall LaBrie. Olson argued that LaBrie harassed Olson by...get this...posting “innocuous [but surely awkward] family photographs” to Facebook and making mean comments directed toward Olson. The photos included Olson as a child, “posing in front of a Christmas tree.” LaBrie also tagged Olson in the photos. When Olson became aware of the photos, he requested they be removed or “altered to erase” Olson. LaBrie demurred, although he untagged Olson. Understandably, LaBrie told Olson that if he did not like the photos, “he should stay off Facebook.”
Olson was not “friends” (in the Facebook sense, or apparently, in any sense) with LaBrie, and accessed the photos via his mother’s Facebook account. The parties had a peripheral argument about how the photos were accessed. LaBrie said that the photos were meant for his inner circle, but Olson said they were accessible to the general public. At the end of the day, it turns out to not matter. The court says that posting these types of photos to Facebook does not amount to harassment, and the comments offered by Olson as evidence were nothing more than “mean, disrespectful comments,” which cannot form the basis for liability. The Minnesota anti-harassment statute is directed at:
“repeated incidents of unwanted acts, words, or gestures” that have a substantial effect on the “safety, security, or privacy of another.”
On appeal, Olson tried to argue that LaBrie’s conduct had a substantial effect on his privacy, but he did not raise that issue in the trial court and the appeals court says he waived it. Even assuming he had raised it, the court says that Minnesota law recognizes three types of common law privacy violations: intrusion, appropriation, and the publication of private facts. Minnesota law does not recognize “false light publicity.” Olson argued that one of these common law privacy violations could have supported issuance of the anti-harassment order, but the court says that the statute defines harassment, and there’s no need to look to case law for additional definitions.
Olson raised two other issues that are worth noting, and they really make me wonder whether this wasn’t some Onion editor’s attempt to generate a story. First, he argued that the trial court erred in not crediting the testimony of his mother, who testified that LaBrie’s conduct was offensive. Second, Olson tried to get the record sealed. Hello, Streisand Effect!
The only thing that would have kicked this opinion up a notch would have been a cite to awkwardfamilyphotos.com.
Related posts:
Private Facebook Group's Conversations Aren't Defamatory--Finkel v. Dauber
Revenge Blogger Ordered to Remove Blog--Johnson v. Arlotta (also from Minnesota--is there something in the water there?)
_____________
Eric's Comments
This case demonstrates that the family that Facebooks together doesn't necessarily stay together. I don't understand why Olson was so concerned about the posting of old "innocuous" family photos, although I can understand why Olson might object to "mean, disrespectful comments." At the same time, I also don't understand LaBrie's response that if Olson didn't like it, he should stay off Facebook; nor does it make sense that LaBrie said he didn't intend for Olson to see the photos because they weren't Facebook friends. It seems fair for someone to object to the publication of photos even on a service the person doesn't use or where the person can't see the photos. Obviously there's a backstory to this family squabble that got washed out in the appellate opinion. I guess it goes to show that you can pick your Facebook friends but you can't pick your family. A protip of general applicability: never allow sharp objects at family reunions.
Posted by Venkat at 08:38 PM | Content Regulation , Privacy/Security , Publicity/Privacy Rights
January 27, 2012
Top Internet Law Developments of 2011
By Eric Goldman
As usual, I'm running late with my year-end recap. This post begins with my countdown of the top 5 Internet Law developments of 2011, then it lists other interesting developments and cases. It concludes with some of the most linked posts and then my editor's choice of some posts in 2011 that might have been a little overlooked. As usual, thanks for reading the blog in 2011!
Countdown: My Top 5 List of Developments in 2011
#5: Righthaven Implodes. Since the beginning, I've been skeptical of Righthaven's business model. Seriously, who else thinks it's a good idea to sue small-time mom-and-pop bloggers and non-profits on a one-by-one basis? However, even I had no idea that Righthaven would accelerate their own demise by routinely making basic litigation errors. A sketchy business model + a litigation shop that isn't very good at litigation = one dead start-up. It's always fun (in a bloodsporty way) to watch hubristic bullies get their just deserts, but watching the Randazza firm school the Righthaven litigators in Litigation 101 has been amazing. THAT'S how you litigate.
Righthaven lost often in 2011 (see my August reset). They lost fair use rulings (e.g., CIO, Choudry). They lost on standing grounds (e.g., Democratic Underground, Wolf). They were hit with sanctions. They were hit with hundreds of thousands of dollars of attorney fee shifts (e.g., Leon, Wolf, DiBiase). They even lost their domain name in an auction--a delicious irony given that Righthaven's complaints improperly demanded its defendants' domain names on the theory that it might need the domain name to satisfy a judgment against the defendant, when in fact it was Righthaven's domain name that was used to help satisfy a judgment against it!
Righthaven ended 2011 on death's door, but the trend of newspapers trolling for copyright litigation isn't going away. I'll be watching NewsRight closely in 2012.
#4: Medical Justice Gives Up. Speaking of hubristic bullies... You recall Medical Justice, the organization that helped doctors and other medical service providers take copyright assignments from patients in their as-yet-unwritten reviews so that the doctors could expeditiously remove unwanted reviews by sending 512(c)(3) takedown notices to review sites. It's an interesting legal hack, but it has some bad side-effects, including the fact that patients hated it, the copyright assignments almost certainly were void (for public policy reasons and others), doctors were hurting themselves by discouraging patient reviews (patients prefer to choose doctors when there's a critical mass of patient reviews), and (as our research uncovered) most consumer review sites ignored the doctors' 512(c)(3) takedown notices. Obviously, with those defects, Medical Justice wasn't exactly adding a ton of value to its clients. Medical Justice finally gave up, but too late to prevent a lawsuit against one of its clients and a complaint to the FTC. Chances are Medical Justice will be living with a long-term hangover from this entrepreneurial foray.
Seeing Medical Justice stop peddling anti-patient review tools was slightly satisfying, but that result was always a fait accompli. The reason Medical Justice's change of heart matters is that shady or clueless vendors keep developing new ways to suppress unwanted consumer reviews, and I hope Medical Justice's experiences will discourage other vendors from trying the copyright hack. I talk about these dynamics more in my paper on regulating reputational information.
#3: gTLD Expansion. It remains unclear exactly what ICANN's rollout of unlimited top level domains will do. Due to the expansion of new namespaces, brand owners face a long list of complicated--and potentially expensive--choices to make. Unfortunately, these choices don't really benefit society; instead, the gTLDs tax businesses while the benefits accrue to a small number of service providers (and, of course, ICANN itself). I think many businesses will reserve their name in multiple new gTLDs to prevent squatting--with the net effect that businesses will spend more money just to preserve the status quo. Meanwhile, most consumers are likely to be bewildered by the unlimited number of TLDs, which is just going to increase their tendency to rely on search engines and link directories rather than domain names to navigate to their desired destinations.
#2: Internet Consumer Privacy Lawsuits Tank. 2011 initially looked like the year of the Privacy Plaintiff. A torrent of privacy lawsuits had been filed, plaintiffs had wrested a few important and lucrative settlements, and Internet companies continued to make questionable privacy decisions that create a steady supply of potential new lawsuits.
But the path to riches didn't materialize. Instead, 2011 emerged as the year when privacy class action lawsuits mostly failed miserably. Courts principally rejected the lawsuits on standing grounds for lack of cognizable harm, but plaintiffs failed on other related grounds, such as a lack of damages negating the prima facie case. There were some exceptions where plaintiffs made a little progress (see, e.g., Claridge v. RockYou, Anderson v. Hannaford, Fraley v. Facebook). I'm sure the privacy plaintiffs' bar will be studying those rare successes to formulate a better battle plan--and to better prepare their cases and find strong named plaintiffs, a recurring omission that hasn't gotten a lot better over the year. However, for now, it's clear that the privacy plaintiffs' bar can't just show up in court and hold out their hands for a payday.
#1: Regulators Broke the Internet. We've always known that regulators could combat bad online activity by working "up the chain," i.e., by making upstream service providers liable for the bad acts or obligated to cut off the activity. However, for the most part, we've shared a tacit understanding that systematically going up the chain was a "nuclear" option--it would fix the specific problem but only at significant collateral cost that, on balance, makes the option unattractive.
I think we'll look back at 2011 as the year that tacit understanding broke down. In 2011, regulators around the world showed a seemingly insatiable demand for working up the chain. Although we in the USA like to think we're different from other repressive regimes, the evidence suggests otherwise. Some examples of "up the chain" activity in 2011:
* Arab Spring. Repressive regimes got local Internet access providers to turn off Internet access in the country.
* Operation in Our Sites. The Immigration and Customs Enforcement (ICE) agency keeps seizing domain names of suspected foreign rogue websites on an ex parte basis, making errors and breaking the law in the process. Mike Masnick blew open the story on Dajaz1.com, which ICE seized on an ex parte basis, conducted secret proceedings for a year, and then gave back the domain name with no explanation.
* Graduated Response. Copyright owners got Internet access providers to voluntarily (?) agree to restrict, and eventually terminate, their users' accounts.
* Secondary liability against intermediaries. Rightsowners keep expanding their intermediary targets, including lawsuits against ad networks and SEOs/web designers. To be fair, some of these lawsuits aren't going very far, and expansive secondary liability theories aren't new in 2011.
* Ex Parte Seizures. Rightsowners are asking for the moon against third party service providers in ex parte proceedings, and courts are giving it to them because the third parties aren't there to represent their own interests. We recap this epidemic in this post.
* SOPA and PIPA. These proposed bills were the finest examples of rightsowners pursuing the nuclear option regardless of the collateral damage. The bills' basic architecture was to attack a wide range of intermediaries for third party actions--domain name registrars, search engines, payment service providers, ad networks. By seeking to deputize the intermediaries, the bills sought to instantiate "up the chain" duties across virtually the entire Internet. Putting aside their other policy deficiencies, I think we should resist all laws predicated on that fundamental assumption of intermediary deputization. See my post on the OPEN bill for why I reject the compromise "follow the money" solution. Sadly, I stand virtually alone in my stance.
Other Interesting Developments.
Some other interesting developments this year:
* Patent Reform. The America Invents Act is the most dramatic patent reform bill in years, and it has many provisions that may affect Internet companies, including the joinder standards, the prior user defense, and the novelty/priority standards. The law doesn't fix the overall problems with bad Internet patents or unmeritorious assertions of those patents, but it nevertheless could make some dramatic changes in what Internet companies do.
* Google and Antitrust. Google has become the incumbent in search, and all of its rivals--especially the companies Google is disintermediating--are desperately seeking to knock it off its perch. I believe Google and antitrust was the #1 topic prompting reporter phone calls to me in 2011. We are waiting to see what comes from the FTC investigation into Google's practices, and the list of Google-haters keeps growing daily. At the same time, the anti-Google forces made surprisingly little actual progress in 2011, including suffering a conspicuous (and not even close) loss in the myTriggers case. See my paper on why I am so over the Google antitrust battles.
* DC's Obsession with Busting Silicon Valley Companies. Sometimes, it feels like DC insiders wake up in the morning and wonder, "What Silicon Valley company do I feel like busting today?" Drive down the 101 from San Francisco to San Jose and play the "Spot the FTC/DOJ Bust" bingo game. Some of DC's targets in 2011: Google Buzz, Twitter (finalized in 2011), Facebook, Google pharma ads, Apple and others for no-poaching restrictions, and others. Good times!
* Judges Order Litigants to Hand Over Passwords to Social Networking Sites. This year, several judges ordered litigants to turn over their Facebook passwords to their litigation opponents for discovery purposes. See, e.g., Zimmerman v. Weis (which I added to my Internet Law reader this year). In 10 years, we'll look back at this mini-trend and shake our heads at the judicial cluelessness. Social networking sites contain a mix of public and private information, and letting a litigation opponent root around the account is just as objectionable as making a litigant hand over the keys to his/her house so the opponent can rummage around.
Other Key Court Rulings in 2011
Some other interesting court decisions this year:
* Authors Guild v. Google. The court rejected the Google Book Search settlement agreement for good reasons, but it sent the parties back to square 1. Why the parties haven't been able to broker a legislative compromise is beyond me.
* Barclays v. theflyonthewall. The Second Circuit took a big bite out of the hot news doctrine. Unfortunately, the Second Circuit didn't kill the hot news doctrine outright, but the opinion leaves open very little room for hot news plaintiffs.
* Network Automation v. Advanced System Concepts. The most important keyword advertising ruling to come out in several years. While the ruling itself was a mixed bag for the litigants, the opinion tore down a number of crusty plaintiff-favorable legal doctrines that had cluttered up trademark jurisprudence for years--including virtually mooting the initial interest confusion doctrine and killing the "Internet trinity" bypass to the standard multi-factor likelihood of consumer confusion test. I've noticed that the opinion has already noticeably tilted courts towards more defense-favorable rulings.
* Betty Boop case (Fleischer Studio v. AVELA). For a few months, it looked like the Ninth Circuit had eliminated trademark merchandising rights in characters that were out-of-copyright. Then it changed its mind; but still it liberated Betty Boop to the world.
* PhoneDog v Kravitz. An interesting battle over ownership of a Twitter account.
* Levitt v Yelp/Ascentive v. PissedConsumer. 47 USC 230 still works really, really well as an immunity. In Levitt, Yelp got a 230 dismissal of claims that Yelp had tried to get advertisers to pay to manage consumer reviews. In Ascentive, the court rebuffed a plaintiff's effort to use a trademark infringement claim against a consumer review website to work around 230.
* Habush v Cannon. Buying a person's name as the trigger for keyword advertising doesn't violate their publicity rights.
* UMG v. Shelter Capital. While everyone waits for the Second Circuit's decision in Viacom v. YouTube, the Ninth Circuit stole some of that thunder with a powerful endorsement of the 17 USC 512 safe harbor. Too bad Veoh didn't live long enough to enjoy the win.
* In re Rolando S. Rolando was convicted of felony identity theft for taking a classmate's Facebook page for a joyride. My vote for the most interesting Internet Law case of 2011, and an instant cyberlaw classic. I've already added it to my Internet Law reader, and the students seemed to enjoy discussing the case.
Some of the Most Linked Blog Posts in 2011 (Per Topsy)
* New Advertising & Marketing Law Casebook Available for Review
* Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
* "App Store" Isn't Generic, But Apple Can't Enforce Its Purported Trademark in the Term--Apple v. Amazon (Apple legal issues are always good link bait)
* Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
* Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO
* Court Rules That Instant Message Conversation Modified the Terms of a Written Contract -- CX Digital v. Smoking Everywhere (the most popular post of the year by far--a modern Contract Law classic)
* Second Life Ordered to Stop Honoring a Copyright Owner's Takedown Notices--Amaretto Ranch Breedables v. Ozimals
Favorite "Overlooked" Posts
A few posts that maybe got overlooked a little:
* Cyberbullying and Restorative Justice [a Long-Delayed Post on DC v. RR]
* Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
* Marijuana Activist Can't Change His Name to "NJWeedman.com" -- In re Forchion
* Free-to-Consumers Ad-Supported Website Isn't Illegally Priced--Cammarata v. Bright Imperial
* What Would a Government-Operated Search Engine Look Like in the US?
Lists of Yore
Previous top 10 lists from 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.
Posted by Eric at 09:45 AM | Copyright , Derivative Liability , Domain Names , Evidence/Discovery , Internet History , Patents , Privacy/Security , Search Engines , Trademark | TrackBack
January 24, 2012
Comments on United States vs. Jones: What's Old is New Again (Guest Blog Post)
By Ethan Ackerman with comments from Eric
U.S. v. Jones No. 10–1259 (U.S. Supreme Court; Jan 23, 2012)
In 2005, federal agents convinced a judge to issue a warrant so they could affix a cellular-based GPS tracker to the underside of Antoine Jones' wife's car, which the agents then tracked constantly for almost a month. Unfortunately for the federal agents' subsequent criminal prosecution of Jones on cocaine distribution and conspiracy charges, the agents did so after the warrant had expired, and in a different state than the warrant permitted. After an unsuccessful trial, Jones appealed his conviction to the D.C. Circuit, which suppressed the warrantless surveillance, finding it was obtained through a Fourth Amendment violation.
In so holding, the D.C. Circuit split with the Seventh, Eighth and Ninth Circuits on the matter. Importantly for the Supreme Court, each of these Circuits found no search occurred (or in the case of the D.C. Circuit, a search had occurred) when analyzing the 'search' under the 'reasonableness' test of Fourth Amendment law developed from Katz v. United States.
Yesterday, the Supreme Court held that the government's search was a Fourth Amendment violation. Importantly, the five-member majority opinion by Justice Scalia reaches that result by effectively resurrecting the 'trespass' element of Fourth Amendment law that has been dormant for almost 50 years--and wasn't a part of any of the underlying Circuits' opinions. I don't want to denigrate the significance of that holding, and I suspect it will dominate much of the scholarly commentary about the ruling. Already, the universally-cited Orin Kerr, blogging at the Volokh Conspiracy, has several posts up about the trespass and mosaic theory aspects of Jones.
However, my biggest surprises from the opinions were the unanimity of support for the idea that this was a constitutionally-suspect search, and the numerical majority that also found this search unreasonable for non-trespassory "reasonableness" reasons. It's kind of a big deal that all nine Justices found this case to be a Constitutionally-infirm search, disagreeing with a significant portion (probably a majority) of the Circuit Courts' benches. Even more so, it's truly a big deal that five (a numerical majority) found this search "unreasonable" under a reasonableness test that looked to the intent of the searching officers and so casually dismissed the atomistic arguments of the government that at each moment the searching was being done in a public place. Both of these arguments have been mainstays in earlier Fourth Amendment decisions.
Additionally, much of the earlier commentary on the D.C. Circuit's unreasonableness rationale, somewhat pejoratively nicknamed a "mosaic theory," had focused on its novelty and un-testedness. However, five justices appear ready to apply it in this case. In particular, Justice Sotomayor's concurrence makes clear that she agrees with Justice Alito's four-member opinion adopting the D.C. Circuit's reasonableness rationale. In that concurrence, she amplifies the majority opinion's holding relying on trespass principles, but indicates this is an "irreducible constitutional minimum," above which Katz's reasonableness rationale (which Justice Scalia's majority opinion doesn't denigrate, even if it declines to evaluate its applicability) still controls. Tom Goldstein shares my conclusion that there are effectively two majority opinions in this case. His excellent observations are here and also illuminate just how much was not resolved in the decision.
Eric's Comments
I really only learned two things in my Criminal Procedure class from law school: (1) every fact matters, and (2) the Supreme Court makes up the rules from case-to-case. At the time, I didn't feel I got very much from my class, but in retrospect, perhaps I actually learned everything that really mattered in Fourth Amendment jurisprudence. As Ethan recaps and as Paul Ohm indicated (United States v. Jones is a Near-Optimal Result), this opinion is a mix of good news (get a warrant before GPSing my car) and unresolved issues (basically everything else--ranging from practical questions like the legitimacy of warrantless tracking of cellphone movements to theory battles over whether the Fourth Amendment protects against trespass, violations of reasonable expectations of privacy or both).
Putting aside those important questions, the opinions articulated some deep distrust of government motives. I am always perplexed when the privacy community loses sight that the government is the real privacy threat, not the private sector. It also seemed that the judges did, in fact, internalize the personal threat that police could monitor their own cars without a warrant. It reminded me a little of the RIM case where the judges tried to envision their personal situation without their Crackberries.
Posted by Ethan Ackerman at 03:37 PM | Privacy/Security | TrackBack
January 18, 2012
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
[Post by Venkat Balasubramani]
Reilly v. Ceridian Corp, 11-1738 (3rd Cir. Dec. 12, 2011)
Ceridian is a payroll processing firm. Reilly and Pluemacher were employees of a law firm that was a Ceridian customer. In December 2009, Ceridian suffered a “security breach.” A hacker infiltrated Ceridian’s system and gained access to information belonging to 27,000 employees at 1,900 companies. After investigating, Ceridian sent a letter to the affected individuals, letting them know that their personal information, including “first name, last name, social security number and, in several cases, birth date and/or bank account” information was accessed. Ceridian provided the affected individuals one year of free credit monitoring and identity theft protection. (It’s unclear as to whether plaintiffs took advantage of this, but they alleged that they spent money for monitoring efforts.)
The Third Circuit focuses on the issue of whether plaintiffs have standing. The court canvasses the precedent and says most courts addressing standing for data breach plaintiffs have concluded that plaintiffs lack standing because the harm is too speculative. The court agrees:
Here, no evidence suggests that the data has been--or will ever be--misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury.
Plaintiffs relied on Pisciotta v. Old National Bancorp and Krottner v. Starbucks for the proposition that the increased risk of identity theft is sufficient to confer Article III standing. The court distinguishes these cases on the basis that, in those cases, the threatened harms were “more imminent”. In Pisciotta there was evidence that the hacker’s intrusion was sophisticated, and in Krottner, there was evidence that someone attempted to misuse the purloined information.
Plaintiffs also cited, by analogy, cases where courts have broadened standing requirements in other contexts (toxic tort, defective medical devices, and environmental injury). The court is not persuaded. First, the court says that, in those cases, an injury has occurred, even if it has not manifested itself and it cannot be presently quantified. In contrast, in the data breach context, “any damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.” Second, the court says that the medical device and toxic tort cases raise “human health concerns.” Courts relax the test for standing where human “suffering” is involved. The injury in those cases cannot be remedied by money. This is similar to the environmental injury cases where courts say that plaintiffs challenging actions on the basis of environmental regulation should be allowed to proceed because monetary compensation may not fix the harm that will occur:
unlike priceless “mountains majesty,” the thing feared lost here is simple cash, which is easily and precisely compensable with a monetary award.
The court finally says that the amounts expended by plaintiffs are not sufficient to confer standing because the money was not spent to avert or deal with any “actual injuries.”
__
Courts have pretty uniformly rejected data breach lawsuits, but the recent trend is to do so on the basis of Article III standing, rather than on the merits. This case looks like it's on the more restrictive end of the spectrum as far as standing goes.
The court’s attempt to distinguish other data breach cases on the basis that the harms in other cases were imminent or more obviously likely to occur isn’t the most convincing. Hackers have been known to compromise data in order to demonstrate security vulnerabilities, but if this is not the case, isn’t it fair to assume that data will be misused in some way? Aren't all hackers by definition sophisticated? Aren't all data breaches presumptively malicious? On the other hand, the data breach plaintiffs never seem to have adequate data to present to the court that the information in question is being misused. Even data pointing to the frequency of misuse in other breach cases would be useful to sway a court, but it's either not available or not being highlighted by plaintiffs. It's also surprising to see plaintiffs' counsel not include someone in the lawsuit who has had their information misused. (Maybe data breach cases are not well suited to resolution on a class basis?)
Some courts (In re Hannaford; Ruiz v. Gap) have said that basic monitoring services are reasonable mitigation efforts, and as a result, companies that suffer breaches are offering this to affected individuals as a matter of course. Here it’s unclear whether plaintiffs took advantage of this, but they also made monitoring efforts of their own. Although it's not clear, it looks like in this court's view, even basic monitoring is not necessary and a failure to provide it would not form the basis for standing.
While the cases are across the board in how they get there, one thing is for sure. Data breach plaintiffs have gotten little or no relief in the courts.
Other coverage:
Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit
Previous posts:
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
"When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue"
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros"
Posted by Venkat at 09:31 AM | Privacy/Security
January 16, 2012
Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does (Guest Blog Post)
By Guest Blogger Elliott Alderman with brief comments from Eric
[Eric’s introductory note: Elliott Alderman is an IP attorney in Washington DC. I asked if he could guest-blog this opinion after he called it to my attention.]
Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (D.D.C. Dec. 21, 2011)
Overview: A DC Magistrate Judge recently ruled that a defendant cannot file anonymous motions to quash disclosure subpoenas in a copyright file-sharing case. This ruling invites discovery abuses--and kicks due process.
The fragile balance between copyright owners enforcing their rights and the privacy interests of IP address owners was upended recently in Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (2011). There, the magistrate held that individuals who subscribe to the Internet through ISPs have no expectation of privacy in their subscriber information, since they have already disclosed this information to their service providers. So when copyright owners file disclosure subpoenas seeking subscriber information, local district court rules require that responding IP address owners must publicly identify themselves as part of filing a motion to quash.
There are two separate levels of privacy involved here: (1) public knowledge (including opposing counsel) of the IP address owner’s identity, and (2) the court’s knowledge of the parties involved in an action before it. A simple solution to the considerable detriment posed to subpoenaed parties is to allow motions to be filed under seal. At this stage, it is only discovery, not adjudication on the merits of the underlying claims, and there is no public benefit to disclosure before consideration of the motions.
Some background: As content owners move from suing download sites for inducement liability to a model of filing reverse class actions against unnamed individual users of P2P networks, discovery of infringers becomes crucial. However, content monitoring software, at best, may associate a digitally marked file with an IP address, but does not identify the owner of the account. And, significantly, the owner of the account is not, by definition, an infringer. So with IP addresses in hand, copyright owners must file disclosure subpoenas with ISPs to get the subscriber information associated with the identified IP addresses.
Typically, consistent with due process (and common sense), IP address owners responding to a disclosure subpoena have the right to preserve their anonymity while a judge reviews the propriety of the class action and the corresponding subpoena. Without the protection of anonymity, a motion to quash a disclosure subpoena is rendered moot, since disclosure of personal information on a public docket reveals the name and address information sought by the subpoena. See Achte/Neunte Boll Kino Beteiligungs GMBH & Co. v. Does 1-4,577, 736 F. Supp. 2d 212, 215 (D.D.C. 2010). Ironically, Achte/Neunte is one of the cases cited by the magistrate in support of public disclosure.
For a number of reasons, Hard Drive makes no sense. A subpoenaed owner essentially no longer has a right to contest disclosure, since challenging the merits of the discovery process reveals the very thing sought in discovery – his identity. And even if the judge later holds that the owner was misjoined, that an IP address is not an infringer, or any of the other bases that courts throughout the country are using to dismiss file-sharing defendants and kill these suits, plaintiffs have the personal information that they need to harass presumptively innocent parties. Worse still, plaintiffs will be encouraged to withdraw subpoenas before judges evaluate their merits, since the subpoenaed information will already be in hand.
As noted above, the Hard Drive magistrate also based his holding on Local Rule 5.1, which requires that all parties who file pleadings and papers with the district court must provide their name and full residence address, even if they are seeking to proceed anonymously. Judge Bates, who had assigned the case to the magistrate, originally ordered that motions to quash would remain under seal even if the moving party lost. How about a Solomonic compromise? Allow motions to be filed under seal, then only if the motion is denied would subscriber information be released, since the ISP is going to disclose the information anyway. Certainly there are policy reasons supporting the requirement that parties identify themselves to the court -- not the least of which is that it has no way of communicating with unrepresented Does – but permitting sealed motions balances the interests of copyright owners seeking to vindicate their rights against the privacy rights of IP address owners.
Moreover, the central premise of the decision, that there is no expectation of privacy in business transactions where information is disclosed to a third party, defies logic. One also shares information with telephone and insurance companies, and medical doctors – third parties all – but an expectation of privacy remains. Moreover, courts have implicitly recognized a privacy interest in ISP subscriber information, holding that copyright owners may not use the DMCA’s takedown notice-subpoena provisions to discover subscriber identities. See Recording Industry Association of America v. Verizon Internet Services, Inc., 351 F.3d 1299 (D.C. Cir. 2003); In re Charter Communications, Inc., 393 F.3d 771 (8th Cir. 2005). And although it may be argued that when copyright infringement is at issue there is no free speech right to anonymity, see e.g. Sony Music Entertainment, Inc. v. Does, 326 F. Supp. 2d 556 (S.D.N.Y. 2004), the extortionate nature of the file-sharing cases is such that fairness would dictate that IP address owners should be able to anonymously defend against inclusion in classes of unrelated others.
Further, even assuming that an individual has no reasonable expectation of privacy in his subscriber information, he certainly does in his choice of movies. Part of the copyright troll business model, particularly for pornographic films, is the threat of publicly associating an individual with his private tastes. I have represented a number of owners who have had their routers hacked or had tenants or other unauthorized parties who used their Wi-Fi connections. With or without legal liability, too many of these parties have settled because privacy is a more expensive currency than cash.
In fact, in other contexts where there is the potential for stigma or embarrassment, courts typically evaluate the merits of the underlying case before requiring disclosure of confidential information, like a person’s identity. See, e.g., Doe v. Smith, 429 F.3d 706 (7th Cir. 2005). The potential for harm to defendants in file-sharing cases is worse, however, because in addition to whatever shame or stigma attaches to being labeled an infringer or, worse, a porn hound (I think that’s the legal term), there are immediate legal consequences to stripping anonymity. Not permitting sealed motions is like having discovery first, then later evaluating its legitimacy.
Finally, the importance of the anonymous motion is intertwined with the architectural problems with the reverse class action model generally. This is not a white hat/black hat debate between content creators and piracy. Rather, the file-sharing cases are about the economics of joining unrelated parties in a class as a cost-effective way to pursue often non-meritorious actions, where secondary parties who are not infringers become the collateral damage. A number of courts have dismissed these actions on a variety of grounds, including that:
* IP address owners are not intrinsically infringers. See VPR Internationale v. Does 1-1017, 2:2011cv02068 (C.D. Ill. 2011) (an IP address is not a person)
* different owners have different defenses; and
* unrelated owners do not act in concert by using a P2P program. K-Beech, Inc. v. John Does 1-85, Civil Action No. 3:11cv469 (E.D. Va. 2011); Raw Films, Ltd. v. John Does 1-32, Civil Action No. 3:11cv532 (E.D. Va. 2011); Hard Drive Productions, Inc. v. Does, No. C-11-01566 (N.D. Cal. 2011).
Moreover, the reliability of monitoring programs is suspect (see Challenges and Directions for Monitoring P2P File Sharing Networks, University of Washington Technical Report UW-CSE-08-06-01), and because a number of ISPs use dynamic IP addresses (where an IP address is rotated between several users) and “infringements” are generally date- and time-stamped, the odds of mistakenly associating a particular IP address with the “infringement” are greatly increased.
All this for want of a sealing motion!
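The attribution step described above (a monitoring vendor's IP address plus timestamp, looked up against the ISP's lease records) as an added illustration; it is not part of this post and does not use any real ISP or monitoring data. The lease log, account numbers, addresses (taken from the 198.51.100.0/24 documentation range) and times are all constructed assumptions. The lookup shows the two ways the match goes wrong that the paragraph points at: a timestamp logged without its timezone lands on the wrong account, and a timestamp near a lease change cannot be pinned to a single account at all.

```python
"""IP-to-subscriber attribution against a DHCP lease log.

Added example, not part of the original post. The lease log and the
observations are constructed sample data, not records from any ISP or
monitoring vendor. With dynamic addressing, an address plus a timestamp
identifies an account only if the timestamp is precise, carries its
timezone, and does not fall near a lease boundary.
"""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from io import StringIO
from ipaddress import ip_address

# Constructed sample lease log (all times UTC). 198.51.100.23 is handed to
# three different accounts in one day; 198.51.100.77 stays with one account.
LEASE_LOG = """\
ip,subscriber,start_utc,end_utc
198.51.100.23,acct-1001,2011-06-01T00:00,2011-06-01T09:30
198.51.100.23,acct-2045,2011-06-01T09:30,2011-06-01T17:00
198.51.100.23,acct-3310,2011-06-01T17:00,2011-06-02T00:00
198.51.100.77,acct-4002,2011-06-01T00:00,2011-06-02T00:00
"""


@dataclass(frozen=True)
class Lease:
    ip: str          # normalized address text
    subscriber: str  # assumed account identifier
    start: datetime  # inclusive, timezone-aware UTC
    end: datetime    # exclusive, timezone-aware UTC


def _utc(text):
    """Parse 'YYYY-MM-DDTHH:MM' as a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def load_leases(log_text=LEASE_LOG):
    """Parse the CSV lease log into Lease records, normalizing the address."""
    leases = []
    for row in csv.DictReader(StringIO(log_text)):
        leases.append(Lease(str(ip_address(row["ip"])), row["subscriber"],
                            _utc(row["start_utc"]), _utc(row["end_utc"])))
    return leases


LEASES = load_leases()


def subscribers_for(ip, observed, tz_offset_hours=0, tolerance_minutes=0, leases=LEASES):
    """Accounts that held `ip` at any instant within +/- tolerance of the observation.

    `observed` is 'YYYY-MM-DD HH:MM' in the zone given by `tz_offset_hours`,
    i.e. the zone the monitoring software actually logged in. Returns a
    sorted list: [] means no record, one entry is an attribution, and more
    than one means the observation straddles a lease change and cannot be
    pinned to a single account.
    """
    target = str(ip_address(ip))  # raises ValueError on a malformed address
    zone = timezone(timedelta(hours=tz_offset_hours))
    when = datetime.strptime(observed, "%Y-%m-%d %H:%M").replace(tzinfo=zone)
    tol = timedelta(minutes=tolerance_minutes)
    lo, hi = when - tol, when + tol
    hits = set()
    for lease in leases:
        # half-open lease [start, end) overlaps the closed window [lo, hi]
        if lease.ip == target and lease.start <= hi and lo < lease.end:
            hits.add(lease.subscriber)
    return sorted(hits)


if __name__ == "__main__":
    addr = "198.51.100.23"
    print(subscribers_for(addr, "2011-06-01 12:00"))                        # ['acct-2045']
    print(subscribers_for(addr, "2011-06-01 09:00"))                        # ['acct-1001'] if the log was UTC
    print(subscribers_for(addr, "2011-06-01 09:00", tz_offset_hours=-7))    # ['acct-2045'] if it was Pacific daylight time
    print(subscribers_for(addr, "2011-06-01 09:32", tolerance_minutes=5))   # ['acct-1001', 'acct-2045']
```

The same "09:00" string attributes to acct-1001 when read as UTC and to acct-2045 when read as Pacific daylight time, and a few minutes of clock skew around the 09:30 reassignment returns two accounts rather than one. Neither result says anything about who was at the keyboard; the lookup at best names the account holder, which is the point the post makes about IP address owners not being infringers by definition.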
___________
Eric’s Comments
This is a bad ruling. The court has guaranteed that the copyright plaintiff can unmask defendants simply by asking for a subpoena—either the subpoena is granted or the defendant reveals him/herself to fight the subpoena. That’s not the way the system is supposed to work. By creating a no-recourse situation for anonymous/pseudonymous defendants, the court has stripped them of essential due process rights. And, as we know, plaintiffs able to unmask defendants often can take advantage of substantial extra-judicial remedies, such as the public embarrassment factor in porn copyright cases. Thus, this ruling unfairly screws over anonymous defendants in these cases. It needs to be fixed.
For more on the topic, see Lior Strahilevitz’s paper Pseudonymous Litigation.
Posted by Eric at 10:00 AM | Copyright , Evidence/Discovery , Privacy/Security | TrackBack
January 10, 2012
Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores
[Post by Venkat Balasubramani]
Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012)
Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute which restricted the type of information a retailer could collect: "California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma." A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismisses the case on the basis that the plaintiff failed to allege a cognizable injury.
Is a ZIP Code Personal Identification Information?: Section 105(a) of Massachusetts General Laws provides:
No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.
The court looks to the legislative history behind the statute and says that the Massachusetts legislature’s intent was different from California’s. While the California legislature was concerned with retailers obtaining personal identification information and using it for marketing purposes, the Massachusetts legislature was more concerned about security and fraud prevention. Thus, while Pineda looked to whether a ZIP Code could be used (together with the customer’s name) to locate the individual, the court in this case focused on whether recordation of this information by a retailer poses the risk of identity theft or fraud. The court looks to Massachusetts’ identity theft statute, which defines personal identifying information as “any name or number that may be used . . . to assume the identity of an individual.” The court says that inputting a ZIP code in the context of a credit card transaction is similar to inputting a PIN number in the context of a debit card transaction. Because the ZIP code is information that can be used along with other card holder information to commit identity theft and criminal fraud, the court says that the ZIP code is personal identification information for purposes of the statute.
Did the Retailer Write the Information on a Transaction Form?: Michaels argued that the statute does not cover electronically stored information and that the transaction form has to be a paper document. The court rejects this argument for several reasons. First, the statute applies to all credit card transactions, whether they are processed manually, electronically, or through other means. The act does not distinguish between paper and electronic forms, and the court says that the risk of identity theft is present regardless of the type of transaction. The statute also permits the retailer to include information in the transaction form that is required by the credit card issuer. The retailer collects information during the transaction process (as required by the credit card issuer) and then issues the receipt, which may contain information different from the transaction form. (For example, the card number has to be truncated on the receipt under FACTA.) “The receipt is a printout of the permissible information on the transaction form, but it is not the transaction form itself.” (For what it’s worth, FACTA is also a statute aimed at curbing identity theft, but does not cover emailed receipts: “FACTA Does Not Cover Emailed Receipts.”)
Has Plaintiff Alleged Cognizable Injury?: The statute in question does not provide for statutory damages. It only says that a violation of the statute is “deemed to be an unfair and deceptive trade practice.” A claim for unfair and deceptive trade practice requires a showing of “injury and loss” and a causal connection between defendant's practices and plaintiff's injury. Plaintiff had not been subject to identity theft, so she had to prove injury or loss in other ways. She does not argue that she has an increased risk of identity theft. Instead, she argues that Michaels used her name and ZIP code in conjunction with a commercially available database to determine her address and phone number. The court says that her allegations are insufficient because she does not allege that Michaels acted illegally in accessing the database. She also alleged that she was injured because she received “a deluge of unwanted mail.” The court says that this is not an injury cognizable under the statute since the statute was enacted to prevent fraud. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm.]
Unjust Enrichment: Plaintiff also brought a claim for unjust enrichment. This claim is similar to the "PII-as-valuable-property" claim brought by the RockYou plaintiffs. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou.") Under this theory, her personal information is a valuable piece of property so plaintiff should receive some compensation when she 'exchanges' this information with the retailer. The court says there are two problems with this argument. First, the ZIP code is not itself valuable to Michaels. It derives value only due to “the independent work and cross-referencing necessary to obtain the full address.” Second, the court says that reasonable people would not expect compensation for turning over their ZIP code, and plaintiff did not allege that, had she known all the facts, she would have “charged” Michaels for the ZIP code.
__
The conclusion that plaintiff did not state a cognizable injury was the most interesting. The court drops a giant footnote saying that it’s not deciding this case on the basis of Article III standing, but even if it were, the result would be the same (citing In re iPhone App Litigation; Specific Media; In re Facebook Privacy Litigation). There is a big grey area here, which is whether a violation of a state law alone is enough to support standing, or whether, even when plaintiff makes out a prima facie violation of a state statute, a plaintiff has to separately prove damages as a threshold matter. Can state legislatures circumvent Article III standing requirements? Can Congress? The court says that these issues are not implicated since the unfair trade practice statute only confers standing upon those who show that they have been injured. (My gut feeling is that Congress and state legislatures should have the power to define when a plaintiff can sue; at least they do so routinely. The court says that clarity on the standing question is forthcoming, since the Supreme Court granted cert. in Edwards v. First Am. Corp.)
The court’s conclusion on the unjust enrichment claim is also interesting. While one or two decisions accepted (at the motion to dismiss stage) the theory that personal information must be valuable because the defendant monetized it, later decisions, like this one, require plaintiffs to more clearly articulate their misappropriation theories. Just because information is valuable in someone else’s hands does not mean that their use of that information is a misappropriation of your property.
It’s unclear whether the court’s rejection of plaintiff’s injuries is a result of the court’s construction of the credit card statute as aimed at combating identity theft and fraud, or whether it’s because the Massachusetts unfair trade practices statute (like California’s) requires some out-of-pocket loss.
Overall, this decision, like many of the privacy lawsuits we’ve blogged about, reflects a reluctance by courts to recognize informational privacy claims where they don't easily see out-of-pocket losses. The risk of future identity theft is not getting much traction in courts. (See also Reilly v. Ceridian, a recent 3rd Circuit case which is in the blogging queue.) The “personal information as currency” theory is not getting much traction in courts either. When those two theories are taken out of the mix, the plaintiff is left only to allege that the defendant violated the statute and therefore plaintiff is entitled to damages. Courts are requiring privacy plaintiffs to allege more than this.
Posted by Venkat at 07:51 AM | Privacy/Security
January 06, 2012
Did a Court Eliminate 512(h) Subpoenas?--Maximized Living v. Google
By Eric Goldman with additional comments from David Gingras
Maximized Living, Inc. v. Google, Inc., 2011 WL 6749017 (N.D. Cal. Dec. 22, 2011). The initial 512(h) subpoena. The Justia page.
17 USC 512(h) is a relic of a different era. The basic architecture of 17 USC 512 seeks to put copyright liability on users instead of their service providers. However, for that scheme to work, anonymous/pseudonymous infringers must be identifiable so the copyright owners can sue them instead of the intermediaries. 512(h) seeks to expedite the identification of alleged infringers by allowing copyright owners to get an unmasking subpoena super-easily. All copyright owners need to do is file a subpoena request with a court clerk, and in response the court clerk *must* issue the subpoena--the copyright owners don't need to file a lawsuit, and no judge reviews or approves the subpoena's issuance.
Indeed, neither the clerk nor a judge has any statutorily provided discretion to refuse the subpoena. As a result, 512(h) is now badly out-of-step with the law governing anonymous/pseudonymous online defendants that has developed over the past decade in response to unmasking abuses. In areas other than copyright, plaintiffs usually must make some showing that their substantive claims are meritorious before a judge will issue an unmasking subpoena. (The level of the plaintiff's showing depends on a variety of factors.) In contrast, a 512(h) subpoena issues irrespective of the substantive merits of the plaintiff's claims--thus opening up a backdoor channel to unmasking abuses. For example, last year I got anecdotal reports that doctors used 512(h) to unmask patients that anonymously/pseudonymously reviewed doctors in contravention of the Medical Justice-supplied contract. If we were redrafting 17 USC 512 today, we would pay a lot more attention to 512(h) and its privacy implications than we did in 1998. [On that front, I have a latent empirical research project to investigate what happened after 512(h) subpoenas issued, but this case may have mooted it.]
With that background, let me turn to this case. Maximized Living sells copyrighted material to chiropractors. Anonymous blogger Doe allegedly infringed Maximized Living's copyrights via a Blogspot blog post. Maximized Living submitted an apparently overbroad 512(h) subpoena request to Google to identify Doe, and Doe successfully quashed the subpoena for its irregularities. Nevertheless, Doe apparently removed the infringing material from the blog. After that removal, Maximized Living sent Google a putatively corrected 512(h) subpoena request to unmask Doe. In this ruling, the court quashes Maximized Living's 512(h) subpoena for a second time.
The court does something goofy to reach this result. The court holds "that the subpoena power of s 512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled." Thus, because Doe had removed the infringing material after the first 512(h) subpoena was quashed, there was no infringing activity taking place when the second 512(h) subpoena request was made.
The problem with this result is that copyright owners must submit a 512(c)(3) takedown notice to service providers before seeking a 512(h) subpoena. Most service providers will take down the allegedly infringing material in response to the 512(c)(3) notice, so unless the copyright owner moves really fast to make its 512(h) request, the infringing material invariably will be down before the 512(h) subpoena request gets filed with the court--leaving those copyright owners in the same place as this one (i.e., submitting a 512(h) request when there's no current infringement). Below, David Gingras explains why the court may have misread the statute.
As a practical matter, this case's result may not be earth-shattering even if it survives appeal. I believe most service providers honor 512(h) subpoenas without much scrutiny and perhaps without notifying the targeted individual. This case will only help if the targeted individual challenges the subpoena, which will only happen if the service provider notifies the individual before releasing the unmasking information and the individual gets to court quickly enough. Because the service providers are a critical player in this process, how they handle 512(h) subpoenas warrants careful attention. I'd be game to work with you to try to get service providers to tell us more about their 512(h) handling procedure and if they give notice to the users--and wait for any quashing effort to materialize--before forking over unmasking info. [FWIW, Google appears to have done both, so they get a gold star for the day.]
Copyright owners also can avoid this result by filing the 512(h) subpoena request basically at the same time as they send the 512(c)(3) notice. That way, when the 512(h) subpoena is filed, there is still infringing activity occurring, even if it's quickly eliminated by the service provider responding to the 512(c)(3) notice. My guess is that many copyright owners will be reluctant to do this because it will increase the cost and time required to target infringing material when quick-filing of a 512(h) request will help in only a small number of situations. Thus, changing the takedown protocol to add a 512(h) filing probably isn't cost-effective.
Even if 512(h) isn't available, the copyright owner can still seek unmasking through a John Doe lawsuit. This isn't as low-cost as 512(h) and will trigger judicial screening of the subpoena request before issuance, so 512(h) is better for copyright owners if they qualify. Nevertheless, copyright owners can still achieve unmasking, and perhaps this case simply indicates that 512(h) is a much more highly specialized solution than we thought.
Finally, a personnel note: one of the plaintiff's lawyers is Kenton Hutcherson. You may recall that last year I blasted an article by Kenton for advocating that plaintiffs scrub search results by taking advantage of Google's apparently lax policy towards court orders. Here, it looks like the judge didn't respond well to at least two of the plaintiff counsels' choices:
1) the overreach in the initial 512(h) subpoena request
2) the submission of a second 512(h) without the court's permission, as specified when the court quashed the first subpoena
One possibility is that the court reached its odd substantive conclusion in response to the plaintiff lawyers' errors.
________________
Comments by David Gingras
[Eric's introduction: Many of you already know David Gingras due to his positions as General Counsel for Ripoff Report and litigation counsel for thedirty.com. While drafting this post, I sent this opinion to David for his thoughts, and his statutory analysis in response was so useful that I asked his permission to share it]
I think it’s extremely clear the court made the wrong decision here. I think the court should have found that the subpoena was entirely appropriate under § 512(h) even if the allegedly infringing material had been removed and the infringing activity stopped.
The court’s premise seemed to be that you could only use a pre-suit subpoena under § 512(h) to identify current infringers, not a former infringer who had stopped infringing. By itself, this seems like a very dubious distinction. What’s the difference?
As far as I can see, the conclusion was based on the fact that you obviously can only use what is commonly referred to as a “DMCA notice” (i.e., a takedown demand under § 512(c)(3)(A)) to address active infringements. In turn, that sounded correct because § 512(c)(3)(A) requires the party submitting the notice to identify, inter alia: “the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled." By using the present and future tenses here, it’s beyond obvious that this section doesn’t apply to past acts of infringement. In other words, you can only use a § 512(c)(3)(A) notice to address current/ongoing infringements (DUH – if the material was already removed, you wouldn’t need to send a takedown notice anyway, right?)
Up to this point, the court interprets the DMCA in a common sense way, but then it erred when it assumed (incorrectly), that because § 512(h) subpoenas are necessarily premised on a § 512(c)(3)(A) takedown notice, that requires the court to find that where the infringement has stopped, the right to pursue a § 512(h) subpoena also stops. That’s just totally inconsistent with the plain language of § 512(h)(5) which talks about the duties of a party on the receiving end of a DMCA notice (like Google) once they receive the follow-up subpoena:
(5) Actions of service provider receiving subpoena.--Upon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a notification described in subsection (c)(3)(A), the service provider shall expeditiously disclose to the copyright owner or person authorized by the copyright owner the information required by the subpoena, notwithstanding any other provision of law and regardless of whether the service provider responds to the notification. [italics added]
The way I read that section, it seems pretty simple – you can get and serve a § 512(h) subpoena either contemporaneously with the § 512(c)(3)(A) takedown notice, or the subpoena may be issued subsequent to that notice; i.e., at a later time when the infringement has already stopped. Either way is perfectly fine, which makes sense.
In this instance, the way the court interpreted § 512(h) makes the words “or subsequent to” totally superfluous, so we know the court’s conclusion is incorrect. Furthermore, the last few words of § 512(h)(5) seem to suggest that § 512(h) subpoenas may or may not come after a service provider has already “responded” to the takedown demand; i.e., after the material has already been removed – that’s another strong indicator that the right to pursue a § 512(h) subpoena may start with a § 512(c)(3)(A) takedown notice, but it does not stop simply because the infringing material was removed.
Posted by Eric at 09:18 AM | Copyright , Derivative Liability , Privacy/Security | TrackBack
January 04, 2012
Nov.-Dec. 2011 Quick Links, Part 3
By Eric Goldman
Marketing and Advertising
* Facebook is putting Sponsored Stories in user newsfeeds. Naturally, they will make the ad label almost invisible. Yet another reason to hate Facebook, and what a desperate act of financial overreaching to goose their IPO. FWIW, I absolutely hate that Twitter does the same thing. It's terribly marked as an ad, and it takes me more time than it should to figure out why it's appearing in my stream. Boo for Twitter, and boo for Facebook.
* Then again, not all Twitter ads are objectionable. The most popular tweet of 2011? An ad from Wendy’s.
* Interesting NAD decision involving Coastal Contacts' offer of "free" glasses in exchange for Facebook likes. Compare the subsequent ruling in Fraley v. Facebook.
* FTC does another bust of health marketers who allegedly used affiliates to create fake news sites. Prior blog post.
* Rebecca reports on a lawsuit over marketing that chickens were “raised humanely.” Note to meat eaters: there's no such thing as mass-raising of animals "humanely" for our food consumption. Invariably, meat-eaters who actually take the effort to understand the process of manufacturing meat decide to reduce their meat consumption.
* NYT on caller ID spoofing. The FTC just announced another bust on this front.
* AdAge: FDA's Social-Media 'Guidelines' Befuddle Big Pharma.
* Yahoo Inc. v. XYZ Companies, 2011 WL 6072263 (S.D.N.Y. Dec 5, 2011). Yahoo gets a huge and uncollectable default judgment of $610M under CAN-SPAM against Nigerian spammers.
* Adware déjà vu: Facebook bitches about adware. Prior blog post.
* A table manufacturer tinkers with his AdWords account and discovers a correlation between AdWords and clicks on his organic links (1, 2). Prior blog post.
* Pom loses a jury trial against Ocean Spray over false advertising.
* Washington Post: An inside look at the world of TV news payola/“plugola.”
* Ad Naseum on reverse product placement, i.e., manufacturing virtual brands created for TVs and movies.
* NYT: In China, car brands have very different meanings to consumers than they do in the US (except for BMW, where the brand attributes are surprisingly the same).
* Cracked: 5 Black Friday Myths The Media Wants You to Believe.
Privacy
* In re Facebook Privacy Litigation, 2011 WL 6176208 (N.D. Cal. Nov. 22, 2011). Prior blog post. Judge Ware dismisses the Facebook/Zynga referrer ID case with prejudice. Wendy Davis' coverage. It appears the plaintiffs have appealed (sub nom Graf v. Zynga) to the Ninth Circuit.
* Facebook will make 45 privacy-related changes—almost none of them “important”—to appease the Irish Data Protection bureaucrats.
* Mark Zuckerberg has extensive experience apologizing to Facebook users for Facebook's privacy transgressions.
* USA Today on how Facebook tracks user activity at websites other than its own.
* Cohen v. Facebook appealed to the Ninth Circuit. I'm not sure how the Fraley v. Facebook ruling affects this. Prior blog post.
* Interesting visualization of Facebook’s creeping degradation of privacy for user-provided info.
* In the Matter of ScanScout, Inc., FTC File No. 1023185:
According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.
* FTC bust of Skid-e-Kids for COPPA violations.
* Another cookie litigation settlement where the lawyers get almost all of the settlement value. PaidContent and MediaPost coverage.
* Weber v. Google, over Google toolbar snooping, was quietly dropped.
* Incorp Services, Inc. v. Does 1-10, 2011 WL 5444789 (N.D. Cal. Nov. 9, 2011). The court orders unmasking of alleged click fraudsters:
By tracking the clicks over the course of several weeks and narrowing a substantial portion of the activity to only two IP addresses—both owned by the same ISP—Incorp has provided sufficient information to indicate that the responsible parties are “real person(s)” who may be sued in federal court. Incorp also has demonstrated that it took reasonable steps to identify Defendants. Because information pertaining to the assignee of an IP address is maintained by the third-party ISP, the only way in which Incorp is able to identify definitively the parties associated with the suspect IP addresses is by subpoena to the ISP.
* In re Application of the USA for an Order Pursuant to 2703(d), 1:11-dm-00003-TCB-LO (E.D. Va. Nov. 10, 2011). No Fourth Amendment privacy protection for IP addresses.
* NYT provides yet another update on some European regulators' efforts to kill Silicon Valley.
* Peter Fleischer: Harsher data protection sanctions are coming.
Contracts
* Stebbins v. Texas, 2011 WL 6130403 (N.D. Tex. October 24, 2011). Another court calls David Stebbins’ attempt to manufacture an arbitration award “frivolous,” saying “his factual assertions that the alleged contract was formed when Plaintiff sent an e-mail to Defendant with a blog link and a dollar bill describe fantastic or delusional scenarios that are clearly irrational and incredible.” Prior blog coverage (1, 2).
* Garon v. eBay, Inc., 2011 WL 6329089 (N.D.Cal. Nov. 30, 2011). No antitrust claims for vendors who eBay terminated for low ratings. I think eBay should have been able to use 47 USC 230(c)(2) (not discussed by the judge).
* Fadal Machining Centers, LLC v. Compumachine, Inc., 2011 WL 6254979 (9th Cir. Dec.15, 2011). In a B2B context, enforcing an arbitration clause posted to the web that was incorporated by reference in the vendor’s invoices.
* Spam Arrest v. Marketingesquire complaint: Spam Arrest sues an email marketer for violating its TOS by sending "spam."
* Wofford v. Apple Inc. (S.D. Cal. Nov. 9, 2011). Free software update to iPhone software did not constitute a "tangible good or service" for California CLRA purposes.
* How plaintiff firms are adapting to Concepcion.
* WSJ: Are We All Online Criminals?
Posted by Eric at 03:04 PM | Marketing, Privacy/Security, Spam
January 02, 2012
UGC Website Hit With Spoliation Sanctions--Io v. GLBT
By Eric Goldman
[This is one of those blog posts that got stuck in queue. It's still pretty interesting, so I'm sharing at this relatively late date. Happy new year!]
Io Group Inc. v. GLBT Ltd., 2011 WL 4974337 (N.D. Cal. Oct. 19, 2011)
This case involves Io, the pornography company that lost Io v. Veoh, the main 17 USC 512 case I teach in my Internet law course. The defendants in this case are British. They run a series of UGC porn websites where users can get some porn for free and then must pay for additional access either with cash or by uploading their own content. The plaintiffs seek to hold the defendants liable for copyright and trademark infringement because users are allegedly committing copyright infringement by uploading the plaintiffs' porn. The defendants are defending on 17 USC 512 and other grounds.
Being in Britain, the defendants are governed by the Data Protection Act. They interpreted that act to require them to flush lots of data very quickly. Perhaps they have been overly zealous about implementing the DPA such that their interpretation isn't so credible. For example, they automatically deleted all incoming and outgoing email after 3-4 days, and they didn't change this for more than a year into the lawsuit. They also completely deleted all files that were subject to a takedown notice, so it wasn't possible for plaintiffs to see which files had been removed. Their answers to the judge's pointed questions apparently weren't very satisfying, and eventually the defendants went AWOL. So it's a little hard to tease out any legitimate DPA-based objections the defendants might have had from their other questionable choices.
FWIW, I'm not a DPA expert, but the DPA requires that the service provider keep data only so long as reasonably necessary. I would think legal obligations/discovery rules satisfy that standard.
The court's opinion gives some insights into the evidence that would be useful for the 512 safe harbor. The defendants completely wiped away any UGC files they disabled. The court says:
With respect to the deleted audiovisual files, Plaintiffs are prejudiced by not being able to examine the files and related metadata for any "red flags" indicating that infringement was likely. Such red flags could render Defendants ineligible for safe harbor protections of the Copyright Act.
This is consistent with language in the Ninth Circuit's subsequent ruling in UMG v. Shelter Capital. The court continues:
The loss of takedown notices and corresponding removal notification emails also prejudices Plaintiffs. First, the trier of fact may consider the extent of copyright infringement on Defendants' websites when analyzing a claim of inducement to infringe....Although the number of takedown notices does not alone determine the amount of actual infringement on the site, a large number of notices could indicate that a large portion of the material on the site is infringing. In addition, in order to be eligible for safe harbor protection, Defendants must show that they have a policy in place providing for the termination of repeat infringers. 17 U.S.C. § 512(i)(1)(A). Defendants claim that they have such a policy in place, but without the ability to examine the takedown notices and corresponding emails, Plaintiffs have no way of challenging the implementation and enforcement of the policy because they cannot examine whether Defendants actually terminated individual users who repeatedly posted infringing material.
I'm not clear about the relevance of the percentage of infringing activity, but for more on the evidentiary issues associated with inducement, see the Grokster ruling. Finally, the court says:
the destruction of Defendants' internal emails renders it impossible for Plaintiffs to explore Defendants' motivation and state of mind in operating their websites; this is key to Plaintiffs' claim of secondary infringement based on inducement
For the evidence spoliation, the court hits the defendants with adverse inference sanctions:
Plaintiffs are entitled to adverse inference instructions in the form of rebuttable presumptions. Given the specific evidence destroyed by Defendants, the court orders the following rebuttable factual presumptions: 1) third parties posted material on Defendants' websites that infringed Plaintiffs' copyrights; 2) Plaintiffs submitted takedown notices to Defendants regarding the infringing material; and 3) Defendants did not take steps to remove Plaintiffs' infringing material from their websites.
Unless the defendants magically find some exculpatory evidence, it sounds like those inferences will nail them on the substantive rulings. The court also awarded $15,000 in attorneys' fees.
This case raises a number of interesting issues.
First, exactly what evidence are plaintiffs entitled to when trying to overcome a service provider's 512 defense? As far as I can tell, there are few limits because just about anything might support an inducement finding. The otherwise defense-favorable ruling in UMG v. Shelter Capital provides some other ideas about information that plaintiffs can seek. Summing all this up, as a practical matter, 512's safe harbor is nifty, but it's an increasingly expensive proposition for both parties. Contrast this with 47 USC 230, where many immunized lawsuits are tossed on a motion to dismiss without any discovery at all. Not only does that allow judges to issue clean and quick rulings, but it saves both plaintiffs and defendants a lot of coin. Note to statutory drafters: it's so important to consider the evidentiary implications of your legislative drafting. The way the statute implicitly allocates discovery costs has a huge substantive effect--especially if the goal is to create a safe harbor or immunity. On this point, even if 512 usually gets to the right result, the safe harbor is miscalibrated from an evidentiary standpoint.
Second, service providers hoping for a 512 safe harbor are often uncertain about what data they should or must retain. After Grokster, UGC sites became nervous about potential inducement liability. As a result, I believe it's become common to recommend that UGC sites flush as much material as quickly as possible (and before litigation becomes "reasonably anticipatable") to reduce the risk that the material will be cited as evidence of inducement or otherwise disqualify the 512 safe harbor. However, UGC sites don't want to look like they are trying to evade the truth or, worse, disrespecting the court (as the defendants in this case might be perceived as doing) or engaged in evidence spoliation, so how should UGC sites strike an appropriate balance? I'd welcome your thoughts about that.
Third, irrespective of how we feel about these particular defendants, their underlying point about the intersection between 17 USC 512 and user privacy is worth considering. 17 USC 512(m) is entitled "Protection of Privacy," so the drafters of 512 recognized the push-pull issue here. Assume for a moment that the defendants in this case honestly wanted to provide their users with private browsing/uploading/downloading, something that might be desirable in the context of these defendants' service. It seems logical that the service provider seeking a privacy-enhanced UGC service would flush its logs, email and disabled files promptly and make those representations to its users. Here, it appears the court would undo those promises, forcing the service provider to retain data it didn't want to keep for the benefit of copyright plaintiffs. I understand that may be our current state of play, but I see the potential for mischief too.
Posted by Eric at 08:20 AM | Copyright, Derivative Liability, Evidence/Discovery, Privacy/Security
December 23, 2011
Academic Literature Recap, Q4 2011
By Eric Goldman
I'm mired in grading heck, slogging my way through 146 exams. As a result, blogging has taken a back seat. I have several key items to blog, including the UMG v. Shelter Capital and Ascentive v. Opinion Corp. rulings. I'll get to these and other topics soon.
In the interim, just in time for the holidays, let me call your attention to some recent academic articles that caught my eye this quarter. They may be worth checking out during your holidays. Happy reading!
____________
Bevin Ashenmiller and Catherine Shelley Norman, Measuring the Impact of Anti-SLAPP Legislation on Monitoring and Enforcement, The B.E. Journal of Economic Analysis & Policy: Vol. 11: Iss. 1 (Topics), Article 67 (2011). The abstract:
We examine changes in environmental monitoring and enforcement activity in the presence of state legislation prohibiting Strategic Lawsuits Against Public Participation (anti-SLAPP laws). Using data on the Clean Air Act from the Environmental Protection Agency’s ECHO database, we find evidence that state inspections increase by almost 50% after a state passes anti-SLAPP legislation. In addition, we find strong evidence that the ratio of findings of noncompliance to inspections more than doubles in the presence of anti-SLAPP legislation.
____________
danah boyd, Eszter Hargittai, Jason Schultz & John Palfrey, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’, First Monday, Volume 16, Number 11 - 7 November 2011. The abstract:
Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws.
This article stirred up a fair amount of discussion. See, e.g., the CNET coverage.
Some notes about this article:
* no one looks good here: not the kids, parents, Facebook or Congress.
- Parents teach children how to lie to get what they want online
- Gilmore’s law that the Internet interprets censorship as damage and routes around it. COPPA has been a success at getting websites to shun kids 12 and under, but it’s been a complete failure at protecting kids online.
- all of the lying kids are presumptively engaged in criminal activity
* when kids are asked to represent themselves as older than they actually are, do they inadvertently put themselves in more adult situations than they can handle? See my post on mistake of age defenses.
* the policy implications of this report cut in both directions. Pro-regulation: the only way to keep kids off Facebook is to do mandatory age authentication that parents can’t game; or do comprehensive privacy regulation. Anti-regulation: COPPA was a bust, so we should repeal it or structurally modify it.
____________
Felix T. Wu, Collateral Censorship and the Limits of Intermediary Immunity, 87 Notre Dame L. Rev. 101 (2011). We don't have too many law professor papers really grokking 47 USC 230, which makes this paper instantly noteworthy. Felix presented this paper at our 47 USC 230 fiesta earlier this year. His conclusion:
Intermediary immunity can and should play an important role in protecting speech on the Internet. Immunity prevents the application of laws targeted at original speakers to intermediaries that lack the incentives of original speakers to speak. Immunity can thus be used to avoid the collateral censorship of lawful, socially desirable speech that poses a real or perceived risk of liability to intermediaries. At the same time, immunity can and should be limited. When intermediaries are actually original speakers, and have the incentives of original speakers, immunity is no longer appropriate. Similarly, immunity as to causes of action that are specifically targeted at intermediaries inappropriately prejudges the reasonableness of such liability.
Even ardent supporters of intermediary immunity would be well-served to recognize its limits. When immunity becomes unbounded, it begins to seem increasingly unfair, stimulating calls to cut back on the immunity, or even eliminate it entirely. The framework developed here demonstrates how, without any need to amend current law, we can limit the immunity, while still serving its core purposes.
James Grimmelmann's comments about the paper.
____________
Sandra L. Rierson, The Myth and Reality of Dilution, 2012 Duke Law & Tech. Rev. ___ (forthcoming 2012). From the introduction:
This Article advances three claims. First, statutory dilution erroneously assumes that the source-identifying function of a trademark is a rivalrous good and one that is dissipated by use. This assumption lacks empirical support, and is assuredly not categorically true despite the contrary principle that underlies the federal dilution statute. If marks are nonrivalrous, as they often are, no cause of action for dilution should exist.
Second, even were particular marks indeed rivalrous, the social and transaction costs imposed by the federal dilution statute would still outweigh the supposed harm to trademark holders. Dilution claims inflict profound anticompetitive burdens, preclude beneficial comparative advertising, and entrench dominant (often oligopolist) firms at the expense of market entrants. Dilution has serious non-economic costs as well and prohibits protected First Amendment speech without justification. For these reasons and others, the federal dilution statute imposes substantially more harm than it (allegedly) prevents.
Finally, the true foundation for the federal dilution statute lies not in alleged economic harms, but rather results from an entirely misplaced fiction of corporate personality. We do not require trademark holders to prove actual economic injury in the context of a dilution claim because, in truth, there is none. Instead, we have granted the holders of famous trademarks the equivalent of a “moral” right to these marks: an extension of the rights granted to a creator of an expressive work in the copyright context. Trademark owners feel vested in their brands, many of which are deliberately anthropomorphized, and the dilution statute reifies and protects these rights as a matter of federal law.
Stacey Dogan's cogent critique of the article. You may recall that in 2007, SCU convened a major academic conference on trademark dilution.
____________
Lydia Pallas Loren, Deterring Abuse of the Copyright Takedown Regime by Taking Misrepresentation Claims Seriously, 46 Wake Forest L. Rev. ___ (forthcoming 2011). A nice in-depth look into one of my favorite topics, 17 USC 512(f), by one of my favorite authors. The conclusion:
The takedown provisions of the Copyright Act are a powerful tool that copyright owners may use to obtain prompt removal of infringing material from the Internet without judicial assessment of the assertion of infringement. Congress provided a mechanism to deter abuse of this extrajudicial enforcement mechanism in the form of a new cause of action for material misrepresentation. Courts should interpret the requirements for prevailing on a claim of misrepresentation with an eye toward fulfilling Congressional intent. This means using a standard that would hold copyright owners liable not only when they had actual knowledge that the material targeted for takedown was not infringing, but also when the copyright owner should have known if it acted with reasonable care or diligence that the material was lawful. It also means interpreting the injury requirement broadly and awarding attorney’s fees to prevailing plaintiffs. Taking the claims of misrepresentation seriously will shape the behavior of copyright owners who seek removal of material through takedown notices.
Posted by Eric at 07:55 AM | Content Regulation, Copyright, Derivative Liability, Privacy/Security, Trademark
December 12, 2011
“Economics of Privacy” Conference Recap
By Eric Goldman
Earlier this month, I attended an event at University of Colorado Boulder called “The Economics of Privacy,” sponsored by the Silicon Flatirons center. A couple photos from the event: 1, 2. As usual, these notes reflect my impressions of the discussion. They aren’t verbatim transcriptions, so please double-check before attributing anything to anyone.
Paul Ohm was the principal event organizer. He offered a thesis: the legal academy has ignored economics and markets in its privacy scholarship. This is because a decade ago, privacy scholarship got rooted in consumer autonomy. As a result, we are letting waves of new economics discussions go past without incorporating into the privacy scholarship. He thinks this is a missed opportunity. This conference was intended to fix that.
Keynote: Alessandro Acquisti
Can market forces adequately “protect” information privacy? Answer: a resounding “it depends.”
Notifying consumers isn’t good enough. Less than 3% read privacy policies; people don’t understand them; people assume “privacy policy” implies privacy protection; if people actually read the policies, we lose significant social resources in the opportunity costs of their time; and outright deceptive bypassing of policies can go unpunished.
Consumer control is illusory. In fact, by making people feel more in control, consumers may take greater privacy risks.
Can self-regulation protect privacy? Alessandro thinks probably not. Hyperbolic discounting means consumers will take the immediate benefits and ignore future costs/risks. Further, technology keeps changing. Consumers who try to optimize for current technology are required to learn the newer technology. It’s overwhelming for consumers. Thus, the empirics of privacy shows that hurdles in decision-making render self-regulatory solutions untenable.
Where do we go from here? Currently, unless there’s a quantifiable economic harm, there’s no legally recognizable harm. However, by focusing on tradeoffs, we’ve lost the non-economic benefits of privacy, like personal autonomy. The lack of adequate consumer protection also leads to socially wasteful investments, ex post damages, a shrinking share of consumer surplus, and other costs. We can do better than telling consumers that they need to “quantify the privacy costs incurred or be quiet.” Privacy enhancing technologies allow both data sharing and data protection. We should put the burden of proof on data holders: prove you can’t provide the same services with less data, or be quiet. Finally, he rejects the privacy fatalism that “data is the price for content.” In fact, consumers pay when advertisers use the data to develop manipulative marketing.
First Panel
Lior Strahilevitz. Information asymmetries led to 19th century English workhouses (like homeless shelters). The government wouldn’t provide welfare payments because recipients knew better than the government whether they were worthy, so workhouses were an alternative to providing wasted welfare. The consequence of this information asymmetry was the growth of government services and poor living conditions.
India is experiencing something similar. To address this, India is collecting biometric information on its poor (the “AADHAAR”). Some Indians feel this data collection is empowering—it gives them an identity.
Homogeneity enables mass-market products, but precludes catering to idiosyncratic needs. On the other hand, we should favor serendipitous exchanges between disparate people, and that’s essential for us to function as a society.
Lior is concerned that people will buy products for signaling purposes, not because they want the goods. For example, it turns out that people who buy felt pads for their furniture are good credit risks. Knowing this, people might buy felt pads to send false signals. Peppet’s comment: signaling is exhausting. We’re always communicating through our actions, and that’s tiring. It’s rational for consumers to respond by just deleting their Facebook accounts entirely.
Alessandro’s comment: matching systems will never be perfect; they will always make errors. But if decision-makers overly rely on the technologies, we may not be able to protect ourselves from these errors.
Lorrie Cranor. In 1996, there was a lot of talk about notice-and-choice and that privacy policies were unreadable, but the thought was that privacy seals and P3P could save privacy policies. We're at that exact same place today, but the technology hasn’t changed much. In fact, the current Do-Not-Track technology is lower-tech than P3P was.
What went wrong with P3P? 5 years of haggling led to a computer-readable language for privacy policies. It’s still incorporated into Microsoft Internet Explorer, but it only focuses on cookie-blocking decisions. To avoid Microsoft’s cookie blocking, sites enacted P3P policies. At least a third of P3P policies had errors, including major sites (Amazon, Facebook), so P3P may be counterproductive (i.e., consumers relying on P3P will not have their preferences effectuated). She hopes regulators will investigate.
Based on our experiences with P3P, online behavioral advertising tools aren’t promising. Companies aren’t providing clear policies to consumers or working opt-outs; consumers don’t recognize the icon; and consumers won’t click on it because they expect to get more ads, not to opt-out. She has a feeling of déjà vu: privacy tools empower consumers, but when people inevitably lose interest in developing the tools, privacy issues will become moribund again.
In contrast, incorporating automated privacy information into search results made consumers more aware of privacy concerns, and consumers showed they were willing to pay extra for additional privacy benefits.
Julie Cohen. The term “information privacy market” is weird. The market doesn’t produce information privacy; it produces information that’s used for market segmentation and risk management. There are social costs of information privacy markets—do we need less of the outputs from these markets?
Deeply-held ideological considerations drive privacy norms. Many of us are socialized to believe that more information is better. This skews the discussion as privacy advocates try to get around this norm.
We should be skeptical of information collection practices. Social benefits don’t necessarily grow as information becomes more precise. Gaps in knowledge lead to serendipitous matches that benefit society.
Innovation is used as an excuse to stiff-arm regulators because it’s too complicated for regulators. We’re bad at valuing systemic risks.
Scott Peppet. He sees parallels between Occupy Wall Street and the concerns about privacy. We don’t know how companies are tracking us, and that lack of knowledge makes us uncomfortable. Our economy is built on data, but we don’t understand how that system works. Data collectors are getting big, and we don’t know what they are doing. Perhaps some data collectors get too big to fail—we couldn’t let Facebook’s database go through bankruptcy.
Q from Berin Szoka: why isn’t the common law system adequate to deal with exigencies? For example, the FTC can enforce P3P misrepresentations even if the private lawsuit fails in court? Why do we need additional regulation?
Q&A on self-regulation
Lorrie: self-regulatory model requires enforcement. We have some leaders in the industry doing a great job, but they aren’t getting the requisite enforcement backup.
Alessandro: self-regulation doesn’t work because it relies on notice-and-consent, and that doesn’t work. Instead, he would like to see self-regulation include broader deployment of PETs.
Peppet: he expected, but has failed, to find role-modeling privacy intermediaries such as infomediaries (see my 2005 blog post on the absence of infomediaries). Even companies that are leaders on privacy have unreadable privacy policies. His hypothesis: it’s more profitable to disrespect privacy.
Strahilevitz: self-regulation is best for handling data that’s been recently collected, not on historical data. No one has a good response to deal with new data uses enabled by evolving technologies. Data retention may be an appropriate place for government regulation.
Keynote: Joe Farrell (speaking for himself, not the FTC)
Economics assumes consumer sovereignty. Consumers have wants; the marketplace supplies them. His starting point: consumers value privacy. It’s hard to measure how much. We shouldn’t ask why or how much. We should ensure the market doesn’t thwart their desires.
If we focus on consumer sovereignty, notice-and-choice should work. This minimizes the need to figure out how much consumers value privacy and why; it enables competition on privacy; and the market can cater to consumers’ preference heterogeneity. Notice-and-choice is difficult, but we should try to fix it. However, even experts can’t tell what will happen to privacy in the future; and consumers can’t tell how their information disclosures are affected by information disclosures of other consumers.
Taxonomy of consumer data uses:
• order fulfillment (responding to consumer request). For consumers’ mail orders, it’s not surprising that retailer will tell shipper your address. This directly serves the transaction the consumer wanted, and it’s unthreatening. Leave this out of the regulation.
• Profitable re-uses that consumer may not directly like. Need to distinguish between deals consumer would be willing to strike (data-for-content) and unacceptable deals.
When marketers deceive consumers, it trains them not to trust anyone. This is a harm to society. Ad hoc case-based enforcement doesn’t fix this harm.
Teaching consumers is hard, even if both parties are motivated. This is the basic problem with “disclosures.” But when advertisers don’t have full incentive to be forthcoming, consumers are even less likely to learn.
When the market price is zero, it’s hard for consumers to discount the price further to reflect the costs of privacy risks. Micro-payments actually solve this problem (we saw some of these advantages with the move from broadcast TV to cable TV) but micro-payment service providers create their own privacy paradox.
We should be open to private law solutions, such as trustworthy intermediaries or the adoption of liability-type commitments.
Panel 2
Ryan Calo moderated this discussion, which didn’t have presentations. Because I was part of the panel, my notes are a little sketchy.
Aleecia McDonald: Definition of behavioral advertising = advertising based on data collected about individuals (the websites they visited and their search terms) and used to create a profile that triggers ads. Behavioral advertising can be done on a third-party or first-party (e.g., Amazon) basis. Some folks believe that online behavioral advertising only means third-party behavior.
Laura Kornish: Can self-regulation work? The Behavioral Advertising icon has been around a year. The icon and the information it links to don’t answer very well the question of why the ads are appearing. It’s not working so well, and she’s not sure why. It depends on whether educating consumers about behavioral advertising is a technical challenge. If it is, the icon probably isn’t salvageable. In contrast, it would work if consumers get clear information about why they are getting the ads.
Eric Goldman: the point of advertising is a conversation between marketers who want to sell and consumers who want to buy. If behavioral advertising improves the conversation, there’s no problem that regulation needs to fix.
Seth Levine: He doesn’t favor regulation. As an investor, we don’t see companies trying to create containers for consumer data to give marketers. He does see entrepreneurs trying to fix the fact that publishers let a lot of data leak out to advertisers.
Eric: publishers need to manage the trust relationship on behalf of readers. It’s weird to me how few publishers take this responsibility seriously.
Aleecia: There's currently a schism between EU and US about holding first party data controllers responsible for third party actions.
Catherine Tucker discussed her paper. The punchline: EU advertising effectiveness decreased by 65% compared to the US due to privacy regulations. Small unobtrusive ads were particularly affected because these are more informational and need to be more relevant. Blaring intrusive ads weren’t affected. Most adversely affected websites: general news sites, not niche-y sites (probably because contextual targeting on niche sites was a passable substitute for behavioral advertising).
Seth: an ad impression based on data about the consumer is 3x-10x more valuable than an ad impression without consumer data. Online brand advertising isn’t very effective, so the Internet relies on direct response advertising. If brand advertising worked online, there would be less motivation for behavioral advertising.
Aleecia: Q to Catherine. What legislation caused the difference in ad performance, especially because the EU directive isn’t being enforced?
Catherine: She focused on the 2002 EU directive, but the rules were rolled in over time, and advertisers were uncertain about its implementation. Some advertisers pulled away from using cookies due to the uncertainty. Health ads, in particular, were much less effective.
Aleecia: Catherine’s study is good news for privacy advocates. It shows regulation can work.
Eric: it “worked” how? Some of the adverse consequences from privacy regulation: more intrusive ads, and some matches were foreclosed in the marketplace.
Aleecia: if regulation results in fewer beacons and tracking, this is a good result for healthcare data.
Seth: the advertising marketplace is big enough to incent investment in innovation.
Eric: the best way to spur innovation: give immunities and safe harbors. [I have a more detailed blog post in process making this point in greater detail.] The privacy plaintiffs’ bar is imposing a huge tax on advertising privacy innovation today.
Seth: existing technologies allow private/anonymous browsing. Less than 5% turn it on, and usually turn it on in the middle of the day, perhaps to hide information from their employers.
Aleecia: some consumers want to block ads, but the dominant reason for blocking ads is privacy concerns. Many of the tools are flat-out unusable. 6% of browsers have adopted DNT. On mobile, 17% have adopted DNT (and this is hard for them to do). Definition of DNT = allows users to put up their hand and request privacy. It’s not a technical mechanism; it’s just an HTTP header. What should websites do when the header is present? That's still being discussed.
Eric: the devil of DNT is in the details. We’ll know how important/useful DNT is when we see what websites do when they know consumers have raised their hand.
Catherine: consumers don’t understand online behavioral advertising, so they need protection, but maybe consumers are ahead of regulation and thus regulation would be redundant.
Seth: Solutions to privacy issues should be technology-based. If you’re 18 and don’t have a Facebook account, you’re dead. But Facebook does a terrible job with monetization: they have a huge audience but get only a small percentage of online ad dollars.
Peter Swire Q: getting consumers to adopt PETs is hard, so 5%-17% adoption is huge. Also, Julie Cohen’s right to read anonymously.
Seth: we would all agree that we should have user-driven right to read anonymously.
Panel 3
Scott Peppet. Ways to connect digital identity to physical identity:
• facial recognition. We can now do searches using a face as the search query.
• iris recognition. The technology can read irises on the run. If the technology became widely installed, it can do highly accurate individual identification.
• Car chips measure usage of cars. Insurance companies will find this information useful.
• Biometric. Your scale can broadcast your weight; it can even post to Twitter. It may be entertaining to measure oneself; but that data has substantial commercial value, and marketers may be willing to pay to get it.
• Smart goods. A sweater has been chipped to provide interested consumers background information about the exact sheep whose wool was used.
Ways to tie Digital Space to Physical Space
• Augmented reality. Smartphone can provide this functionality. Car can display information on the windshield.
• Pranav Mistry’s Sixth Sense.
Berin Szoka. Lessig outlined a dystopian view that code will become a perfect form of control. In contrast, the Supreme Court has said that technology expands consumers’ capacity to choose. So, does technology empower or enslave?
First Amendment is baseline for the (lack of) regulation of information. Government can and should punish fraud and deception. Government can validly compel disclosure of objective factual statements (Cass Sunstein’s “smart disclosure”). With proper narrow tailoring, government can intervene in other situations—user empowerment tools, limiting government, educating consumers.
Chris Hoofnagle. He favors competition-enhancing enforcement. Problem: privacy policies that are internally inconsistent; they say “we don’t share” and then say they work with third-party marketers. He also favors an enforcement action that says companies can’t force tracking onto consumers. If consumer manifested their intent not to be tracked, companies can’t undo that. Also, companies are resistant to working with privacy agents where consumers pay someone to help them opt-out; they want to confirm this intent. Companies can’t imagine that consumers don’t want their advertising.
Peter Swire. He worries about security. There’s no way to fix theft of biometrics. Iris scans can be defeated by high-quality print of a third party’s iris.
What if data = speech? (IMS v. Sorrell). He reads Sorrell to say that many privacy laws are subject to heightened scrutiny. Ex: the FCRA says CRAs can’t report credit data more than 7 years old. This limits speech by limiting data. Thus, arguably it’s both a speaker- and content-based restriction.
Berin: he hopes Sorrell will bring more rigor to legislative drafting. The Vermont statute didn’t have any showing of harm. He doesn’t think all privacy statutes are dead, but he hopes the ruling will encourage an emphasis on less restrictive measures.
Chris: Sorrell involved a dumb law, but most privacy laws are dumb because corporate lobbyists muck up well-meaning legislative proposals. He thinks libertarians should hate the Sorrell ruling—the government forced the collection of information and then it was shared with the private sector.
Berin: He doesn’t mind the government data collection in Sorrell because he believes the private sector would have generated the information anyway. Sorrell has no bearing on government-compelled disclosure.
Fernando Laguarda. The Sorrell decision was a reaction to a poorly drafted statute. Information dissemination is speech.
Paul Ohm Conversation with Julie Brill
Paul: it’s the 1 year anniversary of the FTC’s privacy report. What’s happened since then?
Julie: the FTC has spoken loud and clear on social networks (Facebook, Google Buzz). It’s brought some good cases on behavioral advertising and COPPA. The report didn’t preview the FTC’s directions; instead, it describes the problems the FTC has been running into when it brings enforcement actions, especially with notice-and-choice and consumer harm. It sums up where the FTC has been.
The report’s basic principles:
• Companies should build privacy into their foundation
• Simplify notice-and-choice. For example, on mobile devices, privacy policies are too long and not readable. Give more layered notices. Companies are burying the most important disclosures in the policy.
• Transparency. Give consumers more information about the company’s practices, but also show the data that the company has collected about the consumer and give them the right to correct. Analogy: FCRA. Data brokers that don’t come under FCRA should still give access to consumers.
What’s happened since the report? A majority of commissioners have embraced “Do Not Track.” A lot of technological development has occurred in a year—DNT technology, browser-based restrictions, BA icon.
Paul: What does Do Not Track mean, and who enforces any violations?
Julie: there isn’t consensus of what “do not track” means. A header-based solution is one way for consumers to express their preferences. But will websites honor the header? Another solution: the blacklist/whitelist built into Microsoft browser. Advertisers feel that is more draconian. The icon-based system is another solution.
She believes Do Not Track efforts have to cover data collection and retention in addition to tracking. When the FTC issues its final report (maybe by end of 2011), she hopes it will include data collection.
Who decides—self-regulatory groups or browser companies? Once promises are made to consumers, FTC and state AGs need to enforce.
Paul: academics like Alessandro and Lorrie expressed a lot of skepticism about notice-and-choice. Should the FTC still be pushing it?
Julie: FTC commissioners typically agree about the FTC’s specific enforcement actions. Most opinions are unanimous, especially on privacy and consumer enforcements. When commissioners are debating theory, as opposed to a specific enforcement action involving a particular company, the commissioners disagree more. She thinks the commissioners disagree about notice-and-choice. We shouldn’t throw out notice-and-choice, nor should we throw out PII, but Julie is a skeptic on notice-and-choice. Consumers aren’t the least cost avoiders. The safety analogy is useful—just like we don’t want consumers policing aircraft, consumers shouldn’t be policing privacy. She would like more dashboards for consumers.
Paul: how do we resolve any specific privacy problem—self-regulation, FTC, Congress—who?
Julie: this is a big question, and there’s no single answer. She likes the bully pulpit; she raises her eyebrows a lot! This can lead to a lot of dialogue between industry and the FTC. The FTC has to account for the political environment. Legislative discussions look different now than a year ago; Congressional-enacted regulation isn’t realistic right now because Congress doesn’t have the bandwidth. The industry is a little emboldened because it knows the FTC can’t get Congress to act.
Eric’s Q: there have been lots of Internet privacy lawsuits, but they are routinely getting tossed. How does this affect the FTC’s calculation about whether or not to intervene?
Julie: privacy lawsuits based on deception still require the plaintiffs to show consumer damages. FTC/state AGs aren’t bound by this restriction. The FTC also has authority under unfair acts. Unfairness requires balancing of economic interests. Harm is essential to the balancing. But what about embarrassment, such as an unwanted outing or unwanted Facebook photo posting? The FTC report argues that they should expand the harms. About a decade ago, Eli Lilly had a website for Prozac users. When it decided to shut down the website, it included everyone’s email address in their announcement. This was a huge breach. FTC said it was either a deceptive or unfair act. She thinks it was really an unfairness case; it was wedged into the deception prong.
Posted by Eric at 09:17 AM | Privacy/Security
December 08, 2011
Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group
[Post by Venkat Balasubramani]
Maremont v. Susan Fredman Design Group, Ltd., et al., 10 C 7811 (N.D. Ill.; Dec. 7, 2011)
I blogged about a case earlier this year where a plaintiff sued her former employer for improperly accessing the plaintiff's social media accounts. (Here's my earlier post on the case: "Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward.") I thought the case was dismissed due to plaintiff's inaction, but it looks like the case is still trudging along.
The basic facts: Susan Maremont worked for the Susan Fredman Design Group as the director of marketing. Maremont created a blog and Facebook account for SFDG. She also created Facebook and Twitter accounts that the court says are undisputedly her personal accounts. Maremont suffered an accident. While she was in the hospital, SFDG continued to access and post from Maremont's accounts. (The court is never 100% clear on which of the two Facebook accounts SFDG posted from.) Maremont returned to work briefly on a part-time basis, and during this time she thanked her temporary replacements "for their amazing posts on [the blog] in [her] absence." Subsequently, Maremont apparently changed her mind and sued for alleged misuse of her personal accounts. [The order says that Maremont stored her account access info on the SFDG server, although the folder in which she stored this info was ‘locked’ and she never gave authority to anyone to access it. This was Maremont’s version of the facts. The order does not say exactly how SFDG got access to the passwords (SFDG could have obtained the passwords through accessing the folder on the SFDG server, or it's possible that the computer Maremont used to create the accounts--which were SFDG computers--remembered them).]
SFDG brings a motion for summary judgment, which the court largely punts for lack of evidence on damages.
Lanham Act claim: Maremont's Lanham Act claim requires her to show that she had an intent to commercialize her identity. The court says that she satisfies this requirement, noting that "it is undisputed that Maremont created a personal following on Twitter and Facebook for her own economic benefit . . . " However, Maremont also must show that she was somehow damaged by her unauthorized affiliation with SFDG. The court gives Maremont additional time to marshal evidence as to how she was damaged. Maremont tells the court that she will bring an expert to testify as to the damages issue.
Stored Communications Act claim: As to the Stored Communications Act claim (which Maremont added later on in the lawsuit) there is no dispute that SFDG accessed Maremont's accounts:
there is undisputed evidence in the record that Defendants accessed Maremont's personal Facebook account and accepted friend requests at least five times from September 23, 2009 through November 24, 2009. Moreover, evidence in the record reveals that Defendants posted seventeen Tweets to Maremont's personal Twitter account during the relevant time period.
This probably amounts to unauthorized access of "a facility through which an electronic communication service is provided." However, the court says that in order to be entitled to statutory damages under the SCA, Maremont has to show that she suffered some "actual damages." (See Van Alstyne v. Electronic Scriptorium.) Because of the dearth of evidence on the damages issue, the court declines to grant summary judgment at this juncture. (Although the court's discussion of whether the SCA requires actual damages as a prerequisite to relief is not extensive--and as Van Alstyne acknowledges, there is mixed authority on the issue--the ruling is significant in this regard.)
Right of Publicity claim: The right of publicity claim fails because SFDG did not pass itself off as Maremont, even though it posted tweets through Maremont's Twitter account. The first of the objectionable tweets explained Maremont's absence and linked to a blog post by Susan Fredman. Additionally, upon returning to work on a part-time basis, Maremont "thanked" SFDG's guest editors for their efforts. Thus, the court concludes that SFDG did not misappropriate Maremont's likeness.
Common Law Privacy claim: Maremont also brought a common law privacy claim, which appeared to be based on the "intrusion of seclusion" tort. The court says that she has to show that defendants intruded into a matter that was private and which the plaintiff attempted to keep private. The court says that Maremont cannot satisfy these elements:
there is no dispute [that] . . . the matters discussed in Maremont's Facebook and Twitter posts were not private and that Maremont did not try to keep any such facts private. In short, Maremont fails to point to any private information upon which Defendants intruded.
Cf. Moreno v. Hanford Sentinel.
__
This is a messy dispute, and some of the facts don't seem clearly developed by either the court or the parties. For example, there were two Facebook accounts involved (one for SFDG and one which Maremont uses personally), but later in the discussion, the court doesn't specify which Facebook account it is talking about. Second, the court notes that "there is no evidence in the record concerning the actual Facebook postings and their content." This is a strange evidentiary omission by the plaintiff.
Then there's the issue of actual damages. Maremont has a Herculean task in proving that her affiliation with SFDG as a result of a smattering of social media posts somehow had a negative financial effect on her. How exactly was she damaged by this association? It's not as if SFDG said anything negative about her. Maremont's claim is that while she was in the hospital, SFDG continued to post and make it look (to the untrained eye) that Maremont continued to handle SFDG's social media efforts. Would a prospective client really refuse to hire Maremont because of these posts? Did this somehow diminish Maremont's earning capacity? I'm not sure what Maremont's expert is going to say, but he or she better come up with something good.
The court's analysis of the invasion of privacy issue also threw me for a loop. The court concludes that the information contained in the posts was public, so there's no violation by SFDG when it posted to Maremont's accounts, but this didn't seem to be the crux of Maremont's invasion of privacy claims. Maremont should be arguing that when SFDG accessed Maremont's accounts, SFDG could also have accessed private facts stored in the account, such as private messages, DMs, photos, and other information in the Twitter/Facebook accounts that were not public. The court's analysis makes me think that the court didn't understand that Twitter or Facebook accounts can contain other information than what's actually publicly "posted" through the account. (Of course, Maremont would have faced a challenge when it comes to damages. She may not have had a standing problem, but she would have to show that she suffered damage as a result of the intrusion, and it's fair to presume from the court's dismissal of her claim that she failed to put forth adequate evidence on this issue.)
This case, along with the PhoneDog case (and Ardis Health), highlights the inherent ambiguity in ownership over social media accounts. Property-wise, it's tough to slot the accounts in a particular box. There also seem to be differing expectations on the part of the employer and employee. The employee obviously wants to take the account with her when she leaves, but the employer would like to continue to take advantage of the goodwill built by the account. There is a solution, and that's to have a written policy in place! A policy is not a cure-all, and I think it's equally important to have a discussion up front about whose account this is and what happens when the relationship terminates. (This is a mini-version of the "blog ownership question" that Eric has harped on.)
As with the PhoneDog case, this is another dispute where the attorney's fees expended could eclipse the value of the case. If the facts as alleged are true, SFDG stepped way over the line in accessing Maremont's accounts, but Maremont's damages are probably minimal. (Ironically, I would think the invasion of privacy claim would be one of the strongest, but the court kicks this claim.)
As a final note, it's worth comparing the result in this case to In re Rolando S., the case where a California appeals court found that a juvenile violated California's identity theft statute when he took someone's Facebook account for a joyride. Here, SFDG gets dangerously close to this line, although it was not clear that the posts in question purported to be from Maremont. As I mentioned in my initial post on the case, depending on what jurisdiction you are in, meddling with someone's social media account in this context could result in e-personation liability.
Related posts:
Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward
Court Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell.
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.
Posted by Venkat at 03:45 PM | Privacy/Security , Publicity/Privacy Rights , Trademark
December 02, 2011
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
[Post by Venkat Balasubramani]
Del Vecchio v. Amazon, C11-366-RSL (W.D. Wash.; Dec. 1, 2011)
Plaintiffs sued Amazon, alleging that Amazon’s use of “flash” cookies and certain browser “tokens” was misleading. In a putative class action, Del Vecchio asserted claims against Amazon under the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act, along with claims for trespass and unjust enrichment. The court dismisses the lawsuit, and although it grants leave to amend, it sends a pretty clear message to plaintiffs that they face a high (and likely insurmountable) hurdle.
CFAA Claim: The court identifies two problems with the CFAA claim. First, plaintiffs fail to satisfy the $5,000 damage threshold. Plaintiffs argued that Amazon’s use of cookies “devalued” their personal information but the court says that this allegation is entirely speculative. Did the plaintiffs really lose the ability to exchange their personal information with third parties as a result of Amazon’s use of cookies or was this ability somehow lessened? Negative, says the court. The second category of possible loss was diminished performance to the plaintiffs' computers. The court rejects this allegation as well, noting that “not one of the Plaintiffs alleges that he or she discerned any difference whatsoever in the performance of his or her computer while visiting [Amazon’s] site.”
Although the failure to meet the five thousand dollar threshold is sufficient to dismiss the CFAA claim, the court goes on to address the issue of authorization and says that Amazon’s terms of use and privacy notice disclosed to end users that Amazon uses “Flash cookies” and uses these cookies to track and serve advertisements. (Thus, the access by Amazon was not "without authorization".) Plaintiffs made the clever argument that their injury occurred at the very moment they accessed Amazon’s site (i.e., before they had the chance to read and agree to the policy) but the court rejects this, saying that any information collection only occurred as a result of plaintiffs’ use of Amazon’s site.
Consumer Protection Act: Plaintiffs’ CPA claim suffered from two similar flaws. The court says plaintiffs failed to allege any “non-speculative” injury. One of the plaintiffs claimed that after she purchased pet supplies through Amazon, she received advertisements and junk mail from companies selling pet products. The court says this allegation is too speculative. In a footnote the court notes that this type of tracking and marketing is disclosed in Amazon’s privacy policy. The court also says that Plaintiffs failed to satisfy the requirement that Amazon’s conduct be unfair or deceptive—plaintiffs did not allege any actions that were inconsistent with Amazon’s privacy policy. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm. I would assume the same is true of junk mail as well.]
Trespass to Chattels: The court dismisses the trespass argument on the basis that trespass to chattels requires an allegation that the defendant’s actions interfered with a plaintiff’s property interest in a way that affects the physical condition or plaintiff's use of the chattel, and plaintiffs failed to adequately make out this allegation.
Unjust Enrichment: Relying on the plaintiffs’ failure to allege any improprieties in Amazon’s use of cookies or collection of information, the court also dismisses the unjust enrichment claim. The court cites to In re DoubleClick case and says:
Although demographic information is valued highly . . . the value of its collection has never been considered an economic loss to the subject. Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers . . . we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors.
__
Yet another decision rejecting claims by plaintiffs who sued over the use of cookies. (See the Specific Media and Interclick cases for other recent examples.) Some courts dismiss on the basis of Article III standing, while others (as in this case) find that plaintiffs failed to allege the requisite elements of causes of action. Whichever route the courts end up taking, they have overwhelmingly rejected these lawsuits. The "personal information as property" argument ends up going nowhere--in the context of tracking, courts don't seem enthusiastic about claims where the damages are premised on loss of value to personal information.
There was an element of plaintiffs’ allegations which did not receive as much attention as I expected. Plaintiffs alleged that Amazon used a piece of code, or a “token” (a P3P "Compact Policy"), which told the user’s browser that no personal information is collected and thus allegedly “tricked” the browser into accepting Amazon’s cookies. (Here is a link to plaintiffs' complaint, which details these allegations.) The court does not get into the issue of whether even if Amazon did "trick" the user’s browser this translates into misleading the user, or whether there was some sort of implied contractual promise in the P3P Compact Policy in the first place, given that it is a string of code directed at a machine, rather than a human. The court instead relies on the fact that plaintiffs have not alleged any harm. In any event, the court cites to the broad disclosures in Amazon’s privacy policy, indicating that the disclosures in the policy will likely trump any claim based on Amazon's allegedly misleading use of the P3P Compact Policy.
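To see how a compact-policy token can misdescribe a site's practices, here is a small auditing helper, added to this post and not taken from the complaint, the court's order or Amazon. The token lists are the P3P 1.0 compact-policy vocabulary; the consistency checks, the `IDENTIFYING` set and the three sample headers are this example's own simplified assumptions, not any browser's actual acceptance logic.

```python
"""Audit a P3P compact policy (CP) header against its own claims.

Added example; not code from Del Vecchio v. Amazon, the court, or Amazon.
Token vocabulary: P3P 1.0 compact policies. The checks below are a
simplified model written for this example (assumption), not the logic
any particular browser applied when deciding whether to accept a cookie.
"""
import re

# P3P 1.0 compact-policy vocabulary, grouped by the statement each token encodes.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
VOCAB = ACCESS | DISPUTES | REMEDIES | NON_IDENTIFIABLE | PURPOSE | RECIPIENT | RETENTION | CATEGORY | TEST

# Categories whose P3P definitions describe data that identifies a person:
# physical contact, online contact, government id, financial account (assumption
# of this example: treat these as "personal information" for the audit).
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def extract_cp(header_value):
    """Return the CP string from a P3P header value, or None if there is none."""
    m = _CP_RE.search(header_value)
    return m.group(1) if m else None


def parse_cp(cp):
    """Split a CP string into (base_token, consent_suffix) pairs.

    Purpose and recipient tokens may carry a one-letter suffix:
    'a' = always, 'i' = opt-in, 'o' = opt-out. Anything outside the
    vocabulary is returned unchanged with suffix None so it can be flagged.
    """
    parsed = []
    for raw in cp.split():
        base, suffix = raw, None
        if len(raw) == 4 and raw[3] in "aio" and raw[:3] in (PURPOSE | RECIPIENT):
            base, suffix = raw[:3], raw[3]
        parsed.append((base, suffix))
    return parsed


def audit_cp(header_value):
    """Compare what a CP claims about identified data with the categories it declares."""
    cp = extract_cp(header_value)
    if cp is None:
        return {"recognised": False, "claims_no_id": False, "identifying": set(),
                "consent_gaps": [], "findings": ["no CP= compact policy in header"]}
    tokens = parse_cp(cp)
    unknown = [t for t, _ in tokens if t not in VOCAB]
    bases = {t for t, _ in tokens}
    claims_no_id = bool(bases & {"NOI", "NID"})   # "no identified data" claim
    identifying = bases & IDENTIFYING
    # Identifying data used for purposes/recipients with no opt-in or opt-out.
    consent_gaps = [t + (s or "") for t, s in tokens
                    if t in (PURPOSE | RECIPIENT) - {"CUR", "OUR"} and s in (None, "a")] if identifying else []
    findings = []
    if unknown:
        findings.append("unrecognised tokens (not a P3P statement at all): " + " ".join(unknown))
    if claims_no_id and identifying:
        findings.append("claims no identified data (NOI/NID) but declares " + " ".join(sorted(identifying)))
    if consent_gaps:
        findings.append("identifying data with no opt-in/opt-out for: " + " ".join(consent_gaps))
    if not findings:
        findings.append("compact policy is internally consistent")
    return {"recognised": not unknown, "claims_no_id": claims_no_id,
            "identifying": identifying, "consent_gaps": consent_gaps, "findings": findings}


# Constructed sample headers for this example (not any real site's header).
CONSISTENT = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa OUR NOR NAV INT STA"'
CONTRADICTORY = 'CP="NOI DSP COR CURa ADMa TAIa OUR BUS PHY ONL UNI PUR FIN NAV INT DEM"'
BOGUS = 'CP="THIS IS NOT A P3P POLICY"'

if __name__ == "__main__":
    for name, hdr in [("consistent", CONSISTENT), ("contradictory", CONTRADICTORY), ("bogus", BOGUS)]:
        print(name, audit_cp(hdr)["findings"])
```

The second sample is the shape of the allegation in the post: a header that asserts no identified data while declaring identifying categories, which a machine reading only the first token would take at face value.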
Plaintiffs (and their lawyers) who have brought the latest wave of cookie lawsuits must be feeling pretty discouraged at this point. They’ve tried every conceivable variation of every possible argument and have gotten nowhere in the courts. We will see if they have better luck on appeal.
Related posts:
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Posted by Venkat at 07:00 AM | Privacy/Security
December 01, 2011
Spiritual Group's Attempt to Unmask Online Critics Goes South--Art of Living Foundation v. Does
[Post by Venkat Balasubramani]
Art of Living Foundation v. Does, 10-cv-05022-LHK (N.D. Ca.; Nov. 9, 2011)
Art of Living Foundation is an organization based in India that is dedicated to teaching the spiritual lessons of “His Holiness Ravi Shankar.” Defendants are disgruntled former “student-teachers and students” of plaintiff who want to bring to light their view that AOLF is a “manipulative and abusive cult.” Defendants posted blogs under the pseudonyms “Skywalker” and “Klim.”
AOLF sued, alleging various claims including defamation, misappropriation of trade secrets, copyright infringement and trade libel. AOLF also alleged that defendants published AOLF’s copyrighted “Breathe Sound Water Manual.” AOLF sought leave to conduct expedited discovery. This request was approved and AOLF issued subpoenas to Google and Automattic. Before Google and Automattic complied with the subpoenas, defendants appeared through counsel and moved to dismiss AOLF’s defamation claim, strike its trade secrets claim, and also moved to quash the discovery. Skywalker acknowledged that he published the manual, but said that he posted this solely as part of his larger campaign to bring awareness to his views about AOLF.
While the motion to quash was pending, the court granted defendants’ request to dismiss the defamation claim, and struck the trade secrets claim. AOLF filed an amended complaint limiting its claims to copyright infringement and misappropriation of trade secrets. Magistrate Judge Beeler granted the motion to quash as to Klim but denied it as to Skywalker, relying largely on the fact that a prima facie claim of copyright infringement is sufficient to overcome the right to anonymity. Judge Koh, reviewing Magistrate Judge Beeler’s order, finds that AOLF failed to overcome Skywalker’s right to remain anonymous and quashes the subpoena as to Skywalker.
In a characteristically excellent order, Judge Koh canvasses the various standards courts apply in resolving anonymity issues. Some courts have required plaintiffs to make a prima facie showing before ordering disclosure, while others have demanded admissible evidence establishing each element of a claim. The Ninth Circuit recently held that in resolving the disclosure issue, courts should keep in mind the nature of the speech (e.g., purely commercial versus purely political) as well as the potential chilling effect of ordering disclosure (In re Anonymous Online Speakers). Finally, and most troubling for the defendants, a widely cited 2004 decision from the Southern District of New York found that a prima facie allegation of copyright infringement entitles the plaintiff to identify doe defendants (Sony Music v. Does).
Defendant raised a fair use argument, but the court does not rely on the possibility of non-infringement in resolving the disclosure issue. The court notes that “evidence of copyright infringement does not automatically remove the speech at issue from the scope of the First Amendment.”
The court employs a balancing test where it weighs the harm to plaintiff and defendants. Disclosure of Skywalker’s identity would have a chilling effect on other bloggers, and this weighed heavily in favor of defendants. With respect to harm to the plaintiff from quashing the subpoena, the court finds that AOLF would not suffer a comparable harm. AOLF could proceed in the litigation without knowing Skywalker's identity—Skywalker had responded to written discovery, and if necessary, AOLF’s counsel could even conduct a deposition via telephone (or alternatively, Skywalker’s identity could be revealed on an attorneys’ eyes only basis). Ultimately, AOLF was unable to make a compelling argument that it needed to discover Skywalker’s identity at this point in the litigation. It raised a weak argument that it needed to find out the revenues generated from Skywalker’s blog but the court notes that this information could be gleaned through other sources, such as Google and Automattic.
__
This is a nuanced result. The court recognizes that the copyright claim is not particularly strong, and there is a good chance this is the end of the road for Art of Living Foundation. The earlier dismissal of its defamation claim (and accompanying liability for attorney's fees) is a serious blow, but the court's rejection of its request to unmask Skywalker deprives AOLF of what it was looking to get out of this lawsuit--early identification of a pseudonymous blogger. On the merits of the copyright claim, Skywalker may win on fair use or successfully argue that the damages are minimal at best. (See generally, the Righthaven debacle.)
The overall takeaway is that if you as a blogger face a claim for garden-variety copyright infringement, this type of a ruling shouldn't give you much hope. Courts will readily cite to Sony Music v. Does and order compliance with a subpoena seeking your identification. If, on the other hand, a plaintiff is using a weak copyright claim to get at you for bad-mouthing the plaintiff, a court may see it for what it is, and deny the requested discovery. Of course, this depends on your luck of the draw and requires you to be in front of a thoughtful judge and have good representation. (The ACLU, EFF, and Public Citizen weighed in as amici, which didn't hurt.) It also requires that service providers don't jump the gun when responding to subpoenas seeking identification. I'm sure on a daily basis, numerous posters and bloggers are unmasked because the circumstances are different from those in this case. Additionally, "garden-variety" copyright infringement unmaskings never get to court at all; service providers routinely make disclosures under section 512(h) without the alleged infringer even knowing it.
Added: Art of Living approached me and asked if I would add a link to an explanatory letter from them explaining their motivations in bringing the lawsuit. I've uploaded it to Scribd here.
Other coverage:
Public Citizen: Federal Judge Protects Anonymity of Blogger Despite the Allegedly Infringing Posting of a Copyrighted Teaching Manual
Techdirt: Courts Can't Ignore Free Speech Concerns Just Because Someone Claims Copyright Infringement
Wendy Davis: Court Rejects Bid To Unmask "Art of Living" Critic
RCFP: Federal judge preserves blogger's anonymity
Posted by Venkat at 04:45 PM | Copyright , Privacy/Security
November 30, 2011
Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed
[Post by Venkat Balasubramani]
Largent v. Reed, 2009-1823 (Pa. Ct. of Common Pleas; Nov. 8, 2011)
Keith and Jessica Largent were involved in an accident in 2007. They sued Jessica Rosko and Sagrario Pena alleging negligence and loss of consortium. During Ms. Largent’s deposition, defense counsel realized that Ms. Largent had a Facebook profile and she “used it regularly to play a game called FrontierVille.” Largent refused to turn over any information about the account, and Rosko moved to compel Largent to disclose her Facebook username and password.
Rosko argued that Largent’s profile was “public,” and that certain posts to Largent’s Facebook account contradicted her claims of “serious and severe injury.” Specifically, Rosko claimed that Largent posted photographs that depict her “enjoying life with her family and a status update about going to the gym.”
The court starts by noting that Pennsylvania discovery rules are broad and “the relevancy threshold is slight.” The court also notes that Rosko claimed a “good faith” basis for seeking the material in question: “[t]he information sought by Rosko might prove that Largent’s injuries don’t exist, or that they are exaggerated.”
If there is no applicable privilege or statutory bar, the information must be turned over. On the privilege issue, the court says:
[t]here is no confidential social networking privilege under existing Pennsylvania law. There is no reasonable expectation of privacy in material posted on Facebook. Almost all information on Facebook is shared with third parties, and there is no reasonable privacy expectation in such information.
As far as a statutory bar, the Stored Communications Act was the obvious possibility. The court recognizes the complexity around the statute and its applicability to the types of communications at issue, but says that “the minutiae are irrelevant for [the present] purposes.” Only one court has addressed whether Facebook communications are covered by the SCA (Crispin v. Audigier), and the court distinguishes that case on the basis that there the information was sought directly from the provider. In this case, Rosko is seeking the information from Largent directly:
[t]he SCA does not apply because Largent is not an entity regulated by the SCA. She is neither a RCS nor an ECS, and accessing Facebook or the internet via a home computer, smartphone, laptop, or other means does not render her an RCS or ECS.
Largent argued that granting Rosko’s motion was akin to “asking her to turn over . . . her private photo albums and requesting to view her personal email,” and would cause embarrassment and annoyance, but the court rejects these arguments. With respect to the possibility of embarrassment, the court says that because the posts are not truly private anyway, there can be no credible argument that disclosing the information would cause unreasonable embarrassment. As to the issue of annoyance to Largent the court says, the costs will be borne by Rosko, and:
Largent can still access her account while Rosko is investigating.
The court orders Largent to turn over her Facebook login information to defense counsel within 14 days of the date of the order. Defense counsel then has a 21 day window in which to inspect Largent's profile. After this window elapses, the court says that Largent may change her password.
__
I think we can all agree that the court's reminder that just because you posted something on a social network does not mean that it's privileged or off-limits is useful. The court is also right that it is folly to assume that anything posted to a social network (or for that matter, anywhere) is truly "private." These points can't be made often enough. That said, I think as with other Facebook discovery disputes, the resolution here is clunky and fails to account for the varied nature of the information that is stored in someone's Facebook account. This may range from private, e-mail-like communications with someone's lawyer or psychologist (should be privileged) to pictures of you frolicking on the beach which are published without any privacy restrictions at all (which are not privileged and undoubtedly relevant). Under the court's order, this distinction does not matter, and defense counsel is free to rummage around in Largent's Facebook account freely. (Kash Hill blogged about a discovery dispute with a similar result. A divorcing couple was forced to swap Facebook and dating site log-ins: "Judge Orders Divorcing Couple To Swap Facebook And Dating Site Passwords.") Some intrusion is expected and tolerated when you bring a claim for personal injury and maybe this is the cyber version of the independent medical examination. [As a sidenote, while it's problematic to delete any profiles while litigation is pending, if you are the plaintiff and you assert a claim for personal injury, you may want to delete your profile or deactivate it before you file suit. Added: check with your lawyer before you delete any profiles. Someone pointed out that the duty to preserve evidence arises before you file suit, so the pre-suit deletion of profiles may be ill advised.]
Of course, sharing your Facebook credentials with a third party is a violation of Facebook's terms of service--we all know that accessing a site in violation of its terms of service can come with stiff criminal penalties (the court even cites to US v. Drew in its order).
I don't have a great solution for this. It would be nice if Facebook allowed you to generate some sort of log of all of the items you have posted or sent around. This way the parties and the court can focus in on what's relevant without an opponent having to rummage around in your account.
In the meantime, if you are a litigant in a civil lawsuit and you post something online that you hope some folks don't see, just as with email, or any electronic media for that matter, realize that IT WILL COME BACK TO HAUNT YOU.
[NB: the court's order has some nice snark, including footnote 3: "Facebook currently does not allow a person to "dislike" (or in Facebook parlance, "un-like") a friend's post, probably for good reason."]
[Added: Lance Peterman suggests the ThinkUp app from Gina Trapani. I have not checked it out, but if it allows you to produce a comprehensive log of your Facebook posts, communications, and other activity, it may be useful for these types of discovery disputes. Another alternative may be the "download your information" feature which Facebook offers.]
Other coverage:
Drug & Device law: Another Excellent Facebook E-Discovery Opinion
Law.com No Reasonable Expectation of Privacy on Facebook, Pa. Judge Says
Previous posts:
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."
Posted by Venkat at 09:24 AM | Evidence/Discovery , Privacy/Security
November 29, 2011
Facebook Settles With the FTC -- In re Facebook, Inc.
[Post by Venkat Balasubramani, with comments from Eric]
In re Facebook, Inc. (Nov. 29, 2011) (Settlement & Proposed Consent Decree [pdf]) (Mark Zuckerberg's blog post)
The FTC announced its long-rumored settlement with Facebook. The key terms:
• Facebook is barred from making misleading representations about the “privacy or security” of consumers’ personal information;
• Facebook must get end user approval before it enacts changes which “override” consumer preferences;
• Facebook is required to prevent anyone from accessing a “user’s material” more than 30 days after a user’s deletion of his or her account;
• Facebook must enact a “comprehensive privacy program”;
• Facebook must undergo periodic privacy audits conducted by independent third parties.
The consent order binds Facebook, and keeps it under the FTC’s supervision, for 20 years.
__
The FTC’s complaint and its explanation shed some light on the scope of the settlement. Among other things, the complaint alleged: (1) Facebook shared information such as “friends lists” without warning users that it would change the default; (2) shoddy security practices around third party apps, which were permitted to access information beyond what was necessary to operate the apps; (3) Facebook shared personal information with advertisers when it said it wouldn’t; (4) Facebook continued to allow access to profiles after end users had deleted them; and (5) Facebook claimed it complied with the EU Safe Harbor when it didn’t.
Given the numerous missteps (or some would say, overt disregard for user privacy) by Facebook, this was inevitable. As Eric mentions in his comments, Twitter and Google are both under similar consent decrees, and now with Facebook having agreed to a proposed settlement, the FTC has achieved de facto regulation of the biggest social networks.
The big question is what this will mean for Facebook’s advertising practices. It will undoubtedly make it harder for Facebook to permeate as a platform without clearly disclosing changes to users (the Facebook feature that alerts your friends when you are reading an article probably warrants more robust disclosure as a result of this decree), but will Facebook’s garden-variety targeting be affected in any way? I’m guessing not. (The definition of “third party” in the settlement carves out a “service provider . . . [who] uses the . . . information for and at the direction of [Facebook] and no other individual or entity and for no other purpose [and] does not disclose the . . . information, or any individually identifiable information derived from such information, except for, and at the direction of, [Facebook], for the purpose of providing services requested by a user . . . .” Query as to how this carve out affects Facebook’s advertising practices.)
The provisions about “privacy changes” seem to apply prospectively. I assume Facebook rolled back all of the objectionable changes which precipitated consumer complaints in the first place, so it's not as if Facebook gets a free pass on its overreaches to date. Still, it’s interesting that the settlement did not specify the various changes over the past couple of years that spurred the FTC into action.
The part about deleted profiles was interesting in that the settlement only says that Facebook agrees to not “allow third party access” to profile information. There’s nothing about Facebook purging the information, so I assume it can still be subpoenaed.
I question whether the settlement comes too late for Facebook. It has fooled users not once, or twice, but on a regular basis. (Facebook is like the stereotypical person in an abusive relationship. It doles out the punishment and people keep coming back on hearing a promise that it will make things right.) In a way, the settlement may be a boon to Facebook. It has failed to keep its promises of its own accord, but now it can point to the imprimatur of the FTC settlement and say: “like Twitter and Google, we too are under the thumb of the FTC…you don’t have to take our word for it that we will make good on our privacy promises!”
[NB: the numerous privacy class actions against Facebook have all been dismissed or are otherwise languishing and are likely to be dismissed. This settlement should not have any effect on those lawsuits one way or another, although Zuckerberg’s blog post contains a broad mea culpa that may sway a judge or a factfinder. If plaintiffs can get past the damages/standing issue, they are sure to wave that around.]
____
Eric's Comments
1) The FTC's privacy rules are quite easy to follow. Tell users the truth, and don't change the rules mid-stream without users' consent. We've all known that Facebook repeatedly cuts corners when it comes to its privacy promises. Like most Internet companies, they thought they could get away with it. They didn't.
2) The fact Facebook violated these rules is bad legally, but it's even worse for Facebook’s user relations. Few Internet brands as big as Facebook have so many users that feel apathetic—or downright antagonistic—towards the service. This isn't a recipe for long-term success.
3) Surprisingly, although the collateral material discusses third party apps, the settlement doesn’t crack down on Facebook's API and the stunning amount of personal data (about both users and their friends) that third parties can pull from Facebook without any meaningful supervision. Even so, I can't imagine Facebook's API will continue to work as it's currently working for the indefinite future.
4) The FTC is on the way to making a clean sweep of settlements with major Silicon Valley Internet players. See our blog posts on the Twitter and Google Buzz settlements. It seems inevitable that the FTC will eventually put all of them under a monitoring program. In effect, the FTC is manufacturing de facto legislation through its Silicon Valley tour-de-force.
5) Add in the DOJ's extraordinary attention to the Silicon Valley, especially Google, and it's clear that DC regulators intend to have the final word about Silicon Valley business practices.
Posted by Venkat at 11:42 AM | Privacy/Security
November 27, 2011
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox
[Post by Venkat Balasubramani]
Sterk v. Redbox, 11 c 1729 (N.D. Ill. Aug 19, 2011)
Redbox is a company which rents DVDs to customers from automated, self-service kiosks, typically charging $1 per rental. The customer is required to return the DVD the following day and, if the customer fails to do so, the customer is charged a late fee. If the customer is twenty five days late, then the customer is charged the price of the DVD (at which point the customer owns the DVD).
Plaintiffs filed a putative class action, alleging that Redbox maintained customers' credit card billing information, along with their "video programming viewing histories," in violation of the provisions of the Video Privacy Protection Act. The VPPA has a section ("subsection 2710(e)") which says that:
a person subject to this section shall destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (b)(2) or (c)(2) or pursuant to a court order.
Plaintiffs alleged that Redbox violated subsection 2710(e).
Does the VPPA Create a Private Cause of Action for Wrongful Retention of Video Rental Records: Redbox argued that the statute only provides for a private action for wrongful disclosure, not for the "wrongful retention" of video rental records. The court rejects this argument, noting that the subsection authorizing a private right of action (subsection 2710(c)) says that any person aggrieved by a violation of "this section" may file a suit.
The court interpreted the language referring to "this section" as a reference to section 2710--i.e., the entire statute. The court looks to the "House Legislative Counsel's Manual on Drafting Style," which provides a hierarchical breakdown of statutes (by sections, subsections, paragraphs, subparagraphs, and clauses), and to the fact that Congress adhered to this hierarchy in other parts of the statute. Redbox pointed to another part of the statute dealing with court-ordered disclosures, where Congress arguably used the term "section" somewhat imprecisely, to argue that Congress did not consistently use the term "section" in the statute. The court rejects this argument on the basis that the provisions dealing with court-ordered disclosures are contained in several different subsections, so the use of the term "section" in section 2710(b)(3) is not a mistake, or alternatively does not support the argument that Congress used the term "section" ambiguously in subsection (e).
The court also distinguished a Sixth Circuit decision (Daniel v. Cantrell) which held that only subsection (b) can form the basis of liability under the VPPA. In that case, the court held that only subsection (b) "includes language relating to liability," and if Congress intended a private right of action for violations of subsections (d) and (e), it would have included the private right of action language at the end of the statute, rather than preceding subsections (d) and (e).
Redbox also argued that the legislative history of the VPPA supported its theory that Congress did not provide for a private right of action for the wrongful retention of records, pointing to the Senate Report, which stated that the goal of the statute was to "reduce the chances that an individual's privacy will be invaded, by requiring the destruction of information in an expeditious fashion." The court says that the legislative history is inconclusive, and in any event, the court need not resort to it since the statute is not ambiguous.
Did Plaintiffs State a Claim for Wrongful Retention Under the Statute: Redbox also argued that it collected the information for the purpose of "recouping late fees," and at worst, Redbox had one year from the date of collection to purge the information. The court disagrees with Redbox and says that the statute does not say that a provider always has at least 1 year to purge the information. According to the court, this interpretation of the statute reads the phrase "as soon as practicable" out of the statute. Redbox argued alternatively that it collected the information for marketing and advertising purposes, but this is only allowed if the provider gives the customer the opportunity to opt out "in a clear and conspicuous manner." Sterk alleged that the opt-out was not conspicuous, and the court treats this as a factual dispute which cannot be resolved at the motion to dismiss stage. [Although the court does not rely on this allegation in resolving the motion to dismiss, plaintiffs alleged that Redbox changed its disclosure practices and included a more prominent link to Redbox's terms of use and privacy policy after the lawsuit was filed.]
__
Oy. I'm guessing Congressional staffers who were involved in drafting the Video Privacy Protection Act are cringing as they read this decision.
It's interesting that video rental records are carved out for such special protection under the law. (The VPPA was passed in 1988, in the wake of then-judge Robert Bork's confirmation hearings.) Imagine if we had a similar law in place for book records or web-surfing records!
At any rate, Redbox is potentially on the hook for statutory damages under the VPPA, regardless of whether it used or misused its customers' video rental records in any way. It's unclear as to whether other online "video tape service providers" are going to be tagged with similar lawsuits. Netflix is in the firing line. (See "Close-Up: Netflix Hit With Privacy Suit.") Are Amazon, Apple, and Hulu next?
The craziest part of the lawsuit is that video rental companies can avoid liability by taking the largely ministerial step of procuring their customers' consent to the disclosure of rental records. (Given that Redbox is not some bootstrapped start-up, it's surprising that it did not take this step in the first place.) Although the consent provisions don't appear to expressly insulate records retention, consent needs to be "written" if the provider wants to disclose the information in question. Recently introduced legislation, supported by Netflix, would allow consumers to give blanket authorization to disclosure by video rental companies and to provide such disclosure online. (See Tech Daily Dose: "Calling Robert Bork" (reporting on H.R. 2471.) Interestingly, the proposed legislation does not clearly cover the retention of records and only covers their use and disclosure.
[Since this ruling, Redbox moved to reconsider or, in the alternative, sought permission to take an interlocutory appeal, and this motion is pending. In the meantime, the court also denied Redbox's motion to dismiss plaintiffs' consolidated amended complaint. (Here is a copy of the court's minute order denying Redbox's motion.) Redbox in its answer also asserted the affirmative defense that the statute is unconstitutional.
Also, note that the ruling is from August of this year. This one languished in the queue.]
Additional coverage:
N.D. of Ill. Judge Allows VPPA Privacy Lawsuit to Go Forward (Sedgwick)
Posted by Venkat at 08:10 AM | Privacy/Security
November 17, 2011
App Developer RockYou Settles Privacy Lawsuit--Claridge v. RockYou
[Post by Venkat Balasubramani with comments from Eric]
Claridge v. RockYou, 09-CV-6032-PJH (N.D. Cal.; Nov. 14, 2011) (settlement pending court approval)
Eric and I previously blogged about the opinion in Claridge v. RockYou, where the court tentatively recognized the theory that personal information may be an end user's property and thus a misappropriation of that data can satisfy Article III standing. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") RockYou is an app developer that claimed to have 130 million unique customers using its apps on a monthly basis. It was hit with a security breach, which allegedly affected the log-in credentials of 32 million RockYou users. Claridge sued, and RockYou and Claridge settled the dispute.
The principal terms of the settlement:
- RockYou consents to an injunction for 36 months, requiring it to undergo two audits during this time (the audits will be conducted by an independent third party selected by "defendant") [i.e., RockYou];
- RockYou is bound by the injunction to the extent it continues to collect consumer information "as alleged in the" lawsuit;
- Claridge gets $2,000 for his time and efforts, and plaintiff's counsel gets $290,000;
- RockYou "represents and warrants that it is financially unable to provide the monetary relief sought by [Claridge]".
The settlement is subject to court approval and only resolves the claims for injunctive and declaratory relief with prejudice as to the proposed class. Someone else is not precluded from bringing another class action, but they have to seek money damages and cannot rely on injunctive relief.
__
The court/agency-monitored audit requirement is in vogue. Soon, it's possible that every single network will have a court or agency imposed requirement to undergo periodic privacy/security audits. (As part of settlements with the FTC, Twitter and Google agreed to periodic audits.) The efficacy of these audits is not clear and surely depends on the scope of the audit and who conducts it. In this case, the audit requirement is toothless since RockYou chooses its auditor. There is also no discussion of what action on RockYou's part facilitated the breach and what corrective steps it would take.
Paragraph 2 of the settlement was confusing. RockYou is only bound by the injunction to the extent it continues to collect and maintain information as alleged in the complaint? Or is RockYou indefinitely subject to the injunction if it continues to collect and maintain such information? How much does RockYou have to change its business practices such that it's not bound by the injunction? Something broader, that required RockYou to be bound any time it collected consumer information, makes more sense. Also, what happens to the information RockYou previously collected if it "exits the business"?
The attorneys' fees figure in this settlement ($290,000) is significantly less than what has been paid in previous cases (Google Buzz: $2.5mm; TD Ameritrade: $500K, knocked down from $1.8mm; Facebook Beacon: $2.8mm, currently on appeal to the 9th Circuit).
I'm not sure if the attorneys' fees figure is related to this, but RockYou's representation that it is "financially unable" to shell out money to the Proposed Class was worth noting. Does this mean it's on the ropes financially? It's interesting that Claridge did not go after the platforms the RockYou apps were run on top of. The responsibility of networks and platforms to police the conduct of app developers is a brewing issue.
Of course, one downside of the settlement is that the court's earlier order remains on the books.
Related posts:
Beacon Class Action Settlement Approved -- Lane v. Facebook
The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
Court Approves TD Ameritrade Data Breach Settlement -- In re TD Ameritrade
Google Settles Buzz User Privacy Litigation
_____________
Eric's comments
This is an odd settlement. The plaintiff class got virtually nothing from RockYou--no relief for the class and de minimis promises from RockYou. The plaintiff's lawyer didn't even get a particularly big payday, although they do expect to get paid even if the "victims" don't get a dime. This financial dichotomy makes me wonder if the judge will approve this settlement. I would expect the judge to ask more questions about RockYou's purported poverty (see Paragraph 5) given it's the excuse for not paying anything to the class. Paragraph 5 sounded to me more like a preference (RockYou would prefer not to pay out more money) than a necessity (RockYou is on death's door). RockYou clearly isn't raking in the dough--it just laid off over half its staff--but they are claiming they'll be profitable within the next year, they have raised nearly $130M in financings, and they surely have cash remaining in the bank.
Because the lawyers are getting paid while the class is getting bubkus, the judge surely can't miss the possibility that the lawyers sold out the class to advance their own profit-seeking interests. That would be a good basis to reject the settlement. Personally, I hope the judge does reject it so that the plaintiff's lawyers don't even get these crumbs and so that RockYou will keep litigating to demonstrate the lack of merit to the plaintiffs' claims.
The ongoing promises by RockYou are ambiguous. There's a fatal typo in the settlement agreement. Paragraph 2 reads "RockYou’s shall be bound by the injunction described in Section 2.1 above, so long as it is engaged in the business of collecting and maintaining consumer records as alleged in the Action." Putting aside the minor typo (the possessive "RockYou's"), the provision references "Section 2.1 above," which doesn't exist. Unlike Venkat, I have no idea what additional obligations RockYou is undertaking other than the 2 audits referenced in Paragraph 1.
It's a bummer the agreement leaves the existing opinion in place. I wish the parties had agreed to ask the judge to vacate it. Even though other courts haven't embraced the judge's data-as-valuable-property argument (see, e.g., the Low v. LinkedIn opinion), with the opinion still on the books, plaintiffs will keep citing it (and clearing the Rule 11 bar) until an appellate court wipes it away--a result that could take years. Until then, the existing opinion gives plaintiffs false hope, spurring many more meritless actions. Just what we need.
Posted by Venkat at 03:08 PM | Privacy/Security
November 14, 2011
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
[Post by Venkat Balasubramani with comments from Eric]
Low v. LinkedIn, 2011 WL 5509848 (N.D. Ca.; Nov. 11, 2011)
Low brought a putative class action against LinkedIn, complaining about the fact that LinkedIn "allows transmission of users' personally identifiable browsing history and other personal information to third parties, including advertisers, marketing companies, data brokers, and web tracking companies . . . " He asserted a variety of different claims, including under the Stored Communications Act, the California Constitution, breach of contract, conversion, and California consumer protection statutes. The Court finds that Low failed to satisfy Article III standing and dismisses (with leave to amend).
The complaint alleged that LinkedIn assigned users unique user IDs, and LinkedIn "links and transmits the user ID number to third party tracking IDs ('cookies')." This allows third parties to track the online browsing histories of users, tied to LinkedIn's unique user ID (from which third parties can probably determine the identity of the user). [It's unclear from the ruling whether transmitting the user ID was a mistake on LinkedIn's part or whether it was all part of some nefarious Orwellian scheme to track everything and everyone. It was also unclear whether LinkedIn was allegedly compensated for this. I didn't check, but I presume LinkedIn has taken corrective measures.]
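The mechanism behind the complaint (and behind Eric's point, below, that a unique ID never belonged in the referrer URL) is worth seeing concretely. When a page whose URL carries a per-user identifier embeds an image, script or ad from another domain, the browser sends the page's URL to that domain in the HTTP Referer header, so the identifier travels to the third party whether or not the site "intended" to share it. The following is an added example, not code from the post or from LinkedIn: it computes what a browser would send as Referer under each value of the Referrer-Policy mechanism (a W3C spec that postdates this 2011 case; the default behavior of browsers at the time corresponded to its "no-referrer-when-downgrade" value), checks whether the user ID survives, and shows the cheaper fix of keeping the ID out of the URL altogether. The page URL, the "uid" parameter name and the tracker hostnames are constructed for illustration.

```python
"""Added example: how a user ID placed in a page URL leaks to third parties
via the Referer header, and which Referrer-Policy values contain it.

Assumptions (not from the blog post): the sample URLs and the "uid" query
parameter are constructed; policy semantics follow the W3C Referrer Policy
spec, which did not exist when the LinkedIn case was decided."""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a profile page whose URL carries the viewer's own ID.
PAGE = "https://social.example/profile/view?uid=12345&trk=nav"
TRACKER_HTTPS = "https://ads.example/pixel.gif"   # cross-origin, no downgrade
TRACKER_HTTP = "http://ads.example/pixel.gif"     # cross-origin, https->http
SAME_ORIGIN_IMG = "https://social.example/static/logo.png"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

def _origin(url):
    """Serialized origin with the trailing slash the spec sends."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def _full_referrer(url):
    """Browsers always drop userinfo and fragment before sending a Referer."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def _is_downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"

def referer_for(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends with a subresource request from page_url
    under the given Referrer-Policy, or None when nothing is sent."""
    full = _full_referrer(page_url)
    origin = _origin(page_url)
    same_origin = urlsplit(page_url).netloc == urlsplit(request_url).netloc \
        and urlsplit(page_url).scheme == urlsplit(request_url).scheme
    downgrade = _is_downgrade(page_url, request_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def leaks_user_id(referer, param="uid"):
    """True when the Referer still carries the per-user query parameter."""
    if referer is None:
        return False
    return param in parse_qs(urlsplit(referer).query)

def leaking_policies(page_url, request_url, param="uid"):
    """Policies under which a third-party request would receive the user ID."""
    return [p for p in POLICIES
            if leaks_user_id(referer_for(page_url, request_url, p), param)]

def without_param(url, param):
    """The fix at the source: build page URLs without the identifier at all
    (keep it server-side in the session instead)."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k != param]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))

if __name__ == "__main__":
    for target in (TRACKER_HTTPS, TRACKER_HTTP, SAME_ORIGIN_IMG):
        print(f"request to {target}")
        for policy in POLICIES:
            ref = referer_for(PAGE, target, policy)
            flag = "LEAKS uid" if leaks_user_id(ref) else "ok"
            print(f"  {policy:32} Referer={ref!s:60} {flag}")
    print("URL with the ID removed:", without_param(PAGE, "uid"))
```

Under the policy that matched 2011 browser behavior, the https tracker receives the full URL including `uid=12345`; only a downgrade to plain http suppresses it. The modern browser default ("strict-origin-when-cross-origin") sends just `https://social.example/`, which is why a site today can ship an ID in a URL for years without anyone noticing until a misconfigured policy or a third-party widget re-exposes it. Removing the identifier from the URL removes the problem regardless of which policy a browser applies.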
Emotional harm: Low argued that he suffered "embarrassment and humiliation caused by the disclosure of his personally identifiable browsing history." But apart from a general allegation that the disclosure of someone's browsing history to third parties would be embarrassing, Low failed to highlight what information was actually disclosed. Additionally, Low also failed to allege that a third party actually linked the browsing history with his identity, as opposed to his LinkedIn unique ID. To the extent Low tried to rely on the future disclosure of information the court says that this is too conjectural and hypothetical.
Economic harm: Low's argument for how he had been economically harmed by LinkedIn's practices was that his browsing history was a marketable piece of property and he was not compensated for LinkedIn's transfer of this property to third parties. The court recaps the cases on this issue (Specific Media; In re iPhone App Litigation; DoubleClick; In re JetBlue) and says Low failed to allege how he was economically harmed by LinkedIn's practices. In particular, the court says Low failed to allege how he was prevented from capitalizing on the value of his personal data. Low cited Krottner v. Starbucks and Doe 1 v. AOL and argued that the mere disclosure of personal information may create standing. The court says that these cases are distinguishable in that they involved the disclosure of sensitive or private information. Krottner involved the theft of a laptop which contained the private information of employees, including names, addresses, and social security numbers. Although the Ninth Circuit said that plaintiffs were not entitled to relief since they were provided credit monitoring, the court found that loss of sensitive information was enough to satisfy standing. The AOL ('search Valdez') case involved the packaging and distribution of a huge quantity of search data, which included similarly sensitive personal information alongside the users' search queries themselves. In this case, the court says that Low's allegations are easily distinguishable from Krottner and AOL, and are not sufficient:
Low has not alleged that his credit card number, address, and social security number have been stolen or published or that he is a likely target of identity theft as a result of LinkedIn's practices. Nor has Low alleged that his sensitive personal information has been exposed to the public. Indeed, the Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him. Accordingly, Low has failed to allege an injury-in-fact.
The court also footnotes the issue that violation of a statutory right may in some cases confer standing on a plaintiff, but does not delve into it since plaintiff did not raise this issue and plaintiff was given leave to amend.
__
This is a helpful order because it recaps many of the recent cases dealing with the issue of what type of harm a plaintiff must allege. Judge Koh, who wrote the order dismissing plaintiff's claims, also authored the iPhone Privacy opinion, where she methodically picked apart plaintiff's claims. (See iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation.) Judges in the Northern District of California have heard a slew of potential class action privacy lawsuits over the last couple of years and have almost uniformly rejected them. One of the common problems in these cases is that the plaintiffs are not able to articulate with much clarity what practices they are complaining of and how exactly the practices harmed the plaintiff. What often spurs these lawsuits is a research finding or a media report about a company's practice. The lawsuit does not start with the plaintiff who suffers an injury or a negative consequence.
The idea that a company's exploitation of your browsing history or viewing habits causes you economic injury is not getting much traction. Courts are mostly saying that in order to allege economic damages, it's not sufficient to argue that the information has some value in an advertiser or a network's hands--you have to allege that their use of the information somehow impeded your ability to exploit the information. To my knowledge, the RockYou case is the only one to accept the "PII as property" argument, but the court did so reluctantly, and expressed skepticism over the ultimate fate of this theory. (Here's my earlier blog post on the RockYou case: "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.")
This is not the end of the road for this case, as the court grants leave to amend the complaint, but the court says clearly what type of injury the plaintiff has to allege, and I'm somewhat skeptical that the plaintiff will achieve a better result in round 2.
Related Posts:
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
AOL's Disclosure of Search Data May Support Claims Under California Law
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
_____
Eric's Comments
1) LinkedIn should never have included a unique ID in its referrer URLs. Same with the other websites that undertook the practice. That was an avoidable error on their parts.
2) Article III standing is an awkward way of disposing of the referrer URL cases. However, at this point, knowing that defendants are going to bring an Article III challenge, it's becoming embarrassing for plaintiffs' lawyers to bring such weak arguments about the plaintiffs' harms. If you're going to bring a privacy lawsuit, find a plaintiff who actually suffered tangible harms and then allege those harms. If you can't, let it go.
3) Allegations of "embarrassment and humiliation" as the harm for Article III standing in a privacy class action suit, without specific facts explaining how, should always fail.
4) I thought the whole "data as property" meme died a decade ago. I agree with Venkat that the RockYou case hasn't opened up a hole for the plaintiffs, but it's too bad that court gave the glimmer of hope to the plaintiffs.
5) I know why Judge Koh gave the plaintiffs another chance, but I'll be surprised if they do any better on round 2. I hope future judges will squelch these low-merit privacy suits even more quickly as the plaintiffs continue to make the same pleading errors over and over again.
Posted by Venkat at 01:20 PM | Privacy/Security
November 04, 2011
Minnesota Appeals Court Says Tracking Statute Excludes Use of GPS to Track Jointly Owned Vehicle -- State v. Hormann
[Post by Venkat Balasubramani]
State v. Hormann, A10-18722 (Minn. Ct. App. October 19, 2011)
Hormann was charged with installing a tracking device on his then-wife's car, in violation of a Minnesota statute prohibiting the use of, among other things, tracking devices without a court order. (Minn. Stat. 626A.35.)
As recounted in the order, in March 2010, the victim had a mechanic inspect the car, and the mechanic found a tracking device magnetically attached to the underside of the car. In January of that year, the victim testified about an incident involving domestic violence. In response, the victim moved out, but the defendant sent her text messages "commenting on where she had been and otherwise indicating that he was . . . monitoring her movements." She also testified that the defendant allegedly put spyware on her cell phone that "allowed him to intercept her text messages and that he also seemed to know everything she was doing on the family computer." The defendant was also involved in an incident in which he allegedly located the victim in a lakeside cabin, "entered the cabin, and physically attacked an acquaintance of [the victim's]."
The statute excluded the use of a mobile tracking device when it was used to track an object with the "consent of the owner." Hormann argued that because he had an ownership interest in the vehicle, the statute could not be used to convict him.
The court finds that the statute's use of the word "owner" is ambiguous in this context, and the drafters did not anticipate the scenario where an object has more than one owner. The court looks to Minnesota's vehicle-title rule for the definition of "owner." The vehicle-title statute defined owner to include a person who has "property in [sic] or title to a vehicle." A person entitled to "use" the vehicle was encompassed within the definition of "owner."
The court found that Hormann was entitled to use the vehicle. The vehicle was purchased with marital funds and thus presumptively marital property. There was also evidence in the record that Hormann used the vehicle on occasion. (At oral argument, the state conceded that it would not prosecute Hormann for auto theft if Hormann was found to be driving the vehicle, even without the victim's consent.) The evidence with respect to title to the vehicle was also favorable to Hormann. While the victim was shown to be the sole registered owner, Hormann produced evidence that the victim signed title over to Hormann (the testimony at trial showed that this transfer was done to facilitate the sale of the vehicle and the transfer was never recorded). According to the court, this transfer demonstrates how "incidents of formal ownership of marital property may not accurately reflect who is using a vehicle."
The court applies the rule of lenity to construe the statutory ambiguity narrowly, and holds that the exception applies where the vehicle or object has multiple owners, and one of the owners consents to the tracking device.
__
Divorces are fertile ground for privacy issues, and in previous posts I've speculated about the effect of joint ownership rules on privacy violations. A New Jersey (civil) case involved GPS tracking, and although the court did not raise the issue and there was no statute expressly aimed at tracking, I wondered about the fact that "since the wife owned the car, she could have argued that she had the right to track its movements." (The New Jersey case was decided largely on the grounds that the vehicle in question was on publicly visible roadways, where the driver enjoyed a diminished expectation of privacy.) The issues can be less clear when it comes to emails, since spouses sometimes maintain joint email accounts, and there's not always a clear "owner" of a particular account. On the other hand, statutes which are aimed at communications provide for exceptions based on the consent of the parties to the communications, and ownership of a phone or an email account will not provide an easy out under those statutes. In this case, the victim alleged that the now-former husband infringed on her privacy in other ways (e.g., installing spyware on her computer and her cell phone), but the focus of the charge was the tracking.
It may be too early to have a meaningful tally, but I wonder if courts are more tolerant of spouses who engage in tracking while in the midst of a divorce or separation. As always, soon-to-be ex-spouses who track and listen in should beware.
Additional coverage:
Kashmir Hill: "Scary Stalker Husband In The Legal Clear To Track Wife's Car" ("If you co-own it, you can track it.")
Topically related posts:
Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft
Court: Husband's Access of Wife's Email to Obtain Information for Divorce Proceeding is not Outrageous
NJ Appeals Court: No Privacy Violation When Spouse Uses GPS to Track Vehicle -- Villanova v. Innovative Investigations, Inc.
Posted by Venkat at 09:45 AM | Privacy/Security
November 02, 2011
Yahoo Partially Defeats Lawsuit Over Wrongful Account Termination--Buza v. Yahoo
By Eric Goldman
Buza v. Yahoo, Inc., 2011 WL 5041174 (N.D. Cal. Oct. 24, 2011). The complaint.
Buza claims Yahoo terminated two GeoCities accounts related to his advocacy efforts. Buza is proceeding pro se, which is typical for user lawsuits over wrongful account termination. He sued Yahoo in state court. Yahoo tried to remove to federal court. In this ruling, Judge Seeborg dismisses the federal claims and sends the others back to state court. I'm sure Yahoo wished Judge Seeborg had cleaned out the case entirely, but I bet Yahoo will get there soon enough.
Buza claimed that Yahoo violated his First Amendment rights. As I explain in my article on wrongful account termination, plaintiffs often invoke the Constitution to get around any statutory immunities, but Constitutional claims routinely go nowhere. It's 100% clear that privately owned online service providers like Yahoo aren't state actors and therefore aren't restricted by the Constitution. The court says:
Buza's response that Yahoo!'s services should be seen as a "public forum" in which the guarantees of the First Amendment apply is not tenable under federal law. As a private actor, Yahoo! has every right to control the content of material on its servers, and appearing on websites that it hosts.
Similar recent cases in this vein include Young v. Facebook, Estavillo v. Sony and Jayne v. Google Founders.
Buza also brought an ECPA/SCA (18 USC 2701) claim for unlawful access to stored communications. The court dismisses because the restrictions don't apply to the service provider's access of those communications.
Having disposed of the federal claims, Judge Seeborg sends the case back to state court to deal with the remaining claims, which include a violation of California's state constitution, "intellectual property," trespass to chattels and breach of contract. The judge expresses some skepticism about some of these claims, but having decided he could quickly clean his docket of the case, he doesn't go any further than necessary to send the case back to state court.
My understanding is that Yahoo didn't raise a 47 USC 230(c)(2) defense, the federal immunity for service providers' filtering decisions. I explore this point in detail in my recent 230(c)(2) article. 230(c)(2) can't trump federal constitutional claims, but it should (?) trump state constitutional claims. 230(c)(2) doesn't apply to IP claims per a statutory exclusion, but the Ninth Circuit in Perfect 10 v. ccBill said that 230 trumps state IP claims (the judge says no federal IP claims are at issue). The immunity likely trumps the trespass to chattels claim, although I don't recall seeing that issue tested before. And as I explain in my article, 230(c)(2) could very well trump the contract breach claim. (This judge could have also disposed of the contract claim based on express terms giving Yahoo the power to pull the plug on websites, but the state court judge will have to do that.)
Because the immunity is a federal statute, it would have been appropriate for the federal court to interpret its application to the state claims before remanding. This discussion suggests that had the immunity been raised, Judge Seeborg might have completely ended the case on 230(c)(2) grounds without sending anything back to state court.
Posted by Eric at 09:33 AM | Derivative Liability, Licensing/Contracts, Privacy/Security, Trespass to Chattels
October 27, 2011
In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros.
[Post by Venkat Balasubramani]
Anderson v. Hannaford Brothers Co., 10-2384; 2450 (1st Cir. Oct. 20, 2011)
Background: Plaintiffs sued Hannaford based on a massive data breach in 2007. In this ruling, the First Circuit said that money spent by plaintiffs to obtain replacement credit cards and for credit monitoring could be considered reasonable mitigation efforts and was therefore legally compensable.
The court recounts the facts underlying the data breach, which is reportedly one of the largest ever. In late 2007, hackers stole up to 4.2 million credit card numbers, expiration dates, and security codes. Visa notified Hannaford in February 2008, and Hannaford publicly announced the breach on March 17, 2008. At the time it made the announcement, Hannaford knew of some 1,800 cases of fraud resulting from the breach--the unauthorized charges in question "originated in locations across the globe, including New York, Spain, and France."
Affected customers fell into a few different categories. Some financial institutions immediately cancelled their customers' cards and issued replacements. Others did not cancel the card but monitored accounts. Some customers requested that their cards be cancelled but had to pay fees. Other customers also purchased identity theft insurance.
Twenty-six different lawsuits were filed against Hannaford, which were consolidated in the District of Maine. The consolidated complaint alleged that fourteen of the named plaintiffs had unauthorized charges on their accounts, seventeen of the named plaintiffs had their cards cancelled, and two of the plaintiffs requested that their issuers give them replacement cards. Plaintiffs alleged seven causes of action, including breach of contract, breach of an implied warranty, negligence and unfair trade practices. They also alleged a variety of different injuries, including:
the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud.
Plaintiffs also claimed damages for "the cost of purchasing identity theft/card protection and credit monitoring services."
District Court Proceedings: The district court split the plaintiffs into three different categories. The first category was composed of customers who did not have fraudulent charges posted to their account and the district court held that they were not entitled to relief. The second group was composed of plaintiffs who incurred unreimbursed financial charges. The court said that these plaintiffs could recover. However, during the pendency of the litigation, the single plaintiff who had an unreimbursed charge advised that the charge was reversed.
The last category was composed of customers who experienced unauthorized charges but whose charges were reversed. The district court said that the losses suffered by these customers were "too remote, not reasonably foreseeable, and/or speculative (and under the [trade practices statute] not a 'substantial injury')." (Here's my earlier blog post on the district court ruling: "Hannaford Data Breach Plaintiffs Rebuffed in Maine.") After the court's ruling, plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The key question, which the court answered in the negative, was whether "time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm" was a cognizable injury under negligence or breach of contract theories. (Here's a brief post discussing this ruling: "Two More Courts Close the Doors on Data Breach Plaintiffs.")
First Circuit: The court rejects plaintiffs' cause of action for breach of fiduciary duty, finding that the relationship between a grocery store and customer is not sufficiently imbued with trust or unequal bargaining power for the court to impose fiduciary obligations on Hannaford. The court also rejects plaintiffs' claims under Maine's unfair trade practices act, finding that the statute does not provide for a private cause of action in these circumstances. The court does recognize plaintiffs' implied contract and negligence claims. Although the court finds that plaintiffs can assert two different bases for recovery (negligence and implied contract), the court focuses on what types of damages are recoverable.
The court says that the costs of procuring replacement cards and credit insurance are recoverable as reasonable mitigation damages. The court looks to the Restatement of Torts (section 919) and its treatment in other contexts (construction and environmental cases) and says that the key question is whether the amounts expended are reasonable when made, even if they turn out to be excessive when viewed in hindsight. In the context of this case, plaintiffs' mitigation efforts were reasonable. Plaintiffs' credit card data was stolen by a sophisticated group of thieves who not only intended to misuse the data, they actually did. The court contrasts these facts with other data breach cases where there had been no obvious malfeasance or no actual misuse of the data. Further evidence of the reasonableness of plaintiffs' efforts was the fact that some banks actually issued replacement cards. The court holds that even if plaintiffs did not experience any unauthorized charges, it was reasonable under the circumstances to pay to have their card replaced.
While the court finds that the replacement card and identity theft fees are recoverable, the court affirms the district court ruling with respect to the remaining categories of damages. These include the claims based on loss of rewards points, fees for pre-authorization charges (etc.).
__
This is not the first court to say that credit monitoring may be an appropriate response to a data breach. In Ruiz v. Gap, the Ninth Circuit analogized to toxic chemical exposure and noted that in certain circumstances, the costs for monitoring credit activity following a data breach may be recoverable. ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") In that case, defendant had offered credit monitoring services and plaintiffs failed to explain why they were inadequate, so the Ninth Circuit did not end up expressly deciding the issue.
Although I'd chalk this up as a win for data breach plaintiffs, it's a slight one. The court's ruling appears limited to credit cards and the court relies heavily on the fact that the prospects of misuse were significant and had actually occurred. The court notes: "where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from a theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable." The court also ends up disapproving the bulk of the requested damages. At a minimum, the fact that the court disapproves of damages such as time spent dealing with remedial efforts, damages relating to rewards programs, and for emotional distress is significant. There's no prospect of a damage free-for-all. In fact, in the event of this type of a breach, the prospective defendant(s) can limit their liability by covering the costs of free credit monitoring services and the costs of replacement cards.
The court mentions in a footnote that cardholders are probably limited in their exposure to unauthorized charges due to the Truth in Lending Act. Hannaford argued that the card issuers have instituted "zero-liability protection," which means that customers are not liable for unauthorized charges, but the court says that this does not matter. It would still be reasonable for customers to attempt to mitigate harm to themselves in these circumstances.
A big question is what this means for other privacy plaintiffs in terms of Article III standing. In concluding that plaintiffs may move forward, the court points out the fact that plaintiffs suffered "actual financial losses." Thus, plaintiffs who allege anything other than actual financial losses (e.g., Facebook privacy plaintiffs) would still face an Article III standing hurdle under this case.
Additional coverage:
David Navetta: "Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case"
Earlier posts on Hannaford:
"Hannaford Data Breach Plaintiffs Rebuffed in Maine"
"Two More Courts Close the Doors on Data Breach Plaintiffs."
Related (data breach) posts:
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"Two More Courts Close the Doors on Data Breach Plaintiffs"
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
Posted by Venkat at 08:38 AM | Privacy/Security
October 26, 2011
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
[Post by Venkat, with comments from Eric]
Ardis Health, LLC, Curb Your Cravings, LLC and USA Herbals, LLC v. Ashleigh Nankivell, 2011 WL 4965172 (S.D.N.Y. Oct. 19, 2011)
Nankivell worked for CYC as a "video and social media producer." Her work included producing videos, "websites, blogs, and social media pages" for CYC and the other two plaintiffs, which were founded by Jordan Finger. Her responsibilities included:
maintaining passwords and other login information for websites, email account, and social media accounts, as well as for third-party servers where plaintiffs store content
Fortunately for plaintiffs, Nankivell signed an agreement with CYC which vested ownership of her work product in CYC and required Nankivell to return all confidential information at CYC's request.
In 2010, Finger and Nankivell developed a service called "whatsinurs," which the court described as a "social media website for cosmetic products." Ardis applied for a trademark in Whatsinurs and registered the copyright for the website. Finger sent Nankivell an agreement for the organization and ownership of the new site, which Nankivell never signed. Nankivell was restless and looked around for alternate employment. Plaintiffs were unhappy about this and fired Nankivell in June 2011. After the termination, Finger requested the laptop, which plaintiffs had provided her, and the access information for the various websites. She declined to provide this. Plaintiffs sued and sought injunctive relief.
The Access Information: The court says that it's "uncontested that plaintiffs own the rights to the Access Information," and as a result, Nankivell's retention of this information can form the basis of a conversion claim. The court also says that plaintiffs' inability to access and update their site ("to react to online trends" and effect a new initiative to participate in "'daily deal' promotions") constitutes irreparable harm. The court orders the information turned over to plaintiffs pending resolution of the dispute.
The Laptop: The court declines to order the laptop returned, saying that the laptop is a "mass-produced object," the loss of which can be compensated by money damages. Plaintiffs also argued that they were entitled to the information on the laptop, but the court faults plaintiffs for not fully developing their argument--they relied on confidentiality terms in the agreement and nothing more. Nankivell also argued that the laptop had continuously synched to plaintiffs' computer. Plaintiffs argued that they could not be sure of this without seeing the laptop, but this argument does not get much traction with the court.
Display of Whatsinurs Content on Defendant's Website: Plaintiffs also argued that they suffered irreparable harm from the display of the whatsinurs site's content on her personal website (as an example of her work). Plaintiffs' key argument on this score was that a search for "whatsinurs" would display both the Whatsinurs website and the same contents as displayed on Nankivell's personal website. Plaintiffs argued that consumers would be confused as to the source of the website and this would dilute plaintiffs' "whatsinurs" brand.
The court says this argument "is preposterous on its face":
Not only do defendant's websites appear below plaintiffs' in search results, defendant's [sic] do not purport to be, or in any way give the impression of being, portals for the sale of commercial goods. On both of defendant's websites, the Whatsinurs content is wholly non-functional, little more than dressed-up image captures. It is clearly labeled as an example of defendant's "Design" capabilities and surrounded by content from other projects defendant has worked on. It does not compete with plaintiffs' websites or pose potential issues of confusion.
Plaintiffs argued that Nankivell's bad faith raises a presumption of confusion, but the court says that Nankivell has an innocent explanation and there's no bad faith. Even assuming that there is a presumption of confusion, the court says that this alone is insufficient to warrant injunctive relief.
__
Yet another dispute over access to websites and social media profiles. It looks like plaintiffs half-followed the basic advice of having a written agreement in place that documents the relationship between the company and the individual who manages the company's website and social media profiles. But the agreement in this case was not necessarily clean--the agreement was between Nankivell and CYC, but one of the other plaintiff entities (Ardis) actually asserted ownership over the "whatsinurs" website. The court does not get into the issue of whether Nankivell's development of the "whatsinurs" website was outside the scope of her relationship with CYC and therefore not subject to the agreement, but this seems like an issue that should come up. Social media accounts do not neatly fit into existing categories of property, and we haven't seen many disputes over account ownership fully play out. (See the OMG Facts case for one ongoing dispute.) While an agreement that expressly covers ownership is ideal, it's interesting to note that the confidentiality provisions of the agreement do the job in this case.
On the web developer/social media producer side, holding any sort of website or social media credentials (or domain names) hostage is legally risky behavior. We've seen a slew of cases where this type of behavior resulted in possible liability. In DSPT Int'l v. Nahum, the Ninth Circuit held that holding a domain name hostage may be bad faith under the ACPA. Maremont v. Susan Fredman Design Group involved a social media manager who continued to post on the Twitter and Facebook accounts following termination (this case was dismissed for lack of prosecution). Finally, the Ohio Court of Appeals held earlier this year in Eyesoldt v. Proscan that obstructing access to a website and email account can constitute conversion. The contours of legal liability are far from clear, but there is definitely risk when you hold website, email, or social media credentials hostage! Courts have shown a willingness to treat these credentials as intangible personal property that can support a claim for conversion. We all know how important it is to constantly update our social media accounts. It looks like the courts get this.
[Eric adds: some other analogous cases include New Mexico v. Kirby, Mikhlyn v. Bove, In re Rolando S., Ground Zero Museum v. Wilson and TEG v. Phelps.]
The court's rejection of plaintiffs' request to have Nankivell's "portfolio copy" of the site taken down was interesting. Courts have moved away from automatically granting injunctive relief based on copyright or trademark claims. You have to show actual irreparable harm now. Plaintiffs proceeded primarily based on a trademark theory, and the court's rejection of their argument that the portfolio copy of the site appearing in search results would cause them irreparable harm will get Eric's resounding endorsement. Any time a court credits an end user with the shred of common sense necessary to parse the origin of content on the internet is a cause for celebration in his book (and rightfully so).
_______
Eric's Comments
1) Kudos to the plaintiffs for having a written agreement that governed the social media credentials, but demerits to them for not learning those credentials before they needed them. If an employee has login credentials to an account that they use for the company, at minimum that employee's manager should get those credentials too.
2) The judge's references to the employee "converting" those credentials make me want to cry. The court had a half-dozen other legal doctrines easily available to order the defendant to turn the credentials over. Calling her retention of those intangible data strings "conversion" was completely unnecessary and adds to the growing confusion on what it means to "convert" electronic information. Perhaps that ship has sailed, but I continue to insist that "conversion" only applies to physical chattel, not intangible assets, and conflating the two inevitably leads to doctrinal meltdowns.
3) As Venkat predicts, I do cheer that mere appearance in search results should be legally irrelevant. However, I definitely don't like the judge's reference to the relative placement of the search results. I last "bitched" about that issue in my post on the Bitchen Kitchen case, so check that out.
Posted by Venkat at 06:42 AM | Copyright, Privacy/Security, Search Engines, Trespass to Chattels
October 21, 2011
Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
By Eric Goldman
California recently enacted the Reader Privacy Act, SB 602. See the EFF announcement.
This new California law seeks to protect online book reader privacy to the same extent reader privacy is protected by libraries, by requiring heightened process before the government or private litigants can get certain types of information about book readers/buyers. As a restriction on government action, I support the concept enthusiastically. Indeed, I count many supporters of this bill as friends (well, maybe not after they read this post). At minimum, I know the effort was well-intentioned. However, I continue to believe this law was misarchitected for the reasons I expressed in my prior blog post on the proposed legislation.
My concerns from my prior post still apply, but this post will walk you through a specific reason why this law could be bad news for people who don't realize their conduct is now regulated. Let's look closely at who is required to comply with the law--recognizing that the statute has a private cause of action that will be enforced by a rapacious privacy plaintiffs' bar. The law's requirements apply to "any commercial entity offering a book service to the public." A "book service" means "a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books."
OK, clearly this covers Amazon and other online book retailers. But in this day and age, what is a "book" and, more importantly, what isn’t? The statute defines a book as:
paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of volumes, excluding serial publications such as a magazine or newspaper
So, let's play a game and try to spot some book services in the field. Is YouTube a book service? It definitely has "electronic" books, but maybe that's not its "primary" purpose. Scribd? It has lots of books too and plenty of other long-form "book-like" content. iTunes? It has lots of audiobooks. Wikipedia? It markets itself as an online encyclopedia, but maybe it isn't commercial enough? Hmmm....this is a tough game.
But what about blogs? Are they "book services"? Before you discount the idea, consider that many blogs are, in fact, paginated (at least in the URL--see Blog Law Blog as an example). Perhaps mere pagination alone isn't enough; maybe the pagination needs to be essential to the content's organization. Perhaps many bloggers aren't "commercial entities," although I'm sure plaintiff lawyers will argue that a blog with AdSense and some Amazon affiliate links would satisfy that standard. Or perhaps bloggers will be excluded as "serial publications," although the statute could have--and should have--made clear that blogs fit into that exception. In fact, cases like the old It's in the Cards v. Fuschetto suggest that courts might read the statutory exclusion narrowly on the theory that the legislature knew what blogs were but didn't mention them.
The ambiguity of blogs as "book services" means it’s possible California has imposed a new statutory obligation on bloggers (at least those based in California, but who knows if it will be so limited), and this obligation effectively puts bloggers' houses on the line if they don’t hire lawyers to properly navigate through the statute when the government or private litigants ask for information. Gee, thanks.
Indeed, this law could do more than just sweep in bloggers; it might cover *every* website because of the ambiguity of the term "book" and the concept of pagination. I don't know what "pagination" means in the online environment, but the concept may become more problematic in the near future. See News.com, "Opera proposal brings a book look to the Web." Thus, it seems like the law's attempt to carve out books from the universe of online content could fail, in which case large swaths of web operators become unexpectedly governed by the law--with a swarming privacy plaintiffs’ bar as the reward for the uninformed.
I have long believed that states categorically should not try to regulate the Internet. A law like this, as laudatory as its goals are, helps confirm my beliefs.
UPDATE: Paul Levy doesn't agree with my analysis.
On his point about commercial entities, I'm not sure I agree with Paul that courts will exclude individual operators. After all, we call those folks "sole proprietors." But if it definitely includes "partnerships," does that mean it will include co-bloggers? See my article on co-blogging. UPDATE: Eric Johnson parses the statutory language on this point with some care.
My broader point is that this statute is riddled with ambiguities that raise questions about its coverage. If you think my statutory reading is tendentious, it's my position that a typical Internet privacy lawsuit involves a far more tendentious reading of the applicable statute than anything I could ever imagine.
UPDATE 2: In another example of a possible ambiguity, Eugene Volokh asks if the statute makes it illegal for bookstore owners to tell the police about patron-on-patron crime.
UPDATE: Eric Johnson explains why the statute is "crazy."
Posted by Eric at 09:57 AM | Content Regulation, Privacy/Security
October 19, 2011
Comments on Doe v. IMDB Privacy Lawsuit
[Post by Venkat Balasubramani]
Doe v. Amazon.com, Inc. and IMDB.com, Inc., 11-cv-1709 (W.D. Wash.; Oct. 13, 2011)
An actress who goes by a stage name sued IMDB and Amazon for disclosing her birthdate, which IMDB allegedly obtained through the payment process. The allegations of the lawsuit are straightforward. Doe is an actress who "has a given legal name that is extremely difficult for Americans to spell and pronounce." [Definite sympathy points from me on that score.] As a result, she adopted a stage name. She listed herself on IMDB, which, apart from being a widely used information source for movie trivia, is also an industry resource. She did not list her age on her IMDB profile. She signed up for "IMDB pro," and in the process IMDB charged her credit card. Doe alleges that IMDB associated her birthdate, and listed this information on her IMDB profile. Noting that "in the entertainment industry, youth is king," Doe alleges that disclosure of her birthdate by IMDB harmed her. She requested IMDB to remove her birthdate, and apparently IMDB refused. She sued.
A few observations about the complaint:
You may or may not quibble with the extent of Doe's damages, but unlike other privacy lawsuits where harm is speculative, Doe has a much better chance at getting over any damages hurdles. There is definitely no standing issue here, and the lawsuit will not be kicked on the basis of standing.
Unlike the privacy class actions which usually allege violations of federal law, Doe alleges violations of state law. There are no federal causes of action in the complaint. This is obviously a strategic decision and in part could have been made to avoid the statutory hoops that a plaintiff alleging causes of action under federal statutes has to jump through. There's a possible preemption argument lurking in the background, but there's not much precedent and it's tough to say whether defendants will raise the argument and whether it will get any traction.
The biggest threat to IMDB may not be the prospect of damages, although that's surely lurking in the background. What could end up being a fiasco is discovery. Doe's complaint implies that IMDB had some sort of system where it matched information obtained during the payment process with information in its public database. It's a good bet that IMDB (and Amazon) does not want this process to become public, but this is sure to be one of the key aspects of the discovery sought by Doe. A follow-up question is whether there is any additional information sharing going on (e.g., between IMDB and Amazon). This is also something that Amazon probably wants to keep under wraps.
PogoWasRight takes a look at IMDB's privacy policy: "Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it." Unfortunately for IMDB, the privacy policy does not clearly insulate its actions here. On the other hand, the privacy policy does not say anything about information such as an IMDB pro user's birthdate. Doe has a reasonable chance at pointing to IMDB's extra-contractual statements and statements in the subscriber agreement itself, and arguing that these constitute promises or assurances.
IMDB was previously sued on a similar theory. ("Actress Blames Fear of Fan Attacks on Web Site.") That plaintiff did not have much success, but we'll see what happens with Doe.
Additional coverage:
Eriq Gardner (THR): Actress Sues IMDb for $1 Million for Revealing Her Age
PogoWasRight: "Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it"
Seattle Weekly: Mystery Actress Files Lawsuit Against IMDb for Revealing Her 'True Age and Name' (offering to "buy beers for anyone who can figure . . . out [the identity of the actress]")
GeekWire: Texas actress sues Amazon for displaying age in IMDb listing
Posted by Venkat at 01:12 PM | Privacy/Security
October 14, 2011
Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore
[Post by Venkat Balasubramani with additional comments from Eric]
Dunstan v. comScore, Inc., 11-cv-05807 (N.D. Ill. Oct. 7, 2011)
Plaintiffs sued comScore, alleging that comScore improperly obtained and misused plaintiffs' personal information after plaintiffs downloaded and used comScore's software. comScore sought to have the lawsuit transferred to Virginia, which was the forum specified in a forum-selection clause in the software terms of use/EULA. The court denies comScore's motion.
A comScore Vice President testified that "before a user can install comScore software," a customer must "click the box acknowledging" that the customer read and agreed to the terms. Plaintiffs, on the other hand, alleged that the forum-selection clause was not "apparent" when they downloaded the software. They also alleged that the terms of service were "obscured" during the installation process. From the court's order, it seems like plaintiffs did not deny that they checked the box. The court resolves the apparent factual dispute as follows:
the court declines to infer that clicking a box acknowledging that a user has read an agreement indicates that the agreement was reasonably available to the user, particularly when the plaintiffs have alleged that the hyperlink to the agreement was obscured.
Whoa. Let's take another look at this sentence. The court is saying that just because a user checked a box acknowledging the user had read the agreement, this does not mean that the court can infer that the user was able to read the agreement. (???)
comScore cited to several cases where courts enforced "click-through" agreements, including Specht v. Netscape. The court says that none of the cases involved an allegation of an obscured hyperlink. According to the court, Specht acknowledged the possibility that "a click-through agreement is not enforceable if its terms are not reasonably apparent to the user." The court goes on to note:
it is not reasonable to expect a user casually downloading free software to search for such an agreement if it is not immediately available and obvious where to obtain it. As the Second Circuit noted, 'when products are 'free' and users are invited to download them in the absence of reasonably conspicuous notice that they are about to bind themselves to contract terms, the transactional circumstances cannot be fully analogized to those in the paper world of arm's-length bargaining.' [U]nder the circumstances alleged here, including that the location of the license agreement was not readily apparent, the court concludes that the forum-selection clause was not reasonably communicated to the plaintiffs . . . .
This is definitely a double-take-worthy decision. The court relies on Specht v. Netscape, but Specht is a browsewrap case, where the user did not have to indicate assent to the terms before downloading the software. Given the circumstances (free download) and the fact that the terms were not in an obvious location, the court in Specht declined to enforce the terms.
There's an easy way to solve the problem presented by Specht: have a mechanism to require the user to unequivocally indicate assent to the terms before downloading the software. Courts have upheld this type of contract formation because there is no ambiguity as to the user's assent to the terms, and this was the type of agreement comScore had in place here. The consumer cannot say that he or she did not read the terms because prior to downloading, the user has to indicate that they read the terms. (See for example Feldman v. Google, which Eric discusses in this blog post: "Google Adwords Contract Upheld (Again)".)
It's tough to overstate the importance of certainty in online contracting and the predictability of online agreement enforceability. They're among the cornerstones of online commerce. Courts struggled with the enforceability of browsewrap terms, but check-the-box terms are widely acknowledged to be enforceable; at least there should be no bar as to mutual assent and basic contract formation. I'm not sure whether the formation process or the court went astray here (see Eric's comments below regarding the former--he makes good points regarding implementation). If there were no issues with the UI implementation or the browser, then the court's decision is off base.
[Interestingly, comScore did not argue that the dispute is subject to arbitration, which tends to indicate that the agreement did not have an arbitration clause.]
______
Eric's comments
I have a couple of theories about what went wrong here. Theory #1 is that the judge was overly willing to accept a plaintiff's bald factual assertion that comScore didn't adequately present the contract. (The judge says, "At this stage, however, the court must take the plaintiffs' word for it.") As Venkat indicates, judges have to do a little more gatekeeping than this, because plaintiffs will assert this defect in every lawsuit. If all it takes to survive a motion to dismiss is the plaintiff's bald assertion, the contracts are nearly worthless.
Theory #2 is that comScore didn't do its formation process properly. I think there is truth to this theory even if comScore went "by the book" and used what seemed like a mandatory non-leaky clickthrough agreement. It's the responsibility of software vendors/website vendors to present the contract in such an unambiguous/can't-miss-it process that NO ONE--plaintiffs' lawyers, judges, Grandma--could possibly fail to see it. The fact that the judge gave the plaintiffs the benefit of the doubt is prima facie evidence that comScore failed to do this well enough.
The case might remind us of two key lessons for lawyers advising companies implementing user agreements:
1) I don't care how brilliantly you draft your user agreement. It's also your job as a lawyer to advise your clients HOW to form the contract and to ensure they follow your advice. If your brilliant contract isn't properly formed, who cares what it says?
2) You need to look at the UI implementation across multiple browsers with a variety of settings. Even if your browser renders the agreement formation process just fine, another browser may chunk the display. This is even more crucial in the mobile environment, where UIs are even more constrained.
Posted by Venkat at 12:55 PM | Adware/Spyware, Licensing/Contracts, Privacy/Security
Q3 2011 Quick Links, Part 4
By Eric Goldman
Content Regulation
* Lawmakers are putting the squeeze on advertisers to be content police. Meanwhile, VeriSign begged for the right to act as content police before changing its mind.
* Kowalski v. Koster, 2011 WL 4349365 (W.D. Mo. Sept. 15, 2011): “the CDA immunizes Internet service providers and does not create any cause of action under 42 U.S.C. § 1983.”
* SC v Dirty World, 4:11-cv-00392-DW (ED Mo. Sept. 22, 2011). Defendant posting a complaint filed against him & saying "game on" doesn't create an intentional infliction of emotional distress claim.
* Obsidian Finance Group, LLC v. Cox, 2011 WL 2745849 (D. Or. July 7, 2011). Allegedly defamatory statements at obsidianfinancesucks.com are "expressions of opinion protected by the First Amendment"
* Calibra Pictures LLC v Variety, 2011 WL 3612209 (Cal. App. Ct. Aug. 17, 2011). A negative newspaper review is protected by anti-SLAPP laws, even when the newspaper had enticed the plaintiff to spend substantial amounts of money to advertise with it. The allegations in this lawsuit were quite troubling about Variety’s peddling its insider influence and selling movie producers on results it could deliver. Rebecca's coverage.
* BCG Attorney Search v. Kinney, 2011 WL 2936773 (Cal. App. Ct. July 21, 2011). Lawsuit over a Ripoff Report post leads to a successful anti-SLAPP defense.
* US poker players turned into refugees by online gaming ban. Partially related: was Full Tilt Poker a Ponzi scheme?
* Carleton Hotel v Gladstone (complaint filed June 15, 2011). Hotel sues author of TripAdvisor review (for accusing the hotel of a bedbug infestation).
* Parisi v Sinclair appealed. Prior blog post. In addition, in Parisi v. Sinclair, 2011 WL 3705141 (D.D.C. Aug 23, 2011) (No. Civ. 10-897 RJL), one of the book authors was dismissed from the case for lack of personal jurisdiction.
* Useful primer on how to identify John Doe defendants.
* Hollywood, Esq.: Hot New Hollywood Trend: Crazy Defamation Lawsuits.
* Aaron Swartz is being prosecuted for a mass download from the JSTOR database.
* American Booksellers Foundation for Free Expression v. Sullivan, No. 10-193 (D. Alaska June 30, 2011). Alaska's baby-COPA law unconstitutional.
Social Networking Sites
* Bemis v. Bemis, 2011 WL 3335202 (Conn. Super. Ct. July 12, 2011). In a custody dispute involving 13-year-old Alyssa, the court order imposed the following requirement: "Each parent shall view Alyssa's Facebook page once per week. If Alyssa is unwilling to share 100% access, she shall be denied computer and smart phone access except for use of a computer for schoolwork which shall be supervised."
* Held v. Ferrellgas, Inc., 2011 WL 3896513 (D. Kan. Aug. 31, 2011): “Plaintiff testified at his deposition that his coworker began subjecting him to a hostile environment prior to his termination in April 2009. At his deposition, Plaintiff could not recall whether he posted anything on Facebook that may be relevant to this case. Defendant claims that information from Plaintiff's Facebook page during Plaintiff's tenure at Ferrellgas is relevant. This court agrees. Further, it appears that Defendant is attempting to mitigate Plaintiff's privacy concerns by allowing Plaintiff to download and produce the information himself, rather than providing login information. Indeed, Defendant itself notes that it is not seeking unfettered or unlimited access to Plaintiff's Facebook, but rather limited access during the relevant time frame. As such, Defendant's motion to compel regarding the Facebook information is granted.”
* U.S. v. Fumo, 2011 WL 3672774 (3rd Cir. Aug. 23, 2011):
Not unlike a juror who speaks with friends or family members about a trial before the verdict is returned, a juror who comments about a case on the internet or social media may engender responses that include extraneous information about the case, or attempts to exercise persuasion and influence. If anything, the risk of such prejudicial communication may be greater when a juror comments on a blog or social media website than when she has a discussion about the case in person, given that the universe of individuals who are able to see and respond to a comment on Facebook or a blog is significantly larger.
Yet while prohibiting and admonishing jurors from commenting—even obliquely—about a trial on social networking websites and other internet mediums is the preferred and highly recommended practice, it does not follow that every failure of a juror to abide by that prohibition will result in a new trial. Rather, as with other claims of juror partiality and exposure to extraneous information, courts must look to determine if the defendant was substantially prejudiced.
* Missouri State Teachers Association v. Missouri (Mo. Cir. Ct. Aug. 26, 2011). Enjoining part of Missouri's Amy Hestir Student Protection Act. Prior blog post.
* D.J.M. v. Hannibal Public School District #60 (8th Cir. Aug. 1, 2011). A student's IM messages threatening to harm other students supported school discipline of the student, even if the messages were exchanged off school property.
* Kowalski v. Berkeley County Schools, 2011 WL 3132523 (4th Cir. July 27, 2011):
school administrators suspended [Kowalski] from school for five days for creating and posting to a MySpace.com webpage called "S.A.S.H.," which Kowalski claims stood for "Students Against Sluts Herpes" and which was largely dedicated to ridiculing a fellow student....we conclude that in the circumstances of this case, the School District’s imposition of sanctions was permissible. Kowalski used the Internet to orchestrate a targeted attack on a classmate, and did so in a manner that was sufficiently connected to the school environment as to implicate the School District’s recognized authority to discipline speech which "materially and substantially interfere[es] with the requirements of appropriate discipline in the operation of the school and collid[es] with the rights of others."
* Oddee: 9 Most Bizarre Facebook Related Crimes
* NYPD puts cops on the Facebook beat.
Wikipedia
* Wikimedia released its 2011-12 annual plan. One of its seven big goals: "The declining participation of seasoned Wikipedia editors must be reversed." As the detailed report explained: "Declining participation is by far the most serious problem facing the Wikimedia projects: the success of the projects is entirely dependent upon a thriving, healthy editing community." To explain why that's such a challenge, see my article, Wikipedia's Labor Squeeze and its Consequences. The plan also notes: "Recently we have seen a general decline online in the growth of unique visitors and in page views in the United States."
* In partially related news, Wikipedia is doing a broader rollout of its AbuseFilter tool.
* The Wikipedia Editor Survey from April 2011 provides more evidence of the challenges to replenishing the ranks of active editors.
Posted by Eric at 07:00 AM | Content Regulation, Evidence/Discovery, Privacy/Security
October 13, 2011
Q3 2011 Quick Links, Part 3
By Eric Goldman
Advertising
Search Marketing
* Search Engine Land: "In many cases, it is worth buying keywords even if you rank organically for them." Similarly, a Google study indicates that PPC advertising lifts clicks on organic results. Prior blog post.
* NJ Supreme Court Opinion 43 from the Committee on Attorney Advertising: "attorneys are not flatly prohibited from paying “per-lead” Internet advertising charges provided the marketing scheme is advertising and not an impermissible referral service. Just as “pay-per-click” has become more prevalent in the Internet advertising community, “pay-per-lead” or “pay-per-contact” for Internet advertising is likely to become a more common model due to its inherent reward for effective advertising."
* Most Expensive Keywords in Google
* Confusing developments in SF Comprehensive Tours v Groupon. Reuters article. The opaque ruling. Prior blog post.
* Google quietly liberalizes its policy on buying keyword ads on people's names.
* Lawsuit over Paxfire's role in allegedly redirecting some IAPs' search traffic. In slightly related news, Nebuad settled its case.
* ClickZ: Why isn't Google letting display advertisers do retargeting using search data?
False Advertising
* AdAge on the Great Wiener Wars. The case settled.
* WSJ: Litigation battles over the use of “all natural.”
* Nabors v. Google, 2011 WL 3861893 (N.D. Cal. Aug. 30, 2011) and McKinney v. Google, 2011 WL 3862120 (N.D. Cal. Aug. 30, 2011). Court dismisses false advertising lawsuits over the Google Phone allegedly not running at 3G speed.
Endorsements and Testimonials
* WSJ: "Digital Technology and the Re-Birth of Product Placement": "Given the choice, the majority prefer placement to commercial breaks."
* Car company Scion is forming its own record label. Remind me again, where’s the line between ads and editorial content?
* The FTC did a bizarre flipflop on the legitimacy of disclosures by Ashton Kutcher. Like everyone else, the FTC doesn't understand its endorsement/testimonial guidelines.
* ConAgra invited bloggers to a free dinner where they surreptitiously served frozen food and videotaped their surprised reactions. This is great when it works; but if it doesn’t work, you’ve got a group of angry bloggers on your hands. It didn’t work.
* Brooke Burke’s contract gives a little insight into the insidious nature of an endorsement contract.
Other Topics
* AdAge on how Campbell Soups did eye-tracking studies and ethnographic research to improve the way its soups displayed on grocery store shelves.
* AdAge: Meredith, a large print publisher, is guaranteeing its largest advertisers that they will see a sales lift from their ads. It's unusual for a print publisher to make such a guarantee given how much of the sales process is out of their control. On the other hand, advertisers are almost always seeking sales lifts from advertising, but usually they have to rely on weaker proxies to guess whether or not they'll get it.
In related news, Time Inc. is going to try to measure its sales lift for advertisers. This is not quite as aggressive as Meredith’s guaranteed sales lift, but it’s a sign that traditional print publishers recognize that advertisers are buying results.
* Cracked: The 5 Biggest Disasters in the History of Marketing Ideas. Classic, especially the "bananas" one.
Search Engines
* Search Engine Land on a Searchmetrics study showing that: "YouTube is the number one video site that shows up for video results; Google Maps is the number one map site that shows up for map results; Google Product Search is the number one shopping site that shows up for shopping results; Google’s Blogger is the number one image site that shows up for image results."
* Ugh. From Wired: Entrepreneurs scrape mug shots from public sites, SEO them and then charge the depicted individual money to have the photos removed.
* Google bought Zagat. The $125M price tag is incredible. It makes sense only if Zagat becomes Google's foundation for its Places offering. This has to be a signal that Google will be more than happy to honor any de-indexing requests from Yelp. Expect plenty more howling about Google favoring its own properties over third party sites.
On a related matter, I can’t imagine Orbitz/Travelocity/Expedia/Kayak are thrilled about the ITA implementation either.
* Google's +1 apparently is going to influence search rankings. The story started at Kash Hill's Forbes blog, but it appears Forbes spiked the story (at Google's request...?), so that story is down. Now you have to read both the story, and the possible coverup, at Wired.
* Google killed Sidewiki. I doubt anyone misses it (it was one of Google's many failed UGC/social efforts), but do you remember just how much angst was spilled when Sidewiki first launched?
* I'm sure you're shocked to learn that Bev Stayart is headed to the Seventh Circuit...again... Prior blog post.
* NYT on Europe's love affair with the "right to be forgotten."
* My hometown, Mountain View, is becoming a one-company town. While we love Google, naturally this evolution will create some tension. Then again, the Mercury News declares Mountain View a good city for start-ups.
* ShopCity (not surprisingly, working with Gary Reback) has entered the bitchfest about Google rankings. As John McClane would say, "Welcome to the party, pal."
* Findwhat Investor Group v. Findwhat.com, 2011 WL 4506180 (11th Cir. Sept. 30, 2011):
The Form 10-K contains affirmative statements of present fact—"[w]e employ an integrated system ... that continually monitor[s] traffic quality," and "[w]e enforce strict guidelines ...to ensure the quality of traffic," (Compl.75) (emphases added)—that unquestionably create the impression that MIVA maintains an active and sophisticated monitoring system for screening fraudulent traffic. Accepting the Plaintiffs' allegations as true, these statements are misleading because they could mislead a reasonable investor into believing that the Defendants had systems in place that would detect and remove distribution partners engaged in extensive fraudulent revenue-generating practices, when in truth and in fact they did not.
However, management lacked the requisite scienter for securities fraud liability for those statements. Nevertheless, the 11th Circuit held that management’s failure to disclose information about rogue affiliates after it learned the news could constitute securities fraud. Rebecca’s coverage.
Privacy
* The FTC has proposed revisions to COPPA's regulations. The two most important points:
1) The FTC rejected that websites could have constructive knowledge that they are dealing with kids under 13. As a result, so long as the site doesn’t know a user is under 13 or market to kids under 13, the site can ignore COPPA.
2) The FTC is including geolocation and IP address information as PII. Does this signal that the FTC is taking an expansive view of PII across-the-board, not just in the COPPA arena?
In partially related news, the FTC scored a rare COPPA bust, this time from a mobile app developer.
* FTC settlement with FrostWire: the FTC takes the position that a software default setting that enables too much data sharing is unfair to consumers. This is similar to the LimeWire settlement with the Maryland AG. However, it raises the Q: is the FTC going to take the position that any service that enables too much sharing by default is engaged in unfair practices? If so, it will be taking quite an active role in telling software developers how to code, and the FTC will face an overwhelmingly large list of potential targets!
* Facebook is tracking logged-out users. Mostly this is due to the distributed Facebook “like” button, which acts as a driftnet for collecting lots of information from third party websites. Some members of Congress are unhappy. In contrast, the privacy plaintiffs' bar is rejoicing! Named plaintiffs include Davis, Thompson, Graham, Singley, Howard, Seamon, Beatty, Parrish, Rutledge, Brkic and Hoffman.
* Pandora got sued for privacy breaches too. I'm surprised this took so long.
* OnStar had its own brush with privacy problems when it announced it would track non-customers, but it soon backed down.
* Specific Media settled its lawsuit. Prior blog post.
* Sams v. Yahoo appealed to the 9th Circuit. Prior blog post. Related blog post.
* The Lares Institute, Data Breaches and the Phantom Damage Allegation, July 2011: 97% of those surveyed had not “experience[d] any unreimbursed losses that you could trace to a security breach that occurred in the last 12 months.” [link may be down]
* WSJ on the growth of “corporate privacy” positions.
* Zynga gamified its privacy policy.
Posted by Eric at 11:43 AM | Marketing, Privacy/Security
October 07, 2011
Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information -- Katz v. Pershing
[Post by Venkat Balasubramani]
Katz v. Pershing, LLC, 10-12227-RGS (D. Mass. Aug 23, 2011)
Background: Katz maintained an account at National Planning Corporation, an "introducing firm" for which Pershing provides brokerage clearing services. Pershing's services are provided on a proprietary exchange known as "NetExchange Pro," and this platform allows firms and their customers to access account information, stock quotes, etc. Katz alleged that up to 100,000 users have electronic access to customers' non-public personal information, including social security numbers, taxpayer identification numbers, and bank account numbers. Katz alleged that the security deficiencies rendered this information susceptible to being compromised. She claimed that NPC paid Pershing fees to protect the data and these fees were passed on by NPC to Katz and other putative class members.
She filed a lawsuit bringing claims under the Massachusetts deceptive trade practices statute, breach of contract, negligence, and unjust enrichment. Pershing initially moved to dismiss and the court granted the motion before Katz had an opportunity to respond. Katz filed a motion to reconsider. On reconsideration, the court dismisses the case.
Discussion: The court dismisses the case both on standing (lack of jurisdiction) and on the merits.
Standing: Pershing argued that Katz did not allege that any of her protected data was actually compromised. The court agrees, noting that several cases have dismissed data loss claims on Article III standing grounds, finding that the increased risk of identity theft is insufficient to create standing. Katz argued that her claims were distinguishable from the other increased risk cases because she brought claims under Massachusetts statutes and for breach of contract.
Massachusetts data breach statute: The court pointed out that Katz's claims under the Massachusetts unfair trade practices statute needed a statutory predicate--some statute or policy enacted for the benefit of the public with which the defendant failed to comply. Katz argued that here, Pershing failed to comply with Massachusetts' data breach statute, which was enacted in the wake of the well-publicized TJX data breach. The court rejects this argument, finding that the data breach statute defines a "breach of security" to include an "unauthorized acquisition or unauthorized use" of encrypted data. While breaches that create a substantial risk of identity theft trigger the statute, there must be a breach in the first place, and Katz alleged none here. There was a second problem with Katz's argument. The Massachusetts data breach statute does not provide for a private cause of action. The statute is intended to be enforced by the attorney general. Therefore, Katz's claim of unfair trade practice based on a violation of the Massachusetts data breach statute fails.
Breach of contract claim: The court rejects Katz's breach of contract claim because it is based on the agreement between NPC and Pershing, and Katz argued that she was an intended third party beneficiary to this agreement. The court pointed to language in the NPC-Pershing agreement which states that the agreement was "not intended to confer any benefits on third-parties including, but not limited to, customers of [NPC]." Katz argued that the contract was superseded by marketing representations made by Pershing, but the NPC-Pershing agreement contained an integration clause, and Katz could not introduce additional terms to vary the agreement. The court also rejects Katz's implied contract claim because it was not supported by valid consideration. If, as Katz alleged, Pershing promised to NPC to safeguard Katz's personal information, "any alleged promise to Katz to do the same would not amount to valid consideration."
Unjust enrichment: The court also rejects Katz's claim for unjust enrichment on the basis that Katz did not allege that she conferred a specific benefit on Pershing or that Pershing was ever aware of this benefit.
__
Courts have rejected claims from data breach plaintiffs who have not suffered any out-of-pocket loss. Here, the plaintiff sued before any breach even occurred, and the court rejects the claims. Out of necessity, plaintiffs have gotten creative and tried every angle imaginable, but so far they have had no luck.
As in the Ikon Solutions case, the plaintiff in this case tried to rely on the data breach statute but the court found that it was inapplicable. To my knowledge, no state has enacted a data breach statute which provides for a private cause of action or damages. The Massachusetts statute primarily requires notification of an alleged breach. The court's two conclusions with respect to the data breach statute are not surprising, but they are significant.
Related posts:
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit
9th Circuit Affirms Rejection of Data Breach Claims Against Gap
The [Non]enforceability of Privacy Promises
Acxiom Not Liable for Security Breach
When Does a Privacy Policy Breach Support a Breach of Contract Claim?
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data
Posted by Venkat at 01:36 PM | Licensing/Contracts , Privacy/Security
October 06, 2011
Court Nukes Another Mass Defendant File-Sharing Lawsuit -- Digiprotect v. Does
[Post by Venkat Balasubramani]
DigiProtect USA v. Does, 10 Civ. 8760 (S.D.N.Y.; Sept. 26, 2011)
Plenty of bad news for copyright plaintiffs lately. Righthaven is getting hammered left and right and is struggling (to say the least) to keep any momentum going. (See Eric's most helpful recap, "Resetting the Righthaven Fiasco," in which he notes that "[t]he Righthaven empire is in tatters.") The mass defendant file-sharing lawsuits have mostly spiraled downward as well. So many of these lawsuits have been dismissed on procedural grounds that I've lost track. Here's another one to add to the list.
Background: This was one of two lawsuits filed by DigiProtect in the Southern District of New York. In late 2009, the court granted DigiProtect's request to conduct limited discovery, although the court put in place some procedural safeguards. In December 2010, Time Warner and Comcast moved for a protective order, claiming that compliance with DigiProtect's subpoenas would be unduly burdensome. They sought an order requiring DigiProtect to compensate the ISPs for processing subpoenas and to limit the scope of information sought. In January 2011, the court raised the issue that the 240 Doe defendants may not be subject to personal jurisdiction in New York, and joinder may not have been proper. After considering DigiProtect's response, the court dismisses the lawsuit, with leave to replead and name only those Doe defendants who are properly subject to personal jurisdiction in New York.
Personal jurisdiction: The court runs through the Due Process/long-arm statute analysis to determine whether jurisdiction is proper. Although a recent New York state court case construed its long-arm statute broadly to allow for lawsuits against non-resident defendants where the plaintiff/copyright-owner is located in New York, that analysis does not apply in this case. Here, DigiProtect was a New York resident, but the actual copyright holder (Patrick Collins Inc.) was a California company. In passing, the court notes that although DigiProtect is authorized to pursue claims, Patrick Collins "retains most of the bundle of rights as copyright holder." [Houston, we may have a Righthaven-style standing problem!] The court says DigiProtect can't sue based on the fact that the harm from the infringement would be felt in New York, because this is not the case.
DigiProtect also argues for a "swarm" theory of jurisdiction, under which infringers are viewed as agents or co-conspirators of each other. According to DigiProtect, if one participant in a P2P swarm is located in New York, then this is sufficient to assert jurisdiction over the remainder of the group. The court also rejects this argument, noting that the complaint does not connect the Doe defendants to the same "swarm" transaction. Just because the defendants may have downloaded the same media does not mean that there was any connection between the downloads. (See Pacific Century International v. Does, discussed in this blog post: "P2P Swarm Defendants Can't Be Joined in the Same Lawsuit.")
The court expresses a reluctance to
ensnare unsophisticated individuals from around the country in a lawsuit based in New York [where the individuals would] likely be encouraged to settle rather than incur the burden and embarrassment of contesting the litigation.
In the court's view, the fact that individuals whose IP addresses are associated with infringing activity are located in New York is sufficient to establish jurisdiction over those individuals, and the lawsuit may proceed against them only. However, the court notes that this is not the case for the bulk of the Doe defendants in question. Comcast reported to the court that none of the Comcast-associated IP addresses belonged to New York residents, and Comcast argued that this information could be obtained using a "free, publicly-available website that matches an IP address with the internet service provider . . . and lists the geographic region in which the provider uses the address."
As Comcast notes, this "could easily have been done by Plaintiff at the outset." The court's discussion of this was somewhat confusing to me, as I was under the impression that you cannot reliably "look up" an Internet user's geography using just an IP address. Comcast says that Digiprotect can find the geography of the provider. The court seems to think this means Digiprotect can identify the geography of the accountholder, but of course many Internet access providers have customers in more than one state. In any event, the fact that the court makes this statement shows that it's not excited about plaintiff and its claims.
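The distinction the court glosses over is between the region registered for an address allocation and the location of the subscriber using one address out of it. The following is an added example, not code from the post or from any party to the case, showing what a provider lookup of the kind Comcast describes actually returns: a longest-prefix match against an allocation table yields the provider and the region the provider registered for that block, nothing about the accountholder. The prefixes, provider names and regions below are constructed for illustration (documentation address ranges, not real registry data), and the `subscribers_in_region` pre-filter is a hypothetical helper, not a step DigiProtect or Comcast took.

```python
import ipaddress

# Constructed allocation table (hypothetical; not real registry data).
# Each row: (prefix, provider, region the provider registered for that block).
ALLOCATIONS = [
    ("198.51.100.0/24", "ExampleCable", "US-NY"),
    ("203.0.113.0/24", "ExampleCable", "US-PA"),
    ("203.0.113.128/25", "ExampleCable", "US-NJ"),  # more-specific sub-allocation
    ("192.0.2.0/24", "ExampleDSL", "US-CA"),
]


def build_table(rows):
    """Parse prefix strings once so lookups can use ipaddress containment tests."""
    return [(ipaddress.ip_network(prefix), provider, region)
            for prefix, provider, region in rows]


TABLE = build_table(ALLOCATIONS)


def lookup(ip, table=TABLE):
    """Longest-prefix match of one IP address against the allocation table.

    Returns (provider, registered_region) for the most specific matching
    block, or None when no block covers the address. The region is the one
    registered for the block, not where the subscriber lives.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, provider, region in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, provider, region)
    return None if best is None else (best[1], best[2])


def subscribers_in_region(ips, region, table=TABLE):
    """Pre-filter a list of IP addresses to those whose allocation is registered
    in `region`. This is the coarse screen a plaintiff could run at the outset;
    an address that survives it may still belong to an out-of-state subscriber,
    and one that is dropped could in principle be in-state."""
    keep = []
    for ip in ips:
        hit = lookup(ip, table)
        if hit is not None and hit[1] == region:
            keep.append(ip)
    return keep


if __name__ == "__main__":
    doe_ips = ["198.51.100.7", "203.0.113.5", "203.0.113.200", "192.0.2.9", "10.0.0.1"]
    for ip in doe_ips:
        print(ip, "->", lookup(ip))
    print("registered in US-NY:", subscribers_in_region(doe_ips, "US-NY"))
```

Running the block prints one provider/region pair per address (the /25 wins over the /24 for `203.0.113.200`, and the private address matches nothing), and the pre-filter keeps only the `198.51.100.0/24` address for New York. The caveat the post raises survives the lookup: the table says where ExampleCable registered the block, and a single provider plainly holds blocks registered in several states.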
Costs of compliance: The court also grants the ISPs' request for reimbursement and for limits on plaintiff's requests for information. Plaintiff argued that the ISPs were required to turn over the information anyway under the DMCA's subpoena provision, but DMCA subpoenas don't help when the entity is merely providing connectivity and not storing the user's files on its servers. (See the Verizon DMCA subpoena case.) In granting the ISPs' request, the court says:
- DigiProtect must reimburse the ISPs for IP address look-ups and for notifying subscribers;
- this amounts to $120 per IP address (not per subscriber);
- the lookups are limited to 25 IP addresses per month.
__
Oy vey. A few quick observations.
I'm surprised at the procedural gaffes which have derailed the latest round of mass-defendant P2P lawsuits. I was even more surprised when I saw the large national law firm, Foley & Lardner, was representing DigiProtect. Somewhat surprising to see them involved in a lawsuit over "Let Me Jerk You 2." Even more surprising to see them get smacked down by the court on relatively obvious procedural grounds.
What bogs down these lawsuits is the way they are pursued. A plaintiff could use the IP addresses to pursue actions in the individual jurisdictions (subject to discovery and subpoena limitations), or pursue one identified participant in an alleged "swarm" and go after the remaining people involved (subpoena their information from the initial defendant and then sue them in other jurisdictions, if necessary). DigiProtect did not do that, and there's a reason why. It wants to obtain the identity of everyone whose IP address it has, and send every single one of these people a letter. The same letter. DigiProtect is pursuing the settlement mill model, and more often than not, this model is blowing up in the face of plaintiff and its counsel.
I don't recall whether other courts have expressly approved ISP requests for processing costs, but the court does so here, and this may end up effectively putting the kibosh on the lawsuit. I don't get the sense that the plaintiff has invested significant dollars into the dispute or is willing to do so. Plaintiff may balk at the prospect of having to shell out cash upfront to learn the identity of Doe defendants who may or may not pay off. The limitation on the number of lookups is also a significant limitation. It is at least going to slow things down.
To people who are on the receiving end of subpoenas in Doe cases: take the lawsuit seriously, retain counsel, and if you don't have the resources to defend and push back, consider settling for a nominal amount, if possible. But definitely check to see if the case has been blown up by the judge. There's a good chance it has.
Posted by Venkat at 08:48 AM | Copyright , Privacy/Security
October 05, 2011
Ca. Court of Appeal Vacates $100,000 Non-Party Discovery Sanction Against Facebook -- In re J.G.
[Post by Venkat Balasubramani]
In re J.G., A128898; A129157 (Ca Ct. App.; Sept. 30, 2011)
Background: This involved a juvenile proceeding where J.G., a minor, was charged with the offenses of forcible sexual penetration and false imprisonment. During the proceedings, J.G.'s counsel served three subpoenas on Facebook, seeking information "relating to the victim's Facebook user account, including electronic messages sent to and from the account, and other data."
The first subpoena was issued on March 3, 2010 and demanded the production of documents within five days, or alternatively, Facebook's appearance at a court hearing on March 12. On March 17, Facebook served objections on J.G.'s counsel, and among other bases, Facebook argued that the Stored Communications Act precluded the production at issue. Facebook went back and forth with J.G.'s counsel, but did not appear at the scheduled hearing. At the hearing, J.G.'s counsel requested an order requiring Facebook's appearance in court on a new date: April 5, 2010.
On March 29, 2010 and April 7, 2010, the private investigator working for J.G.'s counsel served two additional subpoenas, the latter of which set a hearing date of April 13, 2010. While the first subpoena was signed by J.G.'s counsel, these two subpoenas were signed by the juvenile court commissioner. On April 9, 2010, Facebook served objections to these two subpoenas on counsel but did not file these objections with the court.
On April 12, 2010, Facebook's representatives discussed with J.G.'s counsel the possibility of having the victim execute a consent form. Facebook provided J.G.'s counsel the consent form, and counsel acknowledged receiving the form and advised Facebook: "You don't need to go to court tomorrow."
Facebook did not appear at the April 13 hearing. The investigator emailed a consent form purporting to be signed by the victim but it was actually signed by a representative of the district attorney's office. (??) The investigator further advised Facebook that there was a hearing and a further hearing on Facebook's "handling of the subpoenas" was set for April 20, 2010.
Prior to the April 20th hearing, Facebook's outside counsel arranged for a paralegal to contact the court. The court clerk advised that the hearing was scheduled to occur, but J.G.'s counsel advised Facebook's counsel that the hearing was cancelled. Facebook's counsel appeared at the April 20th hearing, where he found out that the court was considering imposing a sanction on Facebook "for failing to comply with court orders relating to the subpoenas." Facebook's counsel advised that the Stored Communications Act restricted Facebook's ability to disclose the information in question. Following the hearing, the court imposed a sanction on Facebook in the amount of $100,000, payable to the Alameda County Superior Court. At the hearing, the court dropped this gem of a line:
[the judge] saw in the [newspaper] two weeks ago that [Facebook's CEO] made three billion dollars in 19-- excuse me, 2009, three billion dollars . . . .
Shortly after the hearing, J.G.'s counsel provided Facebook with the signed waiver, Facebook produced the information in question, and the juvenile court released J.G. to home supervision. Facebook then moved to vacate the sanctions order.
Discussion: Facebook made three arguments for why the sanction should be vacated. The court rejects the first two, but agrees with the third.
Due Process/notice: Facebook argued that it did not have adequate notice of the court's intent to impose a sanction. The court disagrees, noting that Facebook's counsel appeared at and participated in the hearing. In fact:
counsel acknowledged that Facebook was aware of the court's displeasure with its compliance efforts, and [admitted] that 'it's entirely possible that some things may have fallen through the crack [sic].'
Even if there was some irregularity in the procedures, the court concluded that Facebook did not suffer any prejudice--it participated in the hearing fully and filed papers after the hearing.
Consent to commissioner acting as judge pro tempore: Facebook contended that it did not consent to the commissioner acting as judge pro tempore "for purposes of the sanctions proceedings." The court says Facebook's conduct at the sanctions hearing was implied consent.
Court's authority to impose sanctions: The final argument gets traction with the court. The court says that while the juvenile court has inherent authority to manage its proceedings, the juvenile court does not have inherent authority to impose punitive monetary sanctions. Several different statutes authorize the court to impose sanctions, but none of these come close to authorizing an award of $100,000. While a statute authorizing broader sanctions is on the books, it's limited to parties and not directed at the conduct of nonparty witnesses.
__
The court vacates the sanctions award as unauthorized and sends the matter back to juvenile court for further consideration in light of its opinion. The court does not reach the issue of whether Facebook "acted reasonably and in good faith," and it looks like the juvenile court is directed to not address this issue either. (The court's order is unclear on this last point.)
Service providers have to walk a fine line when responding to requests for communications. Although both lawsuits were dismissed, MySpace and Yahoo were both sued for disclosing information and communications in response to subpoenas that plaintiffs claimed did not fall under the specific exceptions in the Stored Communications Act. (See Sams v. Yahoo! and Hubbard v. Myspace.) Providers also have to worry about statutes such as the Video Privacy Protection Act and the newly-enacted California Reader Privacy Protection Act [pdf]. I haven't looked at it in detail, but my instinct is that the communications in this case could not be disclosed by Facebook, and it was correct in asserting that the Stored Communications Act barred disclosure. (The DOJ's Cybercrime division lays out the circumstances in which information can be disclosed by service providers. Even wading through this summary will make your head hurt.)
I'm sure Facebook is breathing a sigh of relief over having avoided the sanctions order, although it must not be looking forward to dealing with these discovery issues on an ongoing basis. Dealing with a subpoena in federal court is somewhat more straightforward than dealing with it in other fora, such as in a juvenile criminal proceeding.
It's unfortunate that the court did not discuss the merits of Facebook's objection based on the Stored Communications Act. Litigants also continue to grapple with the issue of how to get Facebook profile information in discovery. As far as recommendations for litigants trying to get Facebook-related information, I would suggest familiarizing yourself with what information is covered by the SCA and tailoring your request for information accordingly. Second, whenever possible, I would try to seek the information from the litigant rather than from the network directly, and try to obtain a waiver to the extent there are logistical issues preventing discovery of the information from the litigant. (Of course, courts have not resolved the issue of whether someone can be forced to execute a waiver, but I'm guessing we'll see some decisions on that soon enough.)
Posted by Venkat at 02:08 PM | Evidence/Discovery , Privacy/Security
October 04, 2011
9th Cir.: ECPA Protects Non-Citizen Communications Stored in the US -- Suzlon Energy v. Microsoft
[Post by Venkat Balasubramani]
Suzlon Energy Ltd. v. Microsoft Corp., 10-35793 (9th Cir. Oct. 3, 2011) [pdf]
Suzlon Energy sought emails from Microsoft for use against Sridhar, an Indian citizen, in a civil lawsuit pending in Australia. It filed a petition for the production of documents, which the district court initially granted. In response, Microsoft and Sridhar filed objections. The district court agreed with Microsoft and Sridhar and held that, although Sridhar was not a United States citizen, the Electronic Communications Privacy Act precluded Microsoft's disclosure of the emails.
The Ninth Circuit affirmed, finding that the text of the statute answers the question of whether the protections of the ECPA are limited to United States citizens. The statute prohibits disclosure of communications which fall under the statute and contains numerous exceptions, but citizenship is not listed as an exception. Additionally, the statute defines a user as "any person or entity" who uses an electronic communications service with authorization:
The Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written.
Although the court found that the text of the statute answered the question, it nevertheless analyzed the legislative history of the statute "for its instructive value." The court notes that Congress' intent in passing the ECPA was to protect the privacy interests of American citizens, but nothing indicates an intent to protect the privacy rights of only American citizens. Although the language of the legislative history is inconclusive, the passage quoted by the court is interesting and one that Congress may want to take a look at when thinking about whether and how to revamp the ECPA:
With the advent of computerized record keeping systems Americans have the ability to lock away a great deal of personal and business information. . . . [T]he law must advance with technology to ensure the continued validity of the fourth amendment.
The court makes clear (citing to Zheng v. Yahoo!) that it's only deciding that ECPA protections apply to information stored in the United States. (Zheng was a case where the district court concluded that a dissident in China could not sue Yahoo! for allegedly turning over email messages to the Chinese government.)
The court also addresses the issue of consent, finding that Sridhar did not impliedly consent by being involved in the Australian litigation. The court does not see the logic in Suzlon's consent argument. The court also says that Sridhar did not consent to Microsoft producing the emails on his behalf. Microsoft's terms of service only say that emails would be disclosed in accordance with United States law and in other circumstances not relevant to the case. Microsoft "never told Sridhar that his communications might be monitored or disclosed." There are no facts supporting implied consent based on waiver.
__
It's tough to quibble with the court's interpretation of the statute, but it's interesting that the court specifically carved out and reserved judgment on communications that are not stored in the United States. Zheng v. Yahoo! didn't expressly rely on the storage issue; the court determined that the predicate acts occurred abroad and therefore the ECPA did not apply.
Is the location of the server where the email is stored a workable basis to determine whether ECPA protection should be lost? Does this type of a rule allow an ISP to play games as to what emails are subject to ECPA protection and which are not? If an ISP decides to change its storage practices and decides to store emails offshore, does this suddenly mean that those emails are no longer entitled to protection under the ECPA? (I recall some proposed legislation which would prohibit US companies from storing data outside the United States to avoid foreign governments being able to impose different rules.) From a consumer standpoint, the location of storage doesn't offer much clarity. I imagine customers have no idea what jurisdiction the servers which house their communications are located in.
[Clarification: I revised the post to indicate that the court did not hold that foreign-stored communications are outside the scope of ECPA protection. My zeal to highlight an interesting issue got the better of me! Thanks to the emailer who pointed this out.]
Additional coverage: Ninth Circuit Says ECPA Protects Foreign Citizens (Tom O'Toole/BNA)
Posted by Venkat at 03:35 PM | Privacy/Security
September 23, 2011
iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation
[Post by Venkat Balasubramani]
In re iPhone Application Litigation, 2011 WL 4403963 (N.D. Cal.; Sept. 20, 2011)
iPhone users sued Apple and various advertising networks alleging that defendants violated their privacy rights "by . . . allowing third party applications that run on [iOS devices] to collect and make use of . . . personal information without user consent or knowledge." The court dismisses the claims but grants leave to amend. Judge Koh's order has the feel of a professor grading an exam, and it covers a lot of ground, including many cases we've blogged about. (It's well worth the read.)
Plaintiffs alleged that Apple made public statements about protecting user privacy but the design of its iOS system "permit[ted] apps that subject consumers to privacy exploits and security vulnerabilities." Plaintiffs alleged that Apple devices allow apps to track, access and use the following customer information:
address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID).
Plaintiffs claimed that they were not put on notice of this tracking. Plaintiffs also alleged that the "Mobile Industry Defendants" exploited this information and "use[d] the merger of personal information to effectively or actually de-anonymize consumers." Despite being put on notice, Plaintiffs claimed Apple did not take any action to prevent this tracking and use of information.
Standing: Plaintiffs argued that they suffered three types of injury: (1) their personal information was misappropriated; (2) the personal information diminished in value; and (3) they suffered lost "opportunity costs" in having installed the apps and suffered a diminution in value of their devices because the devices are "less secure" and "less valuable." The court says that the complaint has a deeper standing issue. Plaintiffs failed to allege what injury they suffered personally (or as a class). They fail to identify what apps they used, what personal information was accessed, and what harm resulted. The court also says that the allegations are "especially slim with respect to . . . Apple."
The court also says that there's another issue with the complaint. Plaintiffs fail to allege a "concrete harm." Citing to Specific Media, JetBlue, and Doubleclick, the court says:
[as in Specific Media, plaintiffs have] not alleged any 'particularized example' of economic injury or harm to their computers, but instead offer only abstract concepts, such as 'opportunity costs,' 'value-for-value exchanges,' 'consumer choice,' and 'diminished performance.'
Plaintiffs pointed to Doe v. AOL, but the court distinguishes it on the basis that in that case there were "specific allegations" of the danger of public disclosure of "highly sensitive information." Plaintiffs' allegations in this case "come nowhere close" to the allegations in AOL. Plaintiffs also cite to the Facebook privacy case, but the court distinguishes it on the basis that the Facebook privacy case involved Wiretap Act claims which only require a showing that a person's communication was "intercepted, disclosed or used" in violation of the statute. Here, there's no analogous statute.
The court also says that the alleged injuries are not "fairly traceable" to defendants. There is no allegation that Apple misappropriated the data, and plaintiffs did not distinguish between the "mobile industry defendants," which made it tough to figure out who plaintiffs were trying to hold liable for what misappropriation. The court dismisses on the basis of standing with a cautionary note to plaintiffs:
any amended complaint must provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants' conduct or role in that harm.
Although the court dismisses on standing grounds, it goes on to address alternate arguments raised by defendants and other issues in the case.
End user agreements: Apple argued that various end user agreements barred claims for the alleged injuries. Plaintiffs argued that the agreements were contracts of adhesion. The court says that plaintiffs will have trouble with both prongs of the adhesion argument. Plaintiffs have alternatives available, and the contract in question is for a recreational activity. The court does not outright reject plaintiffs' adhesion argument, but it sends plaintiffs a signal that they should articulate in their amended complaint why Apple should be held responsible despite any terms in the agreements.
Particularity and the absence of app developers: The court says that, as to the mobile industry defendants, the complaint fails to allege what role each of the defendants played in the alleged harm. This needs to be fixed in any amended complaint. Apple also raised the argument that the app developers were necessary parties but the court rejects this argument. At this stage, the court declines to dismiss the lawsuit for failure to join the developers.
Negligence: The court identifies two problems with the negligence claims. Apple does not necessarily have a legal duty to protect end user information from third party app developers and damages are speculative.
Breach of the duty of good faith: The court tells plaintiffs to identify which of the end user agreements and privacy agreements plaintiffs are using to support their duty of good faith claim.
Consumer Legal Remedies Act: The court questions whether the statute is applicable at all to software--it covers the sale of goods and services (citing to Ferrington v. McAfee).
Computer Fraud and Abuse Act: The court says that plaintiffs' Computer Fraud and Abuse Act claims are deficient for three reasons. First, there is no allegation that Apple acted "knowingly." Plaintiffs only allege that Apple failed to take "meaningful steps" to police third party developers. Second, since the software was downloaded voluntarily, this tends to undermine a claim that the access was "without authorization" or "exceeded authorized access." Finally, there's the damages issue. The court says that only economic damages are available; damages for "death, personal injury, mental distress, and the like" are not. There are no allegations of economic harm. Although damages can be aggregated where the violation can be described as "one act," plaintiffs failed to point to any "single act" of harm by defendants.
California's anti-hacking statute: The court says (citing to Facebook v. Power Ventures) that the phrase "without permission" in the statute is construed more narrowly than in the Computer Fraud and Abuse Act. In Power Ventures, the court held that the mere violation of terms of use does not violate the statute; Facebook would have to show that Power Ventures circumvented technical barriers of some sort. The court says that plaintiffs fail to articulate how the access here falls into this category. Plaintiffs also pointed to a section of the statute which imposes liability for the introduction of "computer contaminants." The court says that this section also requires that the introduction of the contaminant be without permission. The court also says that the subsection addressing computer contaminants is aimed at "viruses or worms," and it does not look like the apps in question fall into this category.
Trespass to chattels: Under Intel v. Hamidi, a trespass to chattels claim based on access to a computer server requires impairment or loss of use. The court says plaintiffs have not adequately pled this element.
Unfair competition: In order to bring an unfair competition claim, a plaintiff needs to have suffered damage or lost money or other property. The court says it is skeptical of the "personal information as currency" argument (citing to the recent Facebook privacy ruling). The court also says that it's unclear as to whether plaintiffs paid money for the apps in question.
Unjust enrichment: There is no separate cause of action for unjust enrichment under California law. The court says that restitution may be available as an equitable remedy in lieu of contract damages. If plaintiffs amend their complaint, they are directed to clarify what they are seeking by way of restitution.
__
Judge Koh goes through and basically shreds the complaint. A consistent theme is plaintiffs' lack of specificity. This is not surprising, because the trigger for the complaint is a news story or a scholarly study, rather than a specific event that a plaintiff had awareness of when it happened. The court's order makes clear that, even if plaintiffs get past the allegation of harm issue, there are numerous other hurdles that stand in the way of holding defendants liable. In particular, she says that Apple as the third party is somewhat removed from the information collection, and plaintiffs are not going to have an easy time holding Apple liable. Apple may also have a robust defense in its end user agreement(s). Other than knocking down plaintiffs' unconscionability argument, the court did not get into specifics of what those agreements contain that may limit Apple's liability, but the agreements are sure to contain a few. All of this has to be good news for Apple. [I'm somewhat surprised the issue of arbitration has not come up. Also, Apple may be able to assert a Section 230 defense, either based on section (c)(1) for its putative liability based on the developers' actions, or under (c)(2) for the negligence claim that it failed to police its app store properly.]
Lower courts have overwhelmingly rejected the latest wave of privacy class actions, and evinced deep skepticism towards the theory that the collection of personal information alone by a private entity constitutes harm. Courts also do not seem excited about the theory that tracking somehow harms end users because it diminishes the value of their personal information. Nor do they seem excited about the "information as currency" argument. I think it's fair to say that, while the case law leans towards the defendants, there's not necessarily a ton of Ninth Circuit precedent that directly speaks to the issues raised by tracking cases. It's possible that some set of plaintiffs may have better luck in the Ninth Circuit.
Posted by Venkat at 10:31 AM | Privacy/Security
September 22, 2011
Court Revisits and Dismisses Fair Credit Reporting Act Lawsuit Against Spokeo -- Robins v. Spokeo, Inc.
[Post by Venkat Balasubramani]
Robins v. Spokeo, Inc., 10-CV-05306 (C.D. Cal.; Sept. 19, 2011)
Spokeo collects information about individuals and allegedly markets this information to employers and HR professionals. Robins sued Spokeo in a putative class action, alleging violations of the Fair Credit Reporting Act. The court initially dismissed the lawsuit for lack of standing, due to Robins's failure to allege actual harm. ("Court Dismisses Class Action Against Spokeo for Lack of Standing.") Robins filed an amended complaint and the court found that Robins adequately alleged injury and standing. ("Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward.")
The court revisits the ruling and finds that plaintiffs failed to adequately allege harm:
the Court reinstates the January 27, 2011 Order, which found that Plaintiff fails to establish standing. Among other things, the alleged harm to Plaintiff's employment prospects is speculative, attenuated and implausible. Mere violation of the Fair Credit Reporting Act does not confer Article III standing, moreover, where no injury in fact is properly pled. Otherwise, federal courts will be inundated by web surfers' endless complaints. Plaintiff also fails to allege facts sufficient to trace his alleged harm to Spokeo's alleged violations. In short, Plaintiff fails to establish his standing before this Court. This action is therefore DISMISSED.
Is it sufficient for a plaintiff to plead a violation of a statute or does the plaintiff have to allege harm for Article III purposes separately? Does a statutory violation automatically confer Article III standing? I'm guessing Robins will appeal this ruling and we will get to see what the Ninth Circuit says about the standing issue. [For what it's worth, I predict a reversal.]
Previous posts:
Court Dismisses Class Action Against Spokeo for Lack of Standing.
Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward
Posted by Venkat at 12:05 PM | Privacy/Security
August 24, 2011
Mixed DMCA Online Safe Harbor Ruling in Cloud-Based Music Locker Case--Capitol v. MP3Tunes
By Eric Goldman
Capitol Records, Inc. v. MP3Tunes, LLC, 2011 WL 3667335 (SDNY Aug. 22, 2011).
Background. This case involves MP3Tunes.com and Sideload.com. MP3Tunes is a music storage locker. Small lockers are free, but more storage is available at a price. The system doesn't store redundant copies; if the system recognizes an identical bit stream coming from a second user, it just records the hash. Sideload is a music search engine that lets users find free music on the Internet. (It was also a browser plug-in.) If users find a music file they like, they can "sideload" the music file into their MP3Tunes locker as a personal archive copy. MP3Tunes' database tracks the sources of these personally archived files.
Due to other issues being addressed in prior proceedings, this ruling primarily focuses on the applicability of the 17 USC 512 safe harbor. This court expressly interprets 512(d), the safe harbor for linking to infringing content--one of the rare opinions to do so. Like most 512 rulings, this ruling is lengthy and detailed, reflecting the fact that the plaintiff contested a long list of safe harbor elements. As I recently mentioned, god bless the pithy 47 USC 230 immunity and the short opinions it produces.
Result. The net effect is that most of MP3Tunes' operations got a 512 safe harbor defense, but it is contributorily liable for any infringing sideloaded files it didn't remove following a takedown notice, and MP3Tunes' CEO (the persistent Michael Robertson) may be personally liable for any infringing files he personally loaded into his locker. These rulings leave the defendants on the hook for potentially millions in damages. Other questions, such as liability for employees' uploads, were rolled over to trial. Because of this mixed ruling, both sides issued public statements touting their wins. As I'll explain momentarily, both sides also earn some brickbats from me.
Some of the post-ruling punditry has suggested this ruling provides a roadmap for other cloud-based music lockers, including the offerings from Apple, Amazon and Google. While that's partially true, the guidance is limited at best due to the fact-specific nature of the ruling. Perhaps the best news for the other services is that lockers may not have to store redundant copies of user-uploaded files to qualify for a Cablevision defense (see the EFF post for more on this). However, as the Zediva ruling recently showed, it remains uncertain how broadly other courts will read the Cablevision case. Otherwise, I think this case mostly tells us things we already knew but that copyright owners refuse to believe.
Out of this dense and slightly inscrutable ruling, some of the points that I found most interesting:
Bogus Takedown Notices (Yet Again...) EMI sent MP3Tunes overbroad takedown notices. The court says EMI affiliates "provided a list of EMI artists and demanded that MP3Tunes 'remove all of EMI's copyrighted works, even those not specifically identified.'" This was in 2007, NINE YEARS after the DMCA came into effect. Seriously, guys? 512(c)(3) isn't that complicated, and major copyright owners that send notices vastly in excess of 512(c)(3) look like greedy or clueless SOBs.
With the hope that we can avoid future SOBness, here's an offer I extend to any and all major copyright owners. I will happily give you a FREE tutorial on how to draft proper 512(c)(3) takedown notices so that you don't look as asinine as EMI looked here. I'm not worried about these trainings being too much of a drain on my time--they should only take about FIVE MINUTES and involve a variation of RTFM.
Needless to say, the court wasn't impressed by EMI's overreaching takedown notices. It reminds EMI that a proper 512(c)(3) takedown notice requires the copyright owner to provide sufficient information to locate the infringing files (cite to Wolk v. Photobucket).
MP3Tunes' Takedown Policy. MP3Tunes took the puzzling position that, in response to the overreaching 512(c)(3) notices, it only had to remove specified links from Sideload and not any files downloaded from those URLs into personal lockers--even though MP3Tunes kept the source URLs in its database and could therefore trace those files. Now, if the users had downloaded the files to their hard drives, that wouldn't be MP3Tunes' issue--though, to be clear, the users probably don't have a fair use defense if the files are actually infringing (see, e.g., the BMG v. Gonzalez case). However, as a cloud service provider, MP3Tunes needs to respond to 512(c)(3) notices when they meet the statutory requirements, even if the locker is supposed to be the user's "private" space. MP3Tunes loses the 512 safe harbor for these files because EMI's 512(c)(3) notices provided adequate information for MP3Tunes to locate the files, and the court says MP3Tunes is contributorily liable for these infringements. MP3Tunes argued a Sony defense that its lockers had substantial non-infringing uses, but the court says Sony applies only to products, not services.
It's unclear how this discussion applies to other cloud-based music lockers. The court distinguishes Viacom v. YouTube because Viacom could easily search YouTube for infringements--which isn't possible with private cloud-based lockers (just as it isn't possible with user hard drives). The court also asserts that any other lockers letting users "sideload" from the Internet must trace the URL source and disable all files from that URL in response to a 512(c)(3) notice. But what if the music locker allows users to upload files from their hard drives and doesn't allow those to be searched? The opinion seems to deliberately avoid addressing that situation. [A related unresolved Q: how copyright owners can find private YouTube videos. I've posted a few myself for use in my Advertising Law course.]
The court dismisses MP3Tunes' seemingly overstated concerns about its liability to users for disabling files in their "private" lockers. MP3Tunes' user agreement expressly allowed this, as I would expect every other cloud service provider's user agreement to do.
Even so, it's 100% clear that cloud storage is different from hard drive storage, and some users are going to get quite a surprise when they learn that third parties can zap files from their cloud storage. (Recall the hubbub over Amazon's zapping of books from Kindle). If Congress weren't so dysfunctional, this would be a good place for a statutory fix. It would make a nice complement to the Digital Due Process initiative to fix the ECPA's application to the cloud.
It's worth noting that users weren't represented in this litigation and had no ability to show that their uses were fair, notwithstanding BMG v. Gonzalez and similar cases. If cloud-based music lockers simply pull the trigger on 512(c)(3) notices on an "ex parte" basis (i.e., without any input from the affected users), their fair use rights become effectively irrelevant unless the sites honor users' putback notices. I think it's critical for cloud-based music lockers enabling "private" lockers to address how they will deal with 512(c)(3) notices and if they will honor 512(g) putback notices. I'd welcome your thoughts on ways that we collectively can monitor cloud service providers' policies and practices on this topic.
Repeat Infringer Policy. MP3Tunes had an adequate repeat infringer policy because, among other things, its users weren't "blatant infringers" (they were just downloading files for personal use and may not have known better) and "MP3Tunes does not purposely blind itself to its users' identities and activities."
Red Flags of Infringement. I continue to assert that "red flags of infringement" is no longer possible given copyright owners' widespread practices of freely seeding their content on the Internet as marketing. EMI did that too. Indeed, the court says "EMI executives concede that internet users, including MP3tunes' users and executives, have no way of knowing for sure whether free songs on the internet are unauthorized." The court further dismisses EMI's mockable argument that the terms "free," "mp3" and "file-sharing" automatically confer red flags knowledge. EMI's takedown notices that didn't comply with 512(c)(3) didn't contribute to any red flags knowledge either.
Vicarious Infringement Standards. The court rejects that the sideloading feature contributed to "financial benefit" because, even if it was a "draw," it had non-infringing uses, and MP3Tunes didn't charge for its usage. MP3Tunes lacked the requisite "control" because it was a cloud storage solution.
Public Performance. EMI argued that MP3Tunes publicly performed the files in users' lockers. MP3Tunes responded with a Cablevision defense. The court explains that MP3Tunes doesn't deliver files from a "master copy" (even though redundant copies aren't made) but instead "uses a standard data compression algorithm that eliminates redundant digital data" and therefore preserves exact digital copies. Thus, MP3Tunes wasn't publicly performing. I didn't understand the technological distinction the court was making, but I didn't find it persuasive at all. The court also distinguished Cablevision because it couldn't qualify for 512, while MP3Tunes does.
DMCA's Applicability to pre-72 Sound Recordings. FN1 says that 512 applies to pre-1972 sound recordings:
The Court agrees with Defendants that the plain meaning of the statutory language makes the DMCA safe harbors applicable to both state and federal copyright claims. Thus, the DMCA applies to sound recordings fixed prior to February 15, 1972.
I believe this is the first ruling reaching this conclusion (am I forgetting one?). The court didn't offer any citations or analysis in support of this conclusion, and I anticipate this issue will continue to be litigated fiercely.
Reminder: in case you missed it, I recently caught up on 4 months worth of online copyright rulings, including several addressing the same or similar issues as this case.
Other comments on this ruling: Techdirt, EFF, CNET News.com
Posted by Eric at 02:26 PM | Copyright , Derivative Liability , Licensing/Contracts , Privacy/Security | TrackBack
August 22, 2011
Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment -- Kirch v. Embarq
[Post by Venkat Balasubramani with comments from Eric]
Kirch v. Embarq, 10-2047-JAR (D. Kan. Aug. 19, 2011)
The fallout from NebuAd's ill-fated deep packet inspection continues to percolate through the courts. Plaintiffs sued NebuAd and ISPs in the same forum in Northern California, but the ISPs were dismissed on jurisdictional grounds, requiring plaintiffs to pursue them through local lawsuits. NebuAd reportedly shut down, but lawyers recently announced a settlement over claims against NebuAd. (See: "NebuAd Settles Lawsuit Over Behavioral Targeting Tests.") Interestingly, the $2.4M from the proposed settlement will go to public interest organizations and the lawyers--there's no class payout, and just small payments to the named plaintiffs. This is fairly typical in privacy lawsuits, but settlements like these have elicited a few challenges, most prominently in Facebook's Beacon settlement (which is currently on appeal to the Ninth Circuit).
This particular case is one of the end users' cases against ISPs. They brought claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, invasion of privacy and trespass to chattels. They voluntarily dismissed the invasion of privacy, trespass and CFAA claims. This left the ECPA claim. (The court says the claims were dismissed pursuant to "stipulation," but does not get into detail as to whether there was any settlement associated with this dismissal.)
No derivative liability: The court found for summary judgment purposes that Embarq did not have access to the contents of user communications. Embarq admittedly facilitated NebuAd's tracking and targeting, but this is not enough for plaintiffs to hold Embarq liable:
As plaintiffs' expert testified, Embarq's role was to install the NebuAd device so as to furnish the UTA connection to NebuAd. In other words, the NebuAd device . . . goes into place, then all of the raw data that flows through Embarq is directed to that device, where NebuAd does the analysis and, apparently, separates out the Port 80 traffic. Moreover, plaintiffs cite no authority that Embarq's access to the raw data that flowed through its network constitutes a violation of the ECPA, which requires an entity to actually acquire the contents of those communications. There is nothing in the record that Embarq itself acquired the contents of any communications as they flowed through its network; instead, plaintiffs' theory rests on the notion that the NebuAd System extracted the contents of the communications. Plaintiffs' assertion that Embarq 'endeavored to intercept' communications falls short of creating civil liability under the ECPA, which creates liability for actual interception.
Plaintiffs pointed to the contractual relationship between Embarq and NebuAd as a basis for holding Embarq indirectly liable. The court says clearly that the "civil liability provision of the ECPA . . . does not provide for secondary liability."
User consent: The court also grants Embarq summary judgment on the basis that to the extent there was improper interception, the users consented to it. Embarq's "activation agreement" pointed to its privacy policy and said Embarq could revise it. Prior to deployment of NebuAd, Embarq posted a new paragraph in its privacy policy entitled "preference advertising." This paragraph informed subscribers that:
Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users' names, email addresses, telephone numbers, or any other Personally Identifiable Information.
You may choose to opt out of this preference advertising service. By opting out, you will continue to receive advertisements as normal; but these advertisements will be less relevant and less useful to you. If you would like to opt out, click here. (embarq.com/options)
Subscribers were given an opportunity to opt-out by clicking on a link. Plaintiffs made three arguments as to why this consent should not be viewed as being effective, but the court summarily rejects them all, relying in part on Mortensen v. Bresnan: (1) the scope of the disclosure was inadequate and did not identify NebuAd; (2) the notice was not conspicuous enough; and (3) the opt-out mechanism was insufficient.
__
The NebuAd deep packet inspection idea was ill-fated, but it's interesting to see the litigation play out as it has. NebuAd's insurers settled for a relatively small amount. The claims against the individual ISPs are struggling, and when you throw requests to compel arbitration based on the Supreme Court's decision in Concepcion into the mix, it's going to end up being a long road for plaintiffs.
I'm not sure I can think of a principled reason for this, but I've always viewed deep packet inspection as something that crossed the line. But under existing privacy laws, it's not easy to hold ISPs who partnered with NebuAd liable. Privacy plaintiffs continue to push the envelope but they are repeatedly rebuffed by the courts. As Eric notes, the statutes under which plaintiffs assert causes of action in privacy class actions are convoluted, confusing, and in need of a much-anticipated revamp.
As with the flash cookie cases, I'm curious about the FTC's role in the regulatory quagmire. I would think they could have a significant effect in the area if they came in and took the type of action they took against the likes of Google and Twitter against the players in this space. Maybe I'm missing something or there are institutional factors at play (or activities going on behind the scenes), but it certainly seems like the FTC has extracted a large quantity of blood in some situations but is ineffectual or slow to act in others.
Previous posts on NebuAd:
Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One
Additional coverage:
Wendy Davis: "Embarq Wins Privacy Suit Stemming From NebuAd Tests"
__
Eric's comments
1) For sake of completeness, I note that a 47 USC 230 defense wouldn't have helped Embarq against the derivative ECPA claim because 230's immunity expressly excludes ECPA claims. See 47 USC 230(e)(4). Thus, this case failed on the prima facie elements. The court says confidently (cites omitted):
The civil liability provision of the ECPA, however, does not provide for secondary liability, as liability attaches only to the party that actually intercepted a communication. As numerous courts have consistently held, a defendant does not “intercept” a communication merely by allowing or enabling, or even directing, another party to intercept communications.
2) The court's conclusion about consent is interesting:
plaintiffs were required to agree to the terms of the Activation Agreement in order to use Embarq’s Internet service; that Agreement incorporated the terms of the Privacy Policy, which informed subscribers that their de-identified data could be shared with third parties; that Agreement informed subscribers that the terms could be changed at any time through posting a new policy at Embarq’s website; and Embarq modified those terms in advance of the NebuAd test to add a paragraph regarding preference advertising, with an opt-out mechanism.
This summary, very much in line with the Mortensen case, shows an extreme judicial deference to Embarq's contract--both in terms of letting broad opaque language serve as user "consent" and letting Embarq unilaterally amend the contract to add new and different terms. We've seen other courts push back on both practices, so I wouldn't recommend Embarq's approach as an industry best practice. It seems especially odd that courts have been so deferential on consent issues given the inherent disagreeability of NebuAd's DPI practices.
3) Along with last week's Bose v. Interclick ruling, chalk this up as another plaintiff loss in a privacy case that most people probably thought was a slam dunk. So many of the pending privacy lawsuits are filed solely because defendants will pay to avoid the adjudication costs of defending their practices under poorly drafted statutes, not because there's any fundamental merit to the cases. We desperately need a complete rewrite of the CFAA and ECPA simply to put them in English so that everyone has a better sense of which cases are meritorious from the outset.
4) An interesting factoid: NebuAd paid less than $30k to Embarq for the trial period. Note to future IAPs who want to experiment with potentially privacy-invasive technologies: it isn't a good financial deal for you! Or, at minimum, get the vendor's insurer to stand behind the vendor's indemnity clause so that you won't spend many multiples of the associated revenue defending yourself when the vendor goes belly-up.
Posted by Venkat at 04:27 PM | Derivative Liability , Licensing/Contracts , Privacy/Security
Federal Geolocation Bills Differ on Scope and Damages (Guest Blog Post)
By Sonya Ziaja
[Sonya is an American attorney and MSc. candidate at University of Oxford. She writes regularly for LegalMatch and Shark. Laser. Blawg.]
Congress will be considering at least two geolocation privacy bills this term. The bipartisan Geolocation Privacy and Surveillance Act (“GPS Act”) tries to tackle both the Fourth Amendment problems with law enforcement's widespread unwarranted use of GPS as well as the pesky consumer privacy issues with data collection. Senator Al Franken's Location Privacy Protection Act separates those issues, and focuses instead only on consumer privacy.
The GPS Act's comprehensive approach to geolocation privacy is admirable. But, in its attempt to regulate such disparate actors as the F.B.I. and Apple, the bill looks like it bit off more than it could chew and lost some teeth—especially with regards to consumer protection. A comparison of the bills highlights a weakness in the GPS Act's enforcement mechanism.
In both bills, enforcement means litigation. Both bills allow for a private right to civil action against non-government entities and individuals that intercept, use or disclose geolocation information. Both bills also provide for equitable relief. So, under either bill, you could sue to stop an entity from collecting or selling your geolocation information. And both bills include a fee-shifting provision, so hiring an attorney shouldn't be too much of a barrier to seeking relief. There are significant differences, though, in how damages are calculated and the limitations on relief in the bills.
On the surface, the GPS Act's remedies appear stronger. It gives courts two options to assess damages and instructs the courts to use the greater of the two. Either the plaintiff is awarded actual damages plus any profits the offending party gained through the violation; or the plaintiff is granted statutory damages of $100 a day for each day of violation or $10,000, whichever is greater. The first option seems unlikely to act as a deterrent, unless the case is brought as a class action suit, or the individual was in a unique position to lose money from having their location known. So for an ordinary individual bringing suit, statutory damages likely make the most sense under this plan. Successful plaintiffs are guaranteed a minimum of $10,000. In addition, a plaintiff can sue for punitive damages in "appropriate cases." What exactly constitutes an "appropriate case" is not described in the bill and is left to the courts to decide.
The Location Privacy and Protection Act takes a more modest and straightforward approach. Potential damages include actual damages (assuming they're beyond a $2,500 threshold) and punitive damages. So an ordinary individual plaintiff could get less under this bill than the $10,000 minimum in the GPS Act.
But while the GPS Act provides for potentially steeper penalties than the Location Privacy and Protection Act, it also contains significant barriers to bringing a successful suit. Chief among these is its statute of limitations. It requires that a plaintiff bring a case within "two years after the date upon which the claimant first has a reasonable opportunity to discover the violation" or the plaintiff loses the right to bring a suit. In other words, if you fail to realize that an entity is intercepting, using or distributing your geolocation information, you're in danger of losing your right to sue and stop that entity from continuing to track you.
The statute of limitation in the Location Privacy and Protection Act is more reasonable. It's still a two-year limit, which would protect corporations from unanticipated lawsuits far into the future. But, where the GPS Act starts the two-year count from the moment that you could have possibly known you were being tracked, this bill starts the two-year count from the date the violation actually happened or the date that you actually learned the violation had taken place.
The GPS Act does take positive steps to protect citizens' privacy rights from law enforcement. But from the point of view of the bill, when those same citizens are viewed as consumers, their privacy no longer seems to be as much of a concern. I would hope that the barriers to enforcement included in the GPS Act are simply oversights and will be remedied in future versions of the bill. Absent changes, however, Franken's Location Privacy Protection Act looks to be the better bet for protecting consumer privacy rights. You might not get the same returns on it as you might from the GPS Act, but at least you have a better chance of being able to sue to stop companies from surreptitiously tracking you.
Posted by Eric at 07:22 AM | Privacy/Security | TrackBack
August 18, 2011
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
[Post by Venkat Balasubramani, with comments from Eric]
Bose v. Interclick, Inc., et al., 10-cv-09183-DAB (S.D.N.Y. Aug. 17, 2011)
Bose sued Interclick, an advertising network, and various advertisers (including McDonald's, Mazda and Microsoft) over "flash cookies" and "history sniffing." As described by the court:
[w]hen a user deletes a browser cookie, the flash cookie "respawns" the browser cookie without notice to or consent of the user....
"history sniffing" code, which [contains] a list of web page hyperlinks . . . [uses] the computer's browser to determine whether the computer had previously visited those hyperlinks, and [transmits] the results to [the advertising network's] servers. Interclick used data on the computer's browsing history to select particular advertisements to display on that computer.
Plaintiff asserted putative class claims under the Computer Fraud and Abuse Act, New York's unfair competition statute, and common law trespass.
CFAA claims: Bose asserted three types of damages to support her CFAA claims: (1) impairment of her computer; (2) "loss" based on the collection of personal information; and (3) loss due to "interruption of internet service."
Damage to the computer system: The court canvassed the broad array of losses that can support a CFAA claim, but focused on the issue of whether the loss alleged by Bose satisfied the $5,000 jurisdictional threshold. Bose "[failed] to quantify any damage Interclick caused to her computer . . . ." and what it would cost to remedy this supposed damage.
Collection of personal information: The court rejects Bose's attempt to satisfy the loss threshold by pointing to the alleged misappropriation of her personal information. The court notes that the CFAA provides recovery for "economic damages," and misappropriation of personal information does not qualify. In re DoubleClick arrived at the same result in 2001, and the court rejects her attempt to distinguish DoubleClick on the basis that in this case the network "circumvented" privacy controls that the plaintiff put in place.
Interruption of service: The court also rejects Bose's attempt to argue that the flash cookies caused a slowdown sufficient to invoke the CFAA:
Bose . . . fails to allege specific damage or loss incurred due to alleged interruption of service, or costs incurred to remedy the alleged interruption of service. Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose's hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown to her computer.
Aggregation: Finally, the court addressed the issue of whether the damages could be aggregated under the CFAA to meet the $5,000 jurisdictional threshold. The court notes some divergent authority on the issue of whether losses can be aggregated among multiple plaintiffs (as opposed to multiple computers or events) and concludes that each plaintiff has to satisfy the damages threshold individually.
Deceptive business practices: The deceptive business practice requires a consumer-oriented practice that was misleading and that caused injury. The court rejects the defendants' argument that there was no misleading practice. With respect to injury, the court notes that New York law does not require pecuniary injury to maintain a claim; a bare claim for invasion of privacy is sufficient. The deceptive business practices claim against Interclick moves forward. With respect to the advertisers, the court finds that there is no allegation that the advertisers were involved in any way with the misleading practices.
Trespass: Bose claimed that she was "dispossessed of the economic value of her personal information," but the court says this type of a trespass claim is of "dubious merit." Bose also asserted a more conventional trespass claim (a la Intel v. Hamidi). Although the court notes that "there is no allegation that the devices materially affected the condition, quality or value of the computer," the court nevertheless says that her allegations are sufficient to state a trespass claim.
Contract claims: Bose also asserted contract claims, but the court doesn't spend much time before dismissing those claims.
Dismissal with prejudice: The court dismisses the claims against the advertisers with prejudice, finding that any amendments against these defendants would be futile. The court also dismisses the CFAA and contract claims with prejudice.
__
This is the second lawsuit over flash cookies to meet a chilly reception in court. Eric blogged about the Specific Media case (repeatedly cited by this court) earlier this year: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media." Cookie plaintiffs just don't seem to have compelling facts in the eyes of the courts. Part of it, no doubt, is the courts' skepticism that anyone who got cookied would care enough about the damage to actually spend money fixing damage to their computers. Plaintiffs rarely allege that they do.
Interestingly, there is mixed authority on whether you can aggregate damages for loss purposes and whether you can assert claims premised on non-economic damages. To my knowledge, some courts had answered these questions in the affirmative, in part based on changes to the CFAA since the DoubleClick decision. But the court here was clearly unwilling to explore the outer reaches of the statute for the sake of these plaintiffs. The tenor of the court's opinion is one of deep skepticism that the plaintiff is complaining about something that is truly injurious and which warrants judicial intervention:
personal data and demographic information concerning consumers are constantly collected by marketers, mail-order catalogs and retailers. The collection of demographic information does not 'constitute damage' to consumers or unjust enrichment to collectors. Advertising on the internet is no different from advertising on television or in newspapers. Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.
It's interesting that the court comes right out and says that even if Bose took steps to prevent the collection, her injury isn't enough to get the court's attention. Not a very privacy-friendly judge here.
In some cases, plaintiffs have sued the advertisers as additional defendants, but the judge here clearly did not see them as appropriate defendants. It's helpful from an advertiser standpoint to get a clear ruling that their mere purchase of advertising on an ad network will not get them sucked into a privacy lawsuit. I wouldn't characterize this scenario as risk-free, but it's still nice that the court made clear that advertisers should not be a part of this lawsuit.
On the other hand, regardless of the legal rules and court decisions, there's little excuse for advertisers not to conduct some due diligence on the networks they deal with. The companies are off the hook in this particular decision, but the advertisers named are established companies, and I would be curious to know the background on how they ended up becoming entangled in a privacy-unfriendly practice that has recently been the focus of a huge negative spotlight.
The court's conclusion on the trespass claim was a little awkward. The court says that a slowdown is required, but despite noting the lack of this allegation, allows the claim to move forward.
It was also somewhat awkward that the court didn't discuss plaintiff's "history sniffing" allegation at all. The omission is strange, but it looks like the court just treated Interclick's information collection practices generically. Here's a post from Kash Hill that explains the practice.
It may be too early to tell, but the early indication is that this wave of tracking lawsuits will have a long slog in the courts. This one suffered a pretty big hit at the judge's hands. Both this and the Specific Media case will likely be cited by privacy advocates as to why the current regulatory scheme is broken. I agree that consumers being tracked despite their stated preferences is problematic, but I'm not sure that creating a private right of action is the best solution. A final question. Where is the FTC in all of this? They seem pretty behind the curve in comparison to class action lawyers in the push to regulate privacy.
____________
Eric's comments:
Hey, ad networks: it's not nice to ignore people's expressed preferences about cookies. (I'm not saying the defendants did so in this case; I'm just speaking generally). There may not be legally recognizable harm from placing unwanted cookies, but your consumers are trying to tell you something, and you really ought to listen. Contravening their wishes ticks people off, and it invites legislative bodies to pursue crackdowns like "Do-Not-Track" legislation (whatever that means). If Congress enacts some type of anti-cookie/anti-tracking measure, the ad network industry will have no one to blame but itself (and the Wall Street Journal "What They Know" series).
Hey, plaintiffs: lawsuits over cookies are stupid. The vast majority of us learned that from In re Doubleclick--a decade ago. Cookie lawsuits haven't gotten any more meritorious in the intervening years. So please, just get over it. Meritless privacy lawsuits over advertiser/ad network practices that don't actually harm consumers give legislators some reasons to make privacy lawsuits harder to bring.
Earlier posts:
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Posted by Venkat at 08:55 AM | Privacy/Security, Trespass to Chattels
August 17, 2011
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions
[Post by Venkat Balasubramani]
Putnam Bank v. Ikon Office Solutions, Inc., 10-cv-1067 (WWE) (D. Conn.; July 5, 2011)
Putnam Bank filed a putative class action on behalf of those who purchased and leased office equipment from Ikon, alleging that Ikon improperly failed to disclose that this type of equipment automatically saved images of documents that had been printed, faxed, scanned, or copied. The complaint alleged that not only did Ikon fail to disclose this, Ikon also failed to destroy the data when such equipment was returned. The complaint further alleged that Ikon knew or should have known that the equipment would be used to fax, print, scan and copy documents which contained sensitive information (e.g., social security numbers, birthdates, medical records, and business data). Putnam sued under Connecticut's unfair trade practices statute, under general negligence and breach of contract theories, and under Connecticut's data breach statute.
Did Ikon Have a Duty to Disclose? A key question relevant to the negligence, unfair trade practice and data breach statute claims: did Ikon have a duty to disclose in the first place? Negative, says the court. According to the court, the data breach statute "is directed to businesses that collect or keep personal information." Ikon does neither by incidentally coming into contact with personal information that their customers have placed on office equipment that Ikon leased out. Additionally, the data breach statute only kicks in where there has been a breach, and Putnam failed to allege that "a breach of security [had] occurred."
The allegations regarding identity theft were, as usual, too speculative:
The amended complaint does not allege facts establishing a reasonable belief that an unauthorized person has accessed personal information from the office equipment used by Putnam. The allegations are confined to an undetermined degree of risk of identity theft.
Was Ikon bound to disclose by its implied duty to act in good faith? Putnam pointed to the implied duty of good faith and fair dealing as a basis for Ikon's duty to disclose. This duty requires a party to not take action that "would injure the other party's right to receive the benefits of the contract." The court found that the complaint did not include allegations of bad faith on Ikon's part. Putnam argued that the lease agreement did not address "the storage devices in office equipment," but the court says that this is not indicative of bad faith.
Was there a common law duty to disclose? Putnam also argued that Ikon had a common law duty to disclose. The key question on this issue was whether it was foreseeable to Ikon that leasing equipment would create a risk of its customers having to incur expenses associated with credit monitoring and ID-theft prevention. This turned on whether reasonable business persons in Ikon's position would expect disclosure of the risk in question. The court says no. The "essence of the transactions between Putnam and Ikon was the lease of office equipment, not the protection of data that would be saved on the equipment." There was no allegation that Ikon knew that Putnam was unfamiliar with the data storage aspect of the equipment or that Putnam expected digital storage to be covered by the lease.
Did Ikon have a contractual obligation to disclose? Finally, the court dismisses Putnam's contract-based argument. The agreement was silent on the issue of data security. Putnam tried to argue that "common trade practice" was to imply a term as to data security but the court is unswayed.
__
It's become entirely predictable that data breach plaintiffs will be rebuffed if they don't assert any out-of-pocket losses. Courts have said time and time again that data breach plaintiffs who don't suffer out-of-pocket costs cannot maintain a claim, and that the cost of monitoring is not damage that the law typically provides compensation for. Here, the plaintiff tried to argue that the data breach statute required disclosure. Not only was there no breach to speak of, the court questioned whether the statute applied to Ikon at all, since it did not collect any information.
Users of office equipment should obviously have some control over whether data is stored and erased when this equipment is returned to vendors such as Ikon. In some instances, the users may not want their data to be stored at all. But for some reason, many machines are manufactured to store such data. I wondered whether manufacturers provide a mechanism and instructions on how to wipe hard drives on office equipment. A quick Google search unearthed this LifeHacker post which advised on erasing a copy machine's hard drive ("Erase Your Copy Machine's Hard Drive to Wipe Important Documents"):
most manufacturers provide exact instructions on how to clear this data, so check your machine's manual before you get rid of it.
It looks like many manufacturers or vendors provide some instructions and a mechanism for making sure data is wiped from the equipment. But the court did not place responsibility on the vendor in this case to make sure this issue was addressed. It would have been nice to see some details around manufacturer/vendor practices and whether information on how to wipe the particular pieces of equipment in question was readily available (i.e., in the equipment manuals) but the court did not delve into this issue. Obviously individual employees may not have much control over storage and deletion of digital images, so they may want to avoid using office equipment to copy highly personal documents.
Related posts:
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
Acxiom Not Liable for Security Breach--Bell v. Acxiom
When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue
Posted by Venkat at 11:14 AM | Privacy/Security
August 04, 2011
Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud & Abuse Act -- Pulte Homes v. LIUNA
[Post by Venkat Balasubramani]
Pulte Homes, Inc. v. Laborers' Int'l Union, et al., 09-2245; 10-1673 (6th Cir. Aug 2, 2011)
I previously blogged about a case involving a labor dispute between Pulte Homes and Laborers' International Union of North America (LIUNA). After Pulte terminated a LIUNA member for alleged misconduct and poor performance, LIUNA became embroiled in a labor-relations dispute with Pulte. LIUNA allegedly exhorted its members and others to "bombard Pulte's sales offices and three of its executives with thousands of phone calls and e-mails." LIUNA allegedly hired an auto-dialing service and encouraged its members to call Pulte. It also engaged in a web-based email campaign where it encouraged visitors to its website to "fight back" and send e-mails to "specific Pulte executives."
Pulte sued LIUNA, asserting claims under the Computer Fraud and Abuse Act and state law. The district court denied Pulte's request for an injunction and dismissed Pulte's claims. Here is my blog post covering the district court's ruling: "Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act." The Sixth Circuit reversed the district court's ruling, finding that a phone or email bombardment campaign can constitute a violation of the Computer Fraud and Abuse Act. Pulte asserted two claims under the CFAA, one for unauthorized access which causes damage and the other for transmission of information, code, or a program which caused damage.
Access claim: The CFAA creates a cause of action based on the unauthorized access, or access in excess of authorization, of a protected computer. While acknowledging grey area in the statute over when conduct crosses the line from authorized to unauthorized access, the court holds that there's no grey area in this case, because the phone and email systems were set up to receive calls and emails without restriction:
LIUNA used unprotected public communications systems, which defeats Pulte's allegation that LIUNA accessed its computers "without authorization." Pulte allows all members of the public to contact its offices and executives: it does not allege, for example, that LIUNA, or anyone else, needs a password or code to call or email its business. Rather, like an unprotected website, Pulte's phone and email systems 'were open to the public, so LIUNA was authorized to use them.'
So far, so good.
Transmission claim: The court's resolution of the transmission claim was a little more problematic. The court assumes that LIUNA's communications constitute transmissions and that Pulte's phone and email systems qualify as "protected computers." This leaves two questions: (1) whether the transmissions caused "damage" and (2) whether LIUNA intended to cause damage.
The court notes that the statute only defines damage as "impairment to the integrity or availability of data, a program, a system, or information." Because the statute did not further define "impairment," "integrity," or "availability," the court looked to the ordinary meaning of these words:
'Impairment' means a 'deterioration' or an 'injurious lessening or weakening.' The definition of 'integrity' includes an 'uncorrupted condition,' an 'original perfect state,' and 'soundness.' And 'availability' is the 'capability of being employed or made use of.'
Applying these ordinary meanings, the court concludes that a transmission that weakens a sound computer system--or, similarly, one that diminishes a plaintiff's ability to use data or a system--causes damage. The court further concludes that taking Pulte's allegations as true:
LIUNA's barrage of calls and e-mails allegedly did just that. At a minimum, according to the complaint's well-pled allegations, the transmission diminished Pulte's ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some emails.
With respect to the intent element, the district court found that LIUNA did not intend to damage Pulte's systems because LIUNA did not fully "grasp . . . the actual consequences of its email campaign." The Sixth Circuit says this is too strict a standard. As long as LIUNA intended to cause a degradation of Pulte's systems, this is sufficient. The court looked to several of the allegations and found this intent satisfied: (1) LIUNA instructed its members to send thousands of emails to specific Pulte executives; (2) the emails came from LIUNA's server; (3) LIUNA encouraged its members to "fight back" after Pulte terminated several employees; (4) LIUNA used an auto-dialing service; and (5) some of the messages included threats and obscenity.
[Interestingly, after concluding that Pulte satisfied the elements of a CFAA claim, the court concludes that the district court properly denied the injunction on the basis that Pulte failed to comply with certain provisions of a statute relating to labor disputes: the Norris-LaGuardia Act.]
__
This case is Intel v. Hamidi revisited. That case involved a departed employee who engaged in an email bombardment campaign, and although the California Supreme Court rejected Intel's claims, it held that if a sufficient quantity of emails were sent which caused damage or disruption to Intel's system, this could state a claim for trespass. (I'm not sure what's up with email bombardment, but there have been several cases which address legal liability for this. Television pitchman Kevin Trudeau was hit with a contempt order after encouraging his supporters to send email to the judge hearing his case. The Seventh Circuit vacated this contempt order on procedural grounds. See "Seventh Circuit Vacates Contempt for E-Mail Barrage.")
Neither of the cases is perfectly analogous because in this case the plaintiff was proceeding under the Computer Fraud and Abuse Act. This is a statute that provides for civil and criminal liability, and is widely acknowledged as intended to deal with hacking.
The court cites to AOL v. National Health Care Disc., Inc., 121 F. Supp.2d 1255, 1274 (N.D. Iowa 2000) for the proposition that if "a large volume of [spam messages] cause slowdowns . . . [to AOL's servers] an impairment has occurred." However, this case relied in part on AOL's zany argument that by transmitting email to AOL members through AOL's servers, defendants were engaged in unauthorized access because spam violated AOL's member agreement. AOL argued also that the emailers extracted information in the form of email addresses, but the court denies AOL's motion for summary judgment finding that it's unclear whether the emailers were AOL members or third parties and whether the emails caused damage. The court in that case pointedly questioned whether the CFAA applied to the transmission of spam at all: "realistically, no federal statute currently exists which would prohibit a non-AOL member from sending UBE to any number of AOL members' e-mail addresses, without ever accessing AOL directly." Since the date of that ruling, a federal statute now exists (CAN-SPAM) but this statute would not cover LIUNA's actions in this case since none of the messages in question appear to be commercial email messages.
What's problematic about this case to me is that there were scant allegations that LIUNA engaged in any technical measures designed to slow down or cause "damage" to Pulte's website. The sole allegation was that LIUNA used an auto-dialer, but I wasn't swayed by the court's summary conclusion that the telephone lines were necessarily 'protected computers' or there had been a real 'slowdown' to the phone lines. Indeed, LIUNA's conduct--encouraging supporters to contact a third party to influence action--is something that others engage in with some regularity in the context of political and consumer advocacy. There's nothing in this case which distinguishes LIUNA's conduct from any other web-based action campaign. If you encourage people to flood someone's office with phone calls, you can be liable under the Computer Fraud and Abuse Act? Say what?
Given the fact that LIUNA lacked an obvious commercial purpose, and given the First Amendment interests involved, this decision is somewhat troubling.
Previous posts:
Posted by Venkat at 03:00 PM | Privacy/Security
August 01, 2011
Logging Into Someone Else's Facebook Account and Posting Messages on Their Friends' Walls Could Be Identity Theft -- In re Rolando S.
[Post by Venkat Balasubramani, with comments from Eric]
In re Rolando S., 2011 WL 3212879 (Ca. Ct. App.; July 21, 2011)
Background: Rolando was a juvenile who received an unsolicited text message with the victim's email password. According to the court, he used the password to gain access to the victim's Facebook account and posted several sexually inappropriate messages from the victim's account. The Facebook posts included posts on the walls of the victim's friends and the following change to the victim's profile:
Hey, Face Bookers, [sic] I'm [S.], a junior in high school . . . I want to be a pediatrician but I'm not sure where I want to go to college. I have high standards for myself and plan to meet them all. I love to suck dick.
The victim testified that she suffered stigma as a result of these and other posts. She said:
I used to love going to school. Now, I dread dealing with this every day.
The juvenile was prosecuted under a California statute (section 530.55) which applies to anyone who:
wilfully obtains personal identifying information [of the victim and] uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medication information.
Discussion
Did the defendant willfully obtain the victim's "personal identifying information"? The court holds that despite his argument that he "passively receiv[ed] the text message" which contained the victim's password information, he "willfully" obtained it because he remembered it or otherwise recorded it so he could use it later. Moreover, the court concludes that defendant willfully obtained the victim's Facebook account password. The record was devoid of evidence as to how exactly the defendant accessed the victim's Facebook account, and in the absence of any such evidence, the court says it's "reasonable to infer" that the defendant reset the victim's Facebook password using her email password, and then gained access to the victim's Facebook account.
Did the defendant use the victim's information for an unlawful purpose? In addition to obtaining the information willfully, the perpetrator has to use the information for an "unlawful purpose." The first possibility was that the defendant violated section 647.6, which applies when someone "annoys or molests any child under 18." However, under California Supreme Court precedent, this statute requires a motivation by "an unnatural or abnormal sexual interest in the victim." [emphasis added] The court concluded that the facts did not fit into this statute because the defendant had no real contact with the victim other than the Facebook posts and he also testified that he "intended his comments to be taken as a joke."
The second possibility was that the defendant used the victim's personal information to commit a tortious act. The defendant argued that "unlawful purpose" as used in the statute should be restricted to criminal conduct, but the court disagreed, noting legislative intent to expand the scope of the statute in amending it. The court also pointed to the fact that the definitions section of the statute included the term "crime," and the legislature chose instead to use "any unlawful purpose." The defendant practically conceded that his conduct satisfied the requirements of a civil defamation claim. The court therefore finds that defendant's act constituted libel and constituted an "unlawful purpose" under the statute. Alternatively, the court held that defendant's conduct satisfied the statute because it also constituted a criminal offense. Defendant's actions violated section 653m, which makes any contact with another person using "obscene language . . . by means of an electronic communication device . . . with [the] intent to annoy."
___
It's tough to muster much sympathy for the defendant, who was previously in trouble for reckless driving when he drove his car "at three girls in the school parking lot, but stopped abruptly several feet away from them in an attempt to scare them."
The definition of "personal identifying information" in the statute is broad. (We ran into an analogous problem in the Pineda case). It looks like the court focused on the Facebook password as being the PII in question that supported the violation of the statute, but the opinion is not totally clear on this. A broad definition of personal identifying information coupled with the court's decision to allow tortious conduct to satisfy the "unlawful purpose" could lead to a statute that is expansive in scope and which should raise everyone's First Amendment hackles. Given that the defendant used the email password to access Facebook, this does not feel to me like a case that pushed the statute to the limit.
Interestingly, the defendant argued that his conduct would violate California's newly enacted e-personation statute (section 528.5), which was effective January 1, 2011, and that the fact that this statute was passed demonstrates that the legislature did not view his conduct as violating the previously existing statute. The court disagrees with this argument, noting that the newly enacted e-personation statute has different elements from section 530.5:
Section 528.5 does not include a requirement that a perpetrator obtain personal identifying information. As a result, a person could violate section 528.5 by merely posting comments on a blog impersonating another person. There is no requirement, under these circumstances, that the person obtain a password -- a key distinction.
Yikes. This is precisely what is wrong with California's e-personation statute.
_______
Eric's comments
This case plays out as a Greek-style tragedy in three parts.
Part #1: Someone sent the victim's email password to the defendant. The court is vague about who did this or how that person got the victim's password.
This prompts one of my modern rules for clean living: never tell anyone else your passwords. EVER. (Another rule for clean living is to constantly change your passwords, but this is harder to obey). I am such a stickler about my passwords that I don't tell them to ANYONE. Certainly not to campus IT when they want to muck with my computer, but I don't even tell my passwords to my wife. (FWIW, my wife has told me many of her passwords, but I would never use them without her express instructions). I know there's a debate about the spouse-and-passwords dilemma. It's not that I don't trust my wife. I do, completely. But my rule is clean and simple. If someone other than me types in my password, then they ripped it off. (We'll revisit the problem of accessing a logged-in computer in a bit).
In this case, we don't know why the password-obtainer had the victim's password. Perhaps it was hacked. More likely, the victim made an error in judgment. Either way, the defendant apparently used the email password to help reset the Facebook password and access the Facebook account.
Part #2: The defendant misused the victim's password. It goes without saying that the defendant had no business logging into the victim's email or Facebook account. Doing so was inappropriate even if the defendant merely looked around, given the amount of private information stored in email and Facebook accounts. It was even worse to publish content under that person's name, and worse still to post fake come-ons for sex.
Having said this, once a juvenile finds out he/she can access a peer's Facebook account, it seems like it would be almost irresistible to muck around with it. I don't want to dismiss this entirely as "kids will be kids," but I'm sure a non-trivial percentage of kids would take advantage of a peer's password if the circumstance presented itself. Perhaps it's like the joyriding of days of old. If people left keys in their cars, some kids would take the cars for a spin. We can enact draconian laws to discourage joyriding, but if keys are left in cars, joyrides are inevitable. Here, the defendant basically took the victim's Facebook account for a joyride. It was unquestionably wrong behavior, but given its inevitability, it probably shouldn't be felonious.
The defendant's behavior here is analogous to the fake online profiles that teens set up for school officials. I blogged in more detail about that phenomenon last year. In connection with the DC v. RR case, I also blogged on the problems of kids saying hyperbolically outrageous things online that aren't amenable to punishment under traditional defamation or bullying laws. All of these examples remind us that kids are going to push limits with electronic tools just like they do offline. We need to find safer ways to let kids be kids online without ruining their lives.
Part #3: The court stretched the identity theft statute too far. As Venkat recaps, the court confronted several statutory ambiguities without any good common law precedent. The court also didn't acknowledge or consider any constitutional concerns with its ruling. Instead, the court reaches the counterintuitive and potentially troubling result that publishing fake content through someone else's account steals their identity. Obviously that takes us a pretty far distance from a paradigmatic case of pretending to be someone for commercial benefit (i.e., what I typically think of as "theft").
As Venkat indicates, the ruling reinforces why we should be nervous about California's recent "e-personation" law, which is even more broadly written and applies even when there's no password misuse. It also shows why expansive identity theft laws should be feared, not encouraged. For more on that point, see my post about Illinois' identity theft law.
This ruling leaves open two obvious questions:
1) will it always be identity theft to use a third party password to publish fake content via someone else's account?
2) will it be identity theft to access a third party or shared computer and publish fake content via someone else's account? In that case, the password isn't obtained at all. Given how many people always leave their computers logged-in to various services, I imagine this happens with some frequency.
Posted by Venkat at 03:06 PM | Privacy/Security
July 27, 2011
Power.com Up For Auction -- Facebook v. Power Ventures
[Post by Venkat Balasubramani]
Facebook v. Power Ventures, Case No. 5:08-cv-05780 JW (N.D. Cal.)
[Update/Clarification: I received an email from the CEO of RokMe Inc. (who is handling the power.com auction) to this effect:
Power.com is being sold by its owner Power Assist Inc. The domain was never owned by Power Ventures. According to Scott Smith (CEO of RokMe Inc. who is handling the auction) the domain was always owned by Power Assist Inc. (or its beneficial owner). The domain name was only leased to Power Ventures, and when the lease expired, the owner of the domain name decided to sell it.]
We've blogged a bunch about Facebook v. Power Ventures. Power Ventures operated power.com and billed itself as a social network aggregator. Facebook was unhappy with, among other things, the fact that Power.com allowed Facebook users to access their Facebook accounts and extract data (and contacts) through Power.com, which bypassed Facebook's developer program.
The dispute received attention because it raised the issue of data ownership--whether Facebook could prevent a third party from accessing or exporting user data, when the third party engaged in access purportedly on behalf of users (who arguably owned the data). Facebook primarily proceeded under the theory that access of Facebook by Power Ventures violated California's anti-hacking statute. Judge Ware agreed, and held that Facebook could make out a violation of the statute, to the extent Power Ventures circumvented technical barriers in accessing Facebook. (The EFF weighed in on the dispute, arguing that the California statute should be construed narrowly.)
Since then, very little activity has taken place in the dispute. Power Ventures moved for summary judgment, but Facebook successfully resisted the motion on the basis that it had not had an opportunity to conduct sufficient discovery.
Now I see a report from Domain Name News that power.com is listed as being up for auction (minimum bid - $2.5mm!). I'm not sure when power.com shut down its service, but this is certainly a public admission that Power Ventures is not looking to continue the fight with Facebook for the sake of operating the service at power.com. At this point, given that only attorneys' fees are at stake, I'm surprised the parties don't quickly settle. (I would be surprised if Facebook is looking to recover significant damages from Power Ventures. To the extent it is, Facebook may assert some sort of lien on the auction proceeds.) Sidenote: I wonder what happened to the user data from power.com?
Previous posts:
Power.com Counterclaims Dismissed -- Facebook v. Power Ventures
Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com
EFF Weighs in on Facebook v. Power Ventures -- Facebook v. Power Ventures
Posted by Venkat at 09:39 AM | Privacy/Security
July 19, 2011
Judge Ware OKs Immediate Appeal of Street View ECPA Ruling -- In re Google Inc. Street View Electronic Communications Litigation
[Post by Venkat Balasubramani]
In re Google Inc. Street View Electronic Communications Litigation, 2011 WL 2571632 (N.D. Cal. July 18, 2011) (Order granting Google's request to certify and staying case) [pdf]
Judge Ware recently denied Google's request to avail itself of the "Readily Accessible to the General Public" ECPA defense in the Street View litigation. Judge Ware's ruling acknowledged that it was a novel issue, and both Eric and I expressed surprise at the ruling. (See "Judge Ware: Google Not Entitled to 'Readily Accessible to the General Public' Defense in Street View Class Action.")
Google sought an interlocutory appeal because of the issue's novelty, the importance to the litigation's outcome, and the possibility that reasonable judges may disagree on the outcome. Judge Ware granted Google's motion and certified the question for interlocutory appeal.
This means that the lawsuit is stayed at the trial court level while the Ninth Circuit hears the appeal. I'm sure Google wants to get this lawsuit resolved, but it would much rather spend a year in the appeals court than being mired in discovery at the trial court level. Plaintiffs can't be too happy about this turn in the lawsuit.
What are the chances of success for Google on appeal? It's anyone's guess, and Judge Ware's opinion was thorough and written with an eye to the appeals court, but I can see a judge or two disagreeing with Judge Ware. [If I could predict the outcome of appeals in the Ninth Circuit, I would be doing something a lot more gainful than lawyering and blogging!] EPIC weighed in as amicus in the trial court, and I would expect that there will be others involved as amici in the Ninth Circuit. In any event, this will be a high stakes, fun-to-watch appeal.
Other coverage:
Judge Grants Google ‘Street View’ Wiretap Appeal (Wired)
Posted by Venkat at 11:19 AM | Privacy/Security
July 15, 2011
Court Denies Injunction in Webcam Case Against Aarons -- Byrd v. Aarons, Inc.
[Post by Venkat Balasubramani]
Byrd, et al. v. Aaron's, Inc., et al., 11-cv-00101-SJM-SPB (W.D. Pa. July 8, 2011). Magistrate report. Judge's approval.
Plaintiffs leased (and then purchased) their computer from Aspen Way, a franchisee of Aaron's. Many of the computers leased by Aspen Way reportedly had a piece of software called "PC Rental Agent" installed on them. This software was designed (by DesignerWare) purportedly to "assist rental companies in the recovery of lost or stolen computers." One feature of this program allowed for the remote capture or recordation of "keystrokes, screenshots, and photographs" from a computer it was installed on.
Crystal and Brian Byrd received a visit from someone who by mistake sought to repossess the laptop which they had purchased from Aspen Way. The repo man showed the Byrds a picture of Brian which was taken from the webcam of the Byrds' computer. The Byrds called the police, who came to investigate. The police took the Byrds' computer (presumably for investigative purposes).
The Byrds sued Aaron's, Aspen Way, and DesignerWare, alleging violations of the Wiretap Act and the Computer Fraud and Abuse Act. They sought an injunction seeking four different items of relief, but resolved the bulk of the issues, leaving for the court the sole issue of whether the court should enjoin "suspension of the Detective Mode of the PC Rental Agent."
Somewhat surprisingly, the court denies the request for injunctive relief. At oral argument, plaintiffs argued that irreparable harm was a given:
I can't imagine anything more obvious than this prong. You have literally thousands of people who are sitting at their computers right now who have this program on it where detective mode may be enabled today, tomorrow, at any time, and this information, private information, can flow from their kitchen table through the server in Erie and back to the people who they don't know in these local stores. I don't know when a trial will be set in this case, but I do know that this is--there will be irreparable harm if this information, private information will be distributed.
The court finds that because plaintiffs' laptop was no longer in their possession, there is no showing of ongoing irreparable harm as to plaintiffs. With respect to other potential members of the class, the court finds that
it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information.
The court cites to the testimony of the co-owner of DesignerWare that only eleven computers were transmitting information to Aaron's franchises. (Roughly 80 to 100 computers are supposedly reported "stolen" from Aaron's in any given month.) Plaintiffs also submitted the testimony of a former employee of Aspen Way, who was a sales manager and testified that she witnessed Aspen Way employees viewing personal information of Aspen Way customers (including bank accounts, names, addresses, and social security numbers). The court rejects this evidence, finding that it does not speak to the current practices of the particular franchise in question and is thus not relevant to the irreparable harm analysis.
While it is permissible to grant injunctive relief based on the type of testimony adduced by plaintiffs and in protection of as-yet-unnamed class members, the court declines to do so in this case. Along the way, the court drops a footnote, expressing some skepticism as to the merits of the case. The court notes that it's entirely unclear that the information collection at issue constitutes an "electronic communication," because there is no evidence that Mr. Byrd was "online" when the information was collected. The court also says it has "grave doubts" as to whether the communications "affected . . . interstate or foreign commerce." The court also states that it is unclear as to whether the Wiretap Act reaches a person's "communication with his own computer."
__
Yikes! Privacy class actions seem out of control to me, but I'll admit even I was surprised by this result. I'm equally surprised that the Aaron's-affiliated defendants did not all just stipulate to suspending use of the software until things were sorted out. (Aaron's, Inc. did, but its franchisee Aspen Way did not. In fact, Aspen Way did not participate in the hearing, which makes the denial of injunctive relief all the more perplexing.) Setting aside whether the court was correct in its view of the merits of the case, the court takes an unduly restrictive view of the facts when it states that no "interception" of an electronic communication occurred because there was no evidence that Mr. Byrd was online or communicating with someone else when the image in question was captured. Surely, given the ex-employee's testimony as to what type of information was viewed through use of the software, it's fair to presume that the Aspen Way employees are not sitting around making sure that the capture only occurred while the computer user was offline or not communicating with another person. The court's skepticism about whether the communications in question affected interstate commerce also seems off-base. The communications of Aspen Way customers probably traveled halfway around the world, even if they were transmitted between computers that were in the same city.
This is not to say that it should be an easy path to finding liability for all defendants. DesignerWare developed the software in question, and it's far from clear that it should face liability as a developer/vendor for what may turn out to be the errant acts of Aspen Way employees. (See the SpectorSoft keylogger case: "Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft.") Similarly, it's also unclear as to whether Aaron's Inc. should face liability for the CFAA and Wiretap Act violations of Aspen Way employees or for the acts of its franchisee. Courts are mixed on whether you can even assert a derivative claim under the CFAA. Regardless, both claims will probably require some showing of knowledge on the part of Aaron's Inc., the deep pocketed defendant.
Another pair of laptop cases, also out of Pennsylvania, involved a school district's use of webcams to allegedly spy on students. Those cases settled, with the school district agreeing to pay a named plaintiff $175,000 along with attorneys' fees of $425,000. I'm guessing this setback will not deter plaintiffs, who probably will soldier on in discovery and see what they can unearth (despite a clearly unsympathetic judge).
Other coverage:
"Injunction Denied in Rental Computer 'Spyware' Case" (Courthouse News)
Posted by Venkat at 12:30 PM | Privacy/Security
July 12, 2011
Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
[Post by Venkat Balasubramani]
Zimmerman v. Weis Markets, Inc., CV-09-1535 (Pa. Ct. Common Pleas; May 19, 2011)
Courts continue to struggle with the discoverability of social network evidence in civil cases and the logistical problems posed by these discovery disputes. In this case, the court orders the plaintiff to turn over his Facebook and MySpace passwords to defendant.
This was a personal injury case where plaintiff sued Weis Markets for injuries he suffered on the job. Weis Markets had a contracting relationship with plaintiff's employer. Plaintiff sought damages for physical injuries, but also for "suffering, scarring and 'embarrassment'."
Weis Markets reviewed the publicly available portions of plaintiff's Facebook and MySpace pages and discovered a bunch of clearly relevant evidence: (1) photographs of the plaintiff with a black eye, before and after the accident; (2) photographs of the plaintiff wearing shorts, which he claimed he was too embarrassed to do because of the accident, and (3) the fact that plaintiff listed "ridin" and "bike stunts" as interests.
The court weighs plaintiff's privacy arguments and finds that they are insufficient to overcome defendant's need for the requested information. Quoting Romano v. Steelcase, the court notes that refusing the discovery request would:
condone Plaintiff's attempt to hide relevant information behind self-regulated privacy settings.
The court also relies on the fact that Facebook's terms do not guarantee privacy (regardless of what Facebook may say):
It is well publicized that Facebook's privacy policy and its revisions have been the subject of criticism and controversy that may be never ending. One need only "Google" search the terms "Facebook privacy" for an exhaustive list of . . . articles on the topic.
Ouch! The court also drops in a warning to social networkers everywhere that the details you share with your social circle are not magically off-limits in litigation:
By definition, a social networking site is the interactive sharing of your personal life with others; the recipients are not limited in what they do with such knowledge. With the initiation of litigation to seek a monetary award based upon limitations or harm to one's person, any relevant, non-privileged information about one's life that is shared with others and can be gleaned by defendants from the internet is fair game in today's society.
The court orders plaintiff to turn over his log-in information for all MySpace and Facebook accounts and also orders plaintiff to not delete or alter "existing information and posts" on those accounts.
__
I don't have a good solution to the logistical problem posed by this discovery dispute, but I'm convinced that forcing a party to hand over his or her log-in information is not the correct result. Problems with this approach are legion, starting with the fact that the party seeking discovery will undoubtedly be exposed to irrelevant, non-discoverable information that may be private, intimate, or embarrassing. There's a chance that attorney/client privileged communications can be exposed. There's the possibility that the party who gets access to the profiles may alter or delete information unwittingly, or change settings. Then there's also the thorny Stored Communications Act issue, which prevents the party from seeking any private communications directly from the social networking site by means of a subpoena. Is court-ordered disclosure of the log-in information an end-run around the Stored Communications Act?
Interestingly, in the criminal context, a district court is currently considering whether a defendant can be compelled to reveal a decryption password. ("DOJ: We can force you to decrypt that laptop.") Whether the government can force you to reveal your encryption password depends on different standards than those applicable to a civil discovery matter, but there are still interesting parallels.
A better approach is to generate some sort of inventory of the page, similar to a privilege log. Of course, this runs into the problem that it relies on the good faith of the party who creates the inventory. An alternative is for the court to conduct in camera review. The court rejects that proposal outright here, saying that this would be "an unfair burden to place on the court, which would not only require the time and resources necessary to complete a thorough search of these sites, but also require the court to guess as to what is germane to defenses which may be raised at trial."
Finally, I'm not sure what to make of the court's directive to the plaintiff to not alter or delete "existing information or posts" on his Facebook and MySpace accounts. I guess you could imply a "relevant to the dispute" limitation onto this, but the court does not include such a limitation here, and it's overly broad for the court to order the plaintiff to not delete or alter any of the content in his accounts.
Additional coverage:
Pa. Court Finds Facebook Posts to be Discoverable Evidence
Previous posts:
Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier (June 2, 2010)
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville (June 9, 2010)
Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase (Sept. 29, 2010)
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway (Oct. 24, 2010)
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson (May 19, 2011)
Court Conducts in camera Review of Plaintiff's Facebook Page to Resolve Discovery Dispute -- Offenback v. Bowman (June 24, 2011)
Posted by Venkat at 08:55 AM | Evidence/Discovery , Privacy/Security
July 06, 2011
Supreme Court Strikes Down Statute Restricting Sale and Use of "Prescriber" Data on First Amendment Grounds -- Sorrell v. IMS
[Post by Venkat Balasubramani with comments by Eric]
Sorrell v. IMS Health Inc., 10-779 (June 23, 2011) [pdf]
The Supreme Court struck down a Vermont statute restricting the dissemination of "prescriber-identifiable" information for marketing purposes. While this case was viewed as one that could potentially have far-reaching effects on data-mining and privacy, the majority and dissenting opinions ended up disagreeing on the level of protection accorded to commercial speech.
The Vermont statute was aimed at data-mining companies which gather information regarding what drugs doctors prescribed. Drug companies obtained and used this information to better target their marketing efforts to doctors. The statute restricted the sale or transfer of this information to make it harder for the drug companies to target. The statute also restricted pharmaceutical manufacturers from using this information for "marketing or promoting a prescription drug" without the prescriber's consent. The statute included an exception which allowed use of this information for education and research purposes. Finally, the statute set aside funds for a "prescription drug education program," which would inform prescribers as to when generic alternatives became available for drugs which they prescribed. (The statute was not aimed at the dissemination of patient information, which the data-mining companies did not disseminate or sell--as Professor Goldman notes, this case was only nominally about privacy.)
Majority: Justice Kennedy wrote that "speech in aid of pharmaceutical marketing ... is a form of expression protected by the First Amendment." In his view, the statute restricted certain speakers from disseminating certain types of content to particular recipients. Because the statute was discriminatory in this respect, it was subject to a heightened level of scrutiny. Applying this scrutiny, he finds a poor fit between the State's goals and the statute.
The first justification asserted by the State was prescriber privacy. However, the existence of numerous exceptions to the statute, including an exception for educational and research uses, undermined this objective. While the State pointed to the fact that the statute contained an exception for prescriber consent, the Court finds that this merely offers a "contrived choice." Either the prescriber withholds consent, which allows prescriber information to be used in support of the State's message, or grants consent and allows for the wide dissemination of the information.
The second justification offered by the State was that the statute would lower the cost of medical care. The Court finds that while this is a laudable and important goal, the State may not accomplish this goal by "restraining certain speech by certain speakers." If the State wants to tip the balance in favor of generic drugs, this is an acceptable goal, but it cannot accomplish this goal by hamstringing the marketing efforts of the drug companies who manufacture brand-name drugs.
Dissent: Justice Breyer wrote in dissent that since commercial speech was at issue the Court should employ a lower standard, and not require a perfect fit between the State's asserted goals and the means. In fact, he even seemed skeptical that speech was at issue at all, since the statute regulated the transfer of data, and not necessarily a particular message. In his view, this was just one aspect of the State's overall regulatory program which the government should have room to pursue.
---
The big question is whether this decision will have broader effect for data mining or behavioral targeting. I'm guessing it will probably have less effect than what people envisioned. More than anything this case represents a victory for commercial speech, which has steadily inched up the scale in the amount of protection it is accorded.
The fact that the sale of data is characterized as speech deserving of a high degree of protection may make it tougher for legislators to enact laws which regulate the transfer of consumer information, but what bothered the majority here is that the purported privacy interest was ill-served by the statute and the fact that the state sought to favor one set of products by suppressing the flow of data to its marketers (while allowing the competition to use the information). To use an analogy, the State went beyond restricting the transfer of information to car manufacturers for marketing purposes. It authorized the use of this information only by manufacturers of electric cars.
Will this opinion affect more general laws aimed at the collection, use, or transfer of information for marketing purposes? Some of these already exist in specific contexts (e.g., COPPA for information collection from children under 13; CAN-SPAM includes provisions restricting the transfer of email addresses in certain contexts; the Video Privacy Protection Act deals with video tape rental records; and there's of course HIPAA, which deals with patient records). Provided that the regulation is not discriminatory, this case should not present an impediment to enacting this type of legislation.
The Court's treatment of the consent issue was interesting. Are doctors really so powerless from a bargaining standpoint that they can't take steps in the market to somehow fix the supposed forced-consent issue? The majority opinion had a paternalistic tone to it, which may make sense if the statute was dealing with patient records and patient choices, but I found it odd, given that the statutory scheme was about sales pitches to doctors!
Other coverage:
CDT Statement on Supreme Court Decision in Sorrell v. IMS Health (CDT)
Information is not Beef Jerky (info/law)
Supreme Court Rx Records Case: Not So Bad (info/law)
Court’s data-mining ruling: big change on commercial speech? (First Amendment Center)
_________
Eric's comments:
I agree with Venkat's comments but I wanted to add a few more:
Let's start with two basic premises: (1) healthcare costs have spiraled out of control, and (2) doctors' medical decisions are a big part of that. For example, it turned out that Wisconsin healthcare costs were unusually high because Wisconsin doctors are more likely to require various tests/diagnostics than doctors in other areas. It was unclear if this was because local doctors had a heightened fear of malpractice liability, different regional norms, different assessments of medical best practices or something else. However we get there, the cumulative effect of Wisconsin doctors' choices was dramatic: enormous healthcare insurance premiums (and heaven help you if you didn't have medical insurance).
Therefore, it's quite logical for a state to look more closely at doctors' drug prescribing choices both as a matter of public health and fiscal responsibility. If a state could identify systematic drug prescribing judgment-calls that unnecessarily jack up medical costs, it would be in the public interest to curb those.
The theory behind Vermont's statute (and other states in the Northeast that adopted similar laws) is that doctors are overprescribing branded pharmaceuticals when they could be prescribing generic drugs instead; and that doctors are overweighting branded drugs because drug reps are bending their ears to persuade them to prescribe the branded drug in preference to the generics; and that the drug reps are successfully persuading doctors to make this choice because the drug reps are armed with the doctor's past prescribing practices and therefore can make a more effective but socially unwanted sales pitch that is overriding the doctor's own medical judgment that would otherwise lead the doctor to prescribe the generic drug.
Stated this way, we see that the statute is targeting a problem (high medical costs) through a very indirect means (suppress a doctor's past prescribing practices from drug sales reps). Should any inference in this logic chain be wrong, then the statute is, at best, ineffectual. However, there are a broad range of other ways the state could try to remediate the problems with branded drugs jacking up medical costs, including monkeying with the states' reimbursement policies for branded vs. generic drugs; counter-educating doctors about the merits of generic drugs; educating patients about the bioequivalence of branded and generic drugs so they could make their own substitutions or push their doctors to prescribe generics when available; etc. The state was trying some of these as well.
There are two other aspects of the unique situation of doctors that I feel get lost in the top-line headlines. First, the whole concern here is face-to-face meetings between doctors and drug sales reps. Given how hard it is for us as patients to see our doctors face-to-face, it is a little shocking that doctors are voluntarily choosing to spend discretionary time with the drug reps for meetings that the doctors know are sales pitches. Why are the doctors allocating their time this way?
Putting aside the odds that the drug sales rep is very attractive and charming (have you ever noticed that on the Survivor TV show, the former beauty queens all list their job title as "pharmaceutical sales"?), it's presumably because doctors find the meetings valuable to them. Indeed, even Justice Breyer in dissent acknowledges that the drug sales reps impart valuable information in those meetings. The state statute very explicitly tried to make those meetings less useful to doctors by making the drug sales rep less well-prepared. If the drug sales reps wanted to provide tailored information to the doctor's practice, the drug reps would have to take time out of these meetings to interrogate doctors about their prescribing practices; and if the doctors concluded that the meetings weren't productive because they took too much time on irrelevant or uninteresting chatter, the doctors would simply skip the meetings entirely and perhaps lose the other valuable information being exchanged in the meetings. So before we get too worked up about the evilness of the drug reps working against the consumer interest, we should not forget that very busy doctors are voluntarily choosing to take these meetings, and doctors can and will choose otherwise when it doesn't make sense for them.
Second, the opinions talk a lot about "privacy," and this baffled me. Everyone agrees we're not talking about patient privacy. Instead, there is some back-and-forth on DOCTOR privacy in their prescribing patterns. What??? In this situation, doctors are business operators making business decisions. Tracking their prescribing decisions is similar to tracking how other businesses interact with third party vendors. We might have concerns about how tracking these decisions exposes trade secrets or competitive intelligence, but we wouldn't talk about business decision-making as being covered by "privacy" concerns. So the notion that this case teaches us anything about "privacy" law confuses me greatly.
In the end, what we really want to know is whether this case will enable more First Amendment challenges to behavioral advertising or other privacy statutes. I personally don't feel any more knowledgeable about that question after reading the majority and dissenting opinions. Part of this reflects my cynicism about the Supreme Court's First Amendment jurisprudence, which still seems to me to be developed case-by-case instead of forming a coherent body of law. Part of this reflects the quirks of Vermont's statute, which suffered from two easily targeted defects. First, it sought to regulate the doctor-drug rep conversation, setting up the possibility of content-based and perhaps even viewpoint-based review. Second, Vermont changed its position about who could get access to the database of prescribing information, and this flip-flopping gave the majority extra reasons to suspect the state's policy rationales. So I suspect that Vermont or other states could find a way to draft around this opinion if they chose to; and I'm skeptical that other behavioral advertising or privacy laws would set off the justices' First Amendment hackles like this statute did.
Posted by Venkat at 12:19 PM | Marketing , Privacy/Security
July 02, 2011
Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions
[Post by Venkat Balasubramani]
Animators at Law, Inc. v. Capital Legal Solutions, 10cv1342 (E.D. Va.; May 10, 2011)
This lawsuit presented an increasingly familiar fact pattern. Employees leave a company and the employer sues the ex-employees under the Computer Fraud and Abuse Act for accessing the employer's computers without authorization. I previously blogged about US v. Nosal, which held that any violation of an employer's network use policy can constitute "unauthorized access" under the CFAA. In addition to proving that the employee engaged in unauthorized access of an employer's computer system, the CFAA contains a $5000 jurisdictional loss threshold. This case focuses on what the employer must show in order to satisfy that jurisdictional threshold. The answer: not much.
The now ex-employees quit and took a company-owned laptop. Animators, the employer, realized this a week after the employees left, and promptly hired a forensic computer security/data recovery firm to assess the damage. The firm performed its services and realized that some files had been deleted from the laptop. Animators also concluded that the employees accessed its Dropbox account where the company stored files. The ex-employees apparently also accessed a time-keeping program which the employer used.
The court denied the ex-employees' motion to dismiss and granted limited discovery on the issue of what "losses" Animators had suffered as a result of the alleged data breach. Following limited discovery, the ex-employees brought a motion for summary judgment. The court denies the motion.
The forensic firm hired by Animators had an engagement letter in place with Animators which said that it would bill Animators on an hourly basis at $0 per hour. After the court denied the motion and allowed discovery, the forensic firm invoiced Animators. The invoice included approximately 63 hours of professional services for $24,000 and hosting services for $29,000. Animators acknowledged that it did not pay the forensic firm in cash for these services. However, the principal of Animators testified that he apparently made available the "Law Prospector" subscription services offered by one of his affiliated entities at no charge to the forensic firm.
The key issue was whether the invoices issued by the forensic firm were a sham or whether Animators actually incurred the costs. Animators explained the belated invoice on the basis of a credit relationship between Animators and the forensic firm. Apparently the parties did not operate on a cash basis. (!) The court agrees with Animators and rejects the ex-employees' position, finding that there is nothing in the Computer Fraud and Abuse Act which requires the aggrieved party to actually shell out cash in the course of taking remedial steps in response to an incident involving unauthorized access to its computers. The court notes that the CFAA expressly states that value of in-house time spent addressing a breach can go towards satisfying the loss requirement and this points in the direction that the CFAA does not restrict plaintiffs to claiming cash-based losses. (The CFAA contains a broad definition of "loss," which includes: (1) the cost of responding to an offense, (2) the cost of conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and (3) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Courts are split on whether lost revenues are recoverable absent an "interruption in service," and whether there has to be a relationship between the lost revenues and the unauthorized access.)
The court was required to take a view of the facts at summary judgment that was most favorable to Animators, but the record as described by the court was littered with red flags. The fact that the invoice was sent by the forensic firm after the court denied the motion to dismiss and the fact that the engagement letter between the forensic firm and Animators required the firm to provide Animators services at "zero dollars per hour" were just some of these red flags. Others included the fact that Animators' principal spent twelve hours setting up a box.net account after the Dropbox account used by the ex-employees was determined to have been compromised. The court notes in passing that the Dropbox password "was not disabled" after the ex-employees left. As a final bonus, Animators' counsel spent thirty hours assisting Animators with its remediation efforts. (I'm not suggesting there was anything improper about this, but thirty hours is a lot of time.)
It's tough to get a clear sense of what happened from the record, but the court does not seem to take into account steps Animators could have taken which would have prevented or mitigated the losses. For example, when the ex-employees left, Animators could have asked them to leave the laptop on their final day. Animators could have also disabled the Dropbox password which the ex-employees used to access Animators' account. The CFAA allows a plaintiff to use costs attributable to "reasonable" steps to satisfy the damages threshold, but the court does not employ a very strict definition of reasonable here. I blogged about US v. Nosal a while back. ("9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal.") That case held that any violation of an employer's network policy--including, for example, using internet access for personal reasons--is sufficient to find liability under the CFAA. When you add a lax definition of what's reasonable in response to an alleged breach, employers are virtually guaranteed to be able to make out a prima facie CFAA claim against ex-employees.
The CFAA was a statute that was intended to address hacking. The Lori Drew case was one example of a use of this statute by prosecutors outside its intended scope. Use by employers in this type of a case is another example. The CFAA has become a potent weapon in the hands of employers, who have taken to asserting CFAA claims against ex-employees as a matter of course.
Posted by Venkat at 03:40 PM | Privacy/Security , Trespass to Chattels
July 01, 2011
Judge Ware: Google Not Entitled to "Readily Accessible to the General Public" Defense in Street View Class Action
[Post by Venkat Balasubramani, with comments from Eric]
In re Google Inc. Street View Electronic Communications Litigation, 2011 WL 2571632 (N.D. Cal. June 29, 2011) (Order) (Google's Motion to Dismiss) (Google's Reply) (Google's Supplemental Brief) (EPIC's Amicus Brief)
The multitudinous consolidated lawsuits over Google's access of plaintiffs' Wi-Fi networks, as part of its Street View data collection, survived an important juncture this week. Judge Ware rejected Google's defense that it cannot be held liable under the Electronic Communications Privacy Act because the Wi-Fi transmissions were "radio communications" which were "readily accessible to the general public."
Background: Google deployed its Street View vehicles to capture 360 degree views of the streets. Google's vehicles were equipped with 3G/GSM/Wi-Fi antennas and "custom-designed software for the capture and storage of wireless signals and data." Google also deployed smaller vehicles known as "Google Trikes," which were outfitted with cameras and Wi-Fi equipment, to "capture photo and Wi-Fi data from areas inaccessible to cars." Although Google issued a press release letting the public know that it intended to use these vehicles to capture photo data, it did not inform the public of its intent to capture Wi-Fi data.
Multiple class action lawsuits were filed across the country, and these were all consolidated and transferred to Judge Ware in the Northern District of California. Plaintiffs brought claims under the ECPA, state wiretap statutes, and Cal. B&P 17200.
Discussion: Google argued that state wiretap law claims were preempted, and there was no "money or other property" taken by Google that the Court could force Google to disgorge under the unfair competition statute. With respect to the ECPA claim, Google argued that since the Wi-Fi networks were configured in a manner that was "readily accessible to the general public," the ECPA claim failed.
ECPA Claim: The ECPA provides for a private right of action but also contains a section which provides exemptions to this. One of the exemptions is a general one for an interception of an "electronic communication" that is readily accessible to the general public (2511(2)(g)(i)):
It shall not be unlawful . . . to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.
A separate subsection (2511(2)(g)(ii)) also provides an exemption that is applicable to the interception of "radio communications," but this subsection contains a laundry list of the types of "radio communications" which are exempt (none of which were readily applicable in this case). Separately, the statute contains a definition (2510(16)) for when something is "readily accessible to the general public," and this definition says that "'readily accessible to the general public' means, with respect to a radio communication" that such communication is not (among other exceptions) "scrambled or encrypted."
When I see these three sections of the statute, I see a drafting error, or at least some seriously clunky drafting. The most obvious interpretation to me is that a "radio communication" enumerated in 2511(2)(g)(ii) is exempt. A "radio communication" that is spelled out in 2510(16) is also exempt, because it is "readily accessible to the general public." (Anything that fits 2510(16) would fall within 2511(2)(g)(i).) Judge Ware didn't see it this way. He sees the definitions of 2510(16) as describing exceptions that only apply to "traditional radio broadcast mediums." According to Judge Ware, these definitions "do not address any broader radio-based communications technology of the time," nor do they address modern technologies--such as Wi-Fi--that were obviously not contemplated by the drafters of the statute. As support for this interpretation, Judge Ware points to the legislative history, which indicates a reluctance to include cell-phone transmissions within the scope of the exception. (This part of the discussion really confused me.) At the end of the day, even though plaintiffs failed to plead that their Wi-Fi networks were scrambled or encrypted (and arguably made admissions to the contrary), Judge Ware concludes that:
the wireless networks were not readily accessible to the general public as defined by the particular communications system at issue, wireless internet networks, which are not "radio communications," as the term was intended by Congress in drafting Section 2510(16).
Google also argued that United States v. Ahrndt [pdf] supported its interpretation of the statute. Ahrndt was a criminal case where a defendant moved to suppress evidence that defendant's neighbor encountered while accessing the defendant's wireless network. When the neighbor accessed the network (which was open), she could view the files in defendant's iTunes library, which included child porn. The court denied defendant's request (citing 2511(2)(g)(i)) to suppress the evidence because defendant had configured his system so "the electronic communications [at issue were] readily accessible to the general public." Judge Ware distinguished Ahrndt because, in the Street View case, the users had only set their Wi-Fi settings so that the networks themselves (and not the content) were accessible to the general public.
State wiretap claims: Google argued that ECPA preempted plaintiffs' claims under state wiretap statutes. Judge Ware found that although there was no express preemption in the statute, ECPA demonstrated a Congressional intent to comprehensively regulate the field. Therefore, the state law claims were preempted. The order does not cite Valentine v. NebuAd [pdf], also recently decided in the Northern District, where Judge Henderson came to a contrary conclusion.
Section 17200 claims: Plaintiffs' section 17200 claims suffered a familiar flaw: they were unable to allege that they lost "money or other property" as a result of Google's actions. The court rejects the argument that "data packets" are property for section 17200 purposes, finding that recognizing a property interest in data would undermine the intent of Proposition 64 (which created stricter standing requirements for Section 17200 claims).
__
I'm not sure where to begin with this one. This is yet another case where the statute was written with certain technology in mind, and the court struggles with which box the present day technology belongs in. Is a transmission via open Wi-Fi a "radio transmission"? An "electronic communication"? Both? It's unclear from the order where the court comes out on this issue. There is no dispute that Wi-Fi was not around when the statute was drafted or more recently amended, and the contortions required to figure out what statutory box it fits in are downright painful.
A factual question which did not receive much attention in the order was how difficult it is for the average person to access someone else's content through an open Wi-Fi. Is this the same as picking up a transmission on a ham radio? Is this like picking up police scanner transmissions? Google argued that accessing data through an open Wi-Fi can be easily accomplished using inexpensive (or free) and widely available software, but there wasn't much discussion of this in the court's opinion. The fact that Google reportedly filed for a patent over some aspect of this did not help its argument.
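The factual question above has a concrete technical answer that the order never reaches: a passive sniffer does not have to attempt any decryption to sort "open" traffic from "scrambled or encrypted" traffic, because every 802.11 frame header carries a Protected Frame bit announcing whether its payload is WEP/TKIP/CCMP ciphertext, and every beacon carries a Privacy capability bit announcing whether the access point requires encryption at all. The Python below is an added example, not code from the case record or from Google's Street View software; it decodes those two header fields and tallies, per access point, how many data frames went over the air in the clear. The frames are constructed inline rather than captured, and the BSSID and station addresses are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


@dataclass
class FrameInfo:
    ftype: str
    subtype: int
    protected: bool              # Protected Frame bit: payload is WEP/TKIP/CCMP ciphertext
    bssid: Optional[str]
    ap_privacy: Optional[bool]   # beacons only: Privacy bit in the AP's capability field


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode the 802.11 MAC header (and, for beacons, the fixed capability field)."""
    if len(frame) < 24:
        raise ValueError("shorter than a 24-byte 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]                 # Frame Control, little-endian
    ftype = FRAME_TYPES.get((fc0 >> 2) & 0x3, "reserved")
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & 0x40)
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address field holds the BSSID depends on the ToDS/FromDS bits.
    if ftype != "data":
        bssid: Optional[bytes] = addr3
    elif not to_ds and not from_ds:
        bssid = addr3                             # ad hoc / IBSS
    elif to_ds and not from_ds:
        bssid = addr1                             # station -> AP
    elif from_ds and not to_ds:
        bssid = addr2                             # AP -> station
    else:
        bssid = None                              # WDS: BSSID is in a fourth address field
    ap_privacy = None
    if ftype == "management" and subtype == 8:    # beacon
        if len(frame) < 36:
            raise ValueError("beacon shorter than its fixed fields")
        # body = timestamp(8) + beacon interval(2) + capability info(2); bit 4 = Privacy
        (cap,) = struct.unpack_from("<H", frame, 34)
        ap_privacy = bool(cap & 0x0010)
    return FrameInfo(ftype, subtype, protected, _mac(bssid) if bssid else None, ap_privacy)


def summarize(frames: List[bytes]) -> Dict[str, dict]:
    """Per BSSID: what the AP advertises and how many data frames were sent in the clear."""
    out: Dict[str, dict] = {}
    for raw in frames:
        info = parse_frame(raw)
        if info.bssid is None or info.ftype == "control":
            continue
        entry = out.setdefault(info.bssid, {"privacy": None, "clear_data": 0, "protected_data": 0})
        if info.ap_privacy is not None:
            entry["privacy"] = info.ap_privacy
        if info.ftype == "data":
            entry["protected_data" if info.protected else "clear_data"] += 1
    return out


# ---- constructed sample frames (not a real capture) ----

def beacon(bssid: bytes, privacy: bool) -> bytes:
    # type=management, subtype=8 (beacon), broadcast destination, no flags
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)     # ESS, plus Privacy when WEP/WPA is on
    return header + b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", cap)


def data_to_ap(bssid: bytes, sta: bytes, payload: bytes, protected: bool) -> bytes:
    # type=data, ToDS=1: addr1=BSSID, addr2=source station, addr3=destination
    flags = 0x01 | (0x40 if protected else 0)
    header = bytes([0x08, flags]) + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00"
    return header + payload


OPEN_AP = bytes.fromhex("02000000aa01")   # made-up locally administered addresses
WPA_AP = bytes.fromhex("02000000bb02")
STA = bytes.fromhex("02000000cc03")

SAMPLE_CAPTURE = [
    beacon(OPEN_AP, privacy=False),
    beacon(WPA_AP, privacy=True),
    data_to_ap(OPEN_AP, STA, b"GET /mail HTTP/1.1\r\n", protected=False),
    data_to_ap(OPEN_AP, STA, b"Cookie: session=abc123\r\n", protected=False),
    data_to_ap(WPA_AP, STA, bytes(range(32)), protected=True),
]

if __name__ == "__main__":
    for bssid, stats in summarize(SAMPLE_CAPTURE).items():
        print(bssid, stats)
```

Nothing here recovers content from the protected frame; the point is that the open network's payloads arrive as plaintext with no extra step, which is the factual premise behind Google's "readily accessible" argument and behind the plaintiffs' silence about encryption.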
I can see unintended consequences that would flow from either approach. Finding that data transmitted over an open Wi-Fi is not protected under the ECPA would undermine privacy in a big category of communications. On the other hand, by creating a special category of "radio communications" that don't get the benefit of the general exemption, this broadens the scope of a statute which has criminal consequences. Judge Ware decided Power.com, and applied the rule of lenity in that case in construing the statute narrowly. Given that a violation of this statute can result in criminal liability as well, I'm surprised this doctrine did not come into play in interpreting the statute narrowly.
________
Eric's comments:
1) I continue to insist that the ECPA is one of the worst-drafted statutes of all time. As Venkat's confusion indicates, no one really knows what the statute means, which suggests it's hard to advance an implausible interpretation of the statute.
2) This case is a fairly typical "technological convergence" case where we try to interpret technological terms in a statute in light of unanticipated technological evolution. Congress couldn't conceive of private WiFi back in 1986, so the statute doesn't fit the technology very well. Personally, in light of modern sensibilities, I think "radio" most naturally means the entire wireless spectrum. Judge Ware saw it differently and found reasons to separate out pieces of the spectrum for differential statutory application. I could see other judges reading the term more broadly on appeal.
3) Google's loss on the motion to dismiss is surely disappointing to Google, but I don't think the plaintiffs should start cashing their checks yet. There are plenty more interstices of the ECPA for both parties to explore on summary judgment and perhaps at trial.
4) As Congress revisits the ECPA as part of the Digital Due Process initiative (which I support), I desperately hope Congress also reconsiders the ECPA's private cause of action. The class action plaintiffs have gone crazy with the statute, and due to its drafting deficiencies, the plaintiffs' claims are rarely clearly wrong on the surface. The result has been a huge tax on innovation with no commensurate social benefits; only the private benefits of a few privacy class action lawyers getting fat and happy while feasting on Silicon Valley companies.
5) The ECPA's preemption of state wiretap laws, if followed by other courts, could be a Very Big Deal. However, Judge Ware didn't cite any caselaw in support of his conclusion, and frankly I'm skeptical that ruling will survive further challenge.
Other coverage:
Judge to Google: sniffing even open WiFi networks may be wiretapping (Ars Technica)
Judge: Google Can Be Sued for Wiretapping in Street View Debacle (Wired/Threat Level)
Posted by Venkat at 11:09 AM | Privacy/Security
June 28, 2011
San Diego County Bar Tackles Lawyer Friend Requests and the Ex Parte Rule
[Post by Venkat Balasubramani]
The San Diego County Bar Association recently tackled the issue of whether a lawyer's friend request to an employee of a party violates the rule barring ex-parte communications by a lawyer with a party whom the lawyer knows or should know is represented by counsel. You can access the opinion on Scribd here, and it's worth a read.
The factual scenario involved a lawyer who represented a plaintiff against a company in a wrongful discharge lawsuit. The lawyer knows the defendant-employer is represented by counsel, but obtains from the client a list of the defendant's current employees, with the client identifying which of those employees may be disgruntled and therefore likely to provide dirt on the defendant-employer. The lawyer then sends Facebook friend requests to these individuals.
The opinion looks to California Rule 2-100, which provides that:
While representing a client, a [lawyer] shall not communicate directly or indirectly about the subject of the representation with a party the [lawyer] knows to be represented by another lawyer . . . unless [the other lawyer first consents].
The opinion first tackles the issue of whether the employees are "parties" for purposes of the rule. If they exercise discretion and determine the employer's policy, they may be treated as part of the represented corporate-party for purposes of this rule. Consequently, the opinion advises that the lawyer should first check with his or her client as to what role the employees play in the organization before treating the employees as unrepresented parties. Assuming they are policy-making employees and therefore "represented," the opinion looks to whether the lawyer's friend request constitutes a communication "about the subject of the representation." The opinion parses the language of the friend request and the fact that it's initiated by the lawyer but transmitted by Facebook, and concludes that the friend request would violate the rule against ex parte contact:
[i]f the communication to the represented party is motivated by the quest for information about the subject of the representation, the communication . . . is about the subject matter of that representation. . . . This becomes clearer when the request to friend . . . is transferred from the virtual world to the real world. Imagine that instead of making a friend request by computer, opposing counsel instead says to a represented party in person and outside of the presence of his attorney: "Please give me access to your Facebook page so I can learn more about you." That statement on its face is no more "about the subject of the representation" than the robo-message generated by Facebook. That what the attorney is hoping the other person will say in response to that facially innocuous prompt is "Yes, you may have access to my Facebook page. Welcome to my world. These are my interests, my likes and dislikes, and this is what I have been doing and thinking recently."
The opinion also addresses a few objections:
The friend request does not refer to the issues raised by the representation: With respect to this objection, the opinion notes that even open-ended questions can "impel the other side to disclose information that is richly relevant to the matter," even if the question itself is not directed to a subject relating to the representation. Information "uncovered in the immediate aftermath of a represented party's response to a friend request at least 'might reasonably assist a party in evaluating the case, preparing for trial, or facilitating settlement thereof.'" Although the initial friend request may not relate to the representation, it's the type of open-ended question that is designed to elicit a response that provides useful information. Indeed, the opinion notes that once you have become a person's Facebook friend, you have access to a wealth of information regarding that person, including information that will potentially be advantageous to know in litigation.
Friending a represented party is the same as accessing the opposing party's website: The second objection argued that accessing a publicly available website of a party who is represented is permitted, and this is no different. The opinion states that there is a key difference between the two. In one instance the webpage is publicly accessible, and in the other, you need permission--acceptance of the friend request--in order to access it. The opinion concludes that if a witness or opposing party maintains a profile on a social network that is freely accessible by the general public, there is no ethical bar to its access by a lawyer.
The opinion also dismisses a couple of other objections: (1) statements in a Facebook profile are not necessarily protected by the attorney/client privilege (the restriction on ex parte contact goes beyond this information), and (2) courts have rejected deception as the basis for excluding evidence in the criminal context (the standards for when evidence should be excluded in a criminal case are not the same as those which prohibit ex parte contacts in civil cases). The opinion notes that the policy underlying the rule prohibiting ex parte access is to restrict the opposing lawyer from interfering in an existing lawyer/client relationship and exerting undue influence through this interference. The tenor of the opinion is that this risk of undue influence clearly exists in the context of a Facebook "friendship."
The opinion raises some interesting issues and takes a careful look at the rules and other opinions on this issue. (The Philadelphia Bar Association and the New York State Bar Association have both weighed in on this issue as well.) The opinion cites to another case (U.S. v. Sierra Pacific Industries, 2010 WL 4778051 (E.D. Cal. 2010)) where the court held that a lawyer who was litigating a claim against the U.S. Forest Service violated the ex parte rule when he attended a "field trip" organized by the Forest Service and extensively questioned Forest Service employees on their policies. The field trip was open to the public and thus mere attendance did not violate the rule. The court focused on the questioning, rather than the attendance. In contrast, here, the opinion concludes that merely sending a friend request could violate the rule.
I wonder whether the result would have been different if the lawyer in question sent a friend request that expressly addressed the ex parte issue--e.g., "I'm John Doe, counsel for Jane Doe, and I'd like to speak with you about this matter. If you are represented by counsel, please do not accept this friend request."
The opinion serves as a good reminder that despite the treasure trove of evidence that may be contained in social media profiles, accessing this information is another matter.
(h/t ABA Journal: "Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says")
Posted by Venkat at 02:25 PM | Evidence/Discovery , Privacy/Security
June 24, 2011
Court Conducts in camera Review of Plaintiff's Facebook Page to Resolve Discovery Dispute -- Offenback v. Bowman
[Post by Venkat Balasubramani]
Offenback v. Bowman, 10-CV-1789 (M.D. Pa.; June 22, 2011)
Background: Discovery disputes over Facebook accounts and whether they are discoverable in civil cases are piling up. Courts and litigants continue to grapple with the central problem that even to the extent the information is properly discoverable, at least some portion of a litigant's Facebook account deserves privacy protection and should also be protected by federal statutes such as the Stored Communications Act. On the other hand, an opposing litigant needs to get access to the Facebook profile in order to determine whether something contained in the account is relevant, in order to articulate a "likely to lead to the discovery of admissible evidence" argument.
Courts have come up with interesting and mostly imperfect ways to solve this problem. In one case, a court suggested that the litigants "friend" the court so the court could review the contents of the account which would be visible to the witness's friends. ("Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute.") In this case, the court conducted an in camera review of the plaintiff's Facebook profile and determined what information was discoverable.
The facts follow a familiar pattern. Plaintiff suffered a car accident, and sued, alleging he suffered physical and psychological injuries. He claimed that these physical injuries limited:
his ability to sit, walk, stand, ride in a vehicle, bend, stoop, push, pull, and lift. He claimed that he could not drive for any period of time and is physically limited as to riding his bicycle or motorcycle.
Defendant sought access to plaintiff's Facebook and MySpace accounts. The court asked for plaintiff's log-in information for these accounts. Plaintiff provided the Facebook password but said "he could no longer locate information related to his MySpace account, since he had neither activated nor used the account since November 2008." [Ouch! Plaintiff is not alone, this BusinessWeek article notes that even one of the co-founders of MySpace no longer checks his MySpace account: "The Rise and Inglorious Fall of MySpace."]
Discussion: The court reviews plaintiff's Facebook page and concludes that the bulk of the material there is unrelated to the accident and not discoverable. There were a few items that were discoverable and these included:
- photos of plaintiff taking numerous motorcycle trips;
- photos of plaintiff hunting;
- photos and comments suggesting that plaintiff "may have recently ridden a mule";
- comments confirming plaintiff's continued interest in riding motorcycles.
The rest of the page contained information that was not discoverable--such as "routine communications" with family and friends, and expressions of plaintiff's interests and hobbies. [The court notes that plaintiff had a passion for the Philadelphia Phillies "which was not dampened after he moved to Kentucky from Pennsylvania."]
___
The court drops a footnote in the order, knocking the parties for getting the court involved in this discovery dispute. Plaintiff conceded that some of the information in the Facebook profile was discoverable. Defendants appeared to have backed away from their initial position that all of the information was discoverable, but they did not actually narrow their discovery requests to the items that plaintiff admitted were discoverable. Translation: the parties ended up wasting the court's time, and should have worked it out themselves.
It still feels awkward that the court took the approach of actually logging in to plaintiff's Facebook account using plaintiff's password. Isn't this a violation of the Facebook terms of service?
There's another issue lurking in the background of these disputes that courts will be forced to confront: can a party be forced to consent to disclosure of information that falls under the Stored Communications Act? No case has directly confronted this question, although one court has held that a party's default and fugitive status is not consent. (See "Being a Fugitive is Not Consent for Production under the Stored Communications Act.")
Earlier related posts:
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
Posted by Venkat at 09:45 AM | Evidence/Discovery , Privacy/Security
June 19, 2011
Employer Who Fails to Consistently Enforce Computer Usage Policy Cannot use the Policy to Justify Dismissal -- Branson v. Harrah's
[Post by Venkat Balasubramani]
Branson v. Harrah's Tunica Corp., et al., 08-cv-02804-BBD-cgc (W.D. Tenn.; June 3, 2011) (decision)
Background: Branson was an employee with the Grand Casino for over ten years, from 1996 to 2007. Harrah's acquired Grand in 2006. He received uniformly favorable employment ratings. In March 2007, Grand employed three "table games shift managers," Branson, Rob Keene, and Denise Alford, each of whom reported to Darrell Pilant. Each manager had their own computer log-in, password, and Windows account. As Branson described it, he accidentally accessed the email account of one of the other managers and forwarded himself an email:
Plaintiff sat down to use a shared, work computer when he noticed an email from Alford to Pilant. Alford had apparently failed to log out of her email account, and the email appeared on the screen when Plaintiff touched the mouse. The email stated that [Branson] and Keene were speaking in front of Mitch Pate, a pit manager, about the performance of [their] subordinates. . . . Apparently two hours into his shift, [Branson] forwarded a copy of Alford's email first to his business email account and then to his personal email account so that he could access the email from home.
Branson told his boss what he had done, and Pilant looked into it. Pilant had the IT department investigate to verify what happened, and once he did, he informed Branson that Branson "violated several policies and the trust that Pilant had placed in [Branson]." Ultimately, Branson was given the option of resigning or being terminated, and he chose the first option. Although Branson resigned, Harrah's placed a notation in his employee file that he was "eligible for rehire."
Branson brought claims alleging that he was forced to resign because of his age.
Discussion:
Employer status: The first issue the court addressed was whether Harrah's Entertainment, Inc. and Harrah's Operating Company, Inc. were Branson's employer. There was testimony that Harrah's acquired Grand (where Branson originally started working) in 2006. After the acquisition, employees received a Harrah's handbook and W-2's which listed Harrah's as their employer. Additionally, defendants' own witnesses, who purported to be Grand employees, listed Harrah's as their employer on their LinkedIn pages. Based on this evidence, the court held that Harrah's Entertainment, Inc. and Harrah's Operating Company, Inc. were both Branson's employers for purposes of the ADEA. (Coincidentally, Harrah's also got burned by LinkedIn evidence in another case where a different plaintiff asserted age discrimination claims against Harrah's: "Contrary LinkedIn Evidence Crushes Witness' Testimony." The plaintiff in that case testified in this case as well.)
The ADEA claim: Resolution of the ADEA claim was the more interesting part of the ruling. The court found that plaintiff put forth a prima facie case--he was within the protected class, received favorable ratings, and was replaced by someone younger than him. It was up to defendants to put forth a non-discriminatory reason for the termination, and defendants relied on the fact that Branson violated Harrah's computer use policy by improperly accessing his co-worker's email and forwarding an email to his own business and personal account. The court found that this was a sufficient non-discriminatory reason for the termination, and shifted the burden to Branson in order to show pretext. The court concludes that he put forth sufficient evidence to satisfy his burden.
The court found that defendants typically followed a four step disciplinary process before terminating an employee and that "the evidence presented [did] not support the conclusion that [Branson's] conduct was serious enough to justify deviating from this process." In particular, the court found that:
employees did not receive training or instructions on how to use the Grand's computer system. [The witness-employees did not appear] to be familiar . . . with the policies that defendants cite[d] as justification for [Branson's] termination. Furthermore, the proof show[ed] that it was not uncommon for employees to [access] each other's email accounts, and presumably each other's passwords on the shared work computer, without fear of suffering any disciplinary action.
The court also found defendants' explanation was contradictory in that if Branson was terminated for a serious issue, defendants would not have found that he was eligible to be rehired.
As an added bonus, the court finds that defendants' conduct was willful, or at best, with reckless disregard of whether it was in violation of the ADEA. The court smacks defendants with a whopping award of $361,363.42.
___
Accessing someone else's email is risky behavior and a potential violation of the federal statutes which protect the privacy of electronic communications. This has gotten a few employers into trouble. In Pure Power Boot Camp v. Warrior Fitness Boot Camp, for example, ex-employees were awarded (admittedly nominal) damages when their former employer accessed their emails. (See "Ex-Employees Awarded $4,000 for Email Snooping by Employer.") You would think that when an employee does something like this and admits to doing it, the employer would have no problem firing the employee for it. Defendants even had a written policy in place which the employee in this case violated when he accessed his co-worker's account. One would think that a violation of this policy would put defendants in a position to prevail at summary judgment, if not deter the plaintiff from pursuing his claims in the first place. Yet despite having a policy in place, the employer still could not use the policy violation to justify the termination. Why? The policy was not taken seriously or consistently enforced. Despite the potential seriousness of plaintiff's act, there was testimony in the case that other employees regularly violated the policy and were not subject to disciplinary measures.
A useful reminder that regardless of what network/social media policies you have in place, if you do not actually implement them, and enforce them in a consistent way, they may not be of much use at the end of the day.
Posted by Venkat at 10:29 AM | Privacy/Security
June 18, 2011
Bank ACH Fraud Victims Get Mixed Rulings -- Experi-Metal v. Comerica Bank & Patco Constr. v. People's United Bank
[Post by Venkat Balasubramani]
We have posted on numerous cases involving data breach plaintiffs who are rebuffed by courts because they have not suffered cognizable harm such as out-of-pocket losses. A pair of recent cases involved businesses whose bank accounts were drained after their log-in credentials were compromised and who sued their banks for the resulting out-of-pocket losses. In one case, the court finds for the customer; in the other, it finds for the bank. (Standing was not an issue in either case, since the plaintiffs suffered out-of-pocket losses.)
Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich.; June 13, 2011)
Experi-Metal was a victim of a phishing attack, which led to unauthorized wire transfers of $1.9+ million from its bank accounts. Comerica recovered all but $560,000 of this amount, and Experi-Metal sought to hold Comerica liable for this remaining amount. Following a bench trial, the court concludes that Comerica did not act in good faith--i.e., did not observe "reasonable commercial standards of fair dealing."
Here is how the court recounts the phishing incident:
During the morning of January 21, 2009, Comerica was alerted to phishing e-mails sent to its customers by a third-party attempting to lure the customers into providing their confidential identification information . . . . Mr. Kind, Experi-Metal's Vice President of Manufacturing, forwarded [the phishing e-mail he received] to Mr. Maslowski [its controller]. The e-mail instructed the recipient to click on an attached link to complete a "Comerica Business Connect Customer Form." At approximately 7:35 a.m., Mr. Maslowski clicked on the link and was directed to a website where he responded to a request for his confidential secure token identification, Treasury Management Web ID, and login information. By doing so, Mr. Maslowski provided a third-party with immediate online access to Experi-Metal's Comerica bank accounts from which the individual began initiating wire transfer payment orders . . . .
Whether Maslowski was authorized to initiate wire transfers: Experi-Metal first argued that Maslowski was not authorized to initiate wire transfers so the bank should not have processed the requests. The court rejects this argument, finding that on numerous documents, the CEO of Experi-Metal designated appropriate "users," for Experi-Metal's Comerica account, and these documents included herself and Mr. Maslowski. The court finds that the CEO's explanation regarding Maslowski's lack of authority wasn't credible. He had the password and, in the aftermath of the phishing incident, the CEO did not raise a hue and cry about why he had the password.
Whether Comerica processed the payment orders in "good faith": Michigan's version of the Uniform Commercial Code allows the bank to get off the hook for unauthorized wire transfer orders if (1) the bank and customer agree to a security procedure for verifying payments; (2) the security procedure is commercially reasonable; and (3) the bank accepts the orders in "good faith." Even if these conditions are satisfied, the customer may shift the loss to the bank if the customer can show that "the person committing the fraud did not obtain the confidential information [facilitating the breach of the security procedure] from an agent or former agent of the customer or from a source controlled by the customer."
The parties agreed that the burden fell on Comerica to prove that it accepted the payment orders "in good faith." Both sides presented expert testimony on the issue of whether Comerica's acceptance and processing of the unauthorized wire transfers comported with industry or commercial standards. The court does not give much credence to the testimony of either party's expert. Ultimately the court concludes, based on a variety of facts, that Comerica failed to satisfy its burden:
the volume and frequency of the payment orders and the book transfers [from one Experi-Metal account to another] that enabled the criminal to fund those orders; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; Experi-Metal's limited prior wire activity; the destinations and beneficiaries of the funds; and Comerica's knowledge of prior and . . . current phishing attempts.
Based on these facts, the court concludes "that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."
Patco Construction Co. v. People's United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Maine; May 27, 2011)
In this case, unknown third parties initiated a series of withdrawals from Patco's account with Ocean Bank over the course of several days. The withdrawals totaled $588,851, and of this amount Ocean Bank blocked $243,406 of the transfers. Patco sought to hold Ocean Bank liable for the remainder. The person who initiated the transfers obtained Patco's credentials:
The Bank authenticated [the initial unauthorized transfer] with Patco's company ID and password and [Patco's] proper credentials, including [an authorized user's] ID, password, and answers to challenge questions. Whoever initiated this transaction did not submit an incorrect password or answers to challenge questions even once.
The court focused on whether the security procedures employed by Ocean Bank were "commercially reasonable" (as in the Comerica case, the court looked to the UCC and the state law version of the relevant provision). In a 70-page opinion which includes discussion of the perspectives of competing experts, industry practices, and alternative security measures, the court concludes that the bank's procedures may not have been perfect, but were commercially reasonable. As summarized by Brian Krebs ("Court: Passwords + Secret Questions = 'Reasonable' eBanking Security"):
The magistrate analyzed whether the bank’s security satisfied "multi-factor authentication" guidelines by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token); and something the user is, such as a biometric identifier. (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).)
The magistrate judge said the bank's security satisfies these guidelines. Patco argued that the fraud was caused by keylogging software and the bank's security measures (its "rules" for when it would look into suspicious transfers and how it deployed its authentication procedures) were commercially insufficient to deal with this type of risk. Patco faced a bit of an uphill battle on this point because it failed to preserve the evidence in its computers--i.e., Patco did not immediately stop using them and allow them to be forensically examined.
___
Both cases had a few things in common. First, the actual breach happened on the user's end--there was no allegation that a criminal broke into the bank's computer system and siphoned money out of it. Regardless, this did not preclude the claims in either case. Second, in both cases, the bank's customers were limited by the agreements in question. Although the agreement did not totally preclude Experi-Metal's claim, it undermined Experi-Metal's argument that the individual employee who was the victim of the phishing attack was not authorized to undertake wire transfers. I'm willing to bet the plaintiffs in both cases did not carefully review the voluminous documents and updates provided by their respective banks as to matters such as account security, authorized signatories, and loss prevention. In both cases, the parties entered into agreements which were "updated" by the banks numerous times, often via email notice or notice via the bank's online interface for online banking.
The court's conclusion in Comerica was very Solomonic: "I've taken in all of the evidence and here is my judgment." The court does not give much credence to either expert. In contrast, the court in Patco goes into mind-numbing detail about the processes, industry standards, and the contentions of the experts.
These decisions are both good wake-up calls to businesses about their exposure to security risks and limits on their ability to outsource losses to third parties. Both plaintiffs were small businesses that suffered relatively significant out-of-pocket losses, and it probably came as a surprise that there is no legal mechanism to shift the losses to the banks. From reading through both orders, you get the sense that neither the bank nor the customer is particularly well situated to prevent the losses in question. (Undeniably, some additional training and education at the customer end could have potentially averted these losses, but it's tough to say.) This looks like the type of loss where insurance would be well worth exploring, to the extent it is available. I wonder if we will eventually see federal legislation that sets minimum standards here.
Other coverage:
"Court Says Comerica Bank Must Pay After Customer Is Hacked" (Bob McMillan)
"Court: Passwords + Secret Questions = 'Reasonable' eBanking Security" (Brian Krebs)
Posted by Venkat at 08:46 AM | Privacy/Security
June 06, 2011
April-May 2011 Quick Links, Part 3
By Eric Goldman
Search Engines
* Google is working on a deal with the DOJ over illegal pharmaceutical ads and has set aside $500M for fines. Some background on the problem. Google isn’t the only search engine with problematic pharmaceutical ads. Will the other companies be getting the DOJ’s call too?
* Kevin Kelly: "This is the great gift of the free web. It has made some goods so cheap to acquire -- like answers, encyclopedia facts, directions, weather reports, recommendations -- that we generate entirely new realms of activity by doing far more of them. More is different. We ask so many more questions than before that this ask-and-answer is something new. Have you ever wondered where all our questions were before search engines? We didn't even bother to ask them."
* Vitaly Borker, who tried to game Google’s algorithm by seeking out bad consumer reviews, will be going to prison.
* Google won ALM's Best Legal Department in 2011. This article has a great inside look at Google’s legal department and how it makes decisions.
* More winners and losers from Google's algorithmic update.
* Latest antitrust enforcement challenge for Google: South Korea.
* More search censorship in Argentina. The ruling in Spanish.
* Yahoo changed its search log retention period from 3 months to 18.
* Market America is appealing its court loss to Google to the Third Circuit. Most recent blog post.
* Apple jiggers with the ranking algorithm for apps in its app store.
* CNET: “Bing head says 'traditional search' is dying.”
* Realcomp II, Ltd v. FTC, 11a0084p.06 (6th Cir. April 6, 2011). A monopolistic real estate electronic network violated antitrust laws when it provided only limited syndication of real estate listings subject to non-standard brokerage fee arrangements. Implications for Google?
* JC Penney’s 90 day timeout from Google for black hat SEO appears to be over.
* Gord Hotchkiss: “Why Results Quality Is So Important to Search Engines”
Privacy and Security
* Facebook tried to conduct a whisper campaign to bash Google on privacy. That backfired. Steven Levy: “Facebook’s Stealth Attack on Google Exposes Its Own Privacy Problem.” Danny Sullivan: “How Facebook Enables The Google Social “Scraping” It’s Upset About.”
* Not everyone loves the WSJ “What They Know” series.
* Kate Kaye of ClickZ on which of the half-dozen Congressional privacy bills the ad industry should favor.
* WSJ: Schmidt: Google Trying to Simplify Privacy Policies, but Lawyers Get In the Way.
* Less than 1% of Firefox users are using Do Not Track TPLs.
* Third party misuse of an open wifi leads to an unhappy wake-up call for the wifi owner.
* FTC gets $3M settlement from Playdom for COPPA violations. Among other purported defects, Playdom asked kids their ages and purported to bounce underage kids, but gave those kids the option to proceed just by checking a box rather than obtaining verifiable parental consent.
* An IP address can now pin down your location to within a half mile.
* The Sony Playstation hack of 70M member records will probably make my year-end list of top 10 Internet law developments. This event will be horking the law for the better part of a decade.
* EFF on how the Kerry-McCain privacy bill would preempt state law.
* Apple tried to squash the Mac Defender malware in its latest operating system release, but didn't get very far. Microsoft has made such benevolent dictatorship decisions before as well.
Publicity Rights and Trade Secrets
* Reality TV show participants were sued for prematurely revealing the show's outcome (in a lawsuit over the show's alleged failure to pay). See my first year Contract Law problem on maintaining secrecy in reality TV shows.
* Stars on the red carpet grant an implied license to their publicity rights in photos taken there.
* Basketball player Chris Bosh sues the mother of his child to prevent her from appearing in a reality TV show “Basketball Wives.”
* Larry Montz v. Pilgrim Film and Television, 08-56954 (9th Cir. May 4, 2011). In an idea submission case, “We again hold that copyright law does not preempt a contract claim where plaintiff alleges a bilateral expectation that he would be compensated for use of the idea, the essential element of a Desny claim that separates it from preempted claims for the use of copyrighted material.” The panel also reversed the district court conclusion that a “breach of confidence” claim was preempted.
* Many publicity rights complaints over Facebook's "Sponsored Stories": Fraley v. Facebook; JN v Facebook; and EKD v. Facebook. Filings in the Cohen v. Facebook case: motion to dismiss and supplemental brief on 47 USC 230.
* Litigation over Donald Trump’s licensing of his name to home developers. Interesting issues about a trademark licensor’s liability for a licensee’s activity and liability by endorsers for bum offerings.
* MGA spent $130M in its legal battle with Mattel.
Posted by Eric at 07:19 AM | Privacy/Security , Publicity/Privacy Rights , Search Engines , Trade Secrets | TrackBack
June 04, 2011
NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One
[Post by Venkat Balasubramani]
The alleged monitoring and use of ISP subscribers' internet activity for advertisement targeting purposes by NebuAd spawned a slew of class actions. NebuAd shut down, leaving plaintiffs to go after the individual ISPs who partnered with NebuAd. ("Turning Out The Lights: NebuAd.") Plaintiffs have not had much luck with their claims against the ISPs.
In Mortensen v. Bresnan, the court dismissed the ECPA and state law privacy claims but left the Computer Fraud and Abuse Act claims intact. ("Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues.") As an update to that case, the court ruled that the claims were not subject to arbitration, but the defendant-ISP moved for reconsideration of this ruling in light of AT&T Mobility LLC v. Concepcion, the recent Supreme Court case where the Court held that the Federal Arbitration Act preempts state law unconscionability arguments which are applied disproportionately to invalidate arbitration agreements. You can access the motion for reconsideration here.
Deering v. Centurytel, Inc.: In Deering, the court came to the same conclusion as it did in Bresnan, dismissing the privacy and ECPA claims on the basis of the end user agreement. The court notes that as in Bresnan, the ISP here:
also provided notice of the NebuAd agreement. Specifically, an email to its subscribers was sent informing them that the Privacy Policy had been updated and providing a link to the updated Privacy Policy. Under the heading, "Online Advertising and Third Party Ad Servers," CenturyTel customers were notified that "CenturyTel partners with a third party to deliver or facilitate delivery of advertisements to our users while they are surfing the web. This delivery of advertisements may be facilitated by the serving of ad tags outside the publisher's existing HTML code. These advertisements will be based on those users [sic] anonymous surfing behavior while they are online." . . . CenturyTel customers were further notified of their right to opt out of receiving targeted advertisements by clicking on an imbedded link. The "Online Advertising and Third Party Ad Servers" section also contained a link to NebuAd's website.
I'm a little stumped by the court's reliance on the language in the privacy policy. The court cites to CenturyTel's privacy policy which at the time said that:
personal information collected [by CenturyTel] may include, without limitation, name, address, telephone number, personal computer specifications, e-mail address, user IDs and passwords, billing and transaction information, credit card information, and contact preferences.
It looks like this describes information collected by CenturyTel, as well as information provided to CenturyTel by its users. But it still doesn't come out and say that CenturyTel or a third party tracks the contents of users' communications. As described by the court, the policy also had standard "cookies and web beacons" language which made clear that CenturyTel used cookies and web beacons to target. This would put users on notice that their clickstream would be used for targeting purposes, but would not alert them to the fact that their traffic is being routed through a third party server or that the contents of their web surfing activity would be exposed to a third party (which is what NebuAd is accused of doing).
CenturyTel sent an email to its users alerting them of an update to CenturyTel's privacy policy, but the email only said that "advertisements will be based on . . . [the] anonymous surfing behavior" of end users. The court does not cite to the NebuAd agreement, but nothing in the CenturyTel disclosures looks like it clearly states that the contents of users' communications would be viewable and accessible by a third party. The use of "anonymous surfing" language, if anything, would tend to minimize the effect of any disclosures in the NebuAd agreement or would create a conflict between the two. How exactly NebuAd was monitoring and targeting is not clear, but the disclosure could certainly have been much clearer, and the court doesn't delve into the details here.
More than anything, this ruling seems to reflect the court's antipathy towards privacy class actions or the motivations behind them. The subtext of the ruling is that there is no "there" there. The notice provided by the ISPs and NebuAd may not have been perfect, but the court had to be influenced by the fact that the plaintiffs were told about some monitoring and given the ability to opt-out. No one took advantage of this or alleged that they followed up.
The court also has harsh words for plaintiff's counsel, finding that it is "telling, and somewhat troubling" that the plaintiff did not mention the Bresnan case, "even though the same lawyers appear to have filed very similar complaints in these cases."
Green v. Cable One: In addition to Bresnan and CenturyTel there's another NebuAd case where plaintiff's claim went sideways (this happened in late February and I missed it at the time). In Green v. Cable One, plaintiff brought claims against Cable One based on alleged monitoring by NebuAd. According to a post at Wildman Harrold, here's what happened next:
Plaintiff filed a motion for class certification in August 2010. Cable One served a demand to copy and inspect plaintiff’s computer. The plaintiff then voluntarily dismissed with prejudice three of the four claims that depended upon allegations of harm/damage, leaving only the claim for violations of the ECPA remaining. (Dkt 43, October 2010). On November 9, 2010, the named plaintiff Green was deposed. During that deposition, he testified that he only accessed his Cable One account from one computer/IP address located in Alabama. Cable One’s records revealed that the Internet subscription had been canceled for that home address on November 19, 2007, one day before the NebuAd ad serving technology went into use by Cable One.
Cable One filed a motion to dismiss for lack of standing. In response, plaintiff filed a "non-opposition" with a curious explanation:
Plaintiff conferred with Defendants in effort to reach a stipulation on the Motion to Dismiss in an effort to minimize the use of judicial resources. Defendants requested the Plaintiffs file a Notice of Non-Opposition instead. Therefore, Plaintiff submits this Notice of Non-Opposition to Defendant's Motion to Dismiss.
Say what? The fact that the named plaintiff dismissed a chunk of the claims in response to a request to inspect plaintiff's computer is telling. The fact that plaintiff agreed to dismiss the claims in their entirety when Cable One argued that plaintiff cancelled his Cable One subscription the day before NebuAd filtering was implemented just demonstrates that (assuming what Cable One says is true) there was no way that plaintiff could have suffered any harm as a result of the alleged filtering. This points in the direction that courts' skepticism towards these lawsuits may be entirely warranted.
Posted by Venkat at 01:10 PM | Licensing/Contracts , Privacy/Security
June 01, 2011
Updates on DoctoredReviews.com and Medical Justice
By Eric Goldman
You may recall our April launch of DoctoredReviews.com, a website explaining why Medical Justice's form agreement, the "Mutual Agreement to Maintain Privacy," was a bad deal for doctors, patients and review websites. See a list of the media coverage on the site's launch.
Since then, there have been three developments of interest.
First, Timothy B. Lee at Ars Technica covered his experiences with a dentist who asked him to sign the Mutual Agreement to Maintain Privacy and what happened when he balked at signing (predictably, there was no negotiation, and he was booted from the office). The entire article is a great read, but this line especially caught my eye: "we began to wonder if Medical Justice was taking advantage of medical professionals' lack of sophistication about the law." Watching the doctor community's response to our site launch, I had been wondering the same thing. Doctors and other healthcare professionals are very scared of the combination of privacy laws and unfettered consumer reviews; and Medical Justice has a several-year head start in (mis?)educating them about the law. It's clear that our advocacy site alone isn't enough to do the necessary counter-education.
Timothy also hammers on how Medical Justice has been backpedaling about the efficacy of the Mutual Agreement to Maintain Privacy. Medical Justice publicly claims that the agreement is principally useful for dealing with reviews from the doctors' competitors or ex-employees or other fraudsters. This is a baffling argument because (as Timothy points out) those folks undoubtedly haven't signed the Mutual Agreement to Maintain Privacy, so doctors can neither assert a breach of the agreement nor the assigned copyrights in those reviews. (And asserting copyright to the review websites could lead to 512(f) claims). There is a massive logic disconnect between the purported goals of the Mutual Agreement to Maintain Privacy and the legal effect of the contracts. For an outfit that was clever enough to develop a way to hack 47 USC 230 through a copyright workaround, the response that the agreement should be used only against people who haven't signed it is so oddly sophomoric that it makes me wonder about the sincerity of the proffered explanation.
Timothy followed up his initial story with a postscript. In it, the dentist who claimed he'd never enforced the Mutual Agreement to Maintain Privacy backpedaled and admitted that he had, in fact, helped drive a negative review off the Internet. On the plus side, the dentist publicly acknowledged that the Mutual Agreement to Maintain Privacy wasn't a good deal for him, and he said he wouldn't renew with Medical Justice. Hey doctors and other healthcare professionals, I hope you took note.
Second, John Swapceinski of RateMDs made a post entitled "Medical Justice planting glowing reviews on RateMDs.com." Apparently, John saw some early activity from a new Medical Justice offering called the "Review Builder Program" that Medical Justice claims will help patients leave reviews from doctors' offices. Timothy at Ars Technica has plenty of sharp words about the program and the possibility of Medical Justice duplicity.
Third, we are working on Phase 2 of the DoctoredReviews project, during which we identified another doctrinal oddity: doctors, based on their purported copyright ownership, can obtain and send 512(h) expedited subpoena requests in an effort to unmask the review author--in a process that is outside of public view and without any substantive judicial oversight. Obviously, review websites can (and should) push back on these subpoenas, but I have some reason to believe that the Mutual Agreement to Maintain Privacy's purported copyright assignment is producing unmaskings that would not occur if supervised in a court of law. I'm adding this attack on privacy to the taxonomy of abusive takedown practices I'm developing.
Posted by Eric at 02:18 PM | Content Regulation , Copyright , Derivative Liability , Licensing/Contracts , Privacy/Security | TrackBack
Yahoo! Entitled to Immunity for Disclosing User Information in Response to Subpoena -- Sams v. Yahoo!
[Post by Venkat Balasubramani]
Sams v. Yahoo!, Inc., CV-10-5897-JF(HRL) (N.D. Cal.; May 18, 2011)
Fayelynn Sams sued Yahoo!, contending that Yahoo! improperly produced information in response to a subpoena which requested information regarding Sams's account. She brought a putative class action asserting a variety of claims, including a state law privacy claim, breach of contract, breach of the duty of good faith and fair dealing, and claims under the Electronic Communications Privacy Act. The court finds that Yahoo! is entitled to immunity under the Electronic Communications Privacy Act's immunity provisions and dismisses the case.
Yahoo! received a grand jury subpoena signed by the Clerk of the Superior Court of Lowndes County (Georgia). This subpoena sought:
any and all records regarding the identification of a user with the Yahoo! ID "lynnsams" or "lynnsams@yahoo.com" to include name and address, date account created, account status, Yahoo! E-mail [sic] address, alternate e-mail address, registration from IP, date IP registered and login IP address associated with session times and dates.
A second subpoena issued from the same court sought "any and all I.P. login tracker for "lynnsams" or "lynnsams@yahoo.com"" for dates in December 2008. The subpoenas, which stated that they were related to a child pornography investigation, specifically instructed Yahoo! to not inform the account-owner of the subpoena or that any information was provided. (See both subpoenas here.)
It's unclear exactly what information Yahoo! disclosed in response to the subpoenas, but the subpoenas do not seek the substantive contents of any communications--the subpoenas are directed to account and identification information. Sams did not specifically allege in her complaint that Yahoo! produced the contents of any of her email messages.
Yahoo! argued that it was entitled to immunity under 18 U.S.C. section 2703(e). Immunity under section 2703(e) is available to "any provider of wire or electronic communication service . . . for providing information . . . in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter." Yahoo! alternatively argued that 18 U.S.C. section 2707(e) immunized the disclosure in question. This subsection contains a similar immunity provision, but requires "good faith" reliance on a subpoena or other process, and requires notice in certain circumstances.
Resolution of affirmative defense on a motion to dismiss: The court first addressed Sams's argument that since Yahoo! raised defenses based on statutory immunity, these were not properly resolved on a motion to dismiss. The court says that Yahoo!'s defenses can be resolved at the 12(b) stage, citing Goddard v. Google, among other cases. Sams's pleading raised the issue of whether Yahoo!'s disclosure of information was proper, and this was something the court could resolve at the pleading stage because it turned on Sams's arguments regarding the validity of the subpoenas.
Was Yahoo! entitled to immunity?: Yahoo! was entitled to immunity to the extent it disclosed the information "in accordance" with a subpoena. Sams made a couple of creative arguments as to why this immunity was not available to Yahoo!
Sams first argued that the subpoena was invalid because it was issued out of Georgia and directed at a California company (Yahoo!). State procedural rules do not require an out-of-state company to comply with a Georgia subpoena, and there is a procedure (which is often ministerial in practice) to get a subpoena issued by a local court seeking information from a California company. Since these procedures were not followed, Sams argued that the subpoena was invalid. Yahoo! argued that although the subpoenas were faxed to Yahoo!'s compliance office in Sunnyvale, "the language [of the subpoena] could be read to refer generally to Yahoo! as a singular corporate entity." Yahoo! further explained that although it used to contest jurisdiction in states other than California (where it has offices and employees) and resist subpoenas on this basis, it no longer does so. It pointed to one decision where it raised the issue and lost. Apparently Yahoo! argued that it was subject to jurisdiction in Georgia, so it did not bother to raise the argument that the subpoena should have been issued out of a California court. [Going forward, it's not clear if you need to obtain a local subpoena if you are in a state where Yahoo! has an office, but it's interesting that Yahoo! says that it has a policy of no longer contesting subpoenas in states where it has an office.]
Sams also argued that Yahoo! did not produce the information "in accordance" with the subpoena because the subpoena directed Yahoo! to "appear and produce evidence," and Yahoo! instead sent the information to avoid the hassle of having to appear personally. The court says that there is no authority for the proposition that a person who produces documents instead of appearing in person is not producing the documents "in accordance" with the subpoena.
Finally, the court addressed Sams's argument that Yahoo! was not entitled to immunity because it disclosed the "contents" of her communications. The court says that there are no allegations to support her argument that Yahoo! disclosed the "contents" of any communication. The ECPA sets forth a hierarchy of protection for user information, and non-content information is entitled to less protection. The statute authorizes the disclosure of things like user identification information, records of session times and durations, and temporarily assigned network addresses in response to a subpoena, as opposed to a court order. The court concludes that Sams fails to adequately allege facts showing that Yahoo! is not entitled to immunity because she does not specify the contents of any communications which were actually disclosed by Yahoo!. The court dismisses the case, but grants leave to amend if Sams can allege that Yahoo! impermissibly disclosed any content-based information.
__
One notable thing about this case is Judge Fogel's willingness to dismiss at the pleading stage based on Yahoo!'s claim of immunity. Section 230 cases have been somewhat mixed, but the court cites to at least a couple of cases granting requests to dismiss on Section 230 grounds at the pleading stage. Goddard v. Google, cited by the court, was also decided by Judge Fogel. (Professor Goldman's post on that case: "Google Not Liable for False Ads.")
The disclosure of user information has generated a fair amount of attention recently. The United States government sought and obtained a court order requiring disclosure of the information of various Twitter users in connection with its Wikileaks investigation. (See "Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users' IP Addresses." The court's refusal to set aside the order is currently on appeal, and in that case, Twitter sought permission in order to provide notice to the users in question.) More recently, a council in the UK subpoenaed (in California) user information from Twitter about a possible whistleblower who was badmouthing the council. This The Next Web story has some details, but the user in question was given the opportunity to contest the subpoena but he did not, citing to the costs involved. In both situations, Twitter looks like it did what it could as far as providing users notice and not just handing over the information.
Section 2703(c)(2) sets forth certain information (name; address; local and long distance telephone connection records, or records of session times and durations; length of service and types of service utilized; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment for such service (including any credit card or bank account number)), which can be disclosed to the government pursuant to an "administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1) [a warrant, court order, or consent]." It would seem that in response to a subpoena such as this one, a service provider that falls under the statute would be well served to restrict the disclosure of information to what is contained in subsection (c)(2), unless its user agreement clearly allows for greater disclosure. User agreements are not always conclusive, and the court did not rely on the user agreement in this case. I'm somewhat surprised that the court did not look to this laundry list of items that may be disclosed to the government in response to a subpoena and compare it to the actual subpoenas in the case. The statute is specific as to what types of information may be disclosed, but the court focuses on the distinction between content information and all other information.
Although the court ruled in Yahoo!'s favor, disclosure of user information comes with risk, from both the perspective of the service provider and the party (and its lawyer) who seeks the information. The service provider should not take the shotgun approach of turning over user information. Cases have held that "content" information may not be produced in response to a civil subpoena, and at least one court has imposed liability on a party and its lawyer for obtaining email messages using what the court described as a "patently invalid" subpoena. (Theofel v. Farey Jones.) Additional uncertainties are present when a party seeks to subpoena information from social networking sites, where the sites' classification under the statute and the distinction between "content" information and other information are more fluid.
Posted by Venkat at 10:08 AM | Privacy/Security
May 18, 2011
No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee -- Lee v. PMSI
[Post by Venkat Balasubramani]
Lee v. PMSI, 8:10-cv-2904-T-23TBM (M.D. Fla; May 6, 2011)
I blogged last week about US v. Nosal, a Ninth Circuit case where the Ninth Circuit held that access of a computer in violation of an employer's acceptable use policy can support a criminal indictment under the Computer Fraud and Abuse Act. ("9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal.") One judge dissented in Nosal, noting the absurd claims that could flow from this ruling, including that an employee's access of a website such as espn.com for personal purposes could now be rendered criminal if it violates the employer's policy. The case from Florida involved an analogous scenario.
Lee sued PMSI, her employer, for pregnancy discrimination. PMSI counterclaimed, alleging that she violated the Computer Fraud and Abuse Act by engaging in "excessive internet usage" and "visiting personal websites such as Facebook." PMSI also alleged that she violated the statute by "sending personal email through her Verizon web mail account."
The court rejects the employer's claims in a ruling that I'm surprised did not include stronger language directed at defense counsel. The court notes that the CFAA was designed to prevent hacking. According to the court, "[b]oth the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working." [As a side note, if any such statute were enacted, we'd all be in trouble. I would be violating the statute as I write this blog post!]
The court notes that PMSI failed to allege that it suffered the requisite amount of damage as a result of Lee's alleged violation. PMSI argued that the loss in productivity from Lee accessing her personal account satisfied this jurisdictional requirement, but the court rejects this argument, noting that "loss" must relate to damage to the "system or data, rather than lack of productivity." The court also notes that there was no allegation by PMSI that Lee "obtained or alter[ed] information in the computer" which she accessed - she merely accessed third-party websites. (Although the legal theories are different, this case is reminiscent of Intel v. Hamidi, where the California Supreme Court held that a departing employee could not be held liable under a trespass to chattels theory for sending mass emails to Intel because there was no showing of damage to Intel's servers.)
The court dismisses the claims with prejudice. The court does not cite to Nosal, which represents a sharp departure from Brekka. I guess you can say that the jurisdictional threshold places some sort of limitation on the far-reaching implications of Nosal, but given the ease with which parties can allege the jurisdictional threshold, I'm not sure this limitation is very meaningful. Nosal is still a disturbing ruling for the reasons stated in the dissenting judge's opinion.
Other coverage:
Evan Brown: "Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work"
Info. Law Group: "District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA"
Related post:
Posted by Venkat at 02:24 PM | Privacy/Security , Trespass to Chattels
May 13, 2011
Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims -- In re Facebook Privacy Litigation
[Post by Venkat Balasubramani]
In re Facebook Privacy Litigation, 2011 WL 2039995 (N.D. Cal.; May 12, 2011)
There are so many recent privacy class actions out there, it's become tough to keep track of them all. One of the early lawsuits against Facebook was consolidated in the Northern District of California, in front of Judge Ware. In an order issued yesterday, Judge Ware granted Facebook's motion to dismiss the complaint. Although he granted leave to amend on certain counts, he certainly expressed some skepticism about the overall merits of the case.
As the court summarizes them, the facts boil down to Facebook's transmission to third-party advertisers of the user ID or "username" of Facebook users who clicked on advertisements. This started "no later than February 2010 and ... continued until May 21, 2010." The transmission of this information forms the basis of putative class action claims for violations of the Stored Communications Act and the Electronic Communications Privacy Act, California's anti-hacking law, and a slew of state law claims.
Standing: The court first tackles Facebook's argument that plaintiffs lack Article III standing because they have not suffered "injury in fact." Because plaintiffs have alleged violations under a statute which "can be understood as granting persons in the plaintiff's position a right to judicial relief," the court finds that plaintiffs have standing to sue.
Wiretap Act/Stored Communications Act: With respect to plaintiffs' claims under the Wiretap Act and the Stored Communications Act, the court says that:
there are two possible ways to understand Plaintiffs' allegations. On the first view, Plaintiffs alleged that when a user of Defendant's website clicks on an advertisement banner displayed on that website, that click constitutes an electronic communication from the user to Defendant. Under this interpretation, the content of the user's communication with Defendant is a request that Defendant "send [a further] electronic communication to [an] advertiser." On the second view, Plaintiffs allege that when a user of Defendant's website clicks on an advertisement banner, that click constitutes an electronic communication from the user to the advertiser. Under this interpretation, Plaintiffs are merely "asking [Facebook]" to pass the communication along to its intended recipient, who is the advertiser.
The court finds that neither approach states a claim under the Wiretap Act. Citing to the language of the statute, the court notes that it restricts entities who provide electronic communication services from divulging the contents of any communication, other than a communication "to such person or entity or an agent thereof." Similarly, the statute restricts a provider from divulging the content of a communication to any person or entity "other than an addressee or intended recipient of such communication."
The court arrives at a similar conclusion under the Stored Communications Act, which contains an exception for disclosure where the "addressee or intended recipient" consents to the disclosure.
Unfair Competition Claim: The unfair competition claim requires plaintiffs to have "lost money or other property as a result of the unfair competition." The court finds that "personal information" does not constitute "property" for purposes of California's unfair competition law. Plaintiffs cited to the AOL data search case (Does v. AOL, LLC) for the proposition that "personal information" can be property for this purpose, but the court points to a significant difference between the two cases: plaintiffs in the AOL case paid fees for the service. In contrast, plaintiffs in this case used Facebook's service for free. The court footnotes plaintiffs' argument that personal information "constitutes currency" as not being supported by any case law. The unfair competition law claims are dismissed with prejudice.
California Penal Code sec. 502: Plaintiffs brought claims under California's anti-hacking statute. This was most recently construed in Facebook v. Power.com, where the same judge said that the words "without permission" should be interpreted to require circumvention of some technological measure and not just access in violation of a website's or service's terms of use. The court finds that plaintiffs failed to allege that Facebook bypassed any technical barriers in transmitting plaintiffs' personal information. The court dismisses these claims with prejudice, but gives plaintiffs leave to re-allege the claim under subsection (c)(8) of the statute, which covers the introduction of "any computer contaminant into any computer."
Consumer Legal Remedies Act: The court finds that this only applies to individuals who "purchase or lease" goods or services for personal or household use. Plaintiffs have not paid any money to use Facebook. Plaintiffs relied on their "personal information is currency" argument, but the court doesn't give it the slightest credit. This claim is dismissed with prejudice.
Contract Claim: The contract claims fail for lack of any allegation of "actual damages." The court will allow plaintiffs to amend to "allege specific facts showing appreciable and actual damages in support of their claim."
Fraud: No luck on the fraud claim either. Plaintiffs fail to allege reliance on any alleged fraudulent misrepresentations. The court grants leave to allege reliance.
Unjust Enrichment: The court says plaintiffs cannot simultaneously pursue an unjust enrichment claim while simultaneously pursuing a contract claim. This claim is also dismissed with prejudice.
__
Plaintiffs have one more chance with respect to several of these claims, but the court is pretty unimpressed with the lawsuit overall. In the last paragraph of the court's recitation of the facts, it notes plaintiffs "suffered injury." This looks like the judicial version of using air quotes.
I'm somewhat surprised at how easy the court's conclusions seemed on the ECPA and SCA claims. The court's conclusion on these issues is similar to the conclusion from the Doubleclick lawsuit over cookies from 2001 (In re Doubleclick). With respect to California penal code section 502, I don't see how the transmission of information states a claim under this statute. There have not been many rulings construing this statute, but it looks like the Power.com ruling will certainly be a meaningful hurdle for claims under this statute.
The interesting part of the lawsuit is the treatment of personal information as "property." The court is extremely skeptical of this theory. There was speculation as to whether acceptance of the classification of personal information as property for standing purposes would empower privacy plaintiffs when it came to the merits. Only a few results are in, but so far this does not seem to be the case. (See the discussion of Claridge v. RockYou, where this theory seems to have first been given credit for standing purposes: "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") A lawsuit over flash cookies was recently dismissed for lack of actual harm, and the court in that case also expressed skepticism over the "personal information as valuable property" theory. (See Professor Goldman's post on that case: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media.") I don't know if there was a hearing on this particular motion, but if there was, I can see the judge taking off his glasses, looking down at plaintiffs' counsel and giving the "you can't be serious here" look. At least, that's the tone of the order. It's also worth noting that plaintiffs who are subscribers of free services will have challenges bringing claims under some of the state statutes because they are not paying customers. Whatever the viability of the "personal information as valuable property" theory for other causes of action, courts do not appear very willing to treat personal information as the equivalent of money, in order to turn an otherwise free service into a paid service.
I'm with Professor Goldman on these lawsuits. I have a really tough time seeing the harm here. Maybe there's an example out there of a company finding out the identity of someone on Facebook who clicked on their banner ads, and all sorts of real-life negative consequences that flow from this. This sounds implausible enough that plaintiffs should have made some sort of attempt to explain why this is the case or provide an example or two. Judging from the court's order, plaintiffs didn't bother doing this, or did not do so effectively. I haven't even read any newspaper articles which point to any compelling examples of real-world harm that resulted from this disclosure of information by Facebook.
Plaintiffs get another chance for some of the claims, but it looks like they have a judge who is going to take a serious look at their claims. It's going to be a long road for these plaintiffs.
Posted by Venkat at 10:09 AM | Licensing/Contracts , Privacy/Security , Trespass to Chattels
May 10, 2011
The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches
[Post by Venkat Balasubramani with additional comments from Eric]
[Eric's note: This topic festered in my blogging queue for far too long, so we are finally posting this after the FTC's comment window closed. Nevertheless, this is such an interesting and important settlement that it's worth reviewing at this late date.]
In the matter of Google Inc., FTC File No. 102-3136 (Consent Order [pdf]) (FTC Press Release)
The FTC proposed a tentative settlement with Google over Google's ill-fated rollout of Google Buzz. The settlement includes the following terms:
No misrepresentations: The proposed agreement prohibits Google from making any misrepresentation regarding its information collection and use, and "the extent to which consumers may exercise control over the collection, use, or disclosure of covered information."
Opt-in for new sharing: To the extent Google shares previously collected information in a way that is different from what is stated in its policy at the time it collected the information (or any sharing occurs as a result of a new product feature), Google must (1) give notice separate from any terms of use or privacy policy, (2) disclose the identity or specific category of the third party recipients of the information (and the purpose), and (3) obtain "express affirmative consent."
Develop a privacy program: Google is mandated to develop a "comprehensive privacy program" and appoint a privacy czar who must, among other things, conduct ongoing risk assessments, implement reasonable controls and procedures, and evaluate and adjust its privacy program in light of the results of any monitoring or any material changes.
Ongoing assessments: Google must obtain biennial assessments from third party experts regarding Google's "privacy controls," and how the controls are appropriate, and are implemented to meet the requirements of the settlement.
Record keeping requirements: Google has to comply with ongoing record keeping requirements, including of its own privacy pronouncements, consumer complaints, any documents that question its compliance with the settlement, and underlying data used to prepare any assessments.
___
This looks similar to the settlement Twitter and the FTC entered into over Twitter's privacy (and security) practices. ("The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?") Both agreements impose a variety of fairly onerous obligations on the companies for a fairly long period of time. The FTC's proposed agreement with Google imposes significantly more obligations on Google than its settlement with Twitter did, and it applies across the board to all of Google's various initiatives. (This includes YouTube, Google Street View, Android, etc.) I did not pick up on this at first, but Commissioner Rosch concurred but issued a separate statement speculating about Google's own anti-competitive motivations in agreeing to restrictions that would make it harder for potential entrants into the field. ("Concurring Statement of Commissioner J. Thomas Rosch" [pdf].) Professor Goldman comments on this below, but maybe Google wanted this consent decree to be extraordinarily broad in its application?
I don't have a sense of the inner workings of an agency and what sorts of considerations go into bringing an enforcement action, but this seems over the top. Google acknowledged that its rollout of Buzz was fumbled - I don't think anyone thinks this was some nefarious plot to get everyone to share their email addresses and contacts and then exploit this information sharing. Apart from the outcry from privacy advocates, the service received a tepid response and was pretty much a flop. Google took reasonably prompt action in response to user outcry. I doubt this type of a botched rollout will happen to Google again. If there was ever a situation where a slap on the wrist would have been appropriate, this is it. Instead, Google is subjected to potentially onerous ongoing compliance obligations, and the failure to follow any one of these will result in a potential call from the FTC.
It's also odd that Twitter and Google, who are viewed to be on the more privacy-friendly end of the spectrum, are both under FTC jurisdiction for twenty or so years when the FTC hasn't taken action against Facebook. If anyone should be jumping through hoops and filing periodic reports with the FTC about privacy, it should be Facebook! [I'm sure Apple is viewing this with interest, in light of the ongoing commotion over its location tracking. (See "Apple Blames Bug For Extensive Location Tracking.")] As Professor Goldman points out, maybe this is part of an FTC strategy to bypass Congress when dealing with online privacy in general. When and if this settlement is approved, the FTC will have two of the biggest companies in the space under its thumb. It only has a few more to go before all of the major players are accounted for.
Two specific observations about the language of the agreement.
The definition of "covered information" includes:
(a) first and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above. [emphasis added]
This language is slightly different from the language in the privacy bill recently proposed by Senators McCain and Kerry. The proposed bill does not treat an IP address as personally identifying information but instead uses the term "unique identifier information that alone can be used to identify a specific individual." This may indicate a slight but potentially significant difference in the way that Congress and the FTC view an IP address as being "personally identifiable information".
The language also references "information [Google] collects from or about an individual." Initially, I assumed that the parties intended to refer to information Google collected while an end user is using one of its products or sites or information that is provided to Google by an end user, and not include the information Google "collects" about an individual. This latter category includes a whole lot more than information individuals provide to Google while using any of its products or services (e.g., information Google collects when it crawls the web). An FTC chat on Twitter regarding the proposed settlement makes clear that the FTC intends that any information Google collects about an individual is covered. (See FTC's "March 30 Twitter Chat regarding the proposed settlement with Google" [pdf], A5.)
Finally, the agreement requires disclosure of any new or additional uses of "covered information" clearly and conspicuously, and requires this disclosure to take place "separate and apart" from any end user agreement or privacy policy. Ouch. The requirement that disclosure take place separate and apart from an end user agreement strikes me as new. I'm sure there are ways this can be implemented without killing user adoption, but it speaks to the FTC's views on the efficacy of disclosures in terms of use and privacy policies.
There's also the issue of the class action over Buzz which Google settled and which is awaiting final approval from the trial court. ("Google Settles Buzz User Privacy Litigation.") The lawyers are entitled to up to $2.5 million from the settlement, but the settlement did not extract from Google 1/10th of the provisions as the ones in the FTC's proposed settlement. If there was ever a situation that highlights the need for scrutiny of lawyers' fees in privacy class actions, this is it. (As a sidenote, EPIC, whose complaint prompted the FTC inquiry, is objecting to the proposed settlement in the class action.)
____________
Eric's Comments
To me, one fact about the FTC-Google settlement stands out above all others: Google isn't paying a dime to the FTC. Given that Google already paid $8.5M to settle the civil lawsuits and the fact that very few (if any) consumers were actually harmed by the botched Buzz launch, a no-cash settlement with the FTC is logical. But it still leaves me pondering: if it wasn't looking for cash, why did the FTC initiate an enforcement action in the first place?
One possible answer is that the FTC is using this settlement to establish de facto legislation without having to deal with Congress, and it found a pliable target who thinks de facto legislation could help increase barriers to entry for its competition. After all, Google is already doing some of the things required by the settlement; but maybe Google's competitors aren't, in which case agreeing to the settlement has the backdoor benefit for Google of raising its competitors' costs. Commissioner Rosch hints at this possibility in his concurring statement.
Like Venkat, I see the similarities between this settlement and the Twitter settlement. Both involved Silicon Valley companies, both were no-cash deals and both involved lengthy behavioral restrictions. Another hypothesis to explain the enforcement action is that the FTC has had it with the Silicon Valley "cowboys," so it is going to lock down the leading Silicon Valley companies, one-by-one if it has to, into settlement agreements that give the FTC greater control over their activities. If this hypothesis is correct, then this settlement apparently has plenty of implications for Facebook and Apple and other leading Silicon Valley Internet companies--the FTC *will* be calling at some point based on some "technical" breach of the FTC Act, looking to put you under their thumb too.
I would also link this settlement with the DOJ's conditions on the Google-ITA merger, which also imposed substantial reporting requirements on Google. Maybe the DC powers-that-be are craving deeper looks into key Silicon Valley companies, and the reporting requirements give these regulators lots of extra information to improve the future ability to bust Google whenever they want.
The "fencing-in" part of the settlement is also particularly interesting. The actual commitment by Google--get express opt-ins for secondary data uses--isn't earth-shattering; it's always been my position that such permission was legally required anyway. However, the requirement in the settlement agreement has two implications.
First, the restriction applies across Google's entire organization for the next 20 years. If any part of Google violates the restriction, even accidentally, then the FTC comes a-callin' for a violation of the settlement agreement rather than an enforcement of the FTC Act from scratch. Procedurally, this puts the FTC in a more advantageous position to turn the screws on Google if there's a slip-up; or stated differently, Google has less room for minor errors than its competitors.
Second, Internet technologists widely believe that it's OK to launch half-baked web services on a beta basis and quickly iterate to fix any issues identified by the beta test. This approach doesn't work from a legal standpoint. If a beta version of an Internet service has privacy problems, the privacy plaintiffs' bar will swarm all over the company like flies to honey; the "but it was only a beta test" defense is legally irrelevant. This settlement, and the de facto legislation binding Google, is an indication that the FTC won't give anyone a free pass for botched beta launches either. Ultimately, this standard may be a good thing; companies should resolve issues before they put their users at risk. On the other hand, making new services error-proof before they go live is hard, and doing that level of fit-and-finish makes the innovation cycles harder. Unquestionably, the innovation process at Google will get gummier due to this settlement.
Admittedly, it's hard to feel sorry for Google in this situation. After all, I could comfortably live the rest of my days on only 0.1% of their 2010 profits, and their Buzz offering was misarchitected and too addled by Facebook envy. But given Google's large cash settlement of the civil lawsuit and the seemingly complete failure of Buzz in the marketplace, I don't see how the FTC's appearance at this party was either necessary or desirable. Thus, I still have this queasy feeling that the FTC settlement isn't designed to advance the public interest.
Posted by Venkat at 09:03 AM | Privacy/Security
May 04, 2011
9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal
[Post by Venkat Balasubramani]
US v. Nosal, 10-10038 (9th Cir.; Apr. 28, 2011)
The Ninth Circuit reversed the district court's dismissal of an indictment under the Computer Fraud and Abuse Act, holding that an employee's access of an employer's protected computer in violation of the employer's "use policy" violates 18 U.S.C. 1030(a)(4).
Background: Nosal, the defendant, worked for Korn/Ferry International, an executive search firm. He left the firm in October 2004 and signed a separation agreement under which he agreed to help Korn/Ferry as a consultant. After leaving employment with Korn/Ferry, Nosal allegedly engaged three Korn/Ferry employees to help him start a competing business:
[t]he indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the 'Searcher' database - 'a highly confidential and proprietary database of executives and companies' - which was considered by Korn/Ferry 'to be one of the most comprehensive databases of executive candidates in the world.'
The indictment indicates that Korn/Ferry took certain steps to secure its "highly confidential' database, and among other things, required its employees to enter into agreements which "restricted the use and disclosure of all [confidential] information, except for legitimate Korn/Ferry business."
LVRC Holdings v. Brekka: The district court, relying on LVRC Holdings LLC v. Brekka, dismissed, on the basis that the cooperating Korn/Ferry employees had authorization to access the confidential database for legitimate Korn/Ferry business, and therefore, their access of the database was not "without authorization." In Brekka, LVRC sued an ex-employee under the Computer Fraud and Abuse Act, alleging that the ex-employee accessed LVRC's computers without authorization when the employee emailed himself documents. The employee was authorized to access the documents in question, but accessed them for his own purposes, rather than in furtherance of LVRC's goals. The court rejected LVRC's claims, holding that "access without authorization" means access of a computer that was never authorized, or where access was expressly revoked - i.e., access of information that the employee is authorized to access, but accesses for a purpose contrary to the employer's purpose, does not constitute access "without authorization." In a footnote, the court also rejected LVRC's "implicit" argument that Brekka "exceeded the scope of authorization," on the basis that the statute defines "exceeding the scope of authorized access" as the access of a computer that the person has permission to access, but where the person accesses information that the person is not entitled to access.
The Ninth Circuit's Opinion in Nosal: The Ninth Circuit does a 180 from Brekka and holds that an employee who accesses a protected computer in violation of the employer's use restrictions "exceeds authorized access" for purposes of the CFAA:
as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.
The court distinguishes Brekka and states that while in Brekka there was no express policy in place (and the employer relied on state law duties of loyalty), in Nosal, the Korn/Ferry employees "were subject to a computer use policy that placed clear and conspicuous restrictions on the employees' access both to the system in general and to the . . . database in particular."
Judge Campbell dissented, arguing that the majority's interpretation would:
make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email or to check the latest basketball scores.
Judge Campbell points out that this case is analogous to the US v. Drew case, where the court rejected the government's interpretation that a violation of a website's terms of service could support a criminal violation of the CFAA. Judge Campbell also points out that although section 1030(a)(4) requires an intent to defraud, section 1030(a)(2)(C) also contains identical "exceeds authorized access" language but does not contain an intent requirement.
___
Nosal bolsters employer claims based on the Computer Fraud and Abuse Act, but it raises the same issues that the Lori Drew prosecution raised. The legal theory behind both prosecutions would criminalize harmless activity that many people engage in on a daily basis. Under the prosecution's theory in Drew, a website's terms of service would turn everyday web surfing which is in technical violation of those terms into a federal crime. People violate the terms of service of websites they access every day. Similarly, employees access their employer's computers in technical violation of acceptable use policies all the time. If an employer's policy says that you can only use the computer for work purposes, and you access espn.com, this is a technical violation of the policy, and under the court's interpretation of the statute, a federal crime.
What's surprising in all of this is that this looks like it should be a run of the mill trade secrets case brought by an employer, who has ample tools available other than the Computer Fraud and Abuse Act to deal with this situation. Instead, it's a federal criminal indictment which drastically expands the scope of Computer Fraud and Abuse Act liability.
[It's worth adding that other federal appeals courts have taken the same approach that the Ninth Circuit took in this case.]
Other coverage:
Threat Level: "Appeals Court: No Hacking Required to Be Prosecuted as a Hacker"
Orin Kerr: "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime)"
PrawfsBlawg: "When the Right Interpretation of the Law is a Scary One (CFAA Edition)"
Posts on US v. Drew:
"Lori Drew Criminal Case Ends With a Whimper"
"Lori Drew Guilty of 3 Misdemeanor Violations of the Computer Fraud & Abuse Act"
Posted by Venkat at 02:21 PM | Privacy/Security
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
By Eric Goldman
La Court v. Specific Media, Inc., 8:10-cv-01256-GW-JCG (C.D. Cal. April 28, 2011)
Lawsuits over cookies seem so Y2K to me. I thought we'd pretty much concluded that placing cookies wasn't actionable a decade ago (see, e.g., In re Doubleclick from 2001). But two things have changed in the interim. First, we're no longer dealing with garden variety cookies. Now we're dealing with FLASH cookies or SUPER cookies or LORD VOLDEMORT cookies or whatever. Surely, if you add a scary adjective before the word "cookies," they become much, much more pernicious than the plain ol' cookies of 2000. See more on my mocking of cookie angst.
Second, and perhaps more importantly, the Internet privacy plaintiffs' bar is much more organized than it was a decade ago. They have built litigation machines that are ready to rock-and-roll at any privacy provocation, no matter how slight. But just because the privacy plaintiffs' bar is a well-oiled machine doesn't mean it is doing quality legal work, as this judge notes pointedly--and repeatedly.
Even though the world might be a better place if they did, most judges are too polite and diligent to dismiss a lawsuit with a simple but honest opinion: "Motion to dismiss granted because the lawsuit is asinine." Instead, this opinion takes 9 single-spaced pages to reach that conclusion and grant the dismissal motion, although the judge does give the plaintiffs the chance to amend (an option they should decline, although they won't).
The Article III standing issue in privacy cases has gotten murky in the past 6 months in light of the 9th Circuit's Krottner v. Starbucks opinion and the more recent and much broader (but surprisingly uncited) Claridge v. RockYou opinion, both of which found privacy harms where I would not have. I still think Article III standing is the best way to get rid of the junk privacy lawsuits, so I am happy when courts embrace the doctrine to end unmeritorious cases early. This court says the plaintiffs might have been able to allege some harms sufficient to show Article III standing, but their advocacy sucked.
On the key question of economic harm from placing flash cookies, the court says:
the Complaint does not identify a single individual who was foreclosed from entering into a "value-for-value" exchange as a result of Specific Media's alleged conduct. Furthermore, there are no facts in the FACC that indicate that the Plaintiffs themselves ascribed an economic value to their unspecified personal information. Finally, even assuming an opportunity to engage in a "value-for-value exchange," Plaintiffs do not explain how they were "deprived" of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.
In response to the amended complaint, I hope the court will use Rule 11 to police any deliberate overclaims by the plaintiffs trying to respond with new evidence.
The court also rejects the plaintiffs' conclusory claim that the cookies degraded their computers' performance. This allegation shows up in a lot of privacy complaints, and good for the judge for rejecting the generic assertion and requiring the plaintiffs to show something more tangible before they survive a motion to dismiss.
The court's conclusion at the end of the Article III standing discussion isn't exactly a compliment to the plaintiffs:
It is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and factually supported theory of what that injury might be.
Ugh. Then again, in a footnote, the court shows the whip to defense counsel in response to the assertion that the lawsuit was brought in bad faith:
Defendant's counsel would be instructed that lawyers should not, just as a matter of basic professionalism, accuse other lawyers of operating a "shakedown" operation unless they can completely support such accusations.
Clearly, not a judge to be trifled with!
Although the judge dismisses the lawsuit on Article III grounds, the opinion provides some early guidance on some of the substantive claims:
* the judge expresses skepticism that the plaintiffs can meet the $5k damages requirement for a CFAA claim. In a footnote, the judge wonders if the plaintiffs' harm can be aggregated together to reach the $5k threshold. (I thought it could, so I'm intrigued what prompted the footnote).
* the judge wonders if the ECPA preempts the CA Penal Code 631 claim
* the judge is skeptical of the common law trespass to chattels claim because the plaintiffs didn't allege any meaningful impairment to their computers
* as usual, the unjust enrichment claim isn't a standalone claim. The plaintiffs also drop their CLRA claim.
Wendy Davis' coverage of this ruling.
Posted by Eric at 09:30 AM | Privacy/Security , Trespass to Chattels | TrackBack
May 02, 2011
California's Reader Privacy Act: A First Step in a New Direction (Guest Blog Post)
By Sonya Ziaja (with comments at the end from Eric)
[Eric's note: this guest post is from Sonya Ziaja, J.D., a California attorney and co-owner of Ziaja Consulting LLC. She writes regularly for LegalMatch's Law Blog and Ziaja Consulting's blog, Shark. Laser. Blawg. I have added some of my own comments at the end.]
California's Reader Privacy Act, SB 602, recently passed through the Senate Judiciary Committee and will move to the next step in the legislative process. The bill, sponsored by Senator Yee, the ACLU, and EFF, aims to protect readers' right to privacy against unwarranted disclosure to state governments and third parties. It represents an important first step towards protecting readers' rights in the digital age; but it alone cannot achieve reader privacy.
Background
The impetus for this bill stems in part from behavioral and technological shifts in how people read. The availability and variety of data about people's reading habits is far greater when they read digital materials than with traditional printed media. The ACLU's 2010 report on digital books provides a nice summary of what information can be collected:
Digital book providers can easily track what books an individual considers, how often a given book is read, how long a given page is viewed, and even what notes are written in the "margins." As reading has moved online, it also has become much easier to link books that are browsed or read with a reader's other online activities, such as Internet searches, emails, cloud computing documents, and social networking. With all of this information, companies can create profiles about individuals, their interests and concerns, and even those of their family and friends.
Despite the dramatic increase in metadata about people’s online reading activities, current reader privacy law in California only protects personal information recorded at libraries. Earlier attempts to protect readers of digital materials from unwarranted government searches focused on self-regulation. For example, in 2009 EFF, concerned about Google's reader privacy policy, requested that Google adopt a “come back with a warrant” policy. Google refused. Self-regulation has so far been insufficient to protect reader privacy.
Key Provisions
The Reader Privacy Act defines book providers and books inclusively. “Book providers” means any commercial entity that offers a “service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books.” A “book” is defined as
. . . paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes.
Under this definition, news articles, blogs, magazines, and potentially some websites could all be considered “books.” This would mean that “book providers” could include LexisNexis, Google Reader, Amazon and your local bookstore. (More on the expansive definition of “book provider” in a moment).
The Act would limit a book provider’s release of information it collects about readers to a third party. Essentially, the bill places stones in the river; it won’t dam it completely, but it would subtly redirect the flow.
The Act is strongest against government entities. Generally, if a request comes from a government entity, a book provider could not “knowingly disclose” personal information without a valid warrant except in cases of “imminent danger.” In addition to requiring a warrant, the Act gives guidelines for when such a warrant is legitimate. The guidelines are very similar to Colorado's Tattered Cover balancing test (Tattered Cover v. City of Thornton, 44 P. 3d 1044 (2002)), which requires that (1) the requester have a compelling need for the information sought, (2) there are no alternative means for collecting the information, and (3) the court balance law enforcement's need for information against the constitutional rights of the user. Similarly, California's bill requires there be a compelling interest in obtaining the information, and that there be no less intrusive way to obtain the information, before a warrant can be issued. In addition, under the California bill, the provider must be given reasonable notice and have a chance to contest disclosure before a warrant is issued.
While government entities would need a warrant before a book provider can release personal information to them, book providers can, on their own initiative, still sell and trade personal information to data brokers and other third parties. The Act, however, does place a few hurdles in the way of third parties who seek to compel book providers to disclose information. Litigants—both government entities and private third parties—cannot compel discovery of personal information about users from book providers without a court order. The court order would be subject to similar restrictions to warrants: compelling interest, no less intrusive means, notice to the book provider, and notice to the user.
The Act requires that the book provider communicate specific discovery requests it receives to users.
Book providers must also publish aggregate statistics on a publicly accessible website. Those stats must include the number of disclosure requests the book provider received and whether they complied with or contested those requests.
These are new obligations; the ACLU notes that Amazon's privacy policy as of 2010 specifically states that the company will not tell users if they have shared personal information in many circumstances. By mandating disclosure, the Act would make companies more publicly accountable for their privacy policies and compliance with the law.
Remedies & Scope
There are few penalties for violating the Act. Evidence obtained in violation of the bill would not be admissible in criminal or civil proceedings (except of course to demonstrate a violation of the Act). And book providers would be civilly liable for violating the Act, but only if they knowingly give information to a government entity.
In those cases, the user whose information was distributed can sue the book provider for up to $500 per violation. In addition, if a book provider violates the Act more than two times in six months—again, by knowingly giving personal information to a government entity—then the Attorney General, district attorney, or city attorney can sue the provider for $500 per violation.
It is not clear from the statute what constitutes a “single” violation. As the Act is currently written, a single violation could be a data transfer of compiled information, or it could be the transfer of each individual piece of personal information in that compilation. Depending on the interpretation of the statute, transferring just 100 distinct pieces of user information in one transfer could make a book provider liable for either $500 or $50,000. If and when a case is brought under the Reader Privacy Act, this interpretation is likely to be an issue in litigation.
Interpreting what exactly a “book” is will also likely be an issue. Part of the statutory definition is that a book is “paginated or similarly organized content.” The “pagination” requirement might limit the statutory scope; but, if “similarly organized” means “information appearing in a sequential order,” then the scope of the Act is greatly increased. Given the references to “audio” books, some Internet radio stations and even services like NetFlix could be within the statute’s scope. Films, for example, are frequently organized by chapters or segments in “audio, electronic, or other format.” Similarly, some unexpected websites could hypothetically be “books.” Ted.com, for example, is a website that presents short lectures on a myriad of topics. Once a viewer has finished one lecture, links appear for what to watch next or for other lectures from the same series. In other words, there is a sequence to the lectures presented. Since the information is presented sequentially—and could be paginated if the same lectures were transcribed into a codex form—perhaps the website is also a “book.” The effort to define “books” as separate from other types of content (for purposes of heightened protection) could trigger lots of litigation, some of it unproductive.
Websites that primarily feature written content, e.g. blogs, are more likely candidates to be covered by the Act. Blogs after all are published sequentially (by date) and some are paginated; so they very likely fulfill the first part of the statutory definition. The content in blogs is presented in electronic format, which fulfills the second part of the definition. In short, bloggers, watch out—even though the statute probably wasn’t meant to cover you, you inadvertently might be a “book provider” too.
The geographic scope of the Act of course covers websites based in California, and will include some out-of-state sites as well. A plaintiff's ability to sue an out-of-state “book provider” under the Act depends on whether the site is “active” or “passive.” Without going too deep into the rabbit hole of internet jurisdiction, generally speaking a site is “active” if it has an interactive component (including marketing). A website that sells books, for example, is likely “active.” Whereas a blog is more likely to be “passive.” If a website is “active” and establishes minimum contacts in California, it could be subject to liability under the Reader Privacy Act.
Shortcomings & Potential
The most significant limitation of the Reader Privacy Act is that the warrant requirement only applies to California state and local government entities. It does not (by its own terms) and cannot (under Article VI of the Constitution) restrict the information-gathering efforts of federal government entities. And so, for example, warrantless searches for reader information conducted by the FBI cannot be covered by the Reader Privacy Act. This seriously undermines the Act’s efficacy.
In addition, the Act would not prevent book providers from compiling and using data about readers for their own benefit. It also does not prohibit providers from selling or giving personal information away to non-government entities.
This allowance could create a significant loophole in preventing government intrusion. One legal scholar describes this as the fourth-party aggregator problem,
[Fourth-party data aggregators, like Choice Point and LexisNexis] are in the business of acquiring information, not from the information's originator (first-party), nor from the information's anticipated recipient (second-party), but from the unavoidable digital intermediaries that transmit and store the information (third-parties). These fourth-party companies act with impunity as they gather information that the government wants but would be unable to collect on its own due to Fourth Amendment or statutory prohibitions.
(Joshua L. Simmons, Note: Buying You: The Government's Use of Fourth-Parties to Launder Data About “The People,” Columbia Business Law Review, Vol. 2009, No. 3, p. 950.)
In its current form, the Reader Privacy Act would not stop “fourth-party” information collectors from giving or selling the same information that the original book provider collected to government entities—but only if the book provider sells or transfers the information to a fourth-party collector in the first place.
If the bill remains in its current form, there may be external ways to close that loophole, though admittedly, they are scrappy. One possibility is to wait for a judicial ruling in California holding that fourth-party aggregators who turn over data to government entities are acting as agents of the government and are therefore bound by the same laws that constrain government intrusion. Of course, such a decision would require a justiciable case to be brought first, and even then, the court’s decision is unpredictable.
Alternatively, one could piece together additional state or federal legislation that protects readers from companies collecting data in the first instance. For example, if the Kerry-McCain privacy bill is passed, users could opt out of data collection by the book providers. But, it would still only protect readers of digital materials who are savvy enough to know about the law and opt out.
Perhaps a more elegant way to handle the fourth-party problem, though, is to simply include fourth-party aggregators who sell or give data to government entities in the Reader Privacy Act's statutory definition of “government entity.”
How the California legislature chooses to deal with this loophole will determine the efficacy of the Reader Privacy Act. Even so, the transparency requirements of the Act, and the increased scrutiny it provides for discovery requests, make the Act a positive step towards reader privacy protection.
___________
Eric's comments
This bill is animated by laudable concerns but ultimately flawed in its execution. Personally, I hope it doesn't pass in its current form.
The bill starts with the right premise. I find it odd when I see freak-outs about "Little Brother's" use and disclosure of personal data. To me, Big Brother is far scarier, yet we rarely see new legislative initiatives to curb government surveillance powers--even though the digital age has expanded the reasons why we need additional limits on the government's power to snoop on its citizens.
Reading data is an example of relatively new digital data that is an overwhelmingly attractive honeypot to government snoopers. I got into this issue a bit in my Coasean Analysis of Marketing article, where I argued that we needed a new evidentiary privilege to protect our reading/browsing data (in that case, as captured in an automated technological agent trying to effectuate our consumer interests). On that basis, I enthusiastically support efforts to restrict the government's ability to learn more about my private interests.
However, this particular law has two major structural defects. First, it tries to limit its applicability to "books" as a subset of all of the information we consume. Unfortunately, books aren't easily defined, and as Sonya points out, the definition in this statute creates many ambiguous border cases. Further, in the modern era when consumers have shorter attention spans than ever, it seems archaically quaint to think that our interactions with books are more sensitive than our interactions with other types of content. The more logical move would be to treat all reading data equally rather than privileging books over the other information classes. I suspect such a broad legislative sweep would fail, but the definition of "books" doesn't work either.
Ordinarily, I would be OK with the definitional ambiguity with a statute like this. After all, the law is designed to limit the government's snooping power; if that restriction bleeds beyond books and into other content classes, that sounds like a feature, not a bug. However, this leads to my second structural problem: the private cause of action. The combination of an ambiguous scope + private enforcement = plaintiff lawyer fiesta. Let's be clear how big of a problem this is: as a blogger, I'm not sure if this statute covers me or not. However, if I were to respond to a subpoena without complying with the technical requirements, I may be betting my house. Meanwhile, if I *don't* comply with the subpoena, I might also be betting my house. Uh, trouble in either direction. NO THANK YOU.
I think the law would be much more appealing if it lacked the private cause of action. But if the drafters thought they really needed a private cause of action, they should put the liability on the real wrongdoers--the people asking for information they are not entitled to have. For example, it would be more appropriate to put the onus on the government to actually comply with its own laws when it's snooping on its citizens, rather than on the intermediaries to figure out if they are governed by this law or not.
I do want to mention one other structural issue. As a categorical matter, I oppose any state law to regulate the Internet. We have seen absolutely nothing good come from those efforts. At best, the state laws have been inconsequential; at worst, they have threatened to destabilize the Internet. (Utah's repeated screw-ups come to mind). With this particular law, the state effort might be OK if it only restricts the California government and California litigants--but that is also of limited benefit, and as usual, the drafting doesn't make its geographic restrictions clear. Separately, I have supported the Digital Due Process effort, which addresses cloud privacy (a similar issue). The DDP effort is federal and therefore would standardize practice across the nation. For that reason alone, the DDP would be more helpful than this law.
I don't feel great bashing this legislative proposal. We need more legislative efforts to protect readers' rights, and those efforts are all too rare. Nevertheless, I hope we will continue to think about better ways to accomplish this act's goals.
Posted by Eric at 01:54 PM | Privacy/Security | TrackBack
April 20, 2011
A Look at the Commercial Privacy Bill of Rights Act of 2011
[Post by Venkat Balasubramani]
The Commercial Privacy Bill of Rights Act of 2011
Senators McCain and Kerry recently introduced the Commercial Privacy Bill of Rights Act of 2011. It will probably go through various iterations before being enacted, and its prospects are far from certain, but I thought I would summarize what jumped out at me when I first read it.
Who does it apply to? It applies to anyone who "collects, uses, transfers or stores" information concerning more than 5,000 individuals in a 12 month period and who is subject to the authority of the Federal Trade Commission (or is a common carrier or a non-profit). However, it does not apply to government agencies. (See "Privacy 'bill of rights' exempts government agencies.")
Who gets to enforce it? The FTC and state attorneys general. The Bill does expressly state that it "may not be construed to provide any private right of action." A separate provision says that other than as authorized under the Bill, no one can use the provisions of the Bill as a basis for state law claims. There are provisions which touch on customer rights, but end users cannot bring an action to enforce the provisions of the Bill.
What is the effect on state laws? The Bill would preempt state laws to the extent those laws relate to the collection, use, or disclosure of covered information, personally identifiable information, or personal identification information. The short title contains a nod to avoiding a "patchwork of inconsistent standards and protections." The Bill's preemption clause carves out (1) state laws addressing "health or financial information," (2) state data breach notification laws, and (3) state laws which relate to "fraud." If enacted, it looks like the states are going to have to take a back seat to this Bill and are going to have a tough time enacting online privacy statutes.
What information is covered? The Bill defines "Personally identifiable information," as (1) the first and last name of an individual; (2) postal (residential) address; (3) email address; (4) telephone number or mobile number; (5) social security number; (6) credit card number; (7) "unique identifier information that alone can be used to identify a specific individual"; or (8) "biometric data," including fingerprints and retina scans. [emphasis added]
The definition of PII also covers any of the following if stored or used along with (1) through (8) above: (1) date of birth; (2) birth certificate number; (3) place of birth; (4) unique identifier information "that alone cannot be used to identify a specific individual;" (5) "precise geographic location," excluding general geographic information that can be derived from an IP address; (6) information about an individual's use of "voice services, regardless of technology used;" and (7) a catch-all.
The Bill also contains a third category of information which it calls "sensitive" PII, which includes medical/health information and the "religious affiliation" of an individual.
The Bill excludes PII that is obtained from public records and "that is not merged with covered information." Information that is voluntarily shared (without restriction) and that is widely and publicly available is also excluded.
What is "unauthorized use"? Unauthorized use is broadly defined as use of "covered information . . . for any purpose not authorized by the individual." The definition contains a list of exceptions to deal with things like transaction processing, fraud prevention, and compliance with subpoenas. One of the exceptions deals with online advertising, and provides that use for marketing or advertising (from a covered entity in the context of the entity's own website, services, or products) is not unauthorized if the information is (1) used by the entity which collects the information or (2) used by a third party "at the affirmative request of the individual" or where the affected individual has "an established business relationship" with the individual. There's also a catch-all provision which states that the exclusions apply only where the use is "reasonable and consistent with the practices described in the notice" pursuant to which the information was collected.
The Bill directs the FTC to enact rules which will require any covered entity to offer a "clear and conspicuous" opt-out for any unauthorized use of PII, and specifically to offer "robust, clear, and conspicuous mechanism" for use of information by third parties for "behavioral advertising or marketing," and "clear and conspicuous" opt-in consent for the treatment of sensitive PII and the use or transfer to a third party of previously collected PII (if there is a material change in the entity's practices and the use or transfer creates a "risk of economic or physical harm").
Does the Bill allow users to force entities to correct their information? The FTC is directed to implement rules which would also require covered entities to allow users to access their information and to provide a mechanism to "correct such information to improve the accuracy of such information." Finally, the FTC rules would address transfers in the event of a bankruptcy. The Bill also addresses security standards.
__
This is a meaty piece of legislation that will easily fatigue anyone who tries to digest it in one sitting. Whether or not it accomplishes anything in terms of user privacy, it will certainly keep many lawyers gainfully employed.
One of the big questions is how any privacy legislation will affect the online advertising market. How does it affect the use of cookies, which allow sites or advertising networks to collect information which is used for targeting? The rules which the FTC is directed to enact would:
offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals' covered information for behavioral advertising or marketing.
The National Advertising Initiative (which many advertising networks are a part of) offers an opt-out, and one question is whether this (or a similar) opt-out would suffice. There was speculation about a "do-not-track" list but "do-not-track" did not make it into the bill. It was unclear to me as to whether if someone exercised their opt-out right, a site or company in question (the third party) would have to stop using the person's data, or whether the opt-out would be passed up the chain (i.e., to an ad network).
Interestingly, the Bill only covers "personally identifiable information" (and sensitive PII). "Unique identifier information" is defined as information that "alone can be used to identify a specific individual." The definition of "covered information" in turn references PII and "unique identifier information," and information that is collected with either of these. This means that at least some tracking will not even be covered by the opt-out rules. Retailers, for example, who use cookies to track your browsing look like they may be covered (and would be entitled to the business relationship exception anyway, to the extent they collect personally identifiable information along with information used for tracking purposes), but sites that you don't register or provide your identifying information to are not necessarily using any "covered information" when they target advertising using cookies. (The practice of anonymization - stripping information of any personal attributes and then using it for targeting purposes - looks like it may be OK under the Bill as well.)
The Facebook exception is something that is worth flagging. Facebook reportedly sent an army of lawyers and lobbyists to the hill to fight for the "established business relationship" exception. The fight was successful, and the result is significant. The Bill defines established business relationship as any time an end user has "established an account" with an entity for the receipt of products or services "offered by the covered entity." The definition is somewhat clunky, but the consequence of this is that Facebook (or Twitter, Google, etc.) would not be considered a "third party" with respect to a website, if the user in question has an account with Facebook. So CNN.com (for example) and Facebook can freely use PII to target advertising, and Facebook would not be considered a third party. If I'm reading this right, this could be a huge boon for the likes of Facebook and Twitter, and a killer for ad networks. (The regulations which require covered entities to offer individuals an opt-out for behavioral advertising only apply to use by "third parties," and entities which have "established business relationships" are not considered third parties.)
I'm curious about how the Bill would affect off-line (paper) direct marketing. My read of the bill is that it could limit certain aspects of junk mail. (The preamble talks about on and off-line use of data, but the text of the bill doesn't seem to delve into details much with respect to off-line use.) The Bill treats a residential address as personally identifiable information, which is subject to various restrictions on use and transfer. The Bill treats advertising from a covered entity's "own . . . website" as authorized, but does not clearly state that direct mailing is authorized. (The language is somewhat clear on this point.) Certainly, the Bill could be read to reach the sharing of addresses from one retailer to another, or from one retailer to a clearinghouse? Will the Bill require an opt-out from catalog marketers? Did the direct mailer association miss the lobbying boat on this one?
The effect on data aggregators is another aspect of the Bill that's worth watching. Could the Bill be read to prevent retailers and other companies (such as cell phone companies) from transferring your information to companies that aggregate and sell your data, even for purposes such as a credit check?
Finally, since the Bill defines personally identifiable information to include email addresses, I wonder what effect this will have on email marketing, and the transfer of email addresses among various entities.
Other coverage:
ReadWriteWeb: "John McCain & The Wall St. Journal Should Not Determine the Future of the Internet"
Ad Age: "Proposed Privacy Law Serves Notice to Online Ad Companies" ("There is a section that protects Facebook and like enterprises under the "Established Business Relationships" section, which would allow the social network to continue to collect "likes" that appear on thousands of sites across the web.")
EFF: "Well-Meaning "Privacy Bill of Rights" Wouldn't Stop Online Tracking"
LA Times: "Facebook looks to cash in on user data"
cnet: "Privacy 'bill of rights' exempts government agencies"
Posted by Venkat at 09:03 AM | Privacy/Security
April 19, 2011
FTC Warns Debt Collector About Using Facebook to Contact Debtor
[Post by Venkat Balasubramani]
In the Matter of Gary D. Nitzkin, P.C. (FTC Letter; Mar. 10, 2011)
Debt collectors have gotten into trouble over the use of social media to contact debtors. (See "Judge Orders Creditor to Stay Off Debtor’s Social Networking Pages.") Facebook has also taken a stand against the use of its service by debt collectors. ("Facebook Warns Debt Collectors About Using Its Service.")
The FTC jumped into the fray as well, and recently issued a closing letter to a lawyer who used social media to contact a debtor. Although the FTC declined to take action in that particular case (because the lawyer only did this on one occasion and the debt in question was a commercial debt which does not fall under the Fair Debt Collection Practices Act), the FTC articulated its position that debt collectors may violate the Fair Debt Collection Practices Act and/or the FTC Act by doing any of the following:
(1) requesting to join debtors' social media networks (for example, by sending a "friend request" on Facebook), or making any subsequent communications, for the purpose of collecting a debt, without making the disclosures required by Section 807(11) of the FDCPA; (2) communicating with third parties other than in the limited circumstances permitted by Section 805(b) of the FDCPA; (3) communicating with third parties to obtain location information about debtors in a manner that violates Section 804 of the FDCPA; (4) utilizing social media in a manner that constitutes a publication of a list of debtors who allegedly refuse to pay debts, in violation of Section 806(3) of the FDCPA; and (5) communicating with debtors or third parties in a false, deceptive, or misleading way, in violation of Section 807 of the FDCPA.
I'm no FDCPA expert, but the FTC's interpretation seems fairly expansive. It looks like the FTC is drawing a protective wall around the social networking profiles of debtors. Effectively, the FTC's approach (for better or worse) will preclude a debt collector from joining a debtor's "social network" for information collection purposes. (Nothing in the FTC's letter restricts a debt collector from privately messaging a debtor, as long as the necessary disclosures are made along with the message. Whether or not a debt collector can privately message a debtor on Facebook without being their 'friend' depends on the debtor's privacy settings.)
Posted by Venkat at 02:23 PM | Content Regulation , Privacy/Security | TrackBack
Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe
By Eric Goldman
I've been so behind that it's taken me until now to blog these cases from last month. All three opinions involve the same basic fact pattern: a bulk emailer gets blocked by an email service provider (relying in part on third party filtering/blocking services) and sues to undo the block. These claims are largely preempted by 47 USC 230(c)(2), and the courts mostly get to the right place with the immunity (although not without small points of drama). The aggressive plaintiffs also assert claims not covered by 47 USC 230(c)(2), but these mostly don't go anywhere either. The lesson is pretty clear: if an email service provider blocks your email, the courts aren't going to help you out.
Holomaxx Technologies v. Microsoft Corp., 2011 WL 865278 (N.D. Cal. March 11, 2011), and
Holomaxx Technologies v. Yahoo, Inc., CV-10-4926-JF (N.D. Cal. March 11, 2011). Venkat's excellent prior blog post on the complaints. These rulings are substantially identical, so I'll discuss them together except where they diverge.
Holomaxx is a bulk email sender upset because Yahoo and Microsoft are blocking its emails based both on IP address blocks and reputation scores (including those provided by third parties). We've heard this refrain before in many cases over the years, and the law is pretty clear about this. Email service providers can't be obligated to carry emails they don't want to carry. There are a number of legal doctrines that help reach this conclusion, but the most salient one is 47 USC 230(c)(2), the immunity for filtering decisions.
In response to Holomaxx's lawsuit over the block, Microsoft and Yahoo interposed the 230(c)(2) defense on a 12(b)(6) motion to dismiss. Holomaxx objected that 230(c)(2) is an affirmative defense and not an appropriate response for a 12(b)(6) dismissal motion. This is the issue that vexed the Ninth Circuit in the Barnes v. Yahoo case until they fixed the opinion. In this case, Judge Fogel properly concludes that 230(c)(2) can support a 12(b)(6) motion to dismiss. (He reached the same conclusion in Goddard v. Google).
Holomaxx then argued that 230(c)(2) does not prevent blocking of legitimate email because such a block doesn't fit within 230(c)(2)'s "otherwise objectionable" language. The judge says:
No court has articulated specific, objective criteria to be used in assessing whether a provider’s subjective determination of what is “objectionable” is protected by § 230(c)(2).
And Judge Fogel isn't going to be the first. Instead, he sidesteps the issue, holding that the service providers could deem the emails "harassing" because, even if Holomaxx had a 0.1% error rate, as it claimed in the Yahoo case, that still netted 2M bad emails/year. Therefore, the filtering decisions fit within the other statutory language in 230(c)(2). This is a cute intellectual move which potentially expands the scope of 230(c)(2) by reading "harassing" broadly.
Holomaxx also attacks the "good faith" requirement of 230(c)(2), but does so in a generalized way. The judge rejects the argument, saying (in the Yahoo case):
Holomaxx alleges no facts in support of its conclusory claim that Yahoo!’s filtering program is faulty, nor does it identify an objective industry standard that Yahoo! fails to meet. While it suggests that Yahoo! is “using cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email,” it offers no factual support for these allegations. Nor does Holomaxx cite any legal authority for its claim that Yahoo! has a duty to discuss in detail the particular reasons for blocking Holomaxx’s communications or to provide a remedy for such blocking. Indeed, imposing such a duty would be inconsistent with the intent of Congress to “remove disincentives for the development and utilization of blocking and filtering technologies.”
The Microsoft opinion's text is similar. Holomaxx gets another chance to marshal better allegations, but I'm guessing they won't be able to do so.
The court rejects the ECPA claim (which 230(c)(2) doesn’t immunize) because Holomaxx didn't explain clearly enough how the email service provider "intercepted," "used" or "disclosed" Holomaxx's email or how the ESP improperly accessed stored communications. The 17200 claim (which I think should be preempted by 230(c)(2), although that issue isn't discussed) also fails for lack of Holomaxx's specificity. A Microsoft-only defamation claim doesn't survive either:
Holomaxx alleges, on information and belief, that Microsoft "informed Dragon Networks in writing" that it had blocked all IP addresses originating from Dragon Networks because "certain of Holomaxx's .78 addresses had been rejected 'for policy reasons,' and were blocked manually 'or for spamming.'" Holomaxx does not explain how the alleged statement was defamatory or produce a copy of the alleged defamatory correspondence between Microsoft and Dragon Networks. Nor does it explain how the alleged communication amounts to "a statement of fact that is false."
As a result, the judge dismisses the lawsuit but with leave to amend.
Smith v. Trusted Universal Standards in Electronic Transactions, Inc. (d/b/a TRUSTe, Inc.), 2011 U.S. Dist. LEXIS 26757 (D. N.J. March 15, 2011).
Like Holomaxx, Smith sends a lot of email through Comcast. Comcast blocked his outgoing email twice. The first time, Comcast pointed to Microsoft's Frontbridge/Exchange Hosted Services (EHS) quarantine system. The second time, Comcast pointed to Cisco's IronPort/Senderbase blocklist. Smith sued all three entities (and others). Last year, the court rejected a 12(b)(6) motion to dismiss based on 47 USC 230(c)(2).
Ten months later, after presumably lots of wasted effort, the court converts Cisco's and Microsoft's 12(b)(6) motions into a summary judgment motion and grants the dismissal on 230(c)(2) grounds. I'm sure the defendants appreciate the dismissal, but I'm sure they would have been even more appreciative if the court had reached the result on the last go-around. The court still can't let the case go with respect to Comcast, however.
Cisco/SenderBase gets the 230(c)(2) defense as a blocklist provider. This may sound easy, but the statutory drafting makes the court’s analysis more arduous than it ought to be.
Cisco's senderbase.com website constitutes an ICS. This makes Cisco a "user" of an ICS because it uses its website to publish the blocklist. It is also a provider of an ICS because it runs the website. This is the issue that tripped up the court in the last ruling, and although it got to the right result, I don't think the court has fully wrapped its head around the statutory language. I read the court's discussion at least 6 times, and I couldn't make it make sense. Just know that a blocklist provider probably is both a provider and user of an ICS, so this element is met.
The blocklist easily satisfies the requirements of 230(c)(2)(B). As the court notes (citing Zango v. Kaspersky), whether material is "objectionable" is measured subjectively. Thus, the court dismisses Cisco, noting:
The Court notes that Plaintiff's breach of contract and defamation claims are dismissed because they specifically relate to Cisco's SenderBase service. Plaintiff's defamation claim is based upon the fact that Cisco publishes IP scores. Plaintiff's breach of contract claim is based on the fact that Cisco refused to provide Plaintiff with the information that it used to calculate the reputation score for the IP address assigned to Plaintiff by Comcast.
Microsoft's EHS quarantine operates in the cloud by routing all email through its servers, which screen out emails based on its blocklist (as modified by customers' parameters). This should be even easier to qualify as a provider/user of an ICS. The court's discussion on this point doesn't make any sense either, but it reached the right result. As with Cisco, the court says the blocklist qualifies for 230(c)(2)(B) and the contract breach claim fails for the same reason.
Comcast doesn't get so lucky. The court once again finds that Comcast could have acted in "bad faith" which could disqualify it from 230(c)(2) coverage:
the Court finds that a reasonable jury could conclude that Comcast acted in bad faith when it failed to respond to Plaintiff's repeated requests for an explanation why it continually blocked Plaintiff's outgoing email...the Court is not convinced that an internet service provider acts in good faith when it simply ignores a subscriber's request for information concerning an allegedly improper email blockage...there is no reason why Comcast could not articulate its immunity (or provide another rationale for the blockage) when asked to do so by a paying customer.
Whoa. Hold on a sec. The court is saying that online providers have to provide explanations to their customers for their back-end choices. First, that's not in the statute. Second, Judge Fogel expressly rejected this argument in his Holomaxx rulings. Third, the court’s position is ridiculous. Being legally obligated to explain business decisions to affected customers would add an extra layer of expense/hassle to everyday business decisions, and the explanations will just become additional grist for the plaintiff's mill (see, e.g., Barnes v. Yahoo and the resulting incentives to tell customers less, not more). I'm 99%+ confident that an appellate court would reverse this judge on this point. I think he went off the rails. As a result, I don't plan to advise clients that they have to provide explanations for their blocking decisions, and I don't recommend you advise otherwise.
Although Comcast doesn't get the 230(c)(2) immunity, the court still ends up granting it summary judgment on all of the claims. There's some interesting discussion there too.
The court rejects Smith's ECPA claims and the substantively identical state claims. Cisco doesn't actually intercept emails, and Microsoft quarantines emails with its customers' consent.
Smith's contract breach and promissory estoppel claims against Comcast fail because Comcast didn't make any promises it failed to keep and because Smith was using a personal account for unpermitted commercial activities. (To me, this is facially inconsistent with any argument that Comcast had bad faith for 230(c)(2) purposes, but the court ignores that implicit contradiction).
Smith's NJ Consumer Fraud Act claim against Comcast also fails because he can't show fraud or ascertainable loss (because he only alleged that he lost time). The court dismisses a couple other claims, too.
Posted by Eric at 11:04 AM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | TrackBack
April 18, 2011
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
[Post by Venkat Balasubramani with comments from Eric]
Claridge v. RockYou, 2011 WL 1361588 (N.D. Cal.; Apr. 11, 2011)
RockYou is a developer and publisher of applications for use with Facebook, MySpace, hi5, and Bebo. RockYou's applications allow users to share photos, write text on a friend's page, or play games with other users. In order to sign up, users are asked to provide an email address and create a password. Users may also be required to provide their social network user name and passwords. RockYou displays advertisements on the apps. RockYou claims to have "more than 130 million unique customers using its application on a monthly basis."
RockYou was alerted to an alleged security problem with its SQL database in late December 2009 by an online security firm. Plaintiff claims that RockYou failed to act quickly enough to address this problem, and as a result
at least one confirmed hacker known as 'igigi' accessed RockYou's database, and in the process accessed and copied the email and social networking login credentials of at least 32 million registered RockYou users.
Plaintiff sued RockYou in a putative class action, alleging a slew of claims: breach of contract, the Stored Communications Act, negligence, California's anti-hacking statute, and California's unfair competition and consumer protection statutes.
Standing: RockYou argued that plaintiff lacked standing - i.e., that the unauthorized access of plaintiff's login credentials did not cause plaintiff any "concrete, tangible, non-speculative harm." In response, plaintiff argued that:
[RockYou's] customers, including plaintiff, 'pay' for the products and services they 'buy' from [RockYou] by providing their PII, and that the PII constitutes valuable property that is exchanged not only for [RockYou's] products and services, but also in exchange for [RockYou's] promise to employ commercially reasonable methods to safeguard the PII.
The court agreed with plaintiff and found that plaintiff alleged an injury in fact sufficient to confer standing. The court noted that the case law is mixed on the question of whether data breach plaintiffs have standing to sue. The court recognized the novel context in which the claims arose:
the unauthorized disclosure of personal information via the Internet - is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.
Although the court expressed "doubts about the plaintiff's ultimate ability to prove [plaintiff's] damages theory," the court declines to dismiss on the basis of standing.
Contract Claims: The court initially rejects RockYou's request to dismiss the contract claims (based on a breach of RockYou's privacy policy) on the basis that plaintiff did not lose anything of value. For pleading purposes,
plaintiff . . . sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII.
RockYou argued that the privacy policy terms expressly provided that it could not be held liable for any unauthorized third party access to users' personal information, but the court disagrees, citing to RockYou's privacy policy. The policy disclaims liability where a third party accesses user information contained in RockYou's "secure servers," but the court notes that RockYou's servers were not in fact secure. The court also cites to flowery language in RockYou's privacy policy to the effect that RockYou takes "commercially reasonable . . . safeguards" to protect user information.
Consumer Protection Claims: Plaintiff loses on his California consumer protection act claims. With respect to his claim under California's unfair competition law, one of the two requirements is that the plaintiff has to have lost "money or other property" in order to bring a claim. The court holds that the UCL's standing requirements are stricter than Article III standing requirements, and require the plaintiff to have paid money or "parted with some particular item of property he formerly possessed." The court does not buy plaintiff's novel theory that plaintiff's "PII constitutes 'currency'" under the statute. No luck for plaintiff under the UCL.
Similarly, the court rejects plaintiff's claim under the California Consumer Legal Remedies Act, because the statute only applies to plaintiffs who "purchase or lease" goods or services for "personal, family, or household purposes." Here, plaintiff has not purchased or leased any goods or services.
__
Plaintiff's other claims received mixed results. The court dismissed the Computer Fraud and Abuse Act claim with leave to amend (plaintiff admitted that it cited the wrong statutory provision), found that RockYou was not liable under California's anti-hacking statute (section 502), and found that plaintiff adequately stated a negligence claim.
Data breach cases have uniformly rejected the claims of plaintiffs who have not actually lost any money out of pocket. Some cases have done so on the merits, and other cases have done so on the basis of standing (some cases, such as Krottner v. Starbucks, have rejected the claims on the merits but have expressly found standing). The big question is whether this ruling moves the needle in any way. I'm inclined to say no, but the way in which the plaintiff cast his claim and the court characterized it is interesting.
The privacy policy / breach of contract analysis was also interesting. There is case law expressing skepticism as to whether a privacy policy is even a contract that can support a breach of contract action ("When Does a Privacy Policy Breach Support a Breach of Contract Claim?"), but courts lately don't think twice about analyzing privacy policy claims under the breach of contract framework. Companies (for whatever reason) continue to include flowery language in their privacy policies that courts latch on to when putting them on the hook for privacy foibles.
Related posts:
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
Acxiom Not Liable for Security Breach--Bell v. Acxiom
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds -- Amburgy v. Express Scripts, Inc.
__
Eric's comments
There is a lot to dislike about this opinion.
First, RockYou's privacy policy promised "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information..." This is industry-standard fluff language in a privacy policy. I bet we could find tens of thousands of privacy policies with similar language. I believe the prevailing view among lawyers is that this language couldn't be actionable. It doesn't promise security or integrity; it just promises the company will deploy *some* safeguards. Further, the efforts are only supposed to be "commercially reasonable"--language which many lawyers believe is equivalent to "we'll try."
Here, the plaintiff attacks the language by arguing that RockYou didn't encrypt its data. Now, I recommend to clients that they encrypt their databases of user data in all circumstances, but is it commercially unreasonable to do so? The defendant doesn't get the decisive win it expected on that point. (The plaintiff also asserts that the defendant was derelict in patching a security flaw that allowed the bad guys to do an SQL injection attack, so the two arguments may have reinforced each other enough to convince the judge there may be something to this case). As Venkat suggests, it's time to cut the fluffy language from privacy policies. Courts and plaintiffs are overresponding to it.
Second, the court's decision not to use Article III standing to kick out the case was unfortunate. Although I am sympathetic that Article III standing dismissals are harsh on plaintiffs--they never get a chance to say anything--the doctrine has been very useful at squelching unmeritorious privacy cases early. This case is effectively indistinguishable from the other cases where Article III standing has been used; it's a garden-variety security breach with no known tangible consequences (other than lawyers looking for a little gravy). Based on the precedent, an Article III standing dismissal would have been a logical outcome.
The court's acquiescence to the plaintiff's argument ("defendant’s customers, including plaintiff, “pay” for the products and services they “buy” from defendant by providing their PII, and that the PII constitutes valuable property") smacks of the old academic debates in the late 1990s/early 2000s about whether personal data should be propertized. It was a weird debate because many of the academics who oppose copyright doctrinal expansion were simultaneously advocating for increased propertization of personal data as a privacy/anti-advertising technique. Personally, I had hoped all of those theories had been lost in the dustbins of history. Instead, this court moves in that direction. Privacy advocates might rejoice, but be careful what you wish for.
The court's embrace of a "novel" theory is especially frustrating because the court goes on to say that it has doubts about the plaintiffs' ability to prove damages in the end. So instead of doing the socially optimal thing--killing a meritless lawsuit early--the court embraces a theory likely to fuel privacy advocates to bring other meritless cases; while keeping this case open may very well cause both parties to spend a lot of money only to kill a meritless case later. This may be a situation where the judge is being just a bit too careful.
Third, assuming that personal data is "property," this isn't a situation where the vendor sold the data or misused it for advertising. Instead, there was no impairment to the users' "property right"; it was a security breach. So this is a particularly poor case for the personal-data-as-property meme.
One small piece of good news from this opinion: the court interprets California Penal Code Sec. 502 narrowly and effectively prevents the plaintiffs from converting it into a sword to be used against companies that get hacked. We don't have many Penal Code 502 rulings, but most of the extant rulings read the statute pretty broadly. I'm glad to see the court was more circumspect on that point.
Posted by Venkat at 09:19 AM | Internet History , Licensing/Contracts , Marketing , Privacy/Security , Trespass to Chattels | TrackBack
April 07, 2011
Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH
[Post by Venkat Balasubramani]
Martin v. CCH, 10-cv-3494 (N.D. Ill.; Mar. 24, 2011)
Plaintiff received two emails from CCH, with the following subject lines:
"Buy now pay Feb. 15"
[and]
"Offer extended - Buy now pay Feb. 15"
Based on these emails, plaintiff files a putative class action against CCH alleging that CCH violated the Illinois spam statute. The court grants CCH's motion to dismiss, finding the claims preempted by CAN-SPAM.
The Illinois spam statute contains the standard prohibitions on misleading subject lines and falsifying the point of origin or transmission path of an email. The statute also requires email ads to contain "ADV: as its first 4 characters." Plaintiff alleged in the complaint that the emails were deceptive because
the subject lines do not state that the e-mails are advertisements, and the language used is misleading because it has the purpose and effect of making the recipient think the e-mail is from someone with whom he has a preexisting relationship.
The court finds that plaintiff "wisely" abandoned these arguments at the briefing stage. The emails both contained the word "buy" (and "pay") and it's hard to think of words that more clearly denote an invitation to engage in a commercial transaction. To the extent plaintiff argued that the emails were actionable because they were not labeled with "ADV:" this claim was "clearly" preempted by CAN-SPAM. With respect to plaintiff's claim that the emails improperly implied that the parties had some sort of pre-existing relationship, this did not rise to the level of fraud, or at worst, was a claim for "less than comprehensive information regarding the sender."
Plaintiff also argued that the emails were deceptive because they did not disclose the "'secret' 'information-harvesting' purpose of the e-mails." The court treats this as a misleading subject line claim. Citing to Virtumundo and Mummagraphics, the court finds that this claim is also preempted:
[t]hat claim also appears to be for 'incomplete' or 'less than comprehensive information' in the subject lines regarding the content of the e-mails. Plaintiff essentially argues that if Defendant had provided more information or 'complete' information, in the subject line, Plaintiff would not have opened the e-mail . . . . [T]wo circuits have held that less than comprehensive information outside the body of an e-mail is at best a technical allegation that finds no basis in traditional tort theories and thus falls within CAN-SPAM's express preemption clause (and outside the exception). And even if the omitted information could be deemed not only incomplete but also 'misleading,' Plaintiff's claim would still be preempted by the express language of the CAN-SPAM Act, which prohibits subject headings likely to 'mislead a recipient about a material fact regarding the contents of the message.'
In a footnote, the court also notes that the Illinois General Assembly is unlikely to have required - in the subject line of a commercial email - "a potentially lengthy and somewhat technical description of the process through which information is transmitted from recipient to sender when the recipient opens an e-mail." Indeed, in some instances, "it may not be possible to include on the subject line" the kind of disclosure plaintiff argued for.
__
Spam plaintiffs continue to come up with wacky theories of liability, and courts continue to reject these theories.
Related Posts:
"An End to Spam Litigation Factories?--Gordon v. Virtumundo"
"Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics"
"Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com"
Posted by Venkat at 08:59 AM | Privacy/Security , Spam | TrackBack
April 05, 2011
March 2011 Quick Links, Part 2
By Eric Goldman
Trademark
* Apple is on the road to CrazyTown with its attempt to secure and protect trademark rights in “App Store.” Among the "highlights" this month:
- it sued Amazon. Marty’s comments. The Justia page.
- Microsoft has been scoring a lot of points in its TTAB opposition. My comments on the latest developments. This battle is so pitched, it’s devolved into a font war.
- Apple successfully “persuaded” MiKandi, an "app store" for adults, to change its description to "app market."
* Google's trademark win for "Android" is being appealed to the Seventh Circuit.
* Advocate General's opinion in the EU keyword advertising case of Interflora v. Marks & Spencer. Let me know if you have the patience to read the whole thing. I don't.
* Jim Jansen: "it probably doesn't pay, on average, to bid on competitors branded phrase."
* At SSRN: Counterfeiters: Friend or Foe? The article tries to evaluate when knockoffs create demand for the original or act as substitutes: "The advertising effect dominates substitution effect for high-end authentic product sales, and the substitution effect outweighs advertising effect for low-end product sales."
* BoingBoing: NYT shuts down the @freeNYTimes auto-retweeting account on trademark grounds because the re-tweet service blows apart NYT's paywall. BTW, given its holes, I don’t think it should be called a “paywall.” Maybe more like a “pay-chain-link-fence”?
* GoDaddy takes down a website that tried to emulate Reed College's website.
* Washington Post caves in response to demand from Washington Redskins' team and changes a blog name from "Redskin Insider" to "Football Insider."
Retailing and Manufacturing
* WSJ: Manufacturers and retailers are beginning to push back on the paradox of choice. AdAge on Walmart using its market share to promulgate private regulations on its suppliers.
* Fast Company: How to sell more carrots? Market them like junk food.
* Illinois is the latest state to enact an "Amazon tax," so Amazon and Overstock tossed their Illinois affiliates overboard. When are states going to learn that the Amazon tax doesn't actually improve their financial situation? They don't get the increased sales tax revenue, and they lose the income tax from state-based affiliates. This is the opposite of a Pareto optimal move--no one gets made better off, but some get made worse off. This is also a good example of how state tax policy can degrade our national economy.
* SaferProducts.gov is now live.
* NYT: Car manufacturers are asserting copyright to prevent the National Highway Transportation Safety Administration from republishing their “technical service bulletins” describing warranty extensions and other unusual problems with their cars.
Privacy
* From the FTC: "in the last 15 years, the FTC has brought more than 300 privacy-related actions, including: 32 data security cases, 64 cases against companies for improperly calling consumers on the Do Not Call registry, 86 cases against companies for violating the Fair Credit Reporting Act (FCRA), 97 spam cases, 15 spyware (or nuisance adware) cases, and 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA)."
* FTC busts Chitika for having opt-out cookies expire in 10 days. According to ClickZ, Chitika claims it was a bug; the cookie was supposed to expire in 10 years.
* ClickZ: "Device Fingerprinting Could Be Cookie Killer." A follow-up story on privacy concerns.
* Time Magazine: Data Mining: How Companies Now Know Everything About You
* The FTC gave final approval to its settlement with Twitter. Prior blog post.
* Jane Yakowitz, Tragedy of the Data Commons. Brooklyn VAP Jane Yakowitz takes on Paul Ohm's reidentification paper. The abstract:
Accurate data is vital to enlightened research and policymaking, particularly publicly available data that are redacted to protect the identity of individuals. Legal academics, however, are campaigning against data anonymization as a means to protect privacy, contending that the wealth of information available on the Internet enables malfeasors to reverse-engineer the data and identify individuals within them. Privacy scholars advocate for new legal restrictions on the collection and dissemination of research data. This Article challenges the dominant wisdom, arguing that properly de-identified data is not only safe, but of extraordinary social utility. It makes three core claims. First, legal scholars have misinterpreted the relevant literature from computer science and statistics, and thus have significantly overstated the futility of anonymizing data. Second, the available evidence demonstrates that the risks from anonymized data are theoretical - they rarely, if ever, materialize. Finally, anonymized data is crucial to beneficial social research, and constitutes a public resource - a commons - under threat of depletion. The Article concludes with a radical proposal: since current privacy policies overtax valuable research without reducing any realistic risks, law should provide a safe harbor for the dissemination of research data.
* Woodrow Hartzog, Promises and Privacy: Promissory Estoppel and Confidential Disclosure in Online Communities, 82 Temp. L. Rev. 891 (2009). The abstract:
Online communities often provide significant support for those who seek it. Yet in order to take advantage of that support, users must frequently disclose sensitive information such as dating profiles, candid thoughts, or even past substance abuse. What happens when other community members fail to keep this potentially harmful information confidential? Traditional remedies will likely fail to protect people when members of an online community violate the confidentiality of other members. In this Article, I contend that promissory estoppel, an equitable doctrine designed to protect those who detrimentally rely on promises, can ensure confidentiality for members of online communities. The application of promissory estoppel via a website's terms of use agreement as a method for protecting disclosure has substantial advantages over tort-based, technological, or contractual remedies. Under the third-party beneficiary doctrine or the concept of dual agency, these agreements could create a safe place to disclose information due to mutual ability to enforce promises of confidentiality.
Posted by Eric at 02:33 PM | E-Commerce , Privacy/Security , Trademark | TrackBack
April 04, 2011
Court Denies Request for Discovery of Facebook and Twitter Account Information, Finding that the Request is a "Digital Fishing Expedition"
[Post by Venkat Balasubramani]
Caraballo v. City of NY, Index No. 75535/08 (N.Y. Sup. Ct.; Mar. 4, 2011)
Plaintiff suffered personal injuries "while performing work at 417 O'Gorman Avenue, also known as 45 Keegans Lane, on Staten Island." Predictably, defendant sought discovery of
plaintiff's current and historical Facebook, Myspace and Twitter pages and accounts, including all deleted pages and related information.[emphasis added]
Plaintiff objected on the grounds that the discovery was overbroad, intrusive and the information sought was irrelevant. Defendant argued that the records from the social networking sites were:
just as relevant as plaintiff's medical records to the extent that there are photographs, status reports, [and] videos that depict plaintiff engaging in activities that contradict his injury claims in this case.
Defendant also pointed to a prior case where a defendant's request to access plaintiff's MySpace account was granted. However, in that case, the plaintiff had testified as to the types of information she had posted to her MySpace account. Here, the defendant put forth no such evidence. It tried to obtain access to the Twitter and Facebook accounts hoping to find something there. The court denies the request:
the discovery demand at issue is overly broad, and [defendant] has failed to establish a factual predicate with respect to the relevancy of the information the sites may contain. In the opinion of this Court, digital “fishing expeditions” are no less objectionable than their analog antecedents.
A previous case from a trial court in New York granted a similar request to discover plaintiff's Facebook and MySpace Posts (Romano v. Steelcase, discussed in this post: "Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase".) That case dealt primarily with deleted posts, and didn't address the question of plaintiff's privacy interests in private posts or messages.
This case (like the other cases involving discovery of social network information) illustrates some of the practical difficulties that courts and litigants will face when trying to get access to a party or witness's social network information. The party seeking the information has to demonstrate that it seeks information that is relevant to the dispute (and that the account will contain such information). Defendant did not make that showing here, but if it had, was the court willing to give defendant unfettered access to the account? That doesn't seem like a tenable result. In any event, it's good to see that courts are imposing some minimal threshold before allowing litigants to access the contents of a party's social networking account.
Previous posts:
"Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users' IP Addresses"
Posted by Venkat at 07:19 AM | Evidence/Discovery , Privacy/Security | TrackBack
March 28, 2011
Website Privacy Policy Supports Pseudonymous Poster's Expectation of Privacy -- Cornelius v. Deluca
[Post by Venkat Balasubramani]
Cornelius v. Deluca, 10-Cv-027-BLW (D.Id.; Mar. 15, 2011)
A district court judge in Idaho denied a request to unmask the identity of a pseudonymous forum poster. In support of its decision, the court looked to the website's privacy policy to find an expectation of privacy.
The case revolved around comments made on bodybuilding.com which Cornelius and his company are not happy about. The lawsuit has spanned two jurisdictions (Idaho and Missouri) and spawned two rulings mentioned on this blog. Professor Goldman's initial post describes the situation as follows:
DeLuca runs bodybuilding.com, a fitness website and online retailer. The plaintiffs sell dietary supplements ("syntrax," whatever that is). The plaintiffs allege that their competitors posted shill reviews to bodybuilding.com designed to harm the plaintiffs' business. The plaintiffs sued both bodybuilding.com and the putative shillers.
The first time around, the Missouri judge awarded bodybuilding.com an easy Section 230 win to the extent plaintiff tried to hold it liable for posts made by third parties. ("Online Retailer Isn't Liable for User Comments.") In a second ruling (after the dispute moved to Idaho), the court strayed from the Section 230 path and said that bodybuilding.com could be held liable for posts made by "moderators." ("Troubling Ruling About 47 USC 230 and Moderators.") In response to this ruling, plaintiff tried to find out the identity of a pseudonymous poster named "INGENIUM," who posted the following:
despite S103's constant matrix pimping in CASEIN threads, matrix is not a micellar casein product.
[I'm not even sure what the products in question are, and what claims are being made about them, but the extensive litigation activity in this case makes me think that they must be useful in some way.]
After a November 2010 hearing, the court allowed plaintiff to discover INGENIUM's identity, based in part on defense counsel's purported concession that bodybuilding.com did not object to disclosure of INGENIUM's identity. The court's earlier decision was also based on the court's conclusion - relying on a recent Ninth Circuit case (In re Anonymous Online Speakers) - that the statement in question was commercial speech. Bodybuilding.com complained, saying that counsel was not authorized to make this concession, and requested that the court reconsider its prior ruling. Also, in between the court's earlier ruling and its reconsideration of the order, the Ninth Circuit withdrew and amended its opinion in In re Anonymous Online Speakers, leaving the opinion intact except for the language that characterized the speech as commercial speech versus core political speech.
Anonymity v. Disclosure of INGENIUM's identity: The court decides that INGENIUM's speech is neither purely commercial nor core political speech, and it then looks to the question of whether plaintiffs' need for INGENIUM's identity outweighs INGENIUM's right to speak anonymously. Without deciding the appropriate test in this context, the court looks to previous cases and settles on five relevant factors (citing Sony Music v. Does, Dendrite, 2TheMart): the plaintiff's ability to establish a prima facie case; the specificity of the discovery request; the availability of alternate means to obtain the information; the need for discovery to advance plaintiff's claim; and defendant's (or the speaker's) expectation of privacy.
The court reverses itself and finds that plaintiffs could advance their claim without obtaining INGENIUM's identity - i.e., this information was not central to plaintiffs' claims. Noting that an 'extra-high hurdle' exists when a non-party's information is involved, the court finds that plaintiffs failed to clear that hurdle here. In particular, plaintiffs sought to identify the precise nature of the relationship between bodybuilding.com and INGENIUM, but plaintiffs hadn't conducted any discovery directed to bodybuilding.com on this issue. Bodybuilding.com submitted a declaration setting forth its relationship with INGENIUM (that INGENIUM was a community-elected volunteer), but plaintiffs did not bother deposing the individual who submitted the declaration. Thus, there was no need for plaintiffs to unmask INGENIUM to obtain this information, at least not at this stage.
The privacy policy: The court also added that:
INGENIUM has an expectation of privacy based on bodybuilding.com's terms of service and privacy policy. Bodybuilding.com's terms of service state that no poster may make any post that would infringe on another poster's right to privacy. Bodybuilding.com's privacy policy also states that protecting users' privacy is a top priority, and bodybuilding.com has taken reasonable measures to protect users' private information.
Ultimately, the court concludes that plaintiff's attempt to discover INGENIUM's identity "is a fishing expedition based on speculation that INGENIUM was or is an agent or representative of bodybuilding.com."
__
There have been a couple of cases dealing with website privacy policies and their effect on whether a user should be unmasked. I blogged about Sedersten v. Taylor, where the court held that language in the policy providing that the site could freely use user information did not result in a waiver of the right to post anonymously. ("Online Commenter Did Not Waive Right to Anonymity by Agreeing to News Website's Privacy Policy.") In McVicker v. King, the court held - as the court did in this case - that language in the policy created an expectation of privacy. (Here's Tom O'Toole's post on that case: "Newspaper Website's Privacy Policy Creates Expectation of Privacy for Commenters?")
The expectation of privacy that is derived from a site or service's terms is something that courts have looked to in the Fourth Amendment context, in dealing with questions of privilege or whether an employer has the right to access employee communications, and whether disclosure of a person's social networking profile and communications is appropriate in civil litigation. But thus far, it has not made an appearance in anonymity cases. There are a couple of questions or concerns that this approach raises: (1) whether looking to terms in privacy policies would leave anonymous users at the whim of website terms (which may change from time to time based on business considerations), and (2) whether it makes sense to impute an expectation of privacy to users based on policies that they don't necessarily read or digest. (See Chris Soghoian's post on the Twitter/Wikileaks disclosure order on the second point: "Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies.") The First Amendment cases dealing with online anonymity do not discuss whether the poster had a "reasonable expectation" of privacy, and looking to the online terms and privacy policy will just muddy the analysis. While it bolsters the poster's privacy in this case, it may leave online posters in general worse off. Also, in many instances it will not be determinative because sites tend to include wiggle room in their policies so they can disclose user information if it's in their interest to do so.
Interestingly, the issue is in front of the court only because of its ruling that bodybuilding.com could be held liable if INGENIUM is found to be an "agent or representative of bodybuilding.com." See Professor Goldman's skepticism about this conclusion in his earlier post on the case: "Troubling Ruling About 47 USC 230 and Moderators."
Posted by Venkat at 12:55 PM | Derivative Liability , Evidence/Discovery , Privacy/Security , Publicity/Privacy Rights
March 26, 2011
Illinois Identity Theft Statute Partially Invalidated--People v. Madrigal
By Eric Goldman
People v. Madrigal, 2011 WL 1074427 (Ill. March 24, 2011)
Many state anti-identity theft laws are written very broadly. This loose drafting creates the possibility that they unintentionally restrict innocent--and indeed socially desirable--activity. Today's case is a good example of sloppy statutory drafting. Fortunately, a vigilant Illinois Supreme Court fixed the legislative error.
The Illinois statute at issue said: "A person commits the offense of identity theft when he or she knowingly...(7) uses any personal identification information or personal identification document of another for the purpose of gaining access to any record of the actions taken, communications made or received, or other activities or transactions of that person, without the prior express permission of that person."
I don't understand what that means, but the court easily finds several examples of possibly criminalized conduct swept into this broad language. As one example, the court says:
doing a computer search through Google or some other search engine or through a social networking site such as Facebook or MySpace, by entering someone's name, could uncover numerous records of actions taken, communications made or received, or other activities or transactions of that person. Thus, the statute as it currently reads would criminalize such innocuous conduct as someone using the internet to look up how their neighbor did in the Chicago Marathon.
Oops. As a result, the court invalidates this provision. It appears the state legislature could fix the provision by adding a requirement that the defendant have a culpable mental state. Even better, the state could do the harder work of precisely defining the harms of identity theft and drafting the criminal provisions to precisely fit those harms.
Posted by Eric at 09:49 AM | Privacy/Security | TrackBack
March 14, 2011
Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users' IP Addresses
[Post by Venkat Balasubramani with some comments by Eric]
In re: sec. 2703(d) Order; 10GJ3793; Miscellaneous Case No. 1:11dm00003 (E.D. Va. March 11, 2011) [pdf]
A federal magistrate judge refused to vacate a previously issued order granting the government's request to reveal information regarding various Twitter accounts for people allegedly associated with Wikileaks.
On December 14, 2010, at the government's ex parte request, the court entered a sealed order granting the government's request for the following information associated with the Twitter accounts of Wikileaks, rop_g, ioerror, birgittaj, Julian Assange, Bradley Manning, Rop Gonggrijp, and Birgitta Jonsdottir:
1. subscriber names, user names, and identities;
2. physical addresses, email addresses, and other contact information;
3. "connection records," records of session times and durations;
4. length of service and the types of service utilized;
5. "telephone or instrument number or other subscriber number or identity, including any temporarily assigned network addresses";
6. means and source of payment for service.
The order also required disclosure of all records and other information relating to these accounts, including the timing and method of connections, data transfer volumes, and "source and destination" IP addresses; "non-content information" associated with any communications, such as "source or destination email addresses and IP addresses;" and correspondence and notes of records relating to the accounts.
Twitter sought to have the order partially unsealed and to give the affected account-holders an opportunity to contest the order. (Kudos to Twitter for taking this step. ("Why Twitter Was the Only Company to Challenge the Secret WikiLeaks Subpoena.")) Several interested parties (Appelbaum, Jonsdottir, Gonggrijp), represented by the ACLU and EFF, filed a motion seeking to vacate the order, but they were unsuccessful.
Standing Under the Stored Communications Act:
The first question was whether the moving parties had standing to challenge the order under the provisions of the Stored Communications Act. The court says that standing to challenge under section 2704(b)(1) is restricted to those customers who can show that the "contents" of their electronic communications have been sought. "Contents" are defined in the statute as information "concerning the substance, purport, or meaning" of the communications, and the court finds that the government did not seek the contents of any communication. [The court notes here that the moving parties face difficulties in challenging the application because they have not seen a copy of it - the application is under seal.]
First Amendment Arguments:
The First Amendment arguments centered around free association and the chilling effects that would result from the government being able to "create a 'map of association'" from obtaining the information in question. The court is unpersuaded by the First Amendment association argument, partially because the moving parties had "made their Twitter posts and associations publicly available." The court does not specify whether the accounts were set to private, but I assume if any of them were, the court would have mentioned it.
Fourth Amendment Arguments:
Finally, the moving parties made a Fourth Amendment argument that the disclosure order should have been vacated because it amounted to a warrantless search in violation of the Fourth Amendment. In particular, the moving parties argued that they had a privacy interest in their IP address information, and argued that requiring Twitter to produce IP address details for specific dates and times would be "'intensely revealing' as to location, including the interior of a home." The court is not sold on this argument. The court cites to a slew of federal appellate cases (including US v. Bynum, which was the subject of a brief post: "4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info") holding that there is no privacy interest in an ISP subscriber's information. The moving parties argued that they never voluntarily conveyed their IP address to Twitter, but the court disagrees, and points to Twitter's privacy policy:
[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of "Log Data" that Twitter collects, transfers, and manipulates . . . . Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.
__
I had not followed the goings-on closely, but the moving parties had an uphill battle given that the government did not seek the contents of any communications. This is a fact that is sometimes obscured in media reports, which often paint the picture of the government getting access to sensitive and private communications. That isn't the case. The fact that the accounts in question were not set to private did not help either. (Also, in the consumer context, courts have held that IP addresses are not personally identifiable information. See "Court: IP Addresses Are Not 'Personally Identifiable' Information.")
On the expectation of privacy issue, Chris Soghoian makes a good point that I've alluded to before - it's awkward to measure the consumer's expectation of privacy based on the language of a privacy policy because people rarely read the policies: "Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies." That said, most people would expect services like Twitter to collect and use IP addresses. It's just a question of how long Twitter may retain this information and under what circumstances it would turn this information over. On this issue, the privacy policy was of no help.
[As a side note, I think this may be somewhat indicative of how many of the Facebook privacy lawsuits may shake out. Those lawsuits are heavily dependent on federal statutes which grant protection to the contents of communications, and if all that's being collected and used is the parameters of a person's internet activity, the plaintiffs will have a tough time arguing that any statutory violations occurred.]
EFF & the ACLU plan to appeal, so this isn't the last word.
Other coverage:
EFF: "Court Rules Against Privacy in Battle Over Twitter Records"
cnet (Declan M.): "DOJ wins access to WikiLeaks-related Twitter accounts"
Wired (Threat Level): "Judge Won’t Stop WikiLeaks Twitter-Records Request"
Chris Soghoian: "Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies"
_______________
Eric's comments: In my recap of top cyberlaw issues from 2010, I ranked Wikileaks as the #1 issue of the year and wrote:
Wikileaks finally forces us to confront many of the cyberspace governance issues we were debating in 1996. I'm sad to say that our government, and many private businesses, failed the test.
This ruling appears to be another datapoint in support of that assessment. The government's request for Wikileaks-related information from Twitter very well may be lawless, but this judge--like so many others confronted with Wikileaks-related issues--is willing to roll with it using highly formalist reasoning. In this respect, Wikileaks may be the new Napster--whenever its name is invoked, the rule of law gets suspended in an overall effort to kick the unwanted enterprise out of the ecosystem; and everyone who touches Wikileaks gets tarred with the taint-by-association brush.
The court's ruling on 2704 standing to challenge a 2703(c) request is a fine example of the problem. The court says that, based on the statutory wording, the affected subscribers lack standing to challenge the records request. OK, but when do the affected subscribers have standing to challenge a 2703(c) request? According to this ruling, the answer may be never. That can't be right. Surely we as citizens have some way to fight back against overreaching government requests for non-public information about us...don't we?
We encounter the same problem with the court's discussion regarding IP addresses. The court makes a troubling categorical statement: "petitioners have no Fourth Amendment privacy interest in their IP addresses." As with the 2703(c) records request, is there any circumstance where a subscriber could prevent his/her IP address from being disclosed to the government? According to this court, the answer may be no.
Overall, the court seems tone-deaf about the possible consequences of revealing the information to the government. We've made a lot of progress striking a balance regarding unmaskings in the civil context; here, the court doesn't consider the possibility of balancing at all.
I'd like to think the Wikileaks participants used anonymizers for their IP addresses. If you are doing anything likely to incur the wrath of the US government, consider this a cautionary warning of the need to use good anonymizers for your activity.
For Twitter, there is a silver lining to the ruling. In a footnote, the court says "By clicking on 'create my account', petitioners consented to Twitter's terms of use in a binding 'clickwrap' agreement to turn over to Twitter their IP addresses and more." Surely Twitter likes a judicial vote in favor of its online contract formation. However, the court's citation of Twitter's privacy policy reinforces that privacy policies are not just about the private arrangements between sites and their users. The government will trawl through a site's privacy policy to cite terms against the site's users as part of the government's rapacious desire to know everything about its citizens. As drafters of privacy policies, we might consider how we balance our clients' needs for information flexibility with the fact that the government will abuse that same flexibility for its own possibly lawless interests.
UPDATE: Jennifer Granick's post on the opinion.
Posted by Venkat at 11:43 AM | Licensing/Contracts , Privacy/Security
February 27, 2011
Jan.-Feb. 2011 Quick Links, Part 2
By Eric Goldman
Search Engines
Google’s search algorithm has been very much in the news the past 2 months!
* Google’s announcements:
- “Google search and search engine spam”
- Matt Cutts explains Google penalties in a video.
- “Microsoft’s Bing uses Google search results—and denies it.” Comments from Search Engine Land and Greg Linden (on privacy)
- Interview with Amit Singhal on content farming
* Google publicly penalized numerous targets, including
- JC Penney, punished for black hat SEO (the 4th time Google had penalized them).
- Overstock, punished for co-opting too many .edu domains
- Forbes, punished for passing PageRank to paid links
- Then, Google dropped the hammer on content farms
The running question with all of these changes: should we praise—or regulate—Google for fighting back against the algorithm gamers? My 2006 article on search engine bias answers that question. I recently wrote a short essay updating the 2006 article—more on that soon.
* Speaking of regulators, they are hardly standing on the sidelines:
- EU regulators hate Google. They really hate Google.
- The Italian antitrust authority dropped its investigation into Google News after Google agreed to make it easier for publishers to opt-out.
- More details emerged on the Texas AG’s investigation into Google. WSJ and AllThingsD (including the actual letter). My prior blog post.
- Interestingly, FWIW, it’s not clear consumers are sold on the need for regulatory intervention. 77% of Americans say "there is no need for government regulation of the way that search engines select the recommendations they provide in response to search inquiries." Then again, survey wording is key. I could see an equal percentage say that we should prevent search engine bias.
* Questions about Google’s algorithms:
- Techdirt: "Will Google's New Hamfisted Censorship On Autocomplete Raise Questions Of Human Meddling?"
- News.com: Google's double standard on user-generated content
Privacy
* H.R. 654, "Do Not Track Me Online Act of 2011." The law would require the FTC to promulgate regulations that “establish standards for the required use of an online opt-out mechanism to allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use.”
* Information Law Group's 2010 privacy law recap.
* Jeff Jarvis: "the emergence of Privacy, Inc., as an industry built on scaring people is beginning to scare me."
Remember, every regulation creates winners and losers, and we should always ask what’s in it for the winners. On that score, see James D. Campbell et al, Privacy Regulation and Market Structure, reaching the conclusion: “privacy regulation can benefit incumbents and reduce innovation.”
* Lyall v. City of Los Angeles, Not Reported in F.Supp.2d, 2011 WL 61626 (C.D. Cal. Jan. 6, 2011). Publicizing an event on MySpace made the event space into a public place for purposes of a police search.
* After Pineda v. Williams-Sonoma, treating ZIP codes as private information, a flood of lawsuits followed. In response to the Supreme Court's ruling, Sacramento urgently needs to make a statutory fix to Song-Beverly to avoid business-sapping and socially wasteful litigation.
* FTC: Data Resellers Liable for Downstream Security Failures
Social Media/Web 2.0
* Reuters: "Companies warily eye new consumer complaint sites"
* Mountain View Voice: Contractor files big claim for bad Yelp review.
* Teacher is suspended for blogging about her "whiny" students. Compare Yoder v. Univ. of Louisville.
* Reuters recaps e-discovery of social networking site content.
* NYT: Is blogging passé?
* Facebook ads have really low clickthrough rates, but the clickthrough rate improves if another user "likes" the ad.
* Unintended consequences of CA's E-personation law are beginning to manifest themselves. Apple goes after the @ceostevejobs parody Twitter account.
* NYT surveys some esoteric niche online dating websites.
* U.S. v. Forde, 2011 WL 63831 (4th Cir. Jan 10, 2011):
In a post-trial motion, Forde informed the district court that while the trial was proceeding, a friend of the husband of the jury foreperson posted on Twitter an explanation of the difference between "assume" and "presume." Forde contended that, since the posting occurred during trial, it was possible that the jury foreperson had talked to her husband about the case, her husband then talked to his friend about the case, the friend then posted the statement on Twitter, and the foreperson saw the Twitter posting. Forde thus requested that the district court hold a hearing to investigate the potential misconduct. The district court denied the request.
...Forde's string of possibilities about the origin of the Twitter posting—that the foreperson possibly talked to her husband, who possibly talked to his friend, who possibly took to Twitter in response to what the husband possibly told him—is nothing but speculation and thus falls far short of establishing reasonable grounds for investigation. The district court therefore did not err by denying Forde's request for an evidentiary hearing to investigate his claim.
Posted by Eric at 04:22 PM | Content Regulation , Evidence/Discovery , Marketing , Privacy/Security , Search Engines | TrackBack
February 11, 2011
California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma
[Post by Venkat Balasubramani]
Pineda v. Williams-Sonoma, S178241 (Cal. Supreme Court; Feb. 10, 2011)
Plaintiff made a purchase at Williams-Sonoma and when she went to pay, the cashier asked for plaintiff's ZIP code. Thinking she was required to provide it in order to complete the transaction, plaintiff provided it.
Plaintiff sued under the Song-Beverly Credit Card Act (the Credit Card Act) which prohibits a store that accepts credit cards from:
request[ing], or requir[ing] as a condition to accepting the credit card as payment...the cardholder to provide personal identification information, which the [store] records upon the credit card transaction form or otherwise.
The statute defines personal identification information as:
information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.
The trial court dismissed the claims, finding that a ZIP code does not fall under the definition of personal identification information, and the court of appeals affirmed. (Interestingly, plaintiff brought an invasion of privacy claim. The court did not accept review over the invasion of privacy claim, which the court of appeals dismissed on the basis that the plaintiff did not have a privacy interest in her address, which was contained in a database.) In reversing the decision of the court of appeals, the court points out that Williams-Sonoma had a particular motivation when it asked for plaintiff's ZIP code:
[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff's previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. Defendant uses its database to market products to customers and also sell the information it has compiled to other businesses.
The court looked to the statutory language which includes the cardholder's address and telephone number as illustrative examples. Although the court of appeals took these examples to mean that more general information which can't by itself be used to locate a person was not included in the statute, this court disagreed. The court rejects the argument that the ZIP code shouldn't be included because it is only a component of an address, reasoning that under this approach a retailer could ask for portions of an address but not the entire thing (thus achieving its purpose of being able to market to the individual without asking for the entire address). The appeals court also reasoned that an address and telephone number is specific to an individual while a ZIP code refers to a group of people. (As the court notes, ZIP stands for "Zone Improvement Plan.") The court rejects this as well, noting that both residential and work telephone numbers could refer to more than one person but these are nevertheless encompassed by the statute.
Ultimately, the court looks to the intent behind the statute and finds that the legislature intended the statute to encompass:
information unnecessary to the sales transaction that, alone or together with other data such as a cardholder's name or credit card number, can be used for the retailer's business purposes.
In the court's view, any other interpretation of the statute would allow retailers to "end-run" the statute's purpose. The court also cites extensively to the statute's legislative history, which was concerned with retailers' extraction (at the point of credit card transaction) of information that would be used for marketing purposes. In addition to the statutory construction arguments, Williams-Sonoma made due process and vagueness arguments, but the court doesn't give these much credit.
___
This is an interesting one that brings to mind the debate over whether an IP address is personal information (an issue Microsoft hashed out, but which I'm guessing we'll see again). (See "Court: IP Addresses Are Not 'Personally Identifiable' Information.") There's been a dispute over whether the collection of email addresses violates the California statute, but apart from a ruling on a CAN-SPAM preemption defense, I don't recall seeing a conclusive ruling on whether an email address fits the statute's definition of personal identification information. ("California Privacy Law Not Preempted by CAN-SPAM Act.") In light of this ruling, I would say that an email address will be treated as personal identification information for purposes of the statute. On the other hand, a federal trial court held that the statute does not apply to online transactions, so email addresses collected in this context may not necessarily pose a problem. (See Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009). In light of Pineda, I'm guessing plaintiffs and advocacy groups are going to try to revisit this issue.)
It's hard to muster much sympathy for Williams-Sonoma here, since they obviously used the information to market to plaintiff (this may be my bias at work - like most people, I think that catalog marketing is a truly odious practice, although Professor Goldman mentioned by email that he disagrees). On the other hand, Williams-Sonoma made a pretty reasonable argument that the statute looks like it applies to pieces of information which can be used to identify the purchaser. A cardholder's ZIP code "without more" doesn't seem like it should constitute personal identification information. You can use a person's address or telephone number to market to someone, but you can't use a ZIP code. Also, I wondered about the fact that gas stations (for example) sometimes require credit card users to input their ZIP codes as an anti-fraud measure (I'm guessing they argue that they don't violate the statute because they don't archive the information - at a quick glance I don't see a fraud exception in the statute, although there is a "positive identification" provision).
However, what sways me (and the court alludes to this in referencing a change in the statute to address retailer "requests" for information) is that stores ask customers for their ZIP codes in the context of these transactions and customers often provide it because they think it's some sort of fraud protection measure. If the retailer is going to turn around and just run this information through the database for marketing purposes, this feels duplicitous.
It looks like the statute was last amended in 1991, but since then (given the proliferation of databases), tracking someone down with bits of information has gotten much easier, and will become even easier over time. Given this, I wonder if the legislature considered prohibiting retailers from using information obtained via a credit card transaction to identify and market to customers unless the customer opts in. It's increasingly tricky to think of data as personally identifiable information versus non-personally identifiable information. Eric has posted about Professor Ohm's reidentification work, which shows how the distinction between PII and non-PII is becoming less useful: "Data Anonymization and Re-identification Lecture Featuring Paul Ohm, SCU, April 7." This looks like a good example of this.
A final note: this case highlights how online and off-line retailers live in different worlds. Off-line retailers go to great lengths to identify and stay in touch with their customers. Online retailers can just use cookies, ask consumers to check a box on their website, or get consumers to like their Facebook page.
Other coverage:
"My zip code is none of your business!" (Chris Hoofnagle)
"A Ridiculous California Court Ruling: Zip Codes are Private" (Kashmir Hill)
Posted by Venkat at 06:45 AM | Marketing , Privacy/Security
February 07, 2011
Court Dismisses Class Action Against Spokeo for Lack of Standing -- Robins v. Spokeo
[Post by Venkat Balasubramani]
Robins v. Spokeo, 10-cv-05306 (C.D. Cal. Jan. 27, 2011)
Spokeo is a website that bills itself as an aggregator of hard-to-find information about people. Robins filed a complaint against Spokeo for violation of the Fair Credit Reporting Act, arguing that the "reports generated by Spokeo.com contain inaccurate consumer information that is marketed to entities performing background checks."
Spokeo argued that it only aggregated information provided by third parties and it was entitled to immunity under Section 230. The court doesn't reach that question, finding that Robins lacked standing - i.e., he "failed to allege that [Spokeo] has caused him any actual or imminent harm." Plaintiff alleged that he had trouble seeking employment and he was "concerned that the inaccuracies in his report will affect his ability to obtain credit, employment, insurance, and the like." The court found that plaintiff's allegations of "possible future injury" failed to satisfy Article III standing requirements and dismissed the complaint without prejudice. Although this case and the Starbucks data breach case deal with the standing issue in different contexts, the court's conclusion on standing can be contrasted with the Ninth Circuit's recent conclusion in the Starbucks data breach case that employees affected by a data breach have standing based on "'generalized anxiety and stress' as a result of [the data breach]." ("Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit.")
I'm guessing this complaint will be refiled and the court will have to eventually reach the issue of whether Spokeo is entitled to Section 230 protection. Will we see Roommates.com in action? (See "Roommates.com Infects the Tenth Circuit--FTC v. Accusearch.") Or will Spokeo be treated as a syndicator that is entitled to Section 230 protection? ("Database Publisher Gets 230 Defense--Prickett v. infoUSA.")
On a related note: Spokeo is already dealing with complaints from privacy advocates, but as noted by Kash Hill, the blogger at PogoWasRight recently filed a complaint against Spokeo after profiles of hers that were removed from the site "came back to life." ("Spokeo Draws Ire (and FTC Complaints) from Privacy Advocates for its Zombie Profiles.")
Posted by Venkat at 12:05 PM | Content Regulation , Privacy/Security
February 04, 2011
Court: Husband's Access of Wife's Email to Obtain Information for Divorce Proceeding is not Outrageous
[Post by Venkat Balasubramani]
Miller v. Meyers, 09-cv-6103 (W.D. Ark.; Jan 21, 2011)
This case presents another fact pattern involving an increasingly common twist to the modern divorce proceeding - someone surreptitiously accesses his or her spouse's email and on-line accounts to gather information to be used in a family law proceeding. The now ex-spouse brings a claim for violation of statutes protecting the privacy of communications. Here, the ex-spouse gets summary judgment on her Stored Communications Act claim, and the parties shortly settle after the court's ruling.
The facts were straightforward. Anna Miller alleged that Darin Meyers used a keylogger program to access information and communications from Miller's on-line accounts, including email accounts. The parties resolved their differences in family court and entered into a settlement agreement. After finding out that Meyers accessed her emails, Miller brought claims against Meyers under the Computer Fraud and Abuse Act, the Stored Communications Act, the ECPA, and under state law.
The divorce settlement: Meyers argued that the parties resolved all of their claims in the divorce settlement, but the court rejects this argument. The court points to language in the agreement to the effect that the settlement was only intended to compromise the parties' claims "arising out of [the divorce] litigation." The court also notes that the family law court would not have had jurisdiction over plaintiff's claims anyway, so it's not reasonable to think that they would have resolved those claims by virtue of the divorce settlement.
Computer Fraud and Abuse Act: The court denies summary judgment to both parties on the CFAA claim, noting that there is a factual dispute as to whether plaintiff suffered $5,000 in damages due to the unauthorized access. Plaintiff did not argue that the use of improperly obtained evidence harmed her in the divorce proceeding, and the court may not have accepted this argument anyway. (Courts are across the board on what type of damage can be used to satisfy the $5000 jurisdictional threshold, but it looks like there were factual disputes either way.)
Stored Communications Act: The Stored Communications Act claim was open and shut. Defendant admitted he accessed the emails, and he clearly did not have permission to access plaintiff's email account. Plaintiff gets summary judgment on this claim, and the court saves the damages ruling for the factfinder.
ECPA: The court rejects plaintiff's ECPA claim, finding that plaintiff put forth no evidence that defendant "recorded any information during the course of monitoring," and in any event, through use of the keylogger software defendant only obtained the passwords and would have only opened the emails after they reached plaintiff's account. Interestingly, the court notes that there was "some indication that plaintiff was aware, or should have been aware, that defendant was monitoring her." The court does not specify what evidence defendant presented in support of this proposition (apart from the general theory that someone can monitor activity on computers in their home), and imputing consent based on a supposed expectation of monitoring seems to push the consent exception pretty far. The court also does not discuss the issue of whether the capture of the passwords themselves could have constituted an interception. (See "Scope of Electronic Communications Privacy Act may not be so narrow" (discussing Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)).)
State law claims: The court grants plaintiff summary judgment on her computer trespass claim, but finds that there was no evidence at the summary judgment stage of what injury she suffered. The court defers the damages ruling for trial. The court grants defendant summary judgment on plaintiff's unlawful access to a computer claim under state law, declining to find a private cause of action where the legislature did not clearly provide for one. Plaintiff asserted a breach of contract claim based on a breach of non-disclosures of the settlement agreement. The court finds that factual disputes preclude an award of summary judgment in either party's favor.
Finally, the court rejects plaintiff's claims for intentional infliction of emotional distress, finding that defendant's conduct was not shocking or outrageous. Here the court throws out a zinger:
Defendant's conduct of monitoring the internet traffic on his home network and using a keylogger to access his then wife's emails, and then using copies of those documents in divorce and custody proceedings is not extreme and outrageous conduct. A husband prying into his wife's email, after learning that she was engaging in conversations and photo sharing, and then using damaging emails in a divorce and custody proceedings can hardly be considered "extreme and outrageous," "beyond all possible bounds of decency," or "utterly intolerable in a civilized society."
Say what? I guess all is fair in love and war (including violating federal statutes), in this court's view.
___
Apart from the court's interesting views on the outrage claim, there's not much to say about this case. The court notes that the underlying evidence which was improperly obtained was used in the family law proceeding (apparently without objection or scrutiny from the court), and I wonder how often this occurs.
In any event, the case is a good opportunity to repeat the PSA: accessing someone else's emails or accounts is not necessarily a good idea, as tempting as it may seem. It doesn't matter if the person whose email you access is your employee, spouse, or best friend! Also, using keylogger software is risky. Keylogger software should come with a disclaimer that tells you to consult with counsel before deploying it.
Posted by Venkat at 09:25 AM | Privacy/Security
January 26, 2011
Nursing School Can't Expel Students for Posting Photo to Facebook--Byrnes v. Johnson County CC
By Eric Goldman
Byrnes v. Johnson County Community College, 2011 WL 166715 (D. Kan. Jan. 19, 2011). The complaint.
You've probably already heard about this case. Four nursing students posted photos of a patient's placenta to Facebook, and the school expelled them in response. The students sued the school for reinstatement, which the court grants in this ruling.
The case turns on two key facts. First, the placenta photographs were not identifiable to the patient, even though the photos had some time-related information that could have narrowed down the possible placenta-birthing patients. This raises re-identification issues we've discussed numerous times on the blog; even if the combined facts of placenta photo + time information don't themselves identify the patient, those two pieces of data plus other datasets could lead to reidentification.
Second, the clinical supervisor knew the students were taking the photos. The students further claim they told the supervisor that they were going to post the placenta photos to Facebook, to which the supervisor allegedly responded "Oh, you girls." The court analyzes these facts by saying:
photos are taken to be viewed. When Delphia granted permission to take the photos, it was unreasonable to assume that they would not be viewed. If the photos were objectionable, to say nothing of objectionable to the point warranting expulsion from the nursing program, then it would not have mattered whether the photos were viewed on Facebook or elsewhere. By giving the students permission to take the photos, which Delphia admitted, it was reasonable to anticipate that the photos would be shown to others.
It's a little hard to parse this statement. The court could be saying that it really believes the supervisor expressly or implicitly approved the Facebook publications by saying "oh, you girls." Or, the court could be saying that even if the supervisor never knew about the students' intent to post on Facebook, the supervisor should have assumed that the photos would be seen by a larger audience at the time the supervisor approved/acquiesced to the taking of the photos. This latter interpretation isn't very comforting. Many photos are never published to the public. For example, the students could have taken the photos for archival purposes or for further self-study. So I'd like to think the court wasn't saying that consent to photo-taking automatically means consent to widespread publication of that photo.
This case reminded me a lot of Yoder v. University of Louisville. That case similarly involved a nursing school's expulsion of a nursing student in response to a social media publication. In the Yoder case, the nursing student's publication was much more troubling in that it said possibly mean things about patients. Nevertheless, both cases involve: (1) nursing students perhaps showing insufficient sensitivity towards patients' interests, and (2) nursing school overreactions to student participation on social media. I wonder if something funky is going on in the nursing school community or if these cases are just coincidences.
Posted by Eric at 05:46 AM | Content Regulation , Privacy/Security
January 25, 2011
Ad Networks Ordered to Drop Allegedly Infringing Site--Elsevier v. eNom
By Eric Goldman
Elsevier Ltd v. Whois Privacy Protection Service, Inc., 1:11-cv-10026-RGS (D. Mass. injunction dated Jan. 14, 2011). See the TRO from Jan. 6 and the complaint.
On the surface, this seems like a run-of-the-mill copyright enforcement. The plaintiffs Elsevier and John Wiley publish textbooks on pharmaceuticals and related topics. The website at issue, Pharmatext.org, allegedly republishes those copyrighted textbooks for free via an ad-supported website. If these were the only key facts, the publishers should be able to shut down the rogue site easily.
However, I think this is a pretty complicated case that isn't getting the nuanced legal analysis it requires. There are at least three major complexities to the case:
1) Pharmatext.org is now offline, but when I reviewed it in Google's cache, it looked like a linking site. In other words, the site itself wasn't hosting the allegedly infringing downloads but just linking to URLs where they were available. I didn't see anything in the complaint that connected the operators of Pharmatext to the uploads of the copyrighted material on third party servers.
Thus, this case could be about a website's liability for linking to infringing content. We might still conclude that Pharmatext is infringing, but we'd need to reach that through a secondary liability analysis, not a direct liability analysis. Of course none of this is mentioned in the materials I saw. The complaint does not clarify who is the direct infringer because those paragraphs are in the passive voice--is it the uploader, the individuals who download, or Pharmatext for unspecified activities that it did?
2) Pharmatext.org is owned by eNom as a privacy proxy (under its Whois Privacy Protection Service, the captioned defendant). I've previously blogged about domain name privacy proxies and the legal troubles they are encountering (see my post on Solid Host v. NameCheap). The publishers sue WPPS for vicarious copyright infringement, alleging "it controls the domain name pharmatext.org and receives a direct financial benefit for doing so."
Hold on a sec. This is a really dense statement that requires unpacking. WPPS is the domain name registrant on behalf of an undisclosed principal. It does not "control" the domain name. Even if it did, the normal test for vicarious infringement requires the "right and ability to supervise the infringing activities." How does a privacy proxy do that? It controls the domain name, not the associated servers. See the old 9th Circuit ruling in Lockheed v. NSI. And typically vicarious infringement requires a direct financial benefit from the infringement. Sure, as a service provider, the privacy proxy gets paid by the website operator--but the payment amounts don't vary with the amount of infringement. This is like saying the electric company gets paid by an alleged infringer to supply power to the infringing website. Yes, the electric company gets paid, but no, that's not direct financial benefit from the infringement. (Ironically, in fact increased infringing activity might boost the amount of electrical consumption, so the electric company is more likely to profit from infringement than a privacy proxy.)
Finally, recall that I believe Pharmatext is a linking site that isn't the direct infringer. So WPPS is a distant service provider to a possible secondary infringer. Tertiary liability, anyone?
The court's response? It orders WPPS to disable the domain name, fork over the principal's identity, and freeze any transfer of the domain name.
I am extremely bearish on the future of domain name privacy proxy services. It seems inevitable that IP plaintiffs are going to drive that particular service offering into the ground with their litigation.
3) The publishers also sued two ad networks, Chitika and Clicksor, for contributory copyright infringement. The supporting allegations? The ad networks directly profit from the infringement and provide the funds to enable Pharmatext.org to continue its existence.
Traditionally, contributory copyright infringement requires knowledge of the infringing activity and a substantial contribution to the infringing activity. I didn't see any allegations of knowledge by the ad networks at all--no assertions that the ad networks had figured out that Pharmatext.org was a rogue website, and no assertions that the copyright owners sent a C&D or takedown notice. (I don't think the ad networks qualify for a 512 safe harbor because of the way those safe harbors are worded; but a C&D/takedown notice would still help the publishers in arguing that the ad networks knew it was a rogue website.) The ad networks' only "contribution" to the infringement is the payment of money to the site, and this was expressly rejected as sufficient for liability in Perfect 10 v. Visa, which concluded that even if the payment system stopped the flow of money, it would not automatically stop the website and any associated infringement on it.
Further, if Pharmatext was a contributory infringer for linking to infringement, this means the ad networks would be contributing to a contributory infringer--another tertiary liability argument.
The court's response: it ordered the ad networks not to pay any money to Pharmatext and to drop them as customers.
From the PACER report, it appears that the defendants haven't contested the publishers' claims. I hope that will change. This is a case where the publishers have clearly overreached, and if the judge won't call them on it himself, we need the adversarial system to expose the major gaps in the publishers' logic.
Meanwhile, this case illustrates two broad themes. First, it illustrates how plaintiffs are going after an array of supporting service providers to make them responsible for their customers' activities. On the trademark front in the past 12 months, see, e.g., Louis Vuitton v. Akanoc (web hosts), Gucci v. Frontline (payment service providers), Roger Cleveland v. Price (web designers/SEO), Microsoft v. Shah (software vendors that assist website development). Plaintiffs are reading secondary liability doctrines very, very broadly, and courts aren't always slamming down those arguments as emphatically as they should.
Second, several other lawsuits have tried to nail ad networks for providing advertising support to infringing sites. As another example (also in the trademark realm), see the Vulcan Golf v. Google lawsuit. The only successful case that I can recall involves Triton Media, a ruling that was so skewed by its facts that I didn't think it was worth a full blog post. Wendy Davis discusses the comparison more.
If this lawsuit ends with the current injunction, I'll consider this ruling an interesting oddity. Any further developments in this case warrant careful scrutiny.
Posted by Eric at 09:27 AM | Copyright , Derivative Liability , Domain Names , Privacy/Security
January 23, 2011
Ex-Employees Awarded $4,000 for Email Snooping by Employer -- Pure Power Boot Camp v. Warrior Fitness Boot Camp
[Post by Venkat Balasubramani]
Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y.; Dec. 22, 2010)
Email snooping and computer fraud statutes (Stored Communications Act; Computer Fraud and Abuse Act) are starting to play a starring role in litigation between departing employees and their former bosses. Plaintiffs asserting claims under these statutes often press tenuous claims, with evidence for damages that are weak at best. There are often unclean hands all around, and the disputes end up just being messy.
One such dispute is Pure Power Boot Camp v. Warrior Fitness Boot Camp. As the court describes it, Lauren Brenner, the owner of Pure Power, hired Alex Fell and Ruben Belliard to work as "drill instructors" at her gym (which was "designed to replicate as closely as possible the experience of training at a military boot camp"). Fell was fired and Belliard quit, but before they left, they made plans to open a competing fitness facility in town. Fell and Belliard alleged that after they left, Brenner, or someone on her behalf, accessed and printed emails from Fell's Hotmail, Gmail, and Warrior Fitness Boot Camp accounts. The emails yielded a bounty of information about Fell's and Belliard's efforts while still at Pure Power to open a competing gym. Brenner denied that she ever accessed the emails or directed anyone to, and in any event, alleged that the emails were accessible because Fell left his username and password stored in Pure Power's computers.
The lawsuit had numerous procedural twists and turns. Brenner and her company sued in state court to enforce a non-compete after gathering the email evidence. The state court determined that the non-compete was unenforceable, and allowed Fell and Belliard to open their competing fitness center. (This was probably a good time to consider settling the dispute and not sinking more resources into it.) Fell and Belliard then removed the lawsuit to federal court and asserted claims based on Brenner's improper access of the emails. Fell and Belliard also sought a preclusion order, prohibiting Brenner from using any of the improperly obtained emails in the proceeding. The court agreed with defendants and issued an order requiring Brenner to return all emails or materials obtained "outside normal discovery procedures." The court also precludes Brenner from using any of those emails in the underlying lawsuit. In that order, the court found that the access of the emails violated the Stored Communications Act, but did not violate the ECPA. Defendants brought a motion for summary judgment on their SCA and ECPA claims.
Stored Communications Act Claims: With respect to the Stored Communications Act claim, the court held that the court's earlier preclusion order established the law of the case that the access of the accounts violated the SCA. Both sides tried to argue as to whether the preclusion order conclusively established Brenner's personal liability, but the court left that issue for another day, finding that there was a factual dispute as to whether Brenner herself accessed the emails or directed someone else to do so. However, interestingly, the court held that defendants failed to show any actual damages for the Stored Communications Act violations. Brenner argued (citing to Van Alstyne v. Electronic Scriptorium) that in the absence of actual damages, defendants could not recover any damages at all, but the court rejects this, finding that regardless of whether defendants put forth any evidence of actual damages, they are entitled to statutory damages. (See Tom O'Toole's blog post on Van Alstyne.)
However, the victory turns out to be a Pyrrhic one for defendants (on the damages front), as the court holds that defendants are only entitled to damages per instance of access (and not per email) and awards defendants the disappointing amount of $4,000. The court noted mixed authority on the issue of whether damages were appropriately awarded per email accessed or based on each instance of unauthorized access. Ultimately, the court noted that there was no evidence as to how many times the email facilities were accessed during the relatively short time period that was at issue (nine days), and the court aggregated the intrusions with respect to each individual account. The court also defers ruling on defendants' request for fees and punitive damages, finding that those questions were better suited for the jury.
ECPA Claims: The ECPA provides a civil cause of action against those who "intercept" electronic communications. The court rejects defendants' claims under the ECPA on the basis that the messages were accessed after they were delivered to defendants' accounts. The court had rejected defendants' claims in its ruling on the preclusion order, and apart from arguing that the time period between delivery and access by plaintiff was "shorter than defendants had initially believed," defendants did not offer any new evidence that the interception occurred before delivery (or contemporaneously with delivery).
___
I'm not sure what to make of this case, except to say that unless there's a policy in place that clearly authorizes email monitoring, it's a minefield to access someone else's email, whether that's in the employment context or in the family law/divorce context.
Even when there's a policy in place, there's some risk that the policy may not clearly express consent for monitoring, as was almost the case in another email snooping case from Illinois. (See Shefts v. Petrakis, 10-cv-1104 (C.D. Ill.; Dec. 9, 2010).) In Petrakis, there was a policy which said that the company would monitor emails, but there was some dispute as to whether it applied to plaintiff, who was a director and shareholder, rather than an employee. There was also conflicting language in the policy that said that employees would not monitor one another's email absent express board approval. Although the employee who brought the ECPA and SCA claims made a valiant attempt to inject ambiguity into the language of the policy, the court ultimately saw things the employer's way.
You would potentially expect some sympathy from the court since in many of these cases, the monitoring results in the employer getting access to highly relevant evidence that often points to misconduct or a breach of policy (or a contractual duty) on the part of the employee, but this does not seem to be the case. Here I guess the court expressed some sympathy in the form of the small damage award given to the employees, but the employer took an even bigger hit - the court's previous order precluded the employer from using this evidence. When you consider that the information the employer accessed was information that could have been obtained through discovery (from the ex-employees), the decision to access the emails here turned out to be pretty costly.
Posted by Venkat at 08:17 PM | Privacy/Security
January 11, 2011
Court Approves TD Ameritrade Data Breach Settlement -- In re TD Ameritrade
[Post by Venkat Balasubramani]
In re TD Ameritrade Accountholder Litigation, 07-2852 (N.D. Cal.; Dec. 20, 2010) (Order granting preliminary approval of settlement)
A class action lawsuit arising out of a TD Ameritrade data breach looks like it's winding its way to resolution. Judge Walker granted preliminary approval to the class settlement, which:
(1) requires payment of between $2.5 to 6.5 million to the class - each claimant is "entitled to seek cash benefits ranging from $50 to $2,500, depending 'on the nature of the account affected by the identity theft and the type of expense and unreimbursed loss incurred . . . .'";
(2) sets a maximum of $500,000 for attorney's fees; and
(3) requires TD Ameritrade to engage a third party auditor to assess its data security practices.
[Clarification/correction: Matthew Elvey emails to note that class members are not automatically entitled to compensation. Only class members who have been victims of "identity theft" are entitled to compensation, based on a range of factors. Interestingly, I may be missing something, but don't see a definition for "identity theft" in the settlement agreement. A common sense interpretation would mean people whose data has actually been misused. Another possible framework would have been to allow compensation for people whose data was compromised, regardless of whether the data was misused. I've emailed class counsel for some clarification on this and I'll post an update when I hear back.] The precise amount of each payout will be determined by the claims administrator based on guidelines contained in Section 3 of the settlement agreement. If the amounts claimed by the class are less than $2.5 million, the difference will be paid to certain identified public interest organizations. (Access a copy of the settlement agreement here.)
The lawsuit has a tortured procedural history - the wranglings and objections are reminiscent of the Beacon class action, and involve some of the same players and issues (e.g., Kamber Edelson as class counsel, no cash compensation to class members). Judge Walker previously rejected the class settlement (in October 2009) in an order that recounts some of these wranglings. (Access a copy of Judge Walker's previous order rejecting the proposed class settlement here.)
As Judge Walker's previous order notes, the previous settlement terms proposed by TD Ameritrade principally required TD Ameritrade to: (1) post a warning regarding "stock spam" on its website; (2) retain an independent expert to audit its security practices; (3) retain a consultant to see if any of the lost data had been misused in an "organized" manner and inform any affected class members of this misuse; (4) give out a free one-year subscription to class members to an anti-virus, anti-spam security product; and (5) donate $50,000 to "specified cyber-security projects." The original proposed settlement also proposed a payment of fees to class counsel in the amount of $1,870,000. One of the class representatives (Matthew Elvey) expressed reservations that the proposed settlement "inadequately compensated plaintiffs for their injuries . . . and mischaracterized the nature of the risks associated with the breach." In addition, the Texas Attorney General also voiced its objections, arguing among other things that the proposed settlement "offered no meaningful relief to the class members," and the award of proposed fees to class counsel was "excessive." The parties incorporated some changes to the class settlement in response to the Texas AG's objections, but even as revised, Judge Walker rejected the proposed settlement, noting that the influence of the Texas AG largely "resulted in changes to the nature and scope of the notice, rather than altering the purported benefits to the class." Judge Walker also appointed Gretchen Nelson as substitute class counsel, replacing Kamber Edelson (whom he had provisionally appointed when he initially approved the original settlement). Elvey's relationship with Kamber Edelson looks like it ended less than amicably, as you can see from one of his blog posts here. In any event, it looks like new class counsel was appointed and re-negotiated the terms of a settlement which ended up looking acceptable from Judge Walker's standpoint. 
(Looks like Elvey still objects to the terms of the proposed settlement.) [Clarification/correction: Jay Edelson emails to note that Kamber Edelson is now two different firms (Edelson McGuire and KamberLaw) and that Scott Kamber was not “kicked off the case.” With respect to this point, I think it’s worth reproducing the court’s language in full:
The May 1, 2009 order of preliminary approval granted “provisional certification of the settlement class” and confirmed Kamber Edelson LLC, Parisi & Havens LLP, Scott A Kamber and Ethan Mark Preston (“Kamber et al”) as lead counsel. Doc #93 at 10. As the certification was provisional and preliminary to final approval, denial of final approval abrogates provisional class certification and the interim appointment of Kamber et al as class counsel. Hence, no class has been certified and no appointment of class counsel has been made under FRCP 23(g). On August 28, 2009, class member Holober suggested Gretchen M Nelson of the Kreindler and Kreindler firm to the court as substitute class counsel. . . . The court has considered Nelson’s experience in handling class actions and other complex litigation, her work in investigating potential claims in the action, her knowledge of the applicable law and the resources she will commit to representing the class. FRCP 23(g)(1)(C). Having considered these factors, it appears that Nelson is fully capable of fairly and adequately representing the interests of a class of TD Ameritrade accountholders.
Kamber remains a part of the case and his name is on the settlement agreement as well. That said, readers can come to their own conclusions as to what the court intended.]
We've blogged a bunch about data breach cases, mostly involving the rejection of data breach claims due to the absence of a showing of damages. There's a larger debate as to whether plaintiffs are harmed and what courts should require of such plaintiffs. I have a post on this that's been in the hopper for a couple of months now, and I'll get around to posting on it soon. But in the meantime, it's interesting to note that repeatedly, plaintiffs bring data breach class actions and their lawyers are quick to suggest a recovery which doesn't involve payment of any significant compensation to the class (but which of course includes hefty attorney's fees awards). The Facebook Beacon ("Beacon Class Action Settlement Approved -- Lane v. Facebook") and Google Buzz ("Google Settles Buzz User Privacy Litigation") settlements both fit into this category. It's nice to see courts taking a closer look at these settlements. I wonder whether Judge Walker's insistence on some concrete benefit to the class members and discussion of the reduced fees will set a precedent for future lawsuits like this one. Is increased scrutiny likely for these types of settlements? The Facebook Beacon settlement is on appeal to the Ninth Circuit and raises some issues that are similar to the ones raised in this case. It will be interesting to see what happens with it.
Related links:
"Trials and Tribulations" (Matthew Elvey's website where he chronicles the path of this litigation, including his falling out with Kamber Edelson)
"Ameritrade Hack Settlement: $2 Per Victim, $1.8 Million for Lawyers" (one of several articles at Threat Level)
"TD Ameritrade Account Holder Litigation, Case No. C 07 2852 VRW" (Class Action Website)
"Interview: Scott Kamber On His ‘Spate’ Of Lawsuits Over Internet Privacy" (paidContent/Joe Mullin)
Earlier data breach posts:
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"Two More Courts Close the Doors on Data Breach Plaintiffs"
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
"When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue"
Posted by Venkat at 08:33 AM | Privacy/Security
January 02, 2011
Nov.-Dec. 2010 Quick Links, Part 5
By Eric Goldman
Taxes
* Amazon.com, LLC v New York State Dept. of Taxation & Fin., 2010 NY Slip Op 07823 (N.Y. App. Div. Nov. 4, 2010). A NY appellate court rejected Overstock's/Amazon's facial challenges to "affiliates tax" but revived the as-applied challenge. The court distinguishes between "solicitation" of business for Amazon (collection obligation imposed) and passive advertising for Amazon (no collection obligation), but doesn't clearly explain why Amazon affiliates are engaged in solicitation and not passive advertising. Among other things, the court says [I reordered quotes]:
An advertisement in a newspaper is clearly not solicitation, as it is geared to the public at large. Likewise, the maintenance of a Web site which the visitor must reach on his or her own initiative is not, under the statute, or the advisory opinions, a solicitation. On the other hand, the targeting of a potential customer by the transmission of an e-mail is no different from a direct telephone call or a mailing to a customer. Both constitute active initiatives by a party seeking to generate business by pursuing a sale...When a representative can only receive compensation for an actual sale, it is much more likely that the representative will actually solicit, rather than passively maintain a Web site.....Nevertheless, we remand for further discovery so that plaintiffs can make their record that all their in-state representatives do is advertise on New York-based Web sites.
Although I think the court's analysis is wrong, it is not fatal to affiliate programs. For example, it seems like Amazon could fix its program by (1) prohibiting email marketing by affiliates, or (2) moving to a CPC model for affiliates.
"If such retailers have total annual gross sales in Colorado of $100,000 or more, such retailers must: Provide notice with each purchase (the “transactional notice”). The transactional notice must:
• State that the retailer does not collect Colorado sales or use tax.
• State that the purchase is not exempt from Colorado sales or use tax merely because it is made over the Internet or by other remote means.
• State that the State of Colorado requires Colorado purchasers to file a sales or use tax return at the end of the year for all taxable Colorado purchases that were not taxed, and pay tax on those purchases.
• The notice must be easily seen and located near the total price.”
Miscellaneous
* Ars Technica on the Comcast/Level 3 spat. Is it a Net Neutrality red flag or a garden-variety peering dispute?
* Putting an end to one of the most over-hyped stories of the year, Craigslist shut down its adult services category globally.
In an unrelated development, Craigslist got a $6M+ judgment against ezadsuite.com, which "developed, advertised, and sold software programs to automate posting ads on Craigslist’s website and utilized other automated devices and related services meant to circumvent Craigslist’s security measures." This is one of those doctrinally troubling rulings that I choose to ignore because it's a default judgment. See the magistrate report and the judge's adoption.
* Latest NYT article hand-wringing about cyberbullying. WaPo has a myth-busting article on bullying.
* Specht v. Google, 2010 WL 5288154 (N.D. Ill. Dec. 17, 2010). Google wins a trademark battle over the term "Android." Some interesting parts:
- "on its own, the use of a domain name or e-mail address to identify an Internet host computer does not constitute a bona fide use in commerce. The use of a website address containing a trademark is not the same as use of the mark."
- "The androiddata.com website served as a remnant of a closed business. A "ghost site" such as this is not a bona fide use in commerce that can prevent the abandonment of a mark. The cost is small to maintain a domain name registration and host a several-page promotional website without e-commerce functionality, such as that which Plaintiffs contend existed at androiddata.com....Allowing a mark owner to preserve trademark rights by posting the mark on a functional yet almost purposeless website, at such a nominal expense, is the type of token and residual use of a mark that the Lanham Act does not consider a bona fide use in commerce."
* Oklahoma HB 2800: Executors can take over web accounts of the deceased.
* In theory ending another one of the year's most overhyped stories, the Borings got $1 for their trespass claim against Google. Previous blog coverage (1, 2, 3).
* Reuters: “A Reuters Legal analysis found that jurors' forays on the Internet have resulted in dozens of mistrials, appeals and overturned verdicts in the last two years.” Previous blog coverage.
* The Starwood v. Hilton Hotels corporate espionage lawsuit has settled. I tested this dispute in my IP course last year (see the exam and sample answer).
* California State Bar Standing Committee on Professional Responsibility and Conduct Opinion No. 2010-179:
Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.
* Another ill-conceived California law: large companies have to disclose on their websites their efforts to reduce slavery and human trafficking in their supply chains. Are you kidding me???
* Fun with Google Books Ngram viewer: cyberlaw vs. other terms; but different results when the terms are capitalized.
* Inside Higher Ed: "professors ‘caught on tape’ is a growing genre, and some think it could have a chilling effect on academe."
* HuffPost: You're Out: 20 Things That Became Obsolete This Decade.
* Tell your favorite male bloggers (besides Venkat and me, of course) how you really feel about their strengths.
Posted by Eric at 07:54 AM | E-Commerce , Marketing , Privacy/Security , Trade Secrets
December 29, 2010
Nov.-Dec. 2010 Quick Links, Part 2
By Eric Goldman
Wikileaks
Wikileaks has been on my mind for the past 2 months, but the stories have moved faster than I can. From my perspective, Wikileaks is principally a story about The Empire Strikes Back (It is a dark time for the Rebellion....). You may recall John Perry Barlow's classic cyberspace exceptionalist screed, "A Declaration of the Independence of Cyberspace" and its government baiting: "Governments of the Industrial World, you weary giants of flesh and steel...[y]ou have no sovereignty where we gather....[y]ou have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear."
For a dying dinosaur, the US government has shown remarkable agility marshaling forces to combat Wikileaks. Think of all of the private companies that shunned Wikileaks because it was ticking off the US government: PayPal, Visa, Mastercard, Amazon, EveryDNS, Swiss banks, etc.; and many US government agencies tried to block their employees from accessing Wikileaks. Recall in The Empire Strikes Back how Darth Vader relentlessly and single-mindedly pursues Luke and his band across the galaxy (The evil lord Darth Vader, obsessed with finding young Skywalker, has dispatched thousands of remote probes into the far reaches of space). That’s kind of like how the US government is chasing Wikileaks throughout the Internet galaxy.
As several people have pointed out, the US government would be lauding Wikileaks as heroes if they were releasing secret Chinese government documents. But, because they are releasing US government secrets, some have hyperbolically called them terrorists who should be assassinated. Hypocrisy alert! (More on this from Techdirt).
Despite the US government’s relentless efforts to pursue and destroy Wikileaks, its failure to excise Wikileaks-published secrets from the Internet is telling. It reminds us that efforts like COICA and domain name seizures are tools of censorship, but those efforts will not effectively suppress unwanted activity. (More on this from Derek Bambauer and WaPo).
There has only been a little discussion about Wikileaks’ US legal liability. As a republisher of third party material, Wikileaks--and all of its upstream service providers--presumptively qualify for 47 USC 230. However, there are a variety of criminal doctrines restricting the dissemination of US government secrets (although, as this CRS points out, none are a slam dunk; but see Declan’s perspectives), and federal criminal prosecutions are outside the scope of 230. As a result, the possible criminality here helps explain why Wikileaks could face significant legal risk and why all of Wikileaks’ service providers fold like a house of cards when confronted with requests/pressure from the US government.
Obama Administration
In so many ways, both important and not, the Obama administration hasn't deviated from the paths set by the Bush administration. However, in the past couple months, some new winds have been blowing from the Obama administration.
* The FCC's net neutrality proposal (NYT, WaPo, Reuters). Given the steadfast opposition from Congress to the FCC’s power grab and the likelihood that the courts will say the FCC overstepped its authority, are these DOA?
* The FTC released a report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, digesting over a year’s worth of FTC hearings (see my recap of the Berkeley hearing) and warnings. Among other things, the report advocates for browser vendors to incorporate a “do not track” feature analogous to the Do Not Call registry (an unhelpful analogy for reasons I explore in this article). Vladeck’s testimony on Do-Not-Track. In response, Microsoft will integrate a “do not track” feature into the Internet Explorer 9 browser, and Mozilla will add something similar in Firefox.
* The Commerce Department’s proposed Privacy Bill of Rights for online consumers (NYT, WaPo).
Privacy
* US v. Warshak (6th Circuit Dec. 14, 2010). Email is protected by the Fourth Amendment: users have a reasonable expectation of privacy in the contents of emails stored with their ISP, so the government needs a warrant to compel the ISP to turn them over.
* Doe v. Shurtleff, No. 09-4162 (10th Cir. Dec. 1, 2010). Amended 10th circuit opinion that sex offenders can be required to register their Internet aliases.
* Dunbar v Google (E.D. Tex. complaint filed Nov. 17, 2010): class action that Google's scanning of emails in Gmail to trigger ads violates the ECPA. This is such a déjà vu back to 2004!
* WSJ: Deep packet inspection coming back on an opt-in basis?
* In re Quantcast Advertising Cookie Litigation, No. 2:10-cv-05484-GW-JCG (C.D. Cal. proposed settlement filed 12/3/10) and In re Clearspring Flash Cookie Litigation, No. 2:10-cv-05948-GW-JCG (C.D. Cal. proposed settlement filed 12/3/10). Persistent flash cookie lawsuit proposes to settle for $2.4M.
* Shefts v. Petrakis, 2010 WL 5125739 (C.D.Ill. Dec. 8, 2010). President of telecommunications company sues when the company monitors his email (using SpectorPro software) as part of a sexual harassment investigation.
Posted by Eric at 08:43 PM | Content Regulation , Privacy/Security
December 24, 2010
Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
[Post by Venkat with comments by Eric]
Mortensen v. Bresnan Comm., CV 10-13-BLG-RFC (D. Mont. Dec. 13, 2010)
A district court in Montana hearing one of the many NebuAd "deep packet inspection" lawsuits partially granted a defendant's motion to dismiss. This lawsuit arises out of NebuAd's alleged attempt to monitor and use an end user's internet activity for advertisement targeting purposes - i.e., not using cookies or other tracking, but actually routing the communications themselves through NebuAd's "appliance." There have been a slew of lawsuits out of this practice; this lawsuit involved claims against Bresnan Communications, an Internet access provider, which is accused of letting NebuAd install the appliance for Bresnan's profit.
Electronic Communication Privacy Act Claims: Bresnan first argued that it did not engage in any interception itself, so it could not be held liable under the ECPA. The court rejects this argument on the basis of plaintiff's allegation that Bresnan "allowed" NebuAd to install its device on Bresnan's network, and but for the appliance, the monitoring would not have occurred.
However, the court accepts Bresnan's argument that the plaintiffs agreed to the interception based on disclosures in the terms of service and elsewhere. The court quotes from Bresnan's "Online Privacy Notice," which says:
the equipment used to provide the service collects information . . . [including] information about . . . 'electronic browsing,' and the text of email or other electronic communications the [users] send or receive using [the] services.
The notice also references that the information that is collected will be disclosed to third parties. Bresnan's "Online Subscriber Agreement" contained similar disclosures. Finally, the court notes that Bresnan alleges that it provided customers "specific notice" and a link to opt-out from information collections.
Shockingly, plaintiffs did not contest that "they agreed, by way of Bresnan's Privacy Notice and Subscriber Agreement to the interception." (??) Instead, plaintiffs quibble with the scope of the documents in question and argued that Bresnan construes plaintiffs' consent "cavalierly." The court rejects plaintiffs' argument, and grants Bresnan's motion to dismiss the ECPA claim on the basis of consent.
Invasion of Privacy Claims: Plaintiffs brought a common law invasion of privacy claim. The court finds that the notice and disclosure (discussed above) undermines any expectation of privacy plaintiffs had in their use of the service. This ends the court's discussion.
Computer Fraud and Abuse Act Claims: Although the court rejects plaintiffs' ECPA claim, the court allows plaintiffs' Computer Fraud and Abuse Act claim to go forward. The court concludes (based on Bresnan's disclosures to its customers) that Bresnan's access of plaintiffs' computers had some authorization. Nevertheless, the court finds that Bresnan may have exceeded the authorization that was initially granted. The court bases this conclusion on the fact that the notices provided by Bresnan did not clearly apprise plaintiffs that "their computer settings were to be actively altered or tampered with by Bresnan." The court concludes that for purposes of surviving a motion to dismiss, plaintiffs have sufficiently alleged that:
Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.
The court also addresses the jurisdictional damage requirement, under which a civil CFAA plaintiff must show that the unauthorized access caused $5,000 or more in loss. The court notes that plaintiffs' allegations of emotional distress are not compensable, since only economic losses are recoverable under the CFAA. However, the court finds that plaintiffs satisfy the jurisdictional damage threshold since they allege they were "forced to mitigate Bresnan's invasive actions by expending time, money and resources to investigate and repair their personal computer's diminished performance."
Trespass to Chattels: Finally, the court allows plaintiffs' trespass to chattel claims to go forward. With respect to the trespass claim, the court says that the plaintiffs sufficiently alleged an interference with their chattel (their computers).
__
Venkat's Comments:
This is one of many privacy lawsuits that are percolating through the courts right now. I think this one differs qualitatively from many of the others in that here, there is an allegation of improper monitoring of the contents of the plaintiffs' communications. It's one thing to surreptitiously find out what websites someone has been visiting or leak someone's unique user ID. It's another thing entirely to read their email and the contents of what they access while browsing. This is an important distinction to keep in mind. I don't think you can necessarily extrapolate a tentative result in the other cases based on this result. Apart from the damages issue (discussed below), a key unknown in the pending cases is to what extent the information that is captured or disclosed is covered by the statutes in question.
I was somewhat surprised to see little or no discussion from the court on whether the policies were presented in a "leak proof" manner, or whether the disclosure satisfied FTC standards. Was there evidence that plaintiffs could not access the service without encountering the policy? (See Prof. Goldman's post on that topic: "Clickthrough Agreement With Acknowledgement Checkbox Enforced.")
The court's conclusion on the consent issue is also somewhat perplexing, in light of the exact same judge's earlier order denying Bresnan's request to compel arbitration, which you can access here. BNA recaps the decision denying Bresnan's request to subject the claims to arbitration as follows: "A mandatory arbitration clause in an internet service provider's terms of service—which was presented in capitalized text in the ninth paragraph of the unsigned document—was an inconspicuous part of a contract of adhesion and unenforceable under Montana law."
On the other hand, if plaintiffs conceded the consent/disclosure issue, then the court did not need to get into it. [What were the plaintiffs thinking, conceding this? If you are bringing this type of a lawsuit, you have to be able to put together enough allegations of no-consent to get past the motion to dismiss stage.]
At the end of the day, if consent is going to be the basis to defend against these types of privacy claims, defendants would be well advised to really be thorough in procuring this consent. In fact, I'm surprised that Bresnan - given that it is an IAP allegedly engaging in gray area practices - didn't just secure written consent at the time it first provided the service.
I'm also surprised at the court's conclusion on the Computer Fraud and Abuse Act damage issue, given its conclusion on the ECPA issue. If it was going to split hairs on the notice and consent (as it did with respect to the CFAA claims), it could have probably done so on the ECPA claims as well. Courts often keep in claims they may otherwise dismiss if they decided that some claims are going to survive. Also, some cases construe the CFAA narrowly as requiring damage to the protected computer (or an interruption in data). It's conceivable that plaintiffs could have suffered the requisite loss (which can be aggregated in the class action context), but the court's discussion of plaintiffs' allegations made the damage allegations seem awfully light. (Two posts from Nick Akerman look at some recent CFAA dismissals and discuss the restrictive approach taken by some courts with respect to the CFAA's jurisdictional damage requirement: "Dismissal of CFAA Claim for Lack of Jurisdiction" and "Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction.")
The dismissal of the ECPA claim as opposed to the CFAA claim could have some ramifications on the damages front. Statutory damages are available under the ECPA, but not under the CFAA. For what it's worth, there's conflicting authority on the issue of whether non-economic damages are recoverable under the CFAA. (See Garland-Sash v. Lewis, 348 Fed. Appx. 639 (2d Cir. 2009) (construing the phrase "compensatory damages" - which was added to a provision of the CFAA after the DoubleClick case came down - to include "damages for pain, suffering, and other emotional harms").) Even if for some reason the court decides that plaintiffs are entitled to non-economic damages, it will be interesting to see how plaintiffs prove up these damages.
The trespass claim is a bonus claim, but again, the court doesn't dig in to the damage issue with respect to common law trespass. Although the court cites to California law, the court does not discuss damage or slowdown to the machine in question as articulated by the California Supreme Court in Intel v. Hamidi (an email bombardment case) or as interpreted by the Fourth Circuit in the Omega v. Mummagraphics case.
I'm not sure how much light this ruling will shed on the many pending privacy lawsuits that involve things like surreptitious tracking, sniffing, and leakage of personal information. Damages issues aside, the ruling may highlight the importance of choice, consent, and the requirement that any disclosures or disclaimers be conspicuous, all issues the FTC seems to frequently opine on and issue reports about.
(h/t Wendy Davis)
__
Eric's Comments:
As Venkat notes, this ruling is an inconsistent mix of formalism and realism. In light of the judge's ruling last month that Bresnan made inadequate disclosures to uphold an arbitration clause, it's odd for the judge to now find that Bresnan made adequate disclosures to wipe away the ECPA and privacy invasion claims via dense/buried EULA language plus an opt-out notice; while that same consent wasn't good enough to wipe away the CFAA and Trespass to Chattels claim. The CFAA ruling on damages was also oddly formalist given the consent ruling. I respect formalist judges for being careful and methodical, but it would have been nice if this judge had been a little more aggressive about calling a spade a spade.
I am not a fan of deep packet inspection (DPI) by IAPs done on anything but an opt-in basis. We're basically back to the old battles about unwanted adware/spyware getting onto users' hard drives as part of some bundle. Sure, the adware vendors could claim user consent through a formalist reading of the contracts, but there wasn't true consumer consent, and we all knew it. I'm reminded a little of the FTC's bust of Sears for its trackware installations--Sears paid people for the installation, but the software did things far beyond anything users might have expected, even though these attributes were putatively explained deep in the EULA. If you're an IAP trying to implement DPI on an opt-out basis, bonne chance, and don't expect a lot of friends to rally around your cause.
At the same time, I'll be interested to see if the plaintiffs can marshal any true evidence of harm. If the plaintiffs are advancing a recycled version of the old, tired and completely laughable arguments that installing cookies on a user's computer creates cognizable harm, I hope this judge will quickly give them the boot they deserve. In that respect, I'm disappointed the judge didn't more aggressively police the trespass to chattels claim on the harm requirement per Hamidi. Personally, I think these plaintiffs should have been forced to put-up-or-shut-up on the harm issue early. Then again, this case came out the day before the Ninth Circuit's recent Starbucks case, but perhaps it's consistent with it.
Overall, this ruling is just another small data point in a much larger struggle over targetable consumer data. My Coasean Analysis of Marketing article doesn't directly address DPI by IAPs, but the article tells the story of how different intermediaries are fighting with each other to capture better datasets of targetable consumer behavior. After the flameout of the early 2000s model of adware, IAPs are trying to squeeze into the middle by using their more favorable position (compared to websites) to see more complete consumer data. Similarly, Facebook is trying to use tools like Instant Personalization (née Beacon) to sweep up targetable consumer data from throughout the web, not just the smaller dataset it can capture at facebook.com. Meanwhile, Google is trying to move onto the desktop (the toolbar, Desktop, Chrome and its various OSes) to let it get closer to the honeypot of consumer data residing there, rather than just rely on the data it can get at google.com properties. Adware circa 2005 may be dead, but battles between different intermediaries fighting to get the good stuff are perennial. For more, see my posts Adware is Dead and Relevancy Trumps Creepiness.
Posted by Venkat at 09:00 AM | Derivative Liability , Licensing/Contracts , Privacy/Security , Publicity/Privacy Rights , Spam , Trespass to Chattels
December 17, 2010
Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows
[Post by Venkat]
Balsam v. Tucows, No. 09-17625 (9th Cir.; Dec. 16, 2010)
Prolific spam litigant Dan Balsam sued the registrant of [adultactioncam.com] under California's spam statute for allegedly sending Balsam thousands of pieces of spam. Balsam obtained a default judgment in the amount of $1,125,000 (!) against Angeles Technology, Inc., who was listed as the registrant of [adultactioncam.com]. Balsam was ultimately unable to recover against Angeles and then sued Tucows. His beef with Tucows was that Tucows refused to turn over the identity of the registrant of [adultactioncam.com] (when he conducted his initial search, apparently, Angeles was the registrant, but at some point later, Angeles opted into Tucows' privacy protection services). He demanded that Tucows disclose the identity of the registrant "or pay the default judgment." Tucows predictably refused, and Balsam sued, trying to hold Tucows liable. I should note that the court's description of the facts is much better than mine, although it's somewhat charitable to Balsam. The court concludes its recitation of facts by saying that "[a]lthough [Balsam's] approach is novel and creative, it cannot survive a motion to dismiss."
Balsam's main argument is that Tucows as the registrar is bound by the ICANN registrar accreditation agreement, which contains the following provision (Sec. 3.7.7.3):
A Registered Name Holder licensing use of a Registered [domain] Name . . . shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly disclosed the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.
As the court notes, Balsam's claim against Tucows depends on his status as a third party beneficiary to the RAA agreement between ICANN and Tucows. The court concludes that Balsam is not a third party beneficiary because, among other things, the agreement contains an explicit "no third party beneficiary" clause, and because the agreement itself does not contain terms applicable to ICANN or any registrar - it merely provides that a registrar must include certain terms (including this one) in its domain name registration agreements. Balsam responded that the "no third party beneficiary" clause does not relieve Tucows of its obligation as a registrant (which it or one of its affiliated entities is in name when it provides privacy protection services), but the court rejects this argument as well. Tucows entered into the agreement as a registrar, and didn't agree to bind itself as a registrant.
__
Balsam has an uphill battle arguing that the RAA creates third party rights. See Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004). (Interestingly, Register v. Verio dealt with the use of WHOIS information where Verio sent unsolicited emails to Register registered domain names advertising Verio's services.) However, more relevant to the court's discussion is a recent case involving proxy registration services - Solid Host v. NameCheap - where the court found that NameCheap could be held liable for contributory cybersquatting based on the actions of the registrant-in-fact. Here's Prof. Goldman's post on the muddled ruling in that case: "Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap." As he mentions in that post, it's important to be clear about who is the registrar and who is the registrant (and in what capacity a particular entity is acting when it's providing services). He raises the issue of whether registrars will shy away from providing privacy protection services. I don't know the answer to that, and although it may be early to assess the fallout (if any) of the NameCheap case, this case seems to indicate that proxy registrars don't roll over and readily disclose registrant information absent a court order.
In any event, I don't think Balsam had a strong argument here since Angeles's utilization of the privacy protection services did not contribute in any way to the alleged harm. Although the facts aren't crystal clear, it seemed like Balsam obtained a judgment (after having determined that Angeles was the registrant) and only then did Angeles opt in to the privacy protection feature. The damage (if any) was done by the time the privacy protection feature entered into the picture. Additionally, as the district court's order notes, the Angeles lawsuit was pending at the time Tucows declined to reveal the underlying registration info - Balsam had an obvious solution (which he failed to take advantage of). He could have issued a subpoena seeking the registrant information and could have easily obtained it. There may be some set of facts under which a refusal to reveal the registrant information could support a claim, but those facts were not present here.
This also raises the issue of the appropriate response from a company that provides private registration services. The registrars have an interest in not freely disclosing registrant information absent a court order, but NameCheap suggests that in some cases, a failure to disclose may result in liability to the provider of privacy protection services. (NameCheap raised the issue of whether the registrar was acting in its capacity as registrar or in another capacity - in its capacity as registrar, it may be able to take advantage of an ACPA safe harbor. As I mentioned in my previous post about this case, Tucows may have been able to take advantage of a Section 230 defense, although ultimately it didn't end up needing to invoke the protections of Section 230, given the court's ruling.) This case indicates that courts are reluctant to freely impose liability on a registrar who provides proxy registration services, which isn't necessarily a bad thing from the standpoint of protecting registrant anonymity and privacy. A finding of possible liability in this case could have resulted in registrars getting more nervous when they receive requests for the identity of the underlying registrant.
Posted by Venkat at 09:29 AM | Derivative Liability , Domain Names , Privacy/Security , Spam
December 15, 2010
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
[Post by Venkat]
Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir.; Dec. 14, 2010) (Memo affirming dismissal) (Opinion re Standing)
Starbucks employees sued Starbucks due to a data breach resulting from the theft of a laptop computer which contained "names, addresses, and social security numbers of approximately 97,000 Starbucks employees." The trial court dismissed the lawsuit, finding that Washington law doesn't recognize a cause of action where the sole damage is "risk of future harm." The trial court also held that the plaintiffs had not alleged sufficient facts to bring an implied contract claim.
The Ninth Circuit largely agreed, noting that under Washington law, "actual loss or damage is an essential element" of a negligence claim. The sole plaintiff who alleged that his data had been misused did not point to any actual loss from the data misuse. Finally, the court notes that plaintiffs waived the argument that "anxiety constitutes actionable injury." With respect to the contract claim, the court found that none of the documents (employee policy statements) included "an offer to safeguard data." Although the plaintiffs sought to have the question certified to the Washington Supreme Court, the Ninth Circuit declined, finding that resolution of the case was sufficiently clear under Washington law.
Separately, the court issued an opinion finding that the plaintiffs had Article III standing ("'generalized anxiety and stress' as a result of [the data breach] is sufficient to confer standing"). Unfortunately, this represents the hollowest of victories for the plaintiffs, since the court found that even though plaintiffs had Article III standing, they still could not maintain a cause of action under Washington law.
I'm not sure what to make of the fact that the Ninth Circuit spent the bulk of its energy discussing the standing issue while at the same time affirming the dismissal of claims in an unpublished opinion. It's tempting to see the Ninth Circuit's standing decision as a glimmer of hope, but I don't think that's the case. Other cases have found standing in the data breach context, only to turn around and rebuff the claims for lack of cognizable harm. (Pisciotta v. Old National Bankcorp, discussed by the Ninth Circuit in this case, is one example.) Whether a data breach claim is cognizable typically turns on state law (absent an applicable statute), and I'm not aware of any cases (whether or not they find plaintiffs have standing) that have allowed data breach plaintiffs to recover, absent out of pocket loss. Even in California! In any event, the uniform trend is that if you're proceeding under state negligence or contract claims, no out of pocket loss = no recovery. (See, e.g., Ruiz v. Gap; Amburgy v. Express Scripts, Inc.; Pinero v. Jackson Hewitt; Bell v. Acxiom; In re JetBlue.) While the Article III ruling may be of interest from the point of view of legal doctrine, it doesn't much help the plaintiffs here. Also, you have to see this ruling as hostile to data breach plaintiffs. Although the court gave a nod to the possibility of a claim premised on anxiety or risk of future harm, the court rejected the appeal in a case that stemmed from a data breach potentially encompassing 97,000 employees. If there was ever a case where a friendly court would have contorted the rules to give plaintiffs a chance, this would have been it.
One interesting data point (or lack of a data point) is that the data breach in this case occurred in October 2008. The data of some 97,000 employees was compromised. Yet, in the trial court proceedings (a year later) plaintiffs put forth no evidence of anyone having actually suffered out of pocket loss. I realize that the plaintiffs are not required to put forth this type of data at the pleading stage, but if hordes of people actually had their data misused, you would think counsel for plaintiffs would have casually mentioned evidence to this effect? (During oral argument (which is well worth a listen and which you can access here), one of the judges asked whether plaintiffs' counsel "[had] any idea how many of the 97,000 people have suffered identity theft that's traceable to this [incident] . . . [and whether plaintiffs made] any allegations to that effect." In response, counsel for plaintiff cites one example: the named plaintiff who had a bank account opened in his name, but who did not suffer any out of pocket loss as a result.) The fact that plaintiffs did not do so is not conclusive, but I think it is telling, and this larger point is something worth exploring when thinking about data breach and harm generally. What does the data say about whether and to what extent plaintiffs who have had their data compromised actually suffer out of pocket losses?
Previous post:
"Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit"
Related posts:
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
"When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue"
Posted by Venkat at 09:58 AM | Privacy/Security
December 08, 2010
Court: Search of Contents of Student Cell Phone Covered by Qualified Immunity -- J.W. v. Desoto County School Dist.
[Post by Venkat]
J.W. v. Desoto County School Dist., et al., 09-cv-00155-MPM-DAS (N.D. Miss.; Nov. 1, 2010)
The Virginia Attorney General set off a small firestorm (e.g., "Should Teachers Be Searching Cell Phones?") when he issued an opinion to the effect that principals and teachers may seize student cell phones and laptops and access their contents in order to combat "cyber bullying." (You can access a copy of the opinion here: [pdf].) Interestingly, earlier last month, a federal court in Mississippi held that individual defendants were shielded from civil claims (by qualified immunity) based on an allegedly improper search of a student cell phone.
The facts of the Mississippi case are fairly straightforward. R.W., a student, opened his phone (while in class) to receive a text message from his father. A school district disciplinary rule prohibited students from possessing or using cell phones while at school. A school district employee confiscated the phone and, according to the plaintiff, "opened the phone to review the personal pictures stored on it." The employee discovered photos of another student holding a B.B. gun. R.W. was escorted to the principal's office where other school employees viewed the contents of his phone. As a result, R.W. was suspended for violating a rule which prohibits students from "displaying messages associated with any gang . . . [or] criminal activity." [The order isn't totally clear, but it looks like the school administrators must have found other photos as well.] R.W. was expelled and brought suit, alleging that the search and expulsion violated his constitutional rights.
The court held that the actions of the individual defendants were protected under qualified immunity (under which public officials can only be held liable for damages if they violate "clearly established" constitutional rights). The court gives an obligatory nod to the relaxed standards for when searches are appropriate in schools. Although R.W. argued that there was no reason for the school officials to look at the contents of his phone, the court found otherwise, noting that the search could be viewed as reasonable for a variety of legitimate reasons (e.g., to find evidence of cheating or that the student was improperly communicating with another student via his cell phone).
The court distinguished a recent case from Pennsylvania (Klump v. Nazareth Area School Dist., 425 F. Supp. 2d 622 (E.D. Pa. 2006) [pdf]) where the court denied qualified immunity for individual defendants, on the basis that in the Pennsylvania case, the officials "appeared to use [the accident of the phone falling out of the student's pocket] as a pretext to conduct a wholesale fishing expedition into the student's life." In the Pennsylvania case, the facts of the search were more egregious: administrators used the student's phone to call other students, accessed the student's voicemail and text messages, and even had an AOL Instant Message conversation with someone using the student's phone.
Nevertheless, the court in this case had an awkward time distinguishing the two cases. There was little justification in this case for the officials to view the contents of the phone, much less the photos on there. That said, the court was clearly bothered by the facts of the case, and the fact that the search resulted in discipline for off-campus conduct. Although the court let off the individual defendants, the court was skeptical of the propriety of the school district's conduct overall, and admonished the school district to "give serious consideration" to settling the case. The court also chastises the school for its inconsistent reasons for expelling R.W. - the actual offense of bringing a phone to school was only punishable by a three day suspension, and justifying the expulsion based on the photos on the cell phone was akin to "call[ing] in a student on a Monday morning and ask him to explain, under penalty of expulsion, why he was observed wearing a particular piece of clothing or seen running around with a 'bad crowd' over the weekend." The court also notes that R.W. didn't actually "display" any of the photos. R.W. has a good chance of persuading the court to set aside the expulsion, but this may not end up being of much use to him. (At the time of the summary judgment ruling, R.W. was well into the school year at another school. He can only get money damages against the individual defendants, and the court found them to be protected by qualified immunity. While he may get equitable relief, this could come too little too late.)
The Virginia AG's opinion is somewhat narrow, and hints at the unreasonableness of the search in this case. Although the opinion only looks at the hypothetical posed by a specific factual scenario, it OKs a search of the contents of the phone based on a report from a student that a message from another student is "either threatening or criminal or violates the school's bullying policy" - i.e., when the contents of the phone are related to the alleged violation in the first place. It was tough to make that argument here, although the court allowed the individual defendants to slide based on its view that the law was not clearly established.
Posted by Venkat at 10:16 AM | Privacy/Security
December 04, 2010
Message Board Operator Fights Discovery Order Requiring Broad Disclosure [Update] -- Concerned Citizens for Crystal City v. City of Crystal City
[Post by Venkat]
Concerned Citizens for Crystal City v. Crystal City, No. ED94135 (Mo. Ct. App.; Nov. 30, 2010) (amended order)
I posted in October about a discovery dispute involving a message board operator who was subject to an overly broad discovery order. ("Message Board Operator Fights Discovery Order Requiring Disclosure of Identities and Private Messages.")
The trial court dismissed the lawsuit in response to the message board operator's refusal to comply with the order. Although the appeals court reversed, the previous post mentioned that the appeals court offered little by way of direction to the trial court, in particular regarding the private messages that the message board operator was ordered to produce.
The appeals court on its own motion issued a revised opinion, adding the following language:
In order to narrow the scope of discovery concerning private messages, Defendants will need similar access to the text or other information as to the content of those messages, with identifying information removed, as was provided concerning the public postings. This will enable the parties and the court to then determine which private messages and what identifying information about those messages is properly discoverable. [emphasis added]
It's nice to see the court (on its own motion) give a bit more clarity to the issue. Unfortunately, the order didn't cite the blog post, so I can't claim credit for this.
Posted by Venkat at 09:48 AM | Privacy/Security
October 30, 2010
Message Board Operator Fights Discovery Order Requiring Disclosure of Identities and Private Messages -- Concerned Citizens for Crystal City v. City of Crystal City
[Post by Venkat]
Concerned Citizens for Crystal City, et al. v. City of Crystal City, et al., No. ED 94135 (Mo. Ct. App.; Oct. 26, 2010)
In 1991, Pittsburgh Plate and Glass Company shut down a factory in Crystal City (Missouri), and Crystal City undertook efforts to redevelop this property. Wings Enterprises expressed an interest in the property and met with the City regarding potential redevelopment efforts. Thomas Kerr, who owned the adjoining property, formed Concerned Citizens for Crystal City, a non-profit that opposed the Wings redevelopment proposal (and presumably, had its own ideas for what form the redevelopment should take).
William Ginniver became the president of CCCC and set up a forum for concerned citizens to discuss the Wings proposal. Posters could post anonymously but had to register by providing an email address in order to post to the forum. Ultimately, the City approved the Wings proposal, and CCCC filed suit, alleging among other things that the City violated Missouri's Sunshine Law in connection with the redevelopment discussions. Wings intervened in the lawsuit as a defendant.
In the course of discovery, Wings sent over a request for production to Ginniver seeking:
a complete copy, in native format, of all information in [Ginniver's] possession that had been posted on the domain http://www.clearpillar.com;
a complete copy, in native format, of all databases in [Ginniver's] possession related to any forum that [had] appeared on http://www.clearpillar.com, with all copies to include, among other things, the IP addresses related to each post, member names and email addresses, and the text of private messages on the database.
Ginniver objected, and the trial court largely rejected his objection, ordering him to produce "a full and complete copy, in native format, of all information in his possession or control, that [had] been posted [to http://www.clearpillar.com]." The court also ordered Ginniver to answer deposition questions regarding the identity of users who posted on the forum.
Ginniver filed an interlocutory appeal of the discovery order but neither the Court of Appeals nor the Missouri Supreme Court decided to hear the appeal. Ginniver then produced a copy of all public messages posted to the forum but withheld "unposted private messages," and "any information that could have uniquely identified the users of the forum." In response, Crystal City and Wings moved for default judgment as a sanction. The trial court granted this request.
The Court of Appeals held that dismissal as a sanction was overly drastic, and that the discovery requests were overly broad to begin with. The content of the postings was sufficient for the City or Wings to seek identification of particular posters (or bring this issue before the court at a later time). The court cited the rules regarding protective orders and hinted that a previously offered stipulation by defendants (to a protective order) may sufficiently address any concerns on the part of the posters (or on Ginniver's part), and that if CCCC failed to comply with a properly narrowed discovery request, the sanction of dismissal may then be appropriate.
__
This looks like a narrow escape for plaintiff from what appears to have been a bad initial ruling by the trial court. The Court of Appeals had an opportunity to clear up confusion regarding the various categories of information, but beyond providing some vague guidance, it did not give the trial court much to work with.
Status of private messages: It appears that Ginniver sought to withhold private messages, but the court didn't delve into whether the messages were truly private and what that would have meant for purposes of discovery. I recently posted on a decision from Pennsylvania ordering disclosure of a plaintiff's log-in and passwords for his Facebook and MySpace pages, where the court didn't delve into the various categories of information and whether they were truly public or private. ("Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway.") That decision also did not discuss the effect (if any) of the Stored Communications Act on private messages. This court's decision suffers from many of the same problems.
Identification of anonymous posters: Although the court alludes to the standards for when a litigant can identify an online poster, and hints that First Amendment interests are at stake here, it's unlikely that defendants would satisfy any of the standards for identifying all of the posters. This case involves citizen communications criticizing the government's activity, and the First Amendment interests are therefore particularly strong. Even if it did not announce the applicable test, it would have been nice for the court to recognize this, and send a message that a fishing expedition seeking to identify all of the posters was inappropriate.
This case looks like a good candidate for intervention by one of the many public interest groups who have fought (and won) battles around online anonymity.
Posted by Venkat at 01:50 PM | Evidence/Discovery , Privacy/Security
October 25, 2010
My RapLeaf Profile is Amusingly Mistaken. This is What the Fuss is All About?
By Eric Goldman
The latest in the Wall Street Journal's "scare journalism" series of privacy articles is a hatchet job on RapLeaf. I don't know much about RapLeaf, but at conferences, privacy advocates frequently invoke RapLeaf as an omnipotent, omniscient privacy violator--a stereotype the WSJ article seeks to inflame.
This morning I decided to see what the fuss is about. Rooting around for the opt-out mechanism mentioned in the WSJ article, I discovered that I could see what information they know about me, and I could even customize it. With a little trepidation given its reputation, I logged in to RapLeaf via my primary email account [egoldman@gmail.com] and this is what I learned (I edited the format but not the substance):
_______
Below is information we provide to companies to personalize the content and advertisements they show you. This information comes from public information you have posted online as well as information from some of our partners (from sources like surveys, census data, and public records).
Personalization Info
Companies use this information to personalize content for you. We'll continue to update this view with more information as we obtain rights from our partners, and as we continue to add new information. You can remove segments by clicking on the "Remove" link to the right and soon you'll also be able to add new segments. Some of this information may go into a cookie.
Your interests:
Entertainment
Entertainment > Music
Internet
Internet > Online Streamers > Photo Sharing Consumers
News & Current Events
News & Current Events > Online News
Shopping
Shopping > Auctions
Shopping > Online Shopping
Social Networks & Online Communities
Social Networks & Online Communities > Blogging Resources & Services
Social Networks & Online Communities > Business Networking
Social Networks & Online Communities > Journals & Personal Sites
Social Networks & Online Communities > Social Networks
Your demographics:
Age: 18-20
Gender: Male
Location: San Francisco, California, United States
Influencer Score: 81-90
Children in the Household: No Children Present
Household Income: 0-15k
Marital Status: Single
Home Owner Status: Own
Your Online Profile
The following is public information we gathered online which we have associated with you. We do not use any identifying information (like a social network id, email address, name, or any other ID) in Rapleaf cookies. The data below is only accessible by companies approved by Rapleaf who are personalizing services to you. You can remove attributes by clicking on the "Remove" link to the right. You can also opt out altogether here.
Name: Eric Goldman
Location: San Francisco, California, United States
Occupations:
Assistant Professor at Marquette University Law School
Law professor at Santa Clara University School of Law
Cooley Godward
Epinions
Sites:
Facebook
Flickr
Friendfeed
Friendster
Linkedin
Multiply
Myspace
Plaxo
Twitter
__________
Some comments:
1) The site appears to have partially confused me with another Eric Goldman, as evidenced by the age (wrong by almost a quarter-century), marital status (married nearly 13 years), parenthood status (two super kids), and household income (off by a lot, fortunately).
2) The interest categories are amusingly generic. They aren't provably wrong (though my wife would guffaw at listing me as a "shopper"), but they don't really do anything to uniquely describe my idiosyncratic interests. So an Internet user is interested in news, entertainment, shopping, social networking...? Pretty insightful, guys.
3) The listed websites are also laughable. For example, the most defamatory thing in the profile is that it accuses me of having a MySpace account. Uh, no. In fact, the linked MySpace profile is http://www.myspace.com/jodydog12. Huh? I do have a Friendster account I created in 2003 and never used. I don't know if I created a Multiply account, but it's content-free. I have several Flickr accounts but it links to the one I don't use. It does accurately reflect my Twitter, Friendfeed and LinkedIn pages, all of which have lots of accurate information about me--which makes RapLeaf's other factual errors less excusable.
_______
This RapLeaf profile raises two questions:
1) Why doesn't RapLeaf do a better job knowing me? The WSJ story has examples (intended to be horrifying) of deep insights into users. Despite my spending 14 hours/day on the Internet, RapLeaf sure hasn't gotten many good insights into me. One hypothesis: I don't hang out in the dicier areas of the Internet. For example, a number of the examples in the WSJ article appear to be tied to using Facebook apps, and I categorically don't use apps. I think Facebook has a serious brand/consumer trust issue with bad behavior by its apps providers.
More generally, RapLeaf's shoddy profile reflects how hard it is for any web service to know everything it wants to know about consumers. I discuss this challenge in my Coasean Analysis of Marketing article.
2) Should I be bothered by RapLeaf maintaining a profile about me, accurate or not? I am more sanguine about data profiling than most people. As I wrote earlier, "relevancy trumps creepiness." Nevertheless, it's embarrassing for RapLeaf to do such a poor job figuring out who I am given how much information I've made public. If RapLeaf can't solve its data quality problem pronto, it seems like the marketplace will take care of it faster than any regulator could.
Even so, RapLeaf remains a scary "privacy threat" that creates moral panics among regulators. Whatever RapLeaf's fate in the market, I would hate for us to overreact to its existence in developing privacy regulations. I can think of several websites (Google, Facebook and LinkedIn come to mind) that know way more about me--including my email address and real name--that could be adversely affected by miscalibrated regulatory intervention.
Posted by Eric at 11:45 AM | Marketing , Privacy/Security | TrackBack
October 24, 2010
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway
[Post by Venkat]
McMillen v. Hummingbird Speedway, Inc., et al., Case No. 113-2010 CD (Pa. Ct. of Common Pleas) (Sept. 9, 2010)
There have been several recent cases dealing with discovery of social networking evidence in a civil dispute. A central issue in the background of all these cases is that an opponent is typically entitled to relevant information from the other side's social networking profiles, but turning over the entire profile wholesale may not adequately protect the privacy interests of the party whose information is turned over. One court in Pennsylvania didn't bother grappling with this dispute, and went to the extreme. The court didn't just order relevant portions of the profiles turned over, it granted defendant's discovery request seeking the plaintiff's passwords (i.e., ordered the plaintiff to turn over his passwords to the defendant).
Background: The basic facts should sound familiar by now. Plaintiff suffers personal injury (in this case he was rear-ended during a "cool down lap" following a stock car race at the defendant's track). Following the injury and the lawsuit, plaintiff posts material about his recreational activities (in this case a fishing trip and attendance at the Daytona 500 race). Defendant seeks full discovery of plaintiff's social networking sites to look for evidence which discredits plaintiff's claim that plaintiff is unable to enjoy life as a result of the injury.
Here, rather than asking the plaintiff to turn over the content of the profiles or relevant information in the profiles, counsel for defendant actually asked plaintiff for the login names and passwords for any of plaintiff's social networking accounts.
The court's ruling: The court looks to whether the information is privileged under Pennsylvania law. The court starts off from a skeptical point, noting that no "social network site privilege" had been adopted by the legislature or appeals courts. The court is reluctant to recognize a new privilege but nevertheless looks at the test for when a privilege applies. After walking through the four factor test that a party seeking to assert a privilege must satisfy, the court focuses on confidentiality, which is one of the four elements. With respect to confidentiality of communications, the court cites to the Facebook and MySpace terms of service which (according to the court) make clear to users that there should be no expectation of confidentiality in anything that is posted to (or sent through) Facebook or MySpace. The court additionally thinks that the social nature of the sites make any expectation of confidentiality on the users' part unrealistic:
Facebook, MySpace, and their ilk are social network computer sites people utilize to connect with friends and meet new people. That is, in fact, their purpose, and they do not bill themselves as anything else. Thus, while it is conceivable that a person could use them as forums to divulge and seek advice on personal and private matters, it would be unrealistic to expect that such disclosures would be considered confidential.
This, along with several provisions of the Facebook and MySpace terms lead the court to reject the privilege. The court also applies Wigmore's test for when it is appropriate to recognize a privilege, and comes to the same conclusion:
no person choosing MySpace or Facebook as a communication forum could reasonably expect that his communications would remain confidential, as both sites clearly express the possibility of disclosure. Confidentiality is not essential to maintain the relationships between and among social network users, either. The relationships to be fostered through those media are basic friendships, not attorney-client, physician-patient, or psychologist-patient types of relationships, and while one may expect that his or her friend will hold certain information in confidence, the maintenance of one's friendships typically does not depend on confidentiality. [emphasis added]
Ouch!
__
This seems like a pretty untenable conclusion, for a variety of reasons.
For starters, the court totally glosses over the relevance analysis. There is no way that all of the information in the plaintiff's social networking site can be relevant to the dispute, and the court's decision grants defendant access to both relevant and irrelevant information. There's also information that is likely to be private or sensitive and which may subject the plaintiff to embarrassment. State evidence rules likely protect against disclosure of this type of information, or at least place limitations on the use of this information, and the court's order doesn't take this into account at all.
The court's read on Facebook and MySpace's ability to disclose or access the content of profiles also seems off. As mentioned in Crispin v. Audigier, these sites make available private messaging functionality that is similar to email. Several courts have concluded private messages sent through social networking sites are protected from disclosure by the Stored Communications Act. The court's decision here contains no discussion of this, and disclosure may even violate the Stored Communications Act. Although these companies make private messaging and email services available, this should not cause them to be viewed as a third party "in whose presence" the communication is made. (Accepting the court's view would mean that communications made through Google, Yahoo, and every other ISP or email provider would not be confidential and could never be protected by any privilege.)
There's also the issue that disclosure of the passwords may provide defendant access to plaintiff's other accounts (such as his account with Amazon or his bank account), given that people often reuse the same password across multiple sites. The password also allows the defendant to post as the plaintiff, to edit the plaintiff's profile, use or download apps, change privacy settings (etc.). I would guess there's some implied obligation on the part of the defendant (or its counsel) to not misuse the password, but the court did not even bother spelling out that the defendant had to maintain the password as confidential or not use it for any of these purposes.
Finally, there's the issue that disclosure of the password and access by the defendant probably violates the Facebook and MySpace terms of use!
One hopes that the court takes a second look at this and changes course (or that the decision will be reversed on appeal), because it certainly seems like there are some key issues that the court did not take into account. Interestingly, I don't think Facebook weighed in on this (it may not have had notice). It should weigh in.
Takeaways for litigants: One big takeaway for litigants is that anything posted to social networking sites is fair game, among other reasons, because courts may not appreciate the nuances between truly private messages and public posts. There are gradations of private information, and Facebook itself says that it gives users the tools to control how private or public they want their messages to be. (The private user group posts from the Finkel v. Facebook case are a good example of information that's sort of in-between.) In any event, courts don't always seem sensitive to the nuances here, and as a result, information that a user reasonably thought was private may end up being disclosed in litigation. The prudent course is to not post information on (or even send information through) a social network that you don't want to disclose to the world at large.
Takeaways for lawyers: A possible takeaway for lawyers as well. As new modes of communication emerge, and lawyers start to embrace these methods of communication, there's a question of whether lawyers should worry about things like confidentiality or attorney/client privilege for these types of communications. The obvious concerns are the social networks themselves, third parties, and communication snafus, but this case illustrates that courts may not always get it right when it comes to these communications. Lawyers probably would be wise to adopt a policy of not engaging in confidential or privileged communications with clients via social networking sites (at a minimum, until courts reach clarity on issues such as the one presented in this case).
(h/t K&L Gates's Electronic Discovery Law)
Related posts:
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
Posted by Venkat at 10:24 AM | Evidence/Discovery , Privacy/Security
October 07, 2010
Two More Courts Close the Doors on Data Breach Plaintiffs
[Post by Venkat]
There are a slew of cases that reject data breach claims brought by plaintiffs who have not suffered out of pocket losses. Recently, courts in Maine and Oregon joined the group of courts rejecting such claims.
In re Hannaford Bros Co. Customer Data Security Breach Litigation, (Maine Supreme Court; Sept. 21, 2010): This is one of the cases arising out of the compromise of Hannaford Bros.' computer system (which resulted in the theft of "up to 4.2 million debit and credit card numbers, expiration dates, security codes, PINs and other information"). The merchants and service providers (and insurance companies) sparred separately, but this case involved claims asserted by affected customers. A group of 21 plaintiffs filed a lawsuit. Of these, one had a non-reimbursed or unresolved credit card charge, and the other plaintiffs had either not experienced any unauthorized charges or their charges had been resolved. Hannaford moved to dismiss, and the federal district court (where the case was originally filed) dismissed the bulk of the claims. (An earlier post of mine has some details of the district court decision: "Hannaford Data Breach Plaintiffs Rebuffed in Maine.") After the district court's ruling, the only plaintiff who suffered out of pocket loss had the charges reimbursed by the bank. The plaintiffs then moved for reconsideration, asserting that time and effort expended to "avoid or remediate" harm was sufficient damages under Maine law. The plaintiffs also moved to have the district court certify this issue to the Supreme Court of Maine.
The Maine Supreme Court answered the certified question in the negative, holding that "time and effort alone, spent in a reasonable effort to avoid reasonably foreseeable harm, is [not] a cognizable injury under" Maine law. The court notes that plaintiffs are required to mitigate damages, and in certain circumstances, plaintiffs are allowed to recover for their mitigation efforts. However, the court concludes that plaintiffs must "establish[] that the time and effort expended constitute a legal injury rather than an inconvenience or annoyance."
Paul v. Providence Health System-Oregon, (Ore. Ct. App. Oct. 6, 2010): this case involved the theft of patient care information, which was stolen as a result of an employee's decision to take data-laden disks and tapes home and leave them in his car overnight. [I'm guessing he will never leave anything valuable overnight in a vehicle ever again.] "The disks and tapes contained unencrypted patient records for approximately 365,000 individuals; the records included names, addresses, phone numbers, social security numbers, and patient care information." Plaintiffs asserted claims under negligence and an unfair trade practices statute.
The court cited to Oregon precedent rejecting claims brought by smokers who sought to recover for the increased risk of developing lung cancer. In rejecting the smokers' claims, the Oregon Supreme Court held that increased risk of future physical injury is not a cognizable injury in the negligence context, and that the economic cost of ongoing medical monitoring was not a sufficient injury to provide a basis for a negligence claim. Focusing on the second issue, the court framed the issue as whether a special relationship existed between the plaintiffs and Providence that warranted a departure from the general rule that you cannot recover for purely economic damages from a stranger. According to the court, the exception arises where there is a "special relationship" between the parties, for example where one party has "relinquished control over the subject matter of the relationship to the other party." Plaintiffs pointed to laws that required physicians to preserve the confidentiality of patient information, but the court held that this duty gave rise to a claim where there is an "affirmative disclosure" of confidential information, which the court awkwardly distinguished from the present case, which involved a mere failure to safeguard.
Finally, the court also dismissed the unfair trade practices claim brought by plaintiffs on the basis that plaintiffs did not allege "ascertainable losses."
___
Neither decision is particularly groundbreaking. I recently blogged about Ruiz v. Gap, which arrived at the same result ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap"), but this is a relatively well established trend. Both courts engage in judicial contortions (that seemed strained at certain points) to arrive at the same conclusion: no out of pocket loss = no claim. Interestingly, neither the Hannaford case nor the Providence Health case contain much discussion of credit monitoring services, which many data breach defendants offer as a matter of course.
Related: Professor Solove at Concurring Opinions wrote a post in reaction to the Hannaford ruling that warrants some additional discussion: "Are People Really Harmed By a Data Security Breach?" I'll save that for a later post, hopefully this week.
Previous blog posts on data breach cases:
When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue (Dec. 2005)
Acxiom Not Liable for Security Breach--Bell v. Acxiom (Oct. 2006)
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt (Jan. 2009)
Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit -- Krottner v. Starbucks (Nov. 2009)
Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds (Dec. 2009)
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap (Jan. 2010)
Posted by Venkat at 10:05 AM | Privacy/Security
September 29, 2010
Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase
By Eric Goldman, with additional comments from Venkat
Romano v. Steelcase Inc., 2010 WL 3703242 (N.Y. Sup. Ct. Sept. 21, 2010).
On my personal blog, I have repeatedly blogged about plaintiffs who tell one story in court only to have that story undone by their postings to social networking sites. See, e.g., Sedie v. US, People v. Franco (despite the tragedy, my personal favorite) and Embry v. State.
This case is in the same vein. Romano claims that she is largely bedridden/housebound, but her public Facebook pictures show her apparently enjoying herself away from home. The defense requests access to her non-public posts on Facebook and MySpace, which the judge grants.
The short opinion focuses on the defense's ability to access the private posts, but the actual order covers both current as well as deleted material. Specifically, the court orders "Defendant STEELCASE's motion for an Order granting said Defendant access to Plaintiff's current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information, is hereby granted in all respects." The court didn't discuss the deleted material separately in its analysis, but this seems like a gotcha. Once a person posts material to Facebook or MySpace, there may not be a meaningful "undo"--even deleting it does not eliminate the material as future discoverable evidence for the duration of Facebook's and MySpace's retention periods.
[This raises the related Q of how long the sites archive deleted material. Facebook's privacy policy had the opaque statement "Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others." Putting aside the ambiguity of not being available to others--an untrue statement given the subsequent privacy policy statement about cooperating with legal requests--I couldn't tell if this was the retention policy. So, if I delete a photo from Facebook on day 1, does this statement mean that the photo will become undiscoverable by day 91?]
[UPDATE: I had a few conversations with Facebook and my understanding is that deleted photos indeed would be unavailable for discovery within 90 days in many cases and perhaps substantially less time. Other content items are more complicated, but overall Facebook does not retain complete copies of "everything" indefinitely.]
This case only tells us what we already knew--never post anything online that will be inconsistent with the story you're planning to tell others. The inconsistent material can surface even if the post is made in a non-public venue and even if you delete it later. Unfortunately, this well-known "rule" appears to be about as teachable as the rules regarding making sex tapes.
Other comments on this ruling:
* Kashmir Hill, pointing out the seeming inconsistency of this ruling with the Crispin ruling from earlier this year. I do think it's conspicuous that the court seems to treat all material on Facebook as equally discoverable, even though some material might be governed as private communications under the ECPA and other material clearly wouldn't be. An apropos academic article worth checking out: Lior Strahilevitz, A Social Networks Theory of Privacy (2004).
* Evan Brown
* Mike Masnick
* Bruce Boyden
___
Venkat's comments: I don't know when people will learn the "never post anything online that will be inconsistent with the story you're planning to tell others" lesson. Perhaps a public awareness campaign is in order? People also tend to be surprised that, absent a specific privilege, personal communications, recollections, notes, and even a party's diary are discoverable in a civil lawsuit. In fact, this evidence often tells the most accurate version of the story from the person's perspective.
The wrinkle is the federal statute prohibiting the disclosure of private electronic communications such as emails, and on this basis, at least one court has ruled that the social networking site should not turn over private Facebook or MySpace messages to a party who issues a subpoena. ("Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier.") But this does not mean that the party seeking the discovery is not entitled to the relevant information. It just means that it should not be turned over by the social networking site absent a waiver or consent, and there is nothing to stop a court from requiring you to consent in order to proceed with your claims. I can't see any universe in which you can bring a lawsuit alleging emotional damages or that an injury affected your lifestyle, and then claim your Facebook or MySpace postings are off limits. (I think it's worth being clear about the different types of postings as well: there are truly private messages (which are similar to emails) and there are postings for your "friends," which are quasi-public anyway. All of this should potentially be discoverable.)
This scenario presents an awkward logistical issue. Steelcase is entitled to postings from the plaintiff's Facebook and MySpace pages, but does this mean that Steelcase can just rummage around in the plaintiff's accounts? This seems invasive. It allows Steelcase to make the decision of what is and is not relevant and, in the process, get access to potentially sensitive and private information that is not relevant to the lawsuit in any way. I suppose the judge could offer to become Facebook friends with the litigants, but this seems clunky at best. ("Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville.") Other alternatives are to have a neutral third party view the material and decide what is relevant (this is expensive) or to require Facebook to provide a log of account activity (doesn't necessarily work with pictures).
I'm not a big fan of courts citing to a bunch of company-drafted policies and concluding that Facebook and MySpace posts should be disclosed because no one expects them to be private anyway. Information that is stored in social networks can be used by several different parties, including law enforcement, the social network itself, and an outsider seeking information in the context of a civil lawsuit. To say that there is no expectation of privacy in your postings obscures the fact that these parties can access the information in different ways and subject to different restrictions. Does the court's take on the privacy expectations of Facebook and MySpace users mean that law enforcement can freely access your private Facebook posts? This doesn't seem like a tenable conclusion.
Finally, the fact that the court allowed access to certain deleted posts is interesting. I'm sure parties often receive advice to delete their accounts. Setting aside spoliation of evidence issues, as a practical matter, this may just not be an effective way to delete the material you want deleted.
Posted by Eric at 08:46 AM | Evidence/Discovery , Privacy/Security | TrackBack
September 09, 2010
Google Settles Buzz User Privacy Litigation
[Post by Venkat]
In re Google Buzz User Privacy Litigation, Case No. 5:10-CV-00672-JW (N.D. Cal.) (Sept. 03, 2010).
Google recently settled the lawsuits relating to its privacy practices for Buzz. (h/t Wendy Davis) The terms of the settlement, which are subject to the court's approval:
(1) Google sets aside $8.5 million;
(2) the lawyers can claim up to 30% of this amount ($2.5 million), without objection from Google;
(3) class representatives get up to $2,500 each;
(4) Google makes (or has already made) changes "to the Google Buzz user interface that clarify Google Buzz's operation and users' options regarding Google Buzz;" and
(5) Google agrees to disseminate "wider public education about the privacy aspects of Google Buzz."
The bulk of the $8.5 million fund goes to "organizations focused on Internet privacy policy or privacy education," which will be selected by mutual agreement of the parties. The settlement agreement does not result in payment of damages to the class members (other than the representative class members). This is similar to the structure of the Facebook Beacon settlement, except Facebook created a foundation which it funded and which some allege will be beholden to Facebook. (Here's a blog post on the Facebook settlement, which is currently on appeal to the Ninth Circuit.)
There's nothing wrong with a class action defendant paying out money to a public interest organization instead of paying damages to class members, but in privacy cases, I wonder if it reinforces the idea often advanced by defendants in these cases that there's no harm. With cases like this one and Facebook's Beacon settling with no damages paid to class members, you have to wonder. Also, with plaintiffs' lawyers becoming more organized, and companies continuing to stumble when it comes to rolling out new services which affect the privacy of consumers, the whole privacy lawsuit-settlement cycle has a toll-like feel to it.
Another interesting aspect of the settlement is that although Google agreed to make changes as part of the settlement, the settlement agreement does not specify any changes. Google admitted some errors in its rollout of Buzz, and I'm curious to see what changes Google made in response to the lawsuit as opposed to in response to public outcry. The settlement agreement notes that Google produced documents relating to operation of Google Buzz, changes, and consumer feedback regarding Buzz. I assume these documents will be made public and that may answer this question. (Also, Google agrees as part of its educational efforts to incorporate comments and suggestions from class counsel. I assume interested parties can submit their comments as well and Google will consider them. It may be unwieldy, but a public process around this would be nice.)
None of this necessarily undermines the claims brought by the class or the settlement, but the terms of the settlement and their similarity to the Beacon settlement are worth noting.
Separately, EPIC filed a complaint with the FTC around Google's Buzz practices. Here's the EPIC page for Google Buzz: "In re Google Buzz."
Posted by Venkat at 01:12 PM | Privacy/Security
September 06, 2010
July-August 2010 Quick Links, Part 2
By Eric Goldman
IP
* As expected, Rosetta Stone appealed its trademark loss against Google. My previous blog post.
* Reality Blurred successfully counternoticed to overcome CBS's DMCA takedown notice for the Survivor contract/rule book.
* Doctor's Associates, Inc. v. Subway.SY LLC, 2010 WL 3187899 (D. Minn. July 30, 2010). Subway sandwiches wins an enforcement action against a possible Syrian knockoff advertising subway.sy and promoting itself on Facebook.
* Tur gives up his lawsuit against YouTube. My previous blog post. In a partially related development, more copyright owners are choosing to leave infringing videos up and have YouTube monetize the videos for them.
* Blizzard Wins $88 Million in Private Server Lawsuit.
* Christen v. Iparadigms, LLC, 2010 WL 3063137 (E.D. Va. Aug. 4, 2010). An effort to sue Turnitin for non-copyright claims fails due to copyright preemption. See my post on the copyright challenge against Turnitin.
* CMLP issued a report on news aggregators.
* F.B.T. Productions v. Aftermath Records (9th Cir. Sept. 3, 2010). An interesting opinion with possible implications for the First Sale doctrine as well as the sale/license distinction. The court says: "where a copyright owner transfers a copy of copyrighted material, retains title, limits the uses to which the material may be put, and is compensated periodically based on the transferee’s exploitation of the material, the transaction is a license" and not a sale.
* Mark Zuckerberg gets the paparazzi treatment courtesy of Gawker.
* In re Facebook Consumer Privacy Litigation, No. 5:10-cv-00429-JF (N. D. Cal. notice of dismissal July 22, 2010). BNA reports: "Plaintiffs in a putative class action against Facebook Inc. July 22 voluntarily dismissed a lawsuit claiming changes the social networking website made to its privacy policies last year misled users about how their personal data would be used and protected."
* In re Facebook PPC Advertising, 5:09-cv-03043-JF (N.D. Cal. Aug. 25, 2010). The anti-click fraud disclaimer in Facebook’s advertising contract “disclaimer does not cover Defendant’s own actions, irrespective of their purpose; nor does it cover the actions of third parties if the action is not for fraudulent or improper purposes.” The court further says that what constitutes an “improper purpose” is ambiguous. Previous blog post.
* Bob Sullivan on Facebook's inflection point: Will it grow into an eBay or wither into a MySpace? In a related development, Facebook got panned in a survey of consumer satisfaction.
* After a public spat between Google and Yelp, Yelp's reviews are no longer included in Google's Places pages.
* In Re Google Buzz User Privacy Litigation, 10-cv-00672 (N.D. Cal.). Google settles the Buzz privacy lawsuits for $8.5M.
* Hypocritical NYT editorial/attack piece on Google algorithm. Responses from Danny Sullivan and Wired. Partially related article on SEL: Does Google want diverse search results?
* 37 states are chasing Google over the Street View fiasco. The Google Street View lawsuits have been consolidated in the Northern District of California before Judge Ware. Meanwhile, a UK review suggests that Google didn't collect any useful data via Street View.
* Wired recounts Google’s rocky 2010. Danny Sullivan piles on with some of Google's biggest failures.
Privacy/Anonymity
* In re Anonymous Online Speakers (9th Cir. July 12, 2010). Potentially important ruling on the legal standards for unmasking anonymous online commenters.
* Rep. Rush introduced a new federal privacy bill (HR 5777).
* A troublesome data sale of personal information by XY.com is avoided.
* Republishing social security numbers is protected by the First Amendment.
* The California legislature passed an anti-“e-personation” bill. EFF coverage.
Posted by Eric at 03:27 PM | Copyright , Licensing/Contracts , Privacy/Security , Search Engines , Trademark | TrackBack
August 03, 2010
Baidu Can Maintain Negligence Claims Against Register.com for Lax Security Practices Which Allegedly Facilitated Cyber-Attack - Baidu v. Register.com
[Post by Venkat]
Baidu, Inc. v. Register.com, Inc., Case no. 10 Civ. 444 (DC) (S.D.N.Y.) (July 22, 2010).
Background: Baidu registered the
The cyber-attacker gained access to Baidu's account with Register through engaging in an online chat with a Register customer service representative. The representative asked the intruder for Baidu's security verification information. The intruder did not provide the representative with the correct information, "but the [representative] nonetheless emailed a security code to the email address that Baidu had on file." When asked for the security code, the intruder did not provide the correct code (the intruder did not have access to the Baidu email address on file). Notwithstanding the discrepancy in the security codes, at the intruder's request, the representative changed the email address on file (to "antiwahabi2008@gmail.com"). From here, the intruder was easily able to access the account, by utilizing the "forgot password" function.
Discussion: Baidu brought claims for breach of contract, negligence (gross negligence), recklessness, and contributory trademark infringement.
The limitation of liability clause: Register pointed to the limitation of liability clause in its Master Services Agreement. The clause provided that Register would not be held liable for, among other things, "termination . . . or modification of [the Services,] . . . inability to use the Service[s], . . . loss incurred in connection with [the customer's] services," or "any other matter relating to [customer's] use of the Service[s]." The agreement also contained a limitation of liability clause that limited Register's liability at five hundred dollars, and also provided that it was the customer's "responsibility to safeguard the User name, password and any secret question/secret answer . . . from any unauthorized use."
The court held that as a general matter, courts in New York enforce limitations of liability clauses, particularly where these limitations are contained in a contract entered into by "those of equal bargaining power." However, New York courts do not enforce such limitations where they purport to limit liability for willful or grossly negligent acts. This "gross negligence exception" applies even to agreements between sophisticated commercial parties, although the standard for gross negligence is somewhat higher in this context. The court held that the complaint satisfied this standard, in alleging that:
(1) the rep proceeded with processing the intruder's request even though the intruder provided an incorrect response to the security question; (2) the rep didn't even bother to compare the code provided by the intruder with the security code on file; (3) the rep failed to notice the red flags raised by the intruder providing the "antiwahabi2008@gmail.com" email address (which was tied to Google, a Baidu competitor); and (4) the rep ultimately provided the intruder with Baidu's user name.
Ultimately, the court found that Register's failure to follow its own security procedures (or any minimal security procedures, for that matter) was sufficient to get Baidu past the gross negligence hurdle. Register also pointed to the provision in the contract that the customer was responsible for maintaining the security of any password/security information and thus Register had no duty to maintain any security procedures with respect to Baidu's account. The court rejects this argument, noting that although Register may not have had any duty to provide any security, once it undertook to do so, it was required to do so in a non-negligent manner:
The attack by the Intruder was reasonably foreseeable - it was precisely because these cyber attacks are foreseeable that the security measures were adopted.
Lanham Act Claim: With respect to the Lanham Act claim, Register argued that it was entitled to immunity as a registrar and in any event Baidu failed to adequately allege the elements for contributory trademark infringement.
The court rejects the registrar immunity argument out of hand (registrars are only entitled to immunity when they act as registrars - i.e., "when [a registrar] accepts registrations for domain names for customers"). However, the court agreed with Register that Baidu failed to allege the elements for contributory trademark infringement. Citing to Inwood Labs., Inc. v. Ives Labs., Inc. (a flea market case) the court notes that contributory liability only attaches where the defendant either intentionally induces infringement or continues to supply products or services to the infringer where the defendant knows or has reason to know that the infringer is engaged in infringement. The court also cites to the Tiffany v. eBay case (discussed by Professor Goldman here).
___
The interesting aspect of this case is the fact that Register's broad contractual protections did not protect it against Baidu's claims. It's unclear as to whether the court's ruling would encompass a situation where someone just plain hacked into Register's system and gained access to Baidu's accounts. I would think not. Disclaimers often insulate service providers (see Duffy v. The Ticketreserve and Grace v. Neeley) but here the facts alleged by Baidu with respect to Register's negligence were pretty egregious. Given the exception in New York law for gross negligence and reckless conduct, I'm not sure any sort of limitation/disclaimer could have saved Register here.
The trademark claims are curious. To be honest, I can't even see where there's basic trademark infringement by the cyber-attacker. The cyber-attacker was not interested in selling any products or services, and the Baidu webpage text clearly stated that the website had been hacked. Moreover, any finding of infringement would have been based on the much-discredited initial interest confusion doctrine. In any event, it's tough to see - given Baidu's allegations of an attack - how Register would have harbored the requisite knowledge to have been able to prevent the infringement.
It's worth noting also that this isn't a typical domain name conversion case (a la sex.com). The case is really about failed security procedures, and the ease of gaining access to an account through social engineering. There's a big lesson in the Register rep's alleged dealings with the cyber-attacker.
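The four failures the court listed map onto four gates an account-recovery flow has to enforce: check the security answer before doing anything, compare the presented code with the one actually issued, change the contact address only after that comparison succeeds, and disclose nothing until then. The following is an added illustration written for this post, not Register.com's code; the account, the "baidu" username, the addresses and the in-memory mailbox are constructed stand-ins, and the lockout threshold is an assumed policy.

```python
"""Model of a registrar account-recovery flow that enforces the checks the
Register rep allegedly skipped.  Added example, not Register.com's code; all
account data and the in-memory mailbox are constructed for the walkthrough."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 3  # assumed lockout policy, not taken from the case


@dataclass
class Account:
    username: str
    email_on_file: str
    secret_answer_hash: bytes          # hash of the secret answer, never the plaintext
    pending_code: Optional[str] = None  # one-time code issued by request_recovery
    failures: int = 0
    audit: List[str] = field(default_factory=list)


def _h(value: str) -> bytes:
    """Normalise and hash a secret answer so comparisons never touch plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).digest()


def new_account(username: str, email: str, secret_answer: str) -> Account:
    return Account(username, email, _h(secret_answer))


def request_recovery(acct: Account, answer: str, mailbox: Dict[str, List[str]]) -> bool:
    """Gate 1: verify the security answer first.  Only on success is a fresh
    one-time code generated and delivered to the address already on file."""
    if acct.failures >= MAX_FAILURES:
        acct.audit.append("locked: too many failures")
        return False
    if not hmac.compare_digest(acct.secret_answer_hash, _h(answer)):
        acct.failures += 1
        acct.audit.append("wrong security answer: no code issued")
        return False
    acct.pending_code = secrets.token_hex(4)
    mailbox.setdefault(acct.email_on_file, []).append(acct.pending_code)
    acct.audit.append("code sent to address on file")
    return True


def change_email(acct: Account, presented_code: str, new_email: str) -> bool:
    """Gates 2 and 3: compare the presented code with the code on file and
    change the contact address only when they match.  Any mismatch voids the
    pending code, so a guess cannot be retried against the same code."""
    if acct.pending_code is None or not hmac.compare_digest(acct.pending_code, presented_code):
        acct.failures += 1
        acct.pending_code = None
        acct.audit.append("code mismatch: email NOT changed")
        return False
    acct.audit.append(f"email changed {acct.email_on_file} -> {new_email}")
    acct.email_on_file = new_email
    acct.pending_code = None
    acct.failures = 0
    return True


def walkthrough() -> Tuple[bool, bool, bool, str]:
    """Replay the two parties from the case against the gated flow."""
    mailbox: Dict[str, List[str]] = {}  # constructed stand-in for e-mail delivery
    acct = new_account("baidu", "admin@example.com", "correct horse")

    # Intruder: wrong security answer, so no code is sent anywhere.
    intruder_got_code = request_recovery(acct, "wrong answer", mailbox)
    # Intruder presents a guessed code anyway; the address on file must not change.
    intruder_changed = change_email(acct, "deadbeef", "attacker@example.net")

    # Legitimate owner: right answer, then reads the code from the real mailbox.
    if not request_recovery(acct, "Correct Horse", mailbox):
        raise RuntimeError("owner should pass the security answer")
    owner_code = mailbox["admin@example.com"][-1]
    owner_changed = change_email(acct, owner_code, "new-admin@example.com")
    return intruder_got_code, intruder_changed, owner_changed, acct.email_on_file


if __name__ == "__main__":
    print(walkthrough())
```

The audit list on the account is the part a defender should care about: every skipped or failed gate leaves a record, which is exactly the evidence that was missing when the rep changed the address on a mismatched code.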
Added: This interview with Elisa Cooper by Dancho Danchev ("Hundreds of High Profile Sites Unprotected From Domain Hijacking") looks at the efficacy of using Verisign's "Registry Lock Service." Some interesting bits from the interview:
1. The Registry Lock Service offers protection at the registry level, so even if the registrar account is compromised, the attacker will not be able to update any domain settings.
2. Elisa notes that DNS hijacking may only amount to a PR/brand hit unless the website is collecting information or conducting transactions.
3. "[D]omains that are registered by large retail registrars are . . . highly vulnerable to social engineering attacks." [That's exactly what happened in the Baidu case.]
Of course, the registrar does not have an obligation to implement the additional security measures that are mentioned in the interview. It would be up to the registrant to do so.
Posted by Venkat at 11:54 AM | Domain Names , Licensing/Contracts , Privacy/Security , Trademark
July 26, 2010
Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com
By Eric Goldman
On Friday, Venkat and I posted about the latest ruling in Facebook v. Power.com. After Venkat or I make a blog post, I typically post the blog headline and URL to Twitter. I have enabled the app that makes my Twitter posts into my Facebook status reports as well, so the headline and URL on Twitter should automatically propagate to Facebook. On Friday, I tweeted the following:
"Blog Post: Important ruling on California's anti-computer trespass statute--Facebook v. Power.com http://bit.ly/bM7hQT"
However, I noticed that the Twitter-to-Facebook app didn't work properly and the headline didn't appear. So I tried to manually enter the headline and URL and got this message from Facebook:
"This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error."
I do think that's an error, and I reported the problem through Facebook's automated reporting tool on Friday. Not surprisingly, I still haven't gotten a response to that. But I was baffled how my headline and URL could have been "flagged as abusive or spammy." Who flagged it? Why?
After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.
I emailed my PR contacts at Facebook about this. They pointed to their anti-spam filter and this blog post from June. The blog post explains that "we've been working to improve our warnings and make them more clear" and that "people misunderstand one of these systems. They incorrectly believe that Facebook is restricting speech because we've blocked them from posting a specific link."
So this is where things have gone wrong. Facebook told me it has blocked Power.com because "we found that Power was spreading links to its pages in a way that violated our Statement of Rights and Responsibilities. For example, when a Power user accessed Facebook, Power would automatically create an event on Facebook (typically called 'Power.com Party' or something similar) without the person's knowledge or permission. It would then send invitations to all of the user's friends." Fair enough, and I'm glad Facebook is trying to keep its system safe for users.
However, Facebook's dumb word filter block means that every reference to "power.com," even if it's in plaintext and not linkable, is still treated as a link and therefore is blocked as well. The messaging then disparages the plaintext reference as "blocked content that has previously been flagged as abusive or spammy" when, in fact, a link to the URL, not the plaintext reference I made, has been flagged. So much for clearer error messages.
I pointed out to Facebook's spokespeople the difference between a plaintext reference to a company's name ("Power.com") and a spammy URL/link. Their response? "Spammers turning their malicious urls into plain text is the oldest trick in the book. Not blocking all of the variations of a bad URL leaves a gaping hole."
There is a kernel of truth to this, of course. A plaintext URL is not materially different from an active hypertext link--if the user chooses to cut-and-paste the link into the browser (or right-clicks on it, or whatever). However, Facebook's method of blocking spammy links by blacklisting every instance of the character string actually has the effect of blocking *every* discussion of a blacklisted company with the name [noun].[tld]. Because the main word in the name is a noun (e.g., "Power"), referencing the name without the TLD can lead to semantic ambiguity. However, the system prevents me from using the complete name (Power.com) because it can't distinguish between a link and a plaintext reference to a company's name that acts as a URL. I received a private email that another Facebook user encountered a similar block with the string seppukoo.com, the Facebook suicide tool.
In my case, the net consequence is that Facebook automatically blocks any conversations involving the string "power.com"--including my headline to my blog post--and provides an error message telling me that I am posting spammy/abusive content when I try to make the posting, which makes me feel like I did something wrong. With all of the bright engineers at Facebook, I bet they could figure out a way to more precisely tune the filter so that a plaintext reference to [noun].[tld] gets through while active links to that URL, or more fulsome plaintext URLs, remain blocked.
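The filter tuning Eric proposes, as an added example in Python (not code from the original post or from Facebook): a blocklist check that treats a bare plaintext mention of a listed name differently from an actionable link to it (scheme, "www." or path present), and that normalizes the spaced-out "power . com" and bracketed "power[.]com" spellings before matching so the spacing trick does not change the verdict. The blocklist contents and the sample messages are constructed.

```python
"""Link-aware blocklist filter (added example; constructed blocklist and samples)."""
import re
from typing import List, Tuple

# Constructed blocklist. In the post, "power.com" is the string Facebook blocks.
BLOCKLIST = {"power.com"}

# A dot separating host labels may be written as ".", as " . " (spaces on both
# sides, the variant described in the post) or as "[.]". Asymmetric spacing
# ("power .com") is deliberately not joined, so "v. Power.com" is not read as
# a single host "v.power.com".
_DOT = r"(?:\s+\.\s+|\[\.\]|\.)"

# scheme: optional "http://", "https://" or "www."
# host:   two or more labels joined by _DOT
# path:   optional ":port" followed by "/..." or "?...", glued to the host
_TOKEN = re.compile(
    r"(?P<scheme>https?://|www\.)?"
    r"(?P<host>[a-z0-9-]+(?:" + _DOT + r"[a-z0-9-]+)+)"
    r"(?P<path>(?::\d+)?(?:/\S*|\?\S*))?",
    re.IGNORECASE,
)


def normalize_host(raw: str) -> str:
    """Collapse 'power . com' / 'power[.]com' to 'power.com' and lower-case it."""
    return re.sub(r"\s+\.\s+|\[\.\]", ".", raw).lower()


def _is_listed(host: str) -> bool:
    # Exact match or subdomain of a listed name; "powerful.com" is not "power.com".
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (normalized_host, verdict) for each domain-like token in text.

    verdict is 'block'   for an actionable link to a listed host (scheme, www. or path),
               'mention' for a bare plaintext reference to a listed host,
               'ok'      for any host that is not on the blocklist.
    """
    results = []
    for m in _TOKEN.finditer(text):
        host = normalize_host(m.group("host"))
        if not _is_listed(host):
            results.append((host, "ok"))
        elif m.group("scheme") or m.group("path"):
            results.append((host, "block"))
        else:
            results.append((host, "mention"))
    return results


def should_block(text: str) -> bool:
    """True only when the text carries an actionable link to a listed host."""
    return any(verdict == "block" for _, verdict in classify(text))


if __name__ == "__main__":
    # Constructed samples: the post's own headline, then link-style variants.
    samples = [
        "Blog Post: Important ruling on California's anti-computer trespass "
        "statute--Facebook v. Power.com http://bit.ly/bM7hQT",
        "details at http://power.com/party",
        "details at power . com/party",
        "I wrote about power . com today",
        "compare powerful.com",
    ]
    for s in samples:
        print(should_block(s), classify(s))
```

The headline in the post yields only a "mention" verdict and is let through, while the same name with a scheme or path is blocked even when the dot is spaced out.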
That is, assuming Facebook actually wants to enable Facebook users to talk about Power.com or Seppukoo.com or other enterprises that threaten the Facebook franchise. Frankly, I haven't seen much evidence of Facebook's interest in those conversations. In light of Power.com's antitrust challenges against Facebook, the fact that Facebook's system suppresses legitimate conversations about Power.com (whether it had a censorious intent or not) struck me as particularly noteworthy.
Posted by Eric at 10:33 AM | Content Regulation , Domain Names , Privacy/Security , Spam
July 23, 2010
Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com
[Post by Venkat, with additional comments by Eric]
Facebook v. Power Ventures, Inc., Case No. C 08-05780 (N.D. Cal. July 20, 2010)
Background: Facebook and Power Ventures (Power.com) have been locked in a battle over whether Power.com should be allowed to access Facebook on behalf of users outside Facebook’s developer channels. Facebook wants all developers to go through its channel. Power.com seemed to go down that path but decided at some point that it didn’t like Facebook’s developer channel. It accessed (on behalf of its users) Facebook’s network. Facebook sued, and Power.com became an unlikely poster child for why data portability is important.
There’s been a lot of motion practice in this case. Facebook brought the typical array of copyright/Computer Fraud and Abuse Act claims that survived a motion to dismiss from Power.com. Power.com brought antitrust counterclaims that the court knocked out (with leave to amend). Facebook focused its attention on its claims under the California computer crime statute (section 502), and moved for judgment on the pleadings. EFF filed an amicus brief arguing for a narrow construction of the statute. (In the meantime, there was a recusal by the judge who initially drew the case and dealt with the preliminary motions.) The court now deals with Facebook’s request for summary judgment or judgment on the pleadings that Power.com violated section 502, as well as a few other motions.
The Court’s Treatment of the Claims:
Standing under section 502: Power.com argued that Facebook lacked standing under section 502. The court easily disposes of this argument by noting that Facebook was forced (or decided it was prudent) to implement technical measures following its discovery that Power.com accessed its network. The court notes that there’s no dollar amount threshold, and rejects Power.com’s attempt to rely on its declaration that Facebook would not have had to invest any substantial amounts to implement these new technical measures.
Power.com’s liability under section 502: Facebook argued that Power.com accessed Facebook’s network without authorization because it exceeded the scope of the authorization allowed by Facebook’s terms of service. The court looks to the legislative history behind section 502 and declines to give legislative statements the broad-reaching meaning that Facebook urges. Facebook argued that any access in excess of authorization constitutes a violation of section 502, and the court doesn’t seem to agree with this. EFF filed an amicus brief arguing for a narrow interpretation of section 502. EFF also argued that Power.com’s actions did not violate section 502. The court settles on an interpretation of section 502 that requires some sort of circumvention of:
Technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.
[The court also drops a footnote noting that even though the defendant may not be liable under section 502, the defendant may still be liable for breach of contract. The footnote does not mention claims under the Computer Fraud and Abuse Act.]
Ultimately, the court leaves Facebook room to still make out a claim but says that (under section 502 at least) it can’t merely be based on a terms of service violation:
the Court finds that Power did not act “without permission” within the meaning of Section 502 when Facebook account holders utilized the Power website to access and manipulate their user content on the Facebook website, even if such action violated Facebook’s Terms of Use. However, to the extent that Facebook can prove that in doing so, Power circumvented Facebook’s technical barriers, Power may be held liable for violation of Section 502.
Power.com’s counterclaims based on Facebook’s alleged anti-competitive conduct: Facebook moved to dismiss Power.com’s antitrust claims against Facebook. The court focuses on Power.com’s allegations about Facebook’s acquisition of monopoly power. According to Power.com, Facebook gained monopoly power through allowing users to invite their friends (and making it easy), allowing people to access other networks through Facebook, while at the same time not allowing people to access Facebook through other networks. Power.com also alleged that Facebook asserted baseless intellectual property claims to dissuade new entrants into the market.
The court rejects these arguments, finding that Facebook has no obligation to allow others to access its network and it can set the terms of access without running afoul of antitrust rules. The court also finds that taking steps to protect its rights does not mean that Facebook is engaging in anti-competitive behavior.
Power.com’s affirmative defenses: The court previously struck Power.com’s affirmative defenses of copyright misuse and fair use. Power.com amended their pleadings and the court lets these affirmative defenses stand. The court’s discussion is a little sparse on whether these defenses actually are viable, but the court declines to strike them on the basis that the allegations provide Facebook with enough facts to put Facebook on notice as to what is being claimed.
__
I’d say overall it was not a big loss for Facebook. It still has viable claims under the Computer Fraud and Abuse Act and potentially copyright (in addition to auxiliary spam and other) claims. It has a chance to prove a violation of section 502 by showing that Power.com engaged in circumvention of a technical measure (IP address blocking, or additional security measures which Facebook implemented).
This is somewhat of a win for EFF, which got a ruling with a narrow construction under section 502. I’m not sure how useful this ruling will be in the Computer Fraud and Abuse context. Also, the court’s willingness to use circumvention of any technical measure to find a violation of section 502 sets a low bar. Still, in the garden variety context where an individual accesses a network in violation of the terms of service, section 502 claims don’t seem as likely (under the court’s ruling).
Power.com continues to slog it out. I’m guessing it will see this litigation as fairly unprofitable sooner rather than later, particularly with its antitrust claims out the window (I can’t imagine they thought these were terribly viable to begin with, judging by their initial set of allegations). Of course, they can bring their affirmative defenses and engage in some discovery, but this is not likely to bend the will of a company such as Facebook.
Additional Coverage:
Wendy Davis: “Facebook Rebuffed In Case Against Social Aggregator Power.com”
ars technica: “Social network aggregator no crook for violating Facebook TOS”
________
Eric's comments: A very small number of rulings have interpreted California Penal Code Sec. 502, the state law analog to the Computer Fraud & Abuse Act and a partial statutory codification of common law trespass to chattels. Based strictly on the statutory wording, Penal Code 502 (which authorizes civil suits in addition to being a criminal sanction) is the most plaintiff-friendly of the three doctrines because it does not require the plaintiff to show any minimum quantity of loss or harm from the defendant's conduct.
This ruling partially reinforces why Penal Code 502 remains the most plaintiff-friendly of the three doctrines. Effectively, Facebook made the requisite showing of harm from Power.com's conduct even though Facebook's only purported harms appear to be remediation efforts. As the court says:
Defendants’ admissions that Facebook attempted to block Power’s access and that Power provided users with tools that allowed them to access the Facebook website through Power.com demonstrates that Facebook expended resources to stop Power from committing acts that Facebook now contends constituted Section 502 violations.
This is a bootstrapped type of loss that will be true in almost every anti-server use case.
The court then takes a decidedly less favorable turn when it comes to the authorization/permission question. Many CFAA rulings have allowed user agreements to delimit the authorized use of the plaintiff's servers. The court rejects that approach here, saying, in effect, that because Penal Code 502 is a criminal statute, allowing the user agreement to establish the boundaries of permitted server use is improper. I agree with that statement (some of you may recall my posts about the Lori Drew prosecution, conviction and dismissal). However, I would note Facebook's lawsuit is a civil case, not a criminal case, so the court could have distinguished between the legal requirements of criminal and civil cases. In particular, it was odd to see the court discussing constitutional limits to criminal prosecutions in a case where neither litigant really cared directly about the scope of criminality.
Even if the contract does not provide adequate notice to defendants, the court allows plaintiffs to delimit the permitted/authorized use of their servers technologically, and transgressions of those technological limits appear to satisfy the Penal Code 502 requirements and the constitutional protections applicable to a criminal prosecution. The court says:
the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.
This is because defendants are adequately put on notice when they encounter a technical block and try to route around it; therefore, with the technical block requirement, the statute will satisfy even the more stringent notice requirements of criminal law. There remained a factual dispute about Facebook's technical blocking efforts in this case based on the procedural posture of the case, so that point remains open for now.
If this case ends up setting the precedent that a user agreement cannot set the boundaries of authorized uses of computer servers in the California Penal Code Sec. 502 context, then this is a pretty important ruling. However, I don't really believe that result will necessarily be reached in other cases, especially given that Judge Ware disagreed with Judge Fogel's ruling in Facebook v. ConnectU on the same question.
In Cyberlaw I teach that an anti-computer trespass civil claim satisfying the four elements will probably win:
* Third party system use
* Damage
* Actual notice that use unpermitted
* Technological self-help
If Facebook can show these four elements, it has a good chance at winning the Penal Code 502 case; indeed, this ruling indicates that under Penal Code 502, the damage element is easy to meet and the notice/self-help elements effectively merge together. If you are prepping an anti-trespass case, the more clearly you can show all four elements, the more likely the court will find a legal doctrine to help you.
Posted by Venkat at 12:29 AM | Content Regulation , Licensing/Contracts , Privacy/Security , Trespass to Chattels
July 13, 2010
AOL's Disclosure of Search Data May Support Claims Under California Law
[Post by Venkat]
Does v. AOL LLC, Case No. C06-5866 SBA (N.D. Cal.; June 22, 2010)
Plaintiffs bringing a class action against AOL for improper disclosure of search data scored an initial victory in the Northern District of California. The court denied AOL's motion for judgment on the pleadings, and allowed claims (under California consumer protection laws) to go forward.
Background: AOL "records and stores member search queries in a manner rendering it possible to connect the stored search queries with a particular member." In July 2006 AOL "packaged" (??) approximately 20 million search records into a database which it then inadvertently posted on its website "for the public to download." The database contained records of 685,000 AOL members that were stored in a two month period in 2006. The disclosed data includes sensitive information such as names, social security numbers, addresses, telephone numbers, credit card numbers, user names, passwords, and financial bank/account information.
Shortly after it posted the database, AOL pulled the database. However, by this time it had been downloaded and reposted on other websites. According to the complaint, "AOL's response to the disclosure has been to do nothing." AOL attempted to impose conditions on third parties who downloaded the database but it hadn't taken any action to restrict such use.
Plaintiffs sued alleging federal claims (under the Electronic Communications Privacy Act) and state claims (under section 1750 and California false advertising statutes).
Discussion: The case is in an atypical procedural setting, but one that may be helpful to plaintiffs. AOL initially moved to dismiss and have the case transferred to Virginia based on the venue clause in its Member Agreement. The district court agreed and initially dismissed the lawsuit so it could be re-filed in Virginia. The Ninth Circuit reversed (in 2009) and held that the venue provision in AOL's Member Agreement was unenforceable as to California residents bringing claims under "California consumer law." On remand AOL moved to dismiss one of the named plaintiffs who is not a California resident and dismiss the claims that did not arise under California consumer law. The district court granted that motion. Plaintiffs appealed and asked the district court to stay resolution of the California consumer law claims until the Ninth Circuit resolves the issue of whether the remaining claims were properly dismissed. [That's a lot of procedural wrangling!]
Standing to seek injunctive relief: The court denies plaintiffs' motion to stay. Moving on to the substantive claims, the complaint seeks an injunction, and AOL argued that plaintiffs lacked standing to seek injunctive relief. Injunctive relief would be available if there's some risk that the complained of conduct would continue to occur. The court finds that plaintiffs had the requisite standing because plaintiffs alleged that AOL engages in a practice of storing search queries and "has taken no steps to ensure that such information is not disclosed again."
California Consumer Legal Remedies Act: AOL argued that plaintiffs did not sufficiently plead injury under the CLRA. The court notes that the CLRA sets a "low but nonetheless palpable threshold of damage," but encompasses harm "other than pecuniary damages." Getting to plaintiffs' allegations, the court notes that AOL allegedly "held itself out to the market as being a leader in internet security and privacy and represented . . . that its service was 'safe, secure and private.'" The information disclosed by AOL includes highly-sensitive information, financial information, social security numbers. "Also disclosed was information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery, and domestic violence." [emphasis added] The court concludes that this is more than enough to allege injury under the CLRA.
AOL also argued that the CLRA claim sounded in fraud and must be pled with particularity. The court finds that plaintiffs satisfied this requirement, in specifying that "misrepresentations were made in AOL privacy policy and other statements posted on AOL's website, and that the representations were false in that they assured members that AOL would endeavor to maintain the privacy and security of their personal confidential information." AOL finally argued that plaintiffs failed to allege causation, but the court quickly dispenses with this argument, noting that where there are representations in a privacy policy regarding safeguarding personal data, a reasonable consumer would only sign up to disclose personal information in reliance on representations contained in the privacy policy. At the end of the day, plaintiffs' CLRA claims are allowed to move forward.
UCL and FAL: AOL's arguments around the unfair competition and false advertising laws were similar to its arguments against the CLRA claims. The court rejects these arguments. Finally, the court dismisses plaintiffs' claims under the "Consumer Records Act," which requires businesses to take "reasonable steps" to dispose of customer records when they are no longer "retained" by the business. The court (citing to the legislative history) notes that the statute was intended to prevent "dumpster diving," and was not intended to encompass the situation in the present case.
__
It's tough to assess what happened (and what will happen) at the pleading stage, but if AOL really disclosed those sensitive records and didn't take any steps to remedy the situation what was AOL thinking?
It's been blogged to death that breach of a privacy policy is not actionable in the typical consumer context. (See for example: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue;" "9th Circuit Affirms Rejection of Data Breach Claims Against Gap [citing cases].") What's different here? For one thing, there's a statute which has a pretty low threshold for damages, and plaintiffs are wisely avoiding the negligence route. To the extent these are paying customers, they also can argue disgorgement and get their money back (or a portion of it). Finally, they're arguing about the disclosure of information (intimate and personal details) where the harm lies in the disclosure and not the misuse of the data.
It was also interesting to see that the court focused on flowery language in AOL's privacy policy. The FTC did something similar in its informal investigation of Twitter. ("The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?.")
The case is a reminder of the huge quantity of personal information that networks store about users. One can never be reminded of this often enough.
Other coverage: Wendy Davis (MediaPost): "AOL Suffers Blow In Lingering 'Data Valdez' Case."
_______
Eric's Comments: In retrospect, AOL's decision to release the dataset was, at best, an ill-considered decision (and one that already cost several AOL employees their jobs). However, AOL claimed to release the dataset for research purposes, and it remains one of the few public datasets of how actual users search. (For obvious reasons, I don't anticipate new ones being posted any time soon.) While it's hard to praise AOL here, the lawsuit has problems of its own. For one, Venkat mentions the damages/harm problem. Also, the ECPA claim raises the disconcerting specter that search queries are private communications between searchers and search engines--a legal proposition with potentially far-reaching effects that I've never been able to wrap my head around. If you want more information on these issues, this case is one of several explored in Paul Ohm's paper on re-identification that I've praised repeatedly.
Posted by Venkat at 11:56 AM | Privacy/Security , Search Engines
July 11, 2010
Q2 2010 Quick Links Part 3 (Special Facebook Edition)
By Eric Goldman
It’s been an exciting quarter for Facebook, which earned its own special quick links edition. I’ve also been prompted to take a step back and reassess my relationship with Facebook.
From about 2007 through 2009, I really loved Facebook. It was a valuable tool that allowed me to do things I wanted to do and talk with people I wanted to talk with. As a result, during that time, Facebook was an essential part of my daily routine.
Then, something went wrong. It wasn’t really one single thing, but rather the accumulation of a series of missteps. For example, I was highly irritated that Instant Personalization required me to opt-out in FOUR different places. I’m a highly educated man and a reasonably sophisticated Internet user, but I couldn’t be sure if I had done everything required to completely opt out. That’s terrible.
Perhaps the last straw was this New York Times interview with Elliot Schrage of Facebook, which caused me to do a double-take when I saw this gaffe:
[Reader Q:] “Why not simply set everything up for opt-in rather than opt-out?...”
[Schrage answer:] “Everything is opt-in on Facebook. Participating in the service is a choice….”
What??? Sorry, but I’m going to have to call BULLSHIT on that. This is one of those “black-is-white” word twists that practically begs for an FTC enforcement action. It’s true that I “opted in” to voluntarily create a Facebook account, and it’s also true that I voluntarily participate in the service. However, it is not true that I therefore have “opted in” to every subsequent product choice Facebook makes, ESPECIALLY WHEN FACEBOOK CHANGES how it handles user data. A user does not “opt-in” to a new product change unless the user knowingly and affirmatively assents to the change—which Facebook didn’t solicit, especially when it launched Instant Personalization on an opt-out basis. As a result, I have to assume that Schrage’s response was either knowingly disingenuous or unbelievably naïve. Either way, I don’t really want to spend a lot of time with a service that doesn’t understand something as fundamental as the proper definition of “opt-in.”
So Schrage is right that I can choose to participate in the service, and I’m largely choosing not to. Three examples:
1) I used to have my profile fully public--and therefore fully indexable in the search engines--but I have since changed my profile to be visible only to friends. I’m not trying to keep secrets or maintain a dual persona; in fact, I don’t say anything different on Facebook than I would say elsewhere. I just don’t want Facebook to get my indexable content or any link love.
2) I have reengaged my Twitter-to-Facebook API so that my Twitter posts automatically populate to the Facebook newsfeed, which further reduces my visits to Facebook.
3) I used to read my newsfeed pretty religiously and comment on other folks’ posts routinely, but I rarely do that now. I had already reduced my commenting after a previous Facebook product change automatically posted my comments to my newsfeed despite my explicit opt-out of such postings.
Personally, I think this is how Facebook is going to go down. It’s not going out in a fiery blaze of mass account deletions. Instead, it will atrophy from the collective but individual decisions of people choosing to spend less time on Facebook and spend that time elsewhere. (I talk about this disengagement phenomenon in the context of virtual worlds here). That’s certainly what I’m doing. Indeed, there is some evidence that Facebook’s traffic is plateauing, so perhaps I’m not the only disengaging user. This is why new account signups aren’t the right measure of Facebook’s success any more, especially when the new accounts are coming from late adopters like my mom and my mother-in-law (both recent signups), both of whom have no idea what to do with their accounts and are not actually engaging in the service.
When Facebook reaches the negative tipping point, no one will go there because no one else is posting interesting content—a self-reinforcing downward spiral. As a prime example, I still have my Orkut and Friendster accounts, but I can’t imagine why I would go back because neither service offers any interesting content to me. Similarly, Facebook may become a virtual depopulated ghost town with interesting relics.
Other interesting links regarding Facebook’s imbroglio from last quarter:
* EFF: Facebook's Eroding Privacy Policy: A Timeline.
* “How Do I Delete My Facebook Account” is a popular search, which has led to bonus traffic for wikiHow’s web page on the topic. However, as I said, I don’t expect mass account deletions; mass account disuse is much more likely.
* Chris Kelly, Facebook’s former Chief Privacy Officer, disavowed himself from Facebook’s product changes as part of his unsuccessful candidacy for California attorney general. I hear you, Chris, but maybe could you tell us a little more about Beacon…wasn’t that on your watch??? The NYT recaps how Kelly’s Facebook background was a mixed bag for his campaign.
* EFF: Facebook should follow its own principles.
* CNET’s retrospective on some of Facebook’s missteps over the years. One they missed: Facebook v. Power.com. I am not entirely sympathetic to Power.com based on existing legal doctrine. However, the whole lawsuit would be completely unnecessary if Facebook provided a bona fide tool that lets users port their own data off Facebook—something Facebook has shown zero interest in doing. (Recall, for example, the Facebook representative painfully ducking the data portability question at the FTC’s Berkeley privacy workshop).
* Facebook’s product crisis caused an internal rift among Facebook execs.
A couple of other Facebook tidbits from the last quarter:
* Facebook's automated "Community Page" generator is leading to some wacky results for law firms.
* NYT: High school students are changing their Facebook names to aliases during college admission season.
Posted by Eric at 11:30 AM | Privacy/Security
July 07, 2010
Q2 2010 Quick Links Part 2
By Eric Goldman
Marketing and Advertising
* Good talk from FTC Chair Leibowitz: “we have great hopes for self-regulation….So long as self-regulation is making forward progress, the FTC is not interested in regulating” behavioral targeting.
* NYT on teaching middle schoolers how to interpret ads. We're going to need to teach kids how to consume information if we have any chance to survive infoglut.
* The LA Times and Chicago Tribune are integrating paid text links into story content.
* Search Engine Land: Google: Now Recommending Brands For Searches.
* Keeller v. Groupon Inc., No. 10 CH 8666 (Ill. Cir. Ct. Cook Cty. March 2, 2010). Groupon settles lawsuit over expired and unused coupons.
* NYT: Online coupons may not be as anonymous as people assume.
* An inside look at the MPAA's self-regulatory effort to police movie ads.
* Avi Goldfarb & Catherine Tucker, Privacy Regulation and Online Advertising.
* Microsoft sues for click laundering. Coverage at Search Engine Land and WSJ.
* The FTC shut down Pricewert/3FN.net.
Contracts
* News.com: Second Life sued by its users for changing the terms of land “ownership.” Evans v. Linden Research complaint.
* Shell v. AFRA: website venue selection clause not binding just because web visitors viewed it.
* Omri Ben-Shahar & Carl E. Schneider, The Failure of Mandated Disclosure. This paper shows why mandatory disclosures fail in part because regulators think in terms of what consumers SHOULD want to know rather than what information consumers ACTUALLY want to know.
* WaPo: Reality TV secrets are hard to keep in the age of social media. My 2003 analysis of using contract law to keep reality TV secrets.
* Want to be on the TV show Survivor? Check out its contract first.
* Anderson v. Bell, No. 20100237 (Utah June 22, 2010): “electronic signatures may satisfy the Election Code’s requirements under section 20A-9-502 regarding unaffiliated candidates wishing to run for statewide office.” Tom O’Toole’s writeup.
Trademarks/Copyrights
* Jim Jansen: “Only 4% of sponsored ads were triggered by competitors’ trademarked terms. When it does happen, the results are pretty much what consumers are used to seeing, so there doesn't appear to be many negative consequences….Thus, competitive use of trademarked terms to trigger online ads does not appear to be a widespread phenomenon and is similar to the query suggestion feature that many search engines employ.”
* Michael Geist on the first Canadian keyword advertising ruling (a nice defense win).
* 2010 Joint Strategic Plan on Intellectual Property Enforcement.
* Qassas v. Daylight Donut Flour Company LLC, No. 09-663 (N.D. Okla. June 10, 2010). A company and its entrepreneur are liable for their web developer's infringements when creating the company's own website.
Miscellaneous
* Stephen Wu on Estate Planning for Online Assets
* Declan at News.com lauds Justice Stevens' Internet jurisprudence. We owe Justice Stevens many thanks for helping the Internet bloom.
* Anthony v. Yahoo!, Inc., 2010 WL 1552819 (9th Cir. April 20, 2010). Upholding Yahoo's settlement in a class action lawsuit over its online dating site. My original blog post on the case.
* Tom O'Toole reports on various stupid state efforts to regulate technology, inadvertently making the case that they are a terrible laboratory of experimentation.
* Vacation Club Services Inc. v. Rodriguez (M.D. Fla. April 22, 2010). No CFAA action against the buyer of data from a database the seller allegedly acquired in violation of the CFAA.
* Lawyers behaving badly on the Internet.
* 23 state AGs have contacted Topix about its takedown procedures, including its fee for expedited takedown review.
Posted by Eric at 03:18 PM | Copyright , E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark , Virtual Worlds | TrackBack
June 24, 2010
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
[Post by Venkat]
In the Matter of Twitter, Inc. (FTC; June 24, 2010) (Consent Order) (FTC Press Release)
Twitter recently agreed to a consent order with the FTC that requires Twitter to implement a variety of security measures with respect to "nonpublic consumer information" of Twitter users. The FTC probe (which was resolved by agreement) stemmed from highly publicized security breaches where hackers gained "unauthorized administrative control of the Twitter system." In the first incident, hackers gained control of 35 high profile Twitter accounts, including the accounts of Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. Separately, someone gained access to a Twitter employee's email account, which contained the employee's admin password for Twitter.
The consent order requires Twitter to implement a variety of security features which are above and beyond what many sites have in place. The consent order also requires Twitter to undergo a periodic audit by an outside auditor, and comply with some onerous-looking record-keeping requirements (retain consumer complaints, "widely-disseminated statements" about its security and privacy practices, etc.). Interestingly, the FTC faulted Twitter for failing to comply with security standards which many sites probably do not meet:
• requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
• prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
• suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
• providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
• enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
• restricting access to administrative controls to employees whose jobs required it; and
• imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
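To make the controls in that list concrete, here is an added example (my own illustration, not code from Twitter, the FTC or this blog) of an administrative-login guard that enforces four of them in one place: a lockout after a fixed number of failed attempts, an IP allowlist for the admin endpoint, a 90-day password age limit, and salted hashing so the service side never holds an admin password in plain text (the order's plaintext complaint was about employees' e-mail accounts, and hashing only covers the server-side half of that problem). The threshold of five attempts, the account names, the allowlisted network and the sample passwords are all constructed for the demo.

```python
"""Admin-login guard illustrating the controls in the FTC's Twitter consent order.

Added example; account names, thresholds and sample values are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # assumption for a "reasonable number"
PASSWORD_MAX_AGE = timedelta(days=90)   # the order's own example of a 90-day expiry
PBKDF2_ITERATIONS = 100_000


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes              # only the salted hash is stored, never the password
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function verifies a login attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str, now: datetime) -> AdminAccount:
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), now)


class AdminLoginGuard:
    """Separate gate for the administrative login page, distinct from user login."""

    def __init__(self, allowed_networks):
        # "restricting access to specified IP addresses": an explicit allowlist
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.accounts = {}

    def add(self, account: AdminAccount) -> None:
        self.accounts[account.username] = account

    def attempt(self, username: str, password: str, source_ip: str, now: datetime) -> str:
        """Return a status string; only "ok" grants administrative access."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "denied: source address not allowlisted"

        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so response time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied: bad credentials"
        if acct.locked:
            return "denied: account locked"

        # Constant-time comparison of the salted hashes.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            # "suspending or disabling administrative passwords after a
            # reasonable number of unsuccessful login attempts"
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "denied: account locked after repeated failures"
            return "denied: bad credentials"

        acct.failed_attempts = 0
        # "enforcing periodic changes of administrative passwords"
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            return "denied: password expired, reset required"
        return "ok"


def run_demo() -> list:
    """Exercise each control against constructed accounts and return the outcomes."""
    now = datetime(2010, 6, 24)
    guard = AdminLoginGuard(["10.0.0.0/8"])          # constructed office network
    guard.add(create_account("alice", "correct horse battery staple", now - timedelta(days=10)))
    guard.add(create_account("bob", "swordfish", now - timedelta(days=120)))

    results = [
        guard.attempt("alice", "correct horse battery staple", "203.0.113.7", now),  # off allowlist
        guard.attempt("alice", "correct horse battery staple", "10.1.2.3", now),     # ok
    ]
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = guard.attempt("alice", "wrong-password", "10.1.2.3", now)
    results.append(last)                                                              # lockout
    results.append(guard.attempt("alice", "correct horse battery staple", "10.1.2.3", now))  # still locked
    results.append(guard.attempt("bob", "swordfish", "10.1.2.3", now))               # expired
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The unknown-username branch still runs the hash so that a wrong username and a wrong password take about the same time; the order does not ask for that, but it is the usual companion to a lockout rule, since a lockout only helps if the attacker cannot first learn which administrator names exist.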
The million dollar question, of course, is what this means for other websites. Should Facebook be taking a look at the consent order (which in any event is a useful best practices-type guide)? It's tough to say. One thing worth noting is that the FTC focused on language in the older version of Twitter's privacy policy:
The privacy policy posted on Twitter’s website stated that 'Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.'
This language was contained in Twitter's initial privacy policy, but was removed from its privacy policy during a revision which Twitter implemented in November 2009. (Here's my blog post at the time, noting this change in particular: "The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version.") While it's tempting to look at this settlement as the FTC taking a hard line on Twitter's current privacy and security practices, this may not necessarily be the case. The FTC focused on representations made by Twitter to end users (in its old policy) that may have lulled the end users into a false sense of certainty around Twitter's privacy and security practices. Either way, Twitter took on some pretty serious obligations as a result of the settlement.
I'm not sure what the moral of the story is here. One clear takeaway is to not include flowery language in your privacy policy or terms that provide end users false assurances about your security practices. Another one may be to not "borrow" your terms of service from another website (or be careful when drawing "inspiration" from another website when putting together your own terms of use and policies).
NB: I noticed a few tweaks to Twitter's policy, which was revised a couple of weeks ago. The revised policy makes clear that: (1) Twitter tracks user interactions with links; and (2) Twitter uses more than just Google Analytics. Neither of these changes seems particularly material, although it's always nice to be reminded that websites track your interactions with links. Either way, I thought they were worth noting:
Links: Twitter may keep track of how you interact with links in Tweets by redirecting clicks or through other means. We do this to help improve our Services, including advertising, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.
Third Party Services: Twitter uses a variety of services hosted by third parties to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These services may collect information sent by your browser as part of a web page request, such as cookies or your IP request.
Added: The BBC reports (June 24, 2010) that "Obama's Twitter hacker receives a suspended sentence." According to French investigators, the hacker (Francois Cousteix) "deduced the passwords of Twitter administrators from public information on the web, thus gaining access to the accounts of important and famous individuals." Mr. Cousteix's actions spurred (in part) the FTC probe. Also, Gawker thinks that Twitter got off too easy: "The Pathetic Punishment of Twitter." Many people probably had the opposite reaction, but that's neither here nor there.
Additional coverage:
FTC analysis: [pdf] ("Analysis of Proposed Consent Order to Aid Public Comment In the Matter of Twitter, Inc., File No. 0923093")
TechCrunch: (FTC Bars Twitter "For 20 Years From Misleading Consumers" About Privacy After 2009 Hacks)
Wired: (Twitter Settles With FTC Over 'Happiness' Breach)
CNET: ("Twitter, FTC reach agreement on security")
Posted by Venkat at 02:23 PM | Privacy/Security
June 09, 2010
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville
[Post by Venkat]
Barnes v. CUS Nashville, LLC, (M.D. Tenn) (June 3, 2010)
I mentioned Barnes v. CUS Nashville in my post about Crispin v. Audigier, a case where a court found that production of private Facebook messages and postings pursuant to a civil subpoena would be barred by the Stored Communications Act. In Barnes, the court also dealt with a civil subpoena to Facebook, and summarily denied a motion to compel, finding similarly that the Facebook information sought by the defendant was covered under the Stored Communications Act. The parties in Barnes engaged in further wrangling (wrangling is an understatement) over the Facebook information of plaintiff and other witnesses, and the magistrate judge came up with an interesting way to resolve the underlying discovery issues.
Barnes is a slip and fall case where plaintiff alleged claims based on injuries arising out of her fall one evening at the "Coyote Ugly" saloon in Nashville:
On or about September 19, 2008, Plaintiff was a business invitee of the Saloon and in that capacity was encouraged by employees of the Saloon to climb onto the Saloon's bar to dance. At the time of said encouragement, the Saloon's bar was wet and extremely slick. As a result of the Saloon's employee's encouragement, Plaintiff did attempt to climb onto the bar to be photographed with her friends. In so doing, Plaintiff slipped on the wet and slick bar and fell backwards a considerable distance, striking the back of her head on the ground.
Defendant subpoenaed Facebook for plaintiff's Facebook information, including photos of plaintiff and her friends dancing on the bar. The court quashed the subpoena to Facebook, and in response, defendant issued a subpoena to plaintiff's friends, who are witnesses in the case. The defendant sought photos posted by plaintiff and her friends that depicted the events on the night in question. The court finds that the subpoenas issued to these witnesses cannot be enforced by the district court in Nashville, and if defendant wants to move to compel, it must do so in Colorado and Kentucky, the districts out of which the subpoenas were issued.
The magistrate judge chastises both parties for their failure to cooperate in the discovery process, and specifically calls out the defendant for its "mishandling of the Facebook subpoena." The judge then offers to create a Facebook account "for the sole purpose of reviewing photographs and related comments in camera . . . and disseminat[ing] any relevant information to the parties." Assuming the non-party witnesses (who will be located/contacted via email (!)) will accept the judge's Facebook friend requests, the magistrate judge agrees to review their Facebook information, provide any relevant information or photographs to the parties, and then close the Facebook account. (It doesn't seem like the court will store copies of the non-relevant portions of the Facebook pages, even under seal.)
I have to give credit to the court for coming up with this novel approach for resolving this issue. And they say judges are not technically savvy. It's nice to see a member of the judiciary who doesn't share the over-the-top view of Facebook friending that's held by the bar regulators in Florida. (That said, there may be a slew of issues lurking in the background here.)
To Magistrate Judge Brown: Nice work, your honor! You should keep in mind those pesky default privacy settings on Facebook. We wouldn't want you to friend the witnesses, and in the process, disclose to the entire world the private contents of their Facebook pages. Along these lines, I don't know the answer to this, but you should check the Facebook terms of use to make sure that your creation of a Facebook page and friending of these witnesses doesn't somehow run afoul of the Facebook terms of service.
Posted by Venkat at 10:56 AM | Evidence/Discovery , Privacy/Security
June 08, 2010
Google Street View Litigation Mania--Seven Class Action Lawsuits and Counting
By Eric Goldman
It appears that virtually the entire plaintiff’s bar saw Google's blog post that it captured wi-fi payload data as part of its data collection for Google Street View. At least 7 class action lawsuits have been filed:
* Berlage v. Google (N.D. Cal. filed May 20)
* Carter v. Google (E.D. Pa. filed June 2)
* Colman v. Google (D.C. D.C. filed May 26)
* Galaxy Internet v. Google (D. Mass. filed May 25). I'm not sure about standing in this case because Galaxy Internet is an Internet access provider complaining that Google snooped on its customers' traffic.
* Keyes v. Google (D.C. D.C. filed May 28)
* Redstone v. Google (S.D. Ill. filed May 28, 2010)
* Van Valin v. Google (D. Ore. filed May 17). This is the first lawsuit filed, and it has already reached a ruling requiring Google to fork over the collected data.
Undoubtedly, all of these lawsuits (and any more still coming) will be consolidated into a single action. Let the jockeying for lead counsel position begin!
Looking at the group of complaints as a whole, I'm impressed with all of this previously undisclosed expertise with the ECPA, a notoriously tricky statute that I rank as one of the most indecipherable statutes of all time. With all of these newly identified ECPA experts, perhaps this will contribute to the birth of a new ECPA plaintiffs' bar?
It's remarkable that these lawyers were able to conclude to their satisfaction that their named plaintiffs in fact had their payload data captured in the process--presumably by confirming that payload data was actually being transmitted at the precise time the cars drove by. I'm not sure how I would research this issue sufficient to satisfy my Rule 11 obligation, but these attorneys surely didn't just assume Google captured their clients' payload data...did they?
Finally, it will be interesting to see how these cases will be affected by the countervailing legal trends requiring privacy breach victims to show some actual harm from the breach (see, e.g., Ruiz v. Gap). I'm not sure this showing will be required for the ECPA claims, but it could wreak havoc with the ancillary claims.
Posted by Eric at 06:27 AM | Privacy/Security , Search Engines | TrackBack
June 04, 2010
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
[Post by Venkat with a few comments from Eric at the bottom]
Ruiz v. Gap, Inc. (9th Cir. May 28, 2010)
In a decision that does not bode well for plaintiffs bringing privacy-based claims against Facebook in California, the Ninth Circuit recently affirmed the trial court's rejection of data breach claims against Gap.
Facts: The case arose out of the theft of two laptop computers from a Gap vendor who processed job applications for Gap. The stolen laptops contained personal information of applicants who applied for a job at Gap. Ruiz, one of those applicants, brought claims on behalf of a putative class under theories of negligence, breach of contract, unfair competition (17200), the California constitution, and California Civil Code section 1798.85 (which addresses when a social security number could be required to access a website).
The district court rejected Ruiz's claims largely on the basis that he failed to articulate any cognizable injury. Increased risk of future harm was not sufficient to state a negligence claim under California law, and risk of future harm and credit monitoring were not recognizable damages for a breach of contract claim. In any event, Gap had offered credit-monitoring services, which Ruiz failed to avail himself of. (See Tom O'Toole's coverage of the case here.)
The Ninth Circuit's Ruling: The Ninth Circuit agreed with Judge Conti.
Negligence: With respect to the negligence claim, the court held that nominal damages cannot vindicate a "technical right" in the absence of "actual loss." While in the toxic exposure context the court recognized that damages for monitoring may be available, the court declines to decide whether that rule should be extended to this context, given the total absence of evidence of any time or money spent on credit monitoring. (And the fact that Ruiz failed to take up Gap's offer of credit monitoring, or demonstrate why it was insufficient.)
Breach of Contract: With respect to the breach of contract claim, the court held that controlling 9th circuit authority holds that a breach of contract claim "requires a showing of appreciable and actual damage." This ruling is fairly consistent with the majority rule that breach of a privacy policy is not actionable absent a showing of economic loss, and increased monitoring generally doesn't qualify. In re JetBlue Airways Corp. Privacy Litigation is the seminal case, but many cases since have followed this route. In JetBlue, there was some discussion of whether a privacy policy even constitutes an enforceable contract in the first place, but ultimately, the court assumed that even if it constitutes a contract, a failure to allege damages is fatal. Cases since have included Pinero v. Jackson Hewitt, Bell v. Acxiom, and many many others.
17200 (UCL) Claim: The court ruled that recovery under California's unfair competition statute is limited to individuals who suffer "actual losses of money or property." Ruiz could not make a colorable argument that he was entitled to any restitution from Gap, so this claim was a loser.
California Constitution: There were two problems with Ruiz's claim under the California constitution. First, cases have found that the breach must be egregious, and have yet to extend a cause of action under this theory to negligent or accidental conduct. Second, the court says Ruiz only alleges a "risk of privacy invasion, rather than an actual privacy invasion." In the court's eyes, the actual invasion only occurs when someone actually misuses the data which they obtained from Gap's vendor.
Section 1798.85: Ruiz also brought a claim under California Civil Code 1798.85. The court ruled that, by its terms, this section only required a person or entity conditioning access to a website on the use of an individual's social security number to also require the use of a password, a unique personal identification number, or an authentication device. Here, the social security number was not used to access the website of Gap's vendor, so the section did not apply.
___
This is not a surprising result. The overwhelming majority of courts have rebuffed data breach claims brought by affected persons (particularly those that have been offered monitoring) on the basis that those individuals have not suffered any appreciable injury. While a few cases have taken a different legal route by holding that these plaintiffs lack Article III standing, the end result is always the same: No actual injury = no recovery (and risk of future identity theft does not equal cognizable injury).
This news is probably depressing to two groups of plaintiffs who recently sued Facebook: Robertson v. Facebook and Gould v. Facebook. Both of these lawsuits allege that Facebook improperly disclosed the user name and other information of Facebook users who accessed content on the web. Claims in both lawsuits are premised around Facebook's violation of its privacy policy. As this case makes clear, the plaintiffs in these cases are unlikely to be able to show actual damages, and their breach of contract, negligence, and unfair competition claims are likely dead on arrival.
___
Eric's comments: In the past few months, I've noticed a disturbing trend. Whenever Google or Facebook make a privacy gaffe, the plaintiffs' lawyers go into full-tilt litigation mode. There have been too many complaints filed to blog them all, although I've been posting many of the complaints to my Scribd account. Unfortunately, Google and Facebook have made their lives harder by making too many unnecessary mistakes, but many of these mistakes are obviously inconsequential in the grand scheme of things. But the most disturbing thing is that so many plaintiffs' lawyers seem completely uninterested in pleading how their clients suffered any consequence (negative or otherwise) from the gaffe at all. Their approach appears to be that the service provider broke a privacy promise, res ipsa loquitur, now write us a check containing a lot of zeros.
Although this case was designated non-published and therefore isn't binding on the 9th Circuit, this case nevertheless illustrates that most of these plaintiffs' lawyers are wasting their time and significant social resources with their poorly developed cases. Instead, if they truly believe the privacy gaffe is worth suing over, they should do the advance legwork to find at least one plaintiff representative who actually suffered some harm. If they can't even do that, society would be better off if the lawyers redirected their energies elsewhere.
Posted by Venkat at 10:27 AM | Licensing/Contracts , Privacy/Security
June 03, 2010
April-May 2010 Quick Links Part 1 (IP Edition)
By Eric Goldman
[Note: I just got back from the Netherlands, where I had extremely limited Internet connectivity, so sorry for my absence in the last week (although you were in good hands with Venkat). I will be posting more material from my Netherlands trip to my personal blog and Twitter. You might want to follow me at those places too. I have a long list of "quick links" to share with you as I get the opportunity. The first installment:]
Copyright
* NYT: Current TV defeats a claim that in-line linking is copyright infringement.
* Google won a copyright challenge against Image Search in Germany, apparently on implied license grounds.
* Smoking Gun reports that ESPN sportscaster Erin Andrews has acquired the copyrights to the peephole videos made of her, which should make it a little easier for her to go after online republishers.
* UMG v. Veoh has been appealed to the Ninth Circuit. Although Veoh declared bankruptcy, its law firm, Winston & Strawn, is still fighting it. Ben Sheffner has posted the amicus briefs on behalf of UMG.
* Ben Sheffner also reports that Scott v. Scribd did not get class certification. My initial blog post.
* Arista Records LLC v. Doe 3 (2d Cir. April 29, 2010). P2P file sharer can't claim anonymity to resist copyright owner's subpoena. This ruling also signals that the Second Circuit will take a dim view of fair use claims in P2P file sharing cases and might import the Napster standards for secondary infringement claims.
* Lyrics website hit with preliminary injunction, but not the shutdown requested by the plaintiffs. The court rejects a 17 USC 512 defense because the defendant did not file the required agent designation with the copyright office.
* The RIAA’s campaign to sue file sharers led to a bubble in copyright litigation activity. Ars Technica suggests the bubble may be coming back.
* International Swaps and Derivatives Ass'n, Inc. v. Socratek, L.L.C., 2010 WL 1780999 (S.D.N.Y. 2010). Socratek aggregates agreements from EDGAR and resells them on its website. The plaintiff is upset that Socratek aggregated and resold the plaintiff’s allegedly copyrighted order form for ordering derivatives. The plaintiff sells blank forms, but Socratek grabbed completed versions that had become material agreements for SEC filing purposes. The court denies Socratek’s dismissal motion but also denies a preliminary injunction.
* The Second Circuit upholds the dismissal of Bio-Safe v. Hawks. My initial blog post.
* Zusha Ellison of the Recorder catches up on three copyright First Sale cases pending before the Ninth Circuit. This is a good time to remind you about our November 5 conference on the First Sale doctrine.
* Cosmetic Ideas v IAC InteractiveCorp (9th Cir. May 25, 2010): "receipt by the Copyright Office of a complete application satisfies the registration requirement of § 411(a)."
Trademark
* Google has won the Rosetta Stone case, but we’re waiting to see the written opinion to figure out why (and how good the win is).
* Au-Tomotive Gold v. VW (9th Cir. May 6, 2010). Post-sale trademark confusion trumps the First Sale doctrine. We'll also be discussing trademark exhaustion at the November 5 conference!
* Boston Marathon sues CafePress and Zazzle for trademark infringement.
* Dan Burk, Cybermarks, Minnesota Law Review. The abstract:
The commercial development of the Internet has been punctuated with legal disputes over the use of trademarks as domain names, as metatags, as search terms, and as advertising keywords. As in previous disputes in copyright over the legal status of software, these Internet trademark disputes arise from the overlap of communicative and functional symbols in information technology. Such “cybermarks” are not merely indicators of product source, but function both as symbolic indicia for human recognition and as strings of computer code in the operation of automated search and indexing mechanisms. Application of trademark law’s functionality doctrine, perhaps with some modest amendment, could begin to resolve disputes over the use of cybermarks.
* Nature’s Footprint, Inc. v. Providnet Co Trust, 2010 WL 1903183 (W.D. Wash. May 11, 2010): “The Court is convinced that plaintiff sought to use its superior position vis-a-vis the trademark to, cause harm to a competitor. Given this Court’s strongly-held belief that a significant part of this litigation was motivated by plaintiff’s desire to quash competition, no fees will be awarded under the Lanham Act’s ‘exceptional case’ authority.”
Posted by Eric at 11:06 AM | Copyright , E-Commerce , Marketing , Privacy/Security , Trademark | TrackBack
June 02, 2010
Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier
[Post by Venkat]
Crispin v. Audigier, Case No. CV 09-09509 MMM (JEMx) (May 26, 2010)
With the proliferation of the use of social network profile evidence, it was only a matter of time before a court dealt with the issue of whether you can subpoena someone's Facebook page in a civil lawsuit. A judge in the Central District of California looks at the issue in Crispin v. Audigier [scribd].
Facts: Crispin sued Audigier, alleging that Crispin granted Audigier an oral license to use some of Crispin's works of art in connection with the manufacture of garments by Audigier. Crispin alleged that Audigier (1) failed to include Crispin's logo on the garments; (2) wrongly attributed Crispin's work to another artist; and (3) wrongly sublicensed Crispin's copyrighted material without permission. Crispin brought a variety of claims, including copyright infringement claims. Audigier subpoenaed third party businesses, including Media Temple, Facebook, and MySpace, seeking communications between Crispin and a tattoo artist (those communications which referenced or related to Audigier). [If I were the judge, I would have said this was awfully close to fishing expedition territory.]
14 days after Audigier served the subpoenas, Crispin moved to quash the subpoenas. [Facebook, MySpace, and Media Temple did not appear or file pleadings.] The magistrate judge found that the Stored Communications Act did not apply, and in any event only precluded voluntary disclosure (and did not apply to compelled disclosure pursuant to a civil subpoena). Finally, the magistrate judge found that the SCA only prohibited disclosure of communications held "in storage," which wasn't the type of information covered by the subpoena.
The Court's Ruling: The court largely reverses Magistrate Judge McDermott's ruling in an order that contains a lengthy discussion on the applicability of the Stored Communications Act to Facebook and MySpace profiles, wall posts, and messages. I can't tell if this case breaks any new ground (or whether the case gets it right), but given the growing importance of social networking evidence, I thought it was worth mentioning. (This post by David Johnson provides a good, basic overview of the issues at play: "Employer Access of Employee Digital Communications and Federal Wiretap Laws: It's Easier to Be Found Immune if the Communications Reside on Your Servers.")
A summary of the court's order:
1. The Stored Communications Act (passed in 1986) is woefully out of date, and was "enacted before the advent of the [web] and before introduction of the web browser . . . " In those days, "few could afford to spend hours casually exploring . . . [the internet] . . . ."
2. A third party whose information is sought by this type of a subpoena has "standing to move to quash a subpoena seeking personal information protected by the SCA."
3. 18 U.S.C. sec. 2703(e) does not permit disclosure pursuant to a civil subpoena.
4. Do not, under any circumstances, cite to Wikipedia as a source for a key factual issue (the court drops a footnote citing to Badasa v. Mukasey ("Respondent is admonished from using Wikipedia as an authority in this District again. Wikipedia is not a reliable source at this level of discourse.")). [emphasis added]
5. Facebook, Media Temple, and MySpace provide "private messaging or email services . . . such services can constitute ['electronic communications services'] . . . ." Case law looking to the treatment of private BBS services is helpful. Public BBS services are not entitled to protection under the SCA.
7. The privacy settings of services such as Facebook affect the outcome:
[since] Facebook permits wall messages to 'be viewed by anyone with access to the users profile page'. . . there is no basis for distinguishing between a restricted-access BBS and a user's Facebook wall or Myspace comments. There similarly is no basis for distinguishing between Media Temple's webmail and Facebook's and MySpace's private messaging, on the one hand, and traditional web-based email on the other. As a consequence, the court concludes that each of Media Temple, Facebook, and MySpace is an ECS provider.
8. That Facebook, MySpace and Media Temple are ECS providers doesn't end the analysis. "The court must also determine whether the information sought by the subpoenas . . . constitute 'electronic storage' within the meaning of the statute."
9. Citing to the City of Detroit text messaging decision (Flagg v. City of Detroit) the court notes that "an ECS provider [becomes] an RCS [remote computing service] provider after a communication has been read and stored." It seems factually unclear (but legally relevant) as to whether the services provide storage or backup/archival services.
10. Unlike the "messages," the "Facebook wall and MySpace comments present a distinct and more difficult question":
in the context of a social-networking site such as Facebook or MySpace, there is no temporary, intermediate step for wall postings or comments. Unlike an email, there is no step whereby a Facebook wall posting must be opened, at which point it is deemed delivered. Thus a Facebook wall posting or a MySpace comment is not protectable as a form of temporary, intermediate storage.
The court concludes that "the postings, once made, are stored for backup purposes . . . Facebook and MySpace are ECS providers as respects wall postings and comments. . . ."
11. In the alternative, the court holds that Facebook and MySpace are RCS providers with respect to the wall postings and comments.
End Result: the court quashes the portions of the Facebook and MySpace subpoenas that sought "private messaging," and remands for further development of the record on the wall postings and comments.
__
It's a pretty dense order that is worth reading, if nothing, to get a sense of the complexity of the issues that arise in this context, and the lay of the land as far as case law.
From a practical standpoint, obtaining Facebook messages and private profile information in a civil lawsuit seems fairly tricky (although judging from media reports, people must do it all the time). Assuming you can't get access to some or all of this information through a subpoena, one option is to get the party (whose records are sought) to sign a consent or waiver. This has the downside of giving the party seeking the information access to all of the witness's information, including irrelevant, privileged, or other information that should remain private. As best I know, Facebook doesn't perform e-discovery services on the side - you can't provide Facebook a set of search parameters and get Facebook to produce information that falls under those parameters. (Here's a good post on the topic, with references and suggestions: [pdf] "Obtaining Records From Facebook, LinkedIn, Google and Other Social Networking Websites and Internet Service Providers.")
Another interesting aspect of the dispute is that Facebook didn't appear or file any pleadings. I assume Facebook has a blanket policy objecting to these types of subpoenas, but maybe timing was an issue here? In contrast, Facebook recently successfully quashed a subpoena issued to it in another civil case (Barnes v. CUS Nashville, LLC, No. 3:09-0764 (M.D. Tenn.) (May 27, 2010)). There, the magistrate judge concluded that "the SCA prohibit[ed] the disclosure of [the sought after] information in response to a subpoena" [citing Flagg v. City of Detroit].
Finally, the court looks to the effect of privacy settings for Facebook pages. I wonder if the ability of Facebook friends to "share" postings affects the outcome? How about Facebook's constantly changing privacy policy and settings?
In any event, parties (employers, and even lawyers) should tread carefully here. See, e.g., Theofel v. Farey-Jones and Hillstone Restaurant Group v. Pietrylo.
Posted by Venkat at 08:13 AM | Evidence/Discovery, Privacy/Security
May 27, 2010
EFF Weighs in on Facebook v. Power Ventures -- Facebook v. Power Ventures
[Post by Venkat]
Facebook v. Power Ventures, Case No. 5:08-cv-05780 JW (N.D. Cal.) (Facebook Motion) (EFF Amicus Brief)
Facebook and Power Ventures have been locked in a dispute over whether Power Ventures can access Facebook's website and network outside of Facebook's authorized developer channels. The dispute yielded an interesting ruling on Power.com's motion to dismiss. The parties are both seeking summary judgment on the issue of whether Power.com's conduct violates California Penal Code section 502(c). EFF recently weighed in with an amicus brief which makes the already interesting dispute even more interesting.
The Dispute: Facebook brought Computer Fraud and Abuse Act claims and copyright claims (along with a slew of other claims) against Power.com. Setting aside the peripheral trademark and CAN-SPAM claims, Facebook's key allegations are that (1) Power.com accessed Facebook's network "without authorization" in violation of the Computer Fraud and Abuse Act (and section 502(c), the California computer crime statute); (2) Power.com accessed Facebook’s network in violation of the Facebook terms of use; and (3) Power.com copied the copyrighted portions of the Facebook website in the process of allowing Facebook users to access Facebook through Power.com's interface. (There's also an anti-circumvention claim tied to the unauthorized copying claim.) The court denied Power.com's motion to dismiss. (See coverage of the court's initial ruling on Power.com's motion to dismiss from Tom O'Toole, Jeff Neuburger, and Cyberlaw Cases.)
At this point, the parties are jousting over whether Power.com's conduct violates California Penal Code section 502(c). I'm surprised the parties are focusing their initial battle around this statute, rather than the Computer Fraud and Abuse Act. That said, given that California courts have held that Computer Fraud and Abuse Act decisions are persuasive when it comes to interpreting Section 502(c), what the court does here will be a good indication of what the court will do with the Computer Fraud and Abuse Act claim.
EFF's Amicus Brief: The brief comes at an opportune time for Power.com. I speculated earlier as to whether Power.com would settle this dispute, but given the recent barrage of negative publicity surrounding Facebook (including planned protests/mass deactivations (or deletions?) of Facebook accounts, and criticism from numerous high-profile users and technology commentators), this round of motions could ratchet up the pressure on Facebook. [As a sidenote, Judge Fogel, who originally presided over the dispute and who seemed sympathetic to Facebook's position, recused himself. He didn't give any reasons for the recusal (nor is he required to). I'm not sure what effect this will have on the dispute, but I thought it was worth mentioning.]
EFF urges a narrow interpretation of section 502(c) that avoids liability for Power.com. The EFF brief argues that finding liability based on access in excess of Facebook's terms of service is similar to attempting to hold Lori Drew liable for creating a MySpace profile in violation of MySpace's terms of service. ("[In] Facebook's view . . . [a] user who is twelve years old violates the criminal law every time she uses Facebook.") According to EFF, this results in allowing a private entity to define the bounds of criminal conduct, and does not give end users sufficient advance notice of what's permitted and what is criminal conduct. Notwithstanding the difficulties in analogizing a criminal case to a civil one, EFF's argument resonates, in light of the fact that Facebook has changed its terms of service over the past few years. (EFF: "Facebook's Eroding Privacy Policy: a Timeline.") Facebook's terms are difficult to read and digest for a lawyer; for a non-lawyer end user, they are even tougher. Although length is not a proxy for whether a document is understandable, a popular refrain on the internet was that Facebook's terms are longer than the Constitution.
Does Access in Violation of Facebook's Terms of Service Violate the CFAA: There are cases holding that repeated unauthorized access of a website through automated means may violate the CFAA (for example: EF Cultural Travel BV v. Zefer Corp.; EF Cultural Travel BV v. Explorica, Inc.; Southwest Airlines v. Farechase, Inc.; Register.com, Inc. v. Verio, Inc.). Power.com does not have an easy road when it comes to legal precedent. EFF's brief cites to a recent case from the employment context where the Ninth Circuit narrowly interpreted the Computer Fraud and Abuse Act (LVRC Holdings, LLC v. Brekka, discussed by Jeff Neuburger here). Brekka was a case where an employee accessed his employer's computers and servers for his own purposes (and contrary to his employer's interests). The employer never expressly rescinded Brekka's access. The Ninth Circuit granted summary judgment in favor of the employee (Brekka), reasoning that once authorized, the authorized user cannot violate the CFAA unless the authorization has been rescinded or where the authorized user "exceeds authorized access" - i.e., by accessing the computer "to obtain or alter information" that the authorized user is not entitled to obtain or alter. The court in Brekka acknowledges that the Seventh Circuit took a different approach in International Airport Centers v. Citrin, where it concluded that an employee can lose "authorization" when the employee "resolves to act contrary to the employer's interest."
There's one key difference between Brekka and this case, which is that in this case, there was never any dispute as to whether Power.com or Facebook end users are authorized to access Facebook's servers through Power.com's service. In any event, Facebook sent Power.com a cease and desist letter making clear that Facebook viewed Power.com's access as unauthorized. Interestingly, one of the CFAA sections covers unauthorized access where the defendant "obtains information" which the defendant is not entitled to obtain. Arguably Facebook end users are not "entitled" to obtain information from Facebook through channels that are not authorized by Facebook. However, the information that end users are looking to access is clearly not Facebook's - it's the end users' own data. (The Computer Fraud and Abuse Act has several different sections, but broadly, it requires (1) access or the transmission of information that is unauthorized; (2) which causes damage or effects fraud, and (3) with a certain level of culpability. The EFF's internet law treatise page on the CFAA is a good resource for background.)
The CFAA component of this dispute reminds me in some ways of Southwest Airlines v. BoardFirst, a case where Southwest Airlines tried to shut down BoardFirst's service, which assisted passengers in checking in to Southwest's flights. The court denied Southwest's motion for summary judgment, and the parties ultimately settled. The court's ruling denying Southwest's motion for summary judgment [scribd] contains some good discussion about whether access in excess of a website's terms of use constitutes a violation of the Computer Fraud and Abuse Act. As that case makes clear, however, even if there are problems with Facebook's Computer Fraud and Abuse Act claim, Facebook most certainly has a valid terms of service-based claim. Finding that there's been no terms of service violation would require some serious judicial contortions, and would undermine a pretty basic principle that a website owner is free to define the bounds of access to its website through a terms of service. There have been decisions which have invalidated portions of terms of service based on the fact that the terms are grossly unfair (or are unconscionable), but it's tough to see this part of Facebook's terms fitting into this category. (On a related note, Professor Goldman recently blogged about Miller v. Facebook, a case where Facebook successfully invoked the venue provision of its user agreement to get a copyright dispute transferred from Georgia to California.)
Facebook also has a copyright claim. As tenuous as Facebook's copyright claims may be, there are cases which support Facebook's position, and a judge in this case has already ruled that Power.com doesn't get a pass if it is found to have accessed Facebook's copyrighted material (even for the purpose of allowing end user access).
__
While recent events have made Power.com's arguments more tenable, I think it still has a tough battle, among other things because it's a competitor of sorts. That said, there are a variety of factors which make this case a harder one for Facebook than I initially thought. It is interesting to see people rally around Power.com, which, judging from Facebook's pleadings, has some baggage - the type that makes a clear win for Power.com unlikely. As far as data portability goes, Power.com is an unlikely champion. On the other hand, Facebook doesn't look so great blocking Power.com's efforts.
Other Third Party Services: Another interesting aspect to this dispute is that a plethora of third party services have arisen which arguably address the privacy and data concerns of Facebook's end users. Are these services allowed to access end user data in violation of Facebook's terms? Facebook has tried to force some of these applications to stop, but I think some of these applications may have a more compelling argument than Power.com, which is just a point of aggregation for various social networking profiles. For example, if Facebook didn't provide a way for end users to delete their user data, could a third party provide this service?
1. Openbook: "Facebook helps you connect and share with the people in your life. Whether you want to or not." An interesting site that lets you search public Facebook status updates to show how often embarrassing information is shared through Facebook.
2. ReclaimPrivacy.org: a website that "provides an independent and open tool for scanning your Facebook privacy settings."
3. Seppukoo: an app that lets you kill your online profiles - in response to a Facebook cease and desist [pdf], the site stopped killing Facebook accounts.
Facebook has a good argument that it needs to regulate access for security reasons. Along these lines, Facebook recently implemented "anti-hacking" features which may make access through third party channels more difficult.
Other coverage:
Techdirt: "Facebook Abusing Computer Crime Law To Block Useful Service"
ReadWriteWeb: "Facebook Suing Power.com for Auto-Logging"
EFF: "EFF Seeks to Protect Innovation for Social Network Users"
Wendy Davis: "EFF: Violating Terms Of Service Isn't Computer Fraud"
Posted by Venkat at 10:23 AM | Privacy/Security, Trespass to Chattels
May 26, 2010
Beacon Class Action Lawyers Awarded $2.3MM in Fees -- Lane v. Facebook
[Post by Venkat]
Lane v. Facebook, Case No. 08-3845 RS (N.D. Cal.) (Order re Attorney Fees)
The lawsuit over Facebook's ill-fated Beacon program generated three lawsuits, a lot of wrangling by class action lawyers, and more than a few blog posts (e.g., "Beacon Class Action Settlement Approved;" "Stop Saying 'We Can Amend This Agreement Whenever We Want'!;" "Texas Class Action Aims to Derail Facebook Beacon Settlement"). Judge Seeborg recently approved the settlement, which included the formation of a privacy foundation funded by Facebook. (Here's an earlier post of mine summarizing the then-proposed terms of the settlement.)
The one item pending was the amount of fees which class counsel would be entitled to. Judge Seeborg issued an order on Monday awarding plaintiffs' counsel $2,322,763.00 in fees and $42,210.58 in costs, for a total award of $2,364,973.58. Counsel expended approximately 2500 hours of work on the case, and sought a multiplier of 2.4. The court ruled that a multiplier of 2 was appropriate. The court also found that the hours attributable to the Harris plaintiffs should be "excised," given that "those attorneys attempted to derail the settlement of [Lane v. Facebook] at the preliminary approval stage, before later coming to support it."
[For an explanation of the lawsuit brought by a second group of plaintiffs (Harris v. Facebook) who initially objected to the settlement, check out this post: "Texas Class Action Aims to Derail Facebook Beacon Settlement."]
Although several of the named plaintiffs recovered nominal amounts for their efforts, the class members recovered zero dollars as part of this settlement. The settlement was heralded because it brought significant non-monetary benefits: (1) the establishment of a privacy foundation and (2) a change in Facebook's behavior. Given recent events, I'm sure many are probably left questioning the efficacy of one or both of these.
Posted by Venkat at 08:27 AM | Privacy/Security
May 19, 2010
Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA
[Post by Venkat]
Pulte Homes, Inc. v. Laborers' International Union of North America, et al. (E.D. Mich.) (May 12, 2010)
Background: Pulte Homes, "the largest new home builder in the United States" terminated eight employees. Defendant Laborers' International Union of North America (LiUNA) is a labor organization that represents workers in the construction industry. LiUNA claimed that seven of the eight employees were fired for expressing support for LiUNA. Plaintiff alleged that in response to the terminations LiUNA began a "targeted effort to sabotage and interrupt" plaintiff's business operations. Plaintiff argued that LiUNA's email campaign was a violation of the Computer Fraud and Abuse Act (sections 1030(a)(5)(A), 1030(a)(B), and 1030(a)(C)):
Defendants have encouraged LiUNA supporters to inundate Plaintiff with mass quantities of phone calls and e-mails . . . . LiUNA's website featured a 'call to action,' which provided a pre-typed e-mail voicing opposition to Plaintiff's alleged termination of employees for supporting the union. This e-mail was pre-addressed to Plaintiff and allowed users to send it to Plaintiff with the click of a few buttons.
The Court's Ruling:
Unlawful transmissions: The unlawful transmission prong of the CFAA requires the transmission of information as a result of which the defendant "intentionally causes" damage to a protected computer. The court dismissed this claim because plaintiff failed to allege that LiUNA's email campaign caused any appreciable damage to plaintiff's computer system.
Unauthorized access: The unauthorized access prong of the statute requires intentional access "without authorization," along with resulting loss. The court concludes that LiUNA did not "access [plaintiff's] computer under the CFAA merely by leaving a voice-mail or sending an e-mail." The court rejects plaintiff's attempt to rely on an older AOL spam case (AOL v. National Health Care Discount, Inc.) where the Northern District of Iowa held that the transmission of bulk email through AOL's servers could constitute a violation of the CFAA. (The court there expressed serious reservations as to whether the Computer Fraud and Abuse Act even covered unsolicited bulk emails: "it is not clear that a violation of AOL's membership agreements results in 'unauthorized access.'") The AOL case was decided pre-CAN-SPAM, and as the court recognized, stretched the bounds of the Computer Fraud and Abuse Act. It's tough to conclude that sending an email to an email address that's designed to receive emails from the general public constitutes "unauthorized access" under the Computer Fraud and Abuse Act. AOL argued that mass emails were "unauthorized" because they were a violation of AOL's terms of service, but this argument suffers from the same problems that any terms of service-based Computer Fraud and Abuse Act claim suffers from.
[Anyone engaging in this sort of a mass email campaign may want to stagger the emails or otherwise take steps to minimize potential damage or slowdowns to the recipient's servers. Where there's no damage or slowdown, courts are reluctant to find liability.]
__
This case is reminiscent of Intel v. Hamidi, another case involving a departing employee who was sued for sending mass emails. In Hamidi, the California Supreme Court held that the departing employee could not be held liable under a trespass to chattels theory because the emails he sent did not damage Intel's servers. As in this case, in Hamidi, the plaintiff seemed more concerned about the content or peripheral effects of the emails, rather than any effect the emails had on plaintiff's servers.
Related:
The case also brings to mind the contempt order slapped on "television-pitchman" Kevin Trudeau. Trudeau was a defendant in a case brought by the FTC who exhorted "his radio and web followers to deluge U.S. District Judge Robert Gettleman with e-mail" in an attempt to persuade the judge to side with Trudeau in the FTC proceeding. Judge Gettleman found that this interfered with his administration of justice, and sentenced Trudeau to 30 days. That decision is on appeal to the Seventh Circuit. (See coverage from Wired's Threat Level blog here.)
Another union activity case which Prof. Goldman blogged about recently (in that case, involving trademarks) is Cintas v. Unite Here ("Union Organizers' Activist/Gripe Sites Don't Support Trademark Claims").
UPDATE FROM ERIC: This case also vaguely reminds me of the Utube v. YouTube lawsuit, where Utube claimed that YouTube was trespassing its domain name because people were lousy spellers.
Posted by Venkat at 11:28 PM | Privacy/Security, Spam, Trespass to Chattels
May 17, 2010
FTC Busts Check-Issuing Website for Unfair Practices--FTC v. Qchex
By Eric Goldman
Federal Trade Commission v. Neovi, Inc., 09-55093 (9th Cir. May 14, 2010)
Qchex allowed registered users to create and send checks via a website. Initially, users could submit bank account information and payee information, and Qchex would manufacture a check and send it (in some cases physically, in other cases electronically, depending on the sender's request) to the payee. Given that bank account information is widely available (i.e., it's on every check we send and receive), it sounded like it was trivially easy for fraudsters to submit other people's bank information and send an official-looking check drawing on an innocent bystander's account. These bogus checks can wreak havoc on the payment system when they are presented and then bounce (or worse, clear). According to the opinion:
Indeed, over a six-year period, Qchex froze over 13,750 accounts for fraud. Those accounts spawned nearly 155,000 checks, supplied over 37,350 bank account numbers, and were the source of checks totaling more than $402,750,000—an amount more than half of the total drawn during that time.
Eventually, Qchex enhanced its security procedures to deposit a small amount in a bank account and then require the accountholder to report that amount back to Qchex to authenticate the account. For a variety of reasons, this authentication procedure did not eliminate fraud.
The FTC pursued Qchex for unfair trade practices under Section 5 of the FTC Act. Qchex defended on lack of causation, saying the users supplied the relevant information and therefore were responsible for the bum checks. The court's response:
Qchex created and controlled a system that facilitated fraud and that the company was on notice as to the high fraud rate. Qchex’s approach would immunize a website operator that turned a blind eye to fraudulent business made possible only through the operator’s software. Even if the creation of the checks was impossible without user input, that does not mean Qchex did not create the checks that it later delivered.
(I dig the double/triple/quadruple negative in the last sentence. Say what?)
Even if the court's statement is true, isn't this exactly what 47 USC 230 was supposed to immunize? Amazingly, 230 isn't referenced in the opinion at all, although the court does cite the 230-based Accusearch case in support of its conclusion. It's not like 230 was unfamiliar to this panel; the opinion author is Judge McKeown, who also authored a pro-230 dissent in the Roommates.com en banc case.
Put the doctrinal finery to one side for a moment. We know Qchex has to go down for its sloppy authentication processes and the calamitous effect on our banking system. Fine. But the legal reasoning in support of this takedown is troubling. First, it's based on Section 5's unfairness restrictions, a lightly used prong because "unfairness" is unbelievably subjective and malleable. Second, it's based on some type of but-for causation theory, which applies universally to many service providers throughout the Internet (i.e., without PayPal, there would be no PayPal fraud). Third, the courts gave typical deference to the FTC—but perhaps too much deference. Finally, the causation discussion superseded any discussion about 47 USC 230--a conspicuous omission given that Qchex's whole system was premised on user-supplied content.
Having said that, it's not clear that Qchex’s 230 defense would have succeeded. The court emphasizes that liability is due to Qchex's conduct, not its users’. The court says "Qchex caused harm through its own deeds—in this case creating and delivering unverified checks." I expect any other businesses manufacturing inadequately authenticated fake checks will suffer a similar fate. However, I’m not sure this explanation adequately distinguishes between first party and third party content/actions.
It will be interesting to see how the plaintiffs try to misuse the language I quoted above for other types of claims. For example, replace the word “fraud” with “defamation” and see how the language reads. My hope is that the courts will entertain such citations only in FTC Act unfairness cases and not others, but I expect plaintiffs will try to expand its scope nonetheless.
This case brought to mind an old blog post on a site called "Cheezus," which provided a tool that people could use to create and print fake newspaper articles about another person's sexual misconduct. (Unlike Qchex, the user printed the resulting article). Cheezus caught my attention when a mischievous teen used the tools to prank his teacher and got disciplined. I thought the site was irresponsible, but under this rationale, is the Cheezus tool also illegal because it engaged in Sec. 5 unfair practices? If not, why not?
Posted by Eric at 01:55 PM | Content Regulation, Derivative Liability, E-Commerce, Privacy/Security
May 13, 2010
4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info -- U.S. v. Bynum
[Post by Venkat]
United States v. Bynum, Case No. 08-4207 (4th Cir.) (May 5, 2010)
The FBI observed Marques Bynum's activities in a Yahoo! chat room. Bynum had uploaded photos of children engaged in sex acts. The FBI served an administrative subpoena on Yahoo! seeking the subscriber information and IP address associated with Bynum's profile. Based on the information provided by Yahoo!, the FBI identified the internet service provider associated with the IP address (UUNET). The FBI then subpoenaed UUNET and obtained the email address and telephone number for the customer associated with the IP address. Finally, the FBI subpoenaed the phone and internet companies that operated the dial-up service used by the user, which revealed the "physical address from which the uploads emanated" (which happened to be the defendant's mother's house). The FBI also accessed publicly available information from the defendant's Yahoo! chat profile such as his photo, demographic information, and interests.
The defendant made what appeared to be a half-hearted argument that the Government's use of administrative subpoenas (which precluded disclosure of the subpoenas to the defendant) to obtain his subscriber information violated his Fourth Amendment rights. The court rejects this argument, noting that there was no evidence that defendant "had a subjective expectation of privacy in his internet and phone 'subscriber information' . . . ." He voluntarily provided the information to his internet and phone companies and "assumed the risk" that these companies would reveal this information to the authorities. Even if he was able to show that he had a subjective expectation, he would not be able to show that this expectation would be objectively reasonable. The court notes that "every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment's privacy expectation." Finally, the court footnotes the fact that the defendant did not allege a privacy interest in the IP address the FBI initially obtained from Yahoo!.
As this Ars Technica article notes, although the New Jersey Supreme Court took a slightly different approach (and required a grand jury subpoena based on the state constitutional right of privacy and the fact that the IP address-identity connection is sufficiently private to warrant some protection), federal cases pretty uniformly follow the approach taken by the Fourth Circuit in this case. In light of the case law, the court's decision does not seem surprising. That said, as someone who doesn't follow the case law very closely in the criminal context, I was surprised at how easy it is for the government to track down your IP address, and through that, your account information and personal details (email address, street address, etc.). From what I understand, an "administrative subpoena" - which was used in this case - is nothing more than a letter from the FBI.
Related:
Tom O'Toole blogged recently about a file sharing (civil) case where subpoenaed Doe defendants unsuccessfully fought to remain anonymous: "File Sharers Have Little But Not Zero Privacy"
A 2009 MediaPost article discusses a decision by Judge Jones of the Western District of Washington where Judge Jones ruled that IP addresses are not "personally identifiable information": "IP Addresses Are Not 'Personally Identifiable' Information"
FourthAmendment.com covers U.S. v. Bynum: "CA4: No reasonable expectation of privacy in subscriber info with ISP"
Posted by Venkat at 11:49 AM | Privacy/Security
May 11, 2010
Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts
By Eric Goldman
Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 2010 WL 1799456 (D.N.J. May 4, 2010)
It's usually a drag to read opinions in pro se lawsuits. Most of the time, the litigant gets flattened mercilessly. Occasionally, however, the judge bends over backwards to give the litigant the benefit of the doubt. Either way, the opinions are messy and untrustworthy.
This case fits that description. The judge says he can't figure out the facts from the complaint, but here's his best guess. It appears that Smith is a Comcast Internet subscriber. Comcast blocked his outgoing mail twice because he was allegedly sending spam. When pressed why it thought Smith's emails were spam, Comcast pointed the finger at IronPort (owned by Cisco), who in turn pointed the finger at Spamhaus. Smith then filed a "Consumer Watchdog" complaint against Comcast with TRUSTe (misnamed as the lead defendant).
Independently, Microsoft put Smith's email server on its Frontbridge blocklist. Smith separately filed a TRUSTe complaint against Microsoft for that. Smith ultimately decided to sue TRUSTe, Comcast, Cisco and Microsoft for 8 different legal violations in one big litigation fiesta.
Smith's claims go nowhere. The court dismisses all of them with leave to amend the complaint, so the story turns out largely happily for the defendants. Unfortunately, the plaintiff does get one more chance, and he even attached a massive 404 page (!) draft amended complaint. (Note: this is 404 pages, not a 404 error, although it certainly is an error). The court reminds the plaintiff that the rules require a short and plain statement of the claims.
Along the way, the court reaches a decidedly defendant-unfriendly conclusion by rejecting Comcast's, Cisco's and Microsoft's 230(c)(2) defense, the statutory immunity for online filtering decisions--and the often overlooked cousin of 230(c)(1), which I have blogged about many times. Worse, the court reaches its conclusion in the face of several clearly applicable precedent cases. In my opinion, this is an example of how Smith's pro se status causes the court to be overly cautious ... to the point of reaching the wrong result.
The court starts off right by concluding that spam could qualify as "otherwise objectionable" content under 230(c)(2) (cite to e360insight v. Comcast). Doing a light ejusdem generis analysis, the court says "nothing about the context before or after that phrase limits it to just patently offensive items."
However, Comcast is denied 230(c)(2) on a motion to dismiss because Smith alleged that Comcast acted in bad faith. In support of this, Smith alleged that Comcast told him that they didn't mind his emails, but he just needed to upgrade to a more expensive subscription. The court says if this is true, "Comcast was not concerned that people were receiving large quantities of emails, or concerned about the content of the emails, but rather was concerned that Plaintiff had not purchased a sufficient level of service. This is not a good faith belief that the emails were objectionable, but rather a belief that they violated a service agreement."
This is a garbled statement at best. What I think the court was trying to say is that Comcast had a pink contract that allowed spam if the user paid enough money, and Smith hadn't gotten a pink contract. If so, then I can see the court's point that Comcast is being duplicitous arguing that spam is objectionable content because Comcast's assessments could be bought.
I was uncomfortable with the court's almost off-hand reference that "One would expect that if an interactive computer service had acted in good faith, it could and would come forward with the legitimate basis for its actions when questioned (though the Court is not suggesting they must do so)." First, as the court notes, this is a motion to dismiss, so Comcast can't proffer new evidence. Second, this is a burden-shift. As regular readers know, I believe 230 is an immunity against suit, not an affirmative defense, so the plaintiff has the burden to show why the service provider did not possess the requisite subjective good faith when making its filtering decision. It's not Comcast's responsibility to prove its own subjective good faith beliefs. (How does one prove those in any case?)
Cisco and Microsoft both published blocklist-type information. They try to fit into 230(c)(2)’s statutory definition of "access software providers," which requires them to show that they "provide or enable computer access by multiple users to a computer server." This issue was litigated in the Zango v. Kaspersky case, where Kaspersky distributed anti-spyware software that phoned home for new definitions. The Ninth Circuit said that the phone home feature satisfied the statutory requirement. In contrast, the court appears to say that pure blocklist publishers (i.e. those who do not distribute accompanying software with a phone home capacity) do not; this reading effectively kicks blocklist publishers out of the statute.
As the court acknowledges, this conclusion seemingly conflicts with the 2004 OptInRealBig decision, where the court held that IronPort as a blocklist publisher qualified for the statute because it was a user of an interactive computer service. The court doesn't explain why IronPort doesn't still qualify as an ICS user except to say that IronPort didn't make the requisite showing. The court also does not note that the OptInRealBig case was a 230(c)(1) decision (not a 230(c)(2)) because IronPort republished third party reports, and that should have applied here as well. The court also does not address the extensive 230(c)(1) precedent effectively treating online content publishers (which would include blocklist publishers) as "users" of ICSs, ranging from Barrett v. Rosenthal to the implicit conclusion in Novins v. Cannon.
More specific to 230(c)(2), the court doesn't explore either Pallorium v. Jared or MAPS v. Black Ice (an old 2000 case), both of which arguably contradict this particular conclusion in the 230(c)(2) context. Thus, because the court did not engage the applicable precedent, was overly solicitous to a pro se litigant, and knew that its discussion was dicta because it was ruling for the defendants anyways, the court chunks the analysis.
For more on 230(c)(2), see my 230(c)(2) talk notes from last summer.
One other noteworthy aspect of the ruling. Smith alleges that Comcast breached its privacy policy, but the court dismisses the contract claim because he doesn't show any loss from the alleged breach. This is yet another case holding that merely breaching a privacy policy isn't an actionable contract breach without more. See, e.g., the cited JetBlue case.
UPDATE: John Levine provides some perspectives about what might have happened.
Posted by Eric at 10:37 AM | Content Regulation, Derivative Liability, Privacy/Security, Spam
April 19, 2010
Online Publishers, Advertising and Privacy Considerations
By Eric Goldman
I recently spoke at OMMA Global on a panel entitled "Can Publishers Take Ownership of Privacy?" This panel focused on the role of online publishers in the marketing-and-privacy discussions. Most of the privacy angst has focused on other intermediaries in the advertising ecosystem, such as ad networks. However, online publishers play a crucial but under-discussed role in privacy considerations as well.
I made the following three points in my brief introductory remarks:
1) Our privacy regulatory architecture of "notice and choice" requires that publishers actually give their consumers notice and choice, but I'm routinely flummoxed by publishers who balk at doing both. Publishers often rely on dense obfuscating language to mask their true behavior--eviscerating the notice part of "notice and choice"--and will broadly interpret user consent or opt-in beyond the consumer's clear consent. If publishers want to enjoy the benefits of a "notice and choice" regulatory regime, then they have to deliver accordingly. No excuses, no corner-cutting, no BS.
2) I am also amazed at how often publishers let third party vendors place web beacons on their pages or otherwise let third parties have access to their server logs. Routinely consumers are "informed" in obscure or vague privacy policy references that third party vendors might have access to logs (i.e., "we might use third party vendors, so trust us"). At best, the privacy policy links the consumer to the vendor's own privacy policy, at which point the publisher pats itself on the back and feels like it has checked off the "notice and choice" box. But this isn't notice or choice; 99% of consumers won't even look at the privacy policy, and exactly what choice do they have...to follow the daisy-chain of privacy policies to try to assemble the overall picture of what is happening to the consumer and his/her data?
More importantly, I think publishers underestimate the competitive risks of letting other vendors put web beacons on their pages. Every vendor who's listening in via the web beacon knows pretty much everything about the publisher's online business. The publisher can try to handcuff the vendor's enjoyment of that data in the contract; but as we know, too many contracts are not worth the piece of paper they're written on.
As a result, I think publishers need to think long and hard about letting vendors put beacons on their pages or otherwise granting vendor access to the publisher's server logs. Publishers need to evaluate it from a competitive standpoint, and publishers need to act as a proxy for their consumers' interests given that consumers don't have any meaningful notice or choice in the situation. After all, if something blows up, it's the publisher's trust relationship with its consumers that will suffer.
3) Personally, I don't have any problem with providing publishers with more information about me--even PII--so long as they actually provide enhanced value to me. However, in far too many situations, I don't see any extra value from the publisher despite the information I provide. I keep getting the same crappy ads I'd get if they knew nothing about me. So, publishers: if you want better info about me, deliver better value to me. On the flip side, when publishers keep doing a crummy job after asking me to personalize my experience, I will absolutely hold it against them.
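To make point 2 concrete: a third-party web beacon is simply a resource (pixel image, script, iframe) that the visitor's browser fetches from the vendor's host, and every such fetch hands the vendor the page URL (via the Referer header), the visitor's IP address and browser details, and whatever cookies the vendor has previously set. The inventory below is an added example, not code from the post or from any publisher mentioned in it; it parses a constructed sample page and lists which resources go to hosts other than the publisher's, flagging 1x1 or hidden images as likely tracking pixels. The host names and the `find_third_party_resources` helper are assumptions for the example; the registrable-domain check is deliberately crude (last two DNS labels) and would need a public-suffix lookup for real pages.

```python
"""Inventory third-party web beacons on a publisher page.

Added example (not the blog's code). Each third-party resource a page loads
causes the visitor's browser to send that vendor a request carrying the page
URL (Referer), the visitor's IP and user agent, and the vendor's own cookies,
which is how a vendor "listening in via the web beacon" learns what the
publisher's audience reads. Listing those resources is the first step a
publisher would take before deciding whom to allow on the page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src/href attribute triggers a request from the visitor's browser.
_RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, attributes) for every resource-loading tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = _RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        url = attrs.get(attr_name)
        if url:
            self.resources.append((tag, url, attrs))


def _registrable(host):
    # Assumption for the example: treat the last two labels as the registrable
    # domain. Real audits need a public-suffix list (e.g. "co.uk" breaks this).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _looks_like_pixel(tag, attrs):
    """A 0x0/1x1 or display:none image is the classic tracking pixel."""
    if tag != "img":
        return False
    width, height = attrs.get("width", ""), attrs.get("height", "")
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") and height in ("0", "1")) or hidden


def find_third_party_resources(html, page_url):
    """Return resources fetched from hosts outside the page's registrable domain."""
    parser = _ResourceCollector()
    parser.feed(html)
    first_party = _registrable(urlsplit(page_url).hostname or "")
    findings = []
    for tag, url, attrs in parser.resources:
        absolute = urljoin(page_url, url)  # resolves relative and protocol-relative URLs
        host = urlsplit(absolute).hostname
        if not host or _registrable(host) == first_party:
            continue
        findings.append({
            "tag": tag,
            "host": host,
            "url": absolute,
            "tracking_pixel": _looks_like_pixel(tag, attrs),
        })
    return findings


def third_party_hosts(html, page_url):
    """Distinct third-party hosts, sorted, for a quick vendor inventory."""
    return sorted({f["host"] for f in find_third_party_resources(html, page_url)})


# Constructed sample page; the hosts are placeholders, not real vendors.
SAMPLE_PAGE_URL = "https://news.example.com/articles/privacy-panel"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.news.example.com/app.js"></script>
<script src="https://analytics.vendor-one.example/collect.js"></script>
</head><body>
<img src="/images/logo.png" width="120" height="40">
<img src="https://pixel.vendor-two.example/p.gif?site=news" width="1" height="1">
<iframe src="https://ads.vendor-three.example/slot?page=privacy-panel"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_third_party_resources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        kind = "tracking pixel" if finding["tracking_pixel"] else finding["tag"]
        print(f"{kind:14} {finding['host']:32} {finding['url']}")
```

Run against the constructed page it reports three third-party loads (an analytics script, a 1x1 pixel and an ad iframe) and ignores the publisher's own CDN and stylesheet. The same audit run over a real page, plus a look at which of those hosts also set cookies, is what a publisher needs before it can honestly describe to readers who else sees their traffic.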
Posted by Eric at 09:44 AM | Marketing, Privacy/Security
April 14, 2010
Yahoo! Chat Logs Admitted Over Defendant's Objections Based on Eavesdropping Statute -- People v. Nakai
[Post by Venkat]
State v. Singh Nakai, 2010 Cal. App. LEXIS 446 (Cal. App.) (Div. 2) (April 2, 2010)
Division two of the California Court of Appeals recently rejected a defendant's argument that California's eavesdropping statute precluded the admission of Yahoo! chat logs. (Warning: the case contains strong language.)
The case arose out of chats between defendant Singh Nakai and "Coleen," who was actually 35 years old but posing (and posting) as a 12 or 13 year old in internet chat rooms.* Defendant was convicted of "attempting to send harmful matter to a minor with the intent to seduce the minor," and acquitted of trying to commit a lewd act with a minor. Defendant argued (among other things) that the Yahoo! chat logs were improperly admitted over his objection.
Section 632 of the California Criminal Code prohibits the recordation of a "confidential communication . . . without the consent of all parties" to that communication, and provides that any information obtained in violation of section 632 is not admissible in any proceeding. Section 632 defines a "confidential communication" as "any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto . . . . but excludes a communication made in . . . . any other circumstance where the parties to the communication may reasonably expect that the communication may be overheard or recorded." [emphasis added]
The prosecutor argued that "it was not objectively reasonable to believe that the Yahoo! chat dialogues were not being recorded, due to the dialogues being sent and received in a recorded format, i.e., writing." The prosecutor also argued that Yahoo!'s chat privacy policy undermined any reasonable expectation of confidentiality because the policy provided that Yahoo! would share information as necessary to "prevent . . . illegal activities."
The policy stated that Yahoo! could disclose information:
if [Yahoo!] believe[s] it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use or otherwise required by law.
The policy also stated that participants in Yahoo! chat communications should not necessarily expect the chats to remain confidential.
The appeals court held that the chats could not reasonably be seen as "confidential": (1) the privacy policy indicated that chat logs may be shared; (2) the policy warned users that chat logs can be archived and printed by the receiving party; (3) the defendant was communicating with someone he didn't know (and could not reasonably trust); and (4) the defendant himself expressed concern as to whether the receiving party's parent would discover the communications (which reflected awareness that the communications could be viewed or printed).
__
Rather than delving into the Yahoo! chat privacy policy and how this affected the expectation of confidentiality, I'm surprised the court didn't just say that chats don't fall under the statute because chat logs are "recorded" as a matter of course by the sender and recipient, and leave it at that. No one ever asks consent to record and retain chat logs. For some reason, people always seem to equate them with telephone calls as far as whether chats leave behind a recording and whether permission is required. With respect to how this ruling may apply to other scenarios, surreptitiously obtained chat communications are often used in civil cases, such as divorce proceedings. While other laws may come into play, it looks like the California eavesdropping statute will not.
Either way, the case is a good reminder that chat logs (like texts and emails) may be admissible.
[* As I read the case I wondered about the propriety of these types of stings, and whether the legality of internet stings, including those conducted by private citizens or "investigators" was well settled. Given that the defendant didn't even raise the issue in this case, it didn't appear to be a viable argument (in California at least). As a civil practitioner, this issue is pretty far outside my realm of experience. But Cyb3rcrim3 has a post that talks about how attacks on private internet stings have played out.]
Posted by Venkat at 07:00 AM | Evidence/Discovery, Privacy/Security
April 08, 2010
Unmasked Judge/Commenter Sues Newspaper for $50mm -- Saffold v. Plain Dealer
[Post by Venkat]
Saffold v. Plain Dealer Publishing Co., Cuyahoga County Court of Common Pleas (filed April 7, 2010) [scribd]
A judge/commenter who was unmasked by the Cleveland Plain Dealer is reportedly suing the newspaper for 50 million dollars. (h/t ABA Journal) There are plenty of bad facts to go around, but I see an uphill battle for the plaintiff.
Background: Cuyahoga County Common Pleas Judge Shirley Strickland Saffold (or someone with access to her email, commenting as "lawmiss") allegedly left some eighty plus comments on the website of the Cleveland Plain Dealer (at cleveland.com). Some of the comments included:
All of these criminals committing crimes against women must stop. None of them should get out of prison, EVER.
Rufus Sims (lawyer of Sowell and of a bus driver convicted of vehicular homicide) did a disservice to his client. If only he could shut his Amos and Andy style mouth ... This was not a tough case, folks. She should've hired a lawyer with the experience to truly handle her needs. Amos and Andy, shuffling around, did not do it.
I'm confused. There's three stories. The first accuses Saffold of being a bully and demeaning the presence of this reporter for no reason. The second indicates that she refused to allow the Plain Dealer reporters to view the proceedings today, and the last indicates that the defense attorneys and the prosecutors agreed that the court needed to find out who the leak was, but they disagreed about the leaking spoiling the pool. What did Saffold do that was wrong??
The Plain Dealer decided to "unilaterally . . . unmask" Judge Saffold and wrote an article about the unmasking. The Plain Dealer and Judge Saffold were not on the best of terms prior to this incident. While Judge Saffold allegedly commented on pending capital murder cases, her comment dealing with the mental health of a relative of Jim Ewinger, a Plain Dealer reporter, supposedly led to the unmasking. (Wendy Davis covered this in an article here: "Cleveland Paper Unmasks Judge As Commenter".)
The Complaint: The Complaint asserts various claims based on the privacy policy (including a promissory estoppel claim), a claim for fraud, a claim for invasion of privacy/false light, and a claim for defamation.
Privacy Policy: The privacy policy claim is tough. For starters, the privacy policy is not clear that it guarantees anonymity. Second, claims for damages based on a breach of privacy policy are not very easy to make. Many recent cases rejected privacy policy-based claims for lack of actual damages (and some jurisdictions have a rule that precludes recovery for emotional damages unless a physical injury is involved). (See, for example, Pinero v. Jackson Hewitt; Bell v. Acxiom; Pisciotta v. Old National Bancorp [pdf].) There's even a case which expressly rejects a claim based on the disclosure of an email address in violation of a privacy policy. (Cherney v Emigrant Bank) Of course, all of these cases are based on the view that disclosure in itself does not cause damage, and Judge Saffold's case presents different facts. She will probably get past the damages hurdle, but she will have to deal with any provisions in the terms of service that the paper could use to undercut her claims or at least limit damages (disclaimers of warranty, limitations of liability, etc.). Her bigger challenge is to prove that the privacy policy actually guaranteed anonymity, and as Wendy's article points out, the policy envisions that the newspaper would use personal information in a variety of scenarios, including for the newspaper's own benefit.
Invasion of Privacy: The invasion of privacy claim is similarly tough because it will probably turn on whether plaintiff reasonably expected that her comments would remain anonymous. Anyone using the internet will tell you that there's no guarantee of anonymity, and in addition to the ambiguity of any guarantee in the policy, the paper will likely argue that the policy made clear that there are a variety of circumstances in which any user's personal information would be disclosed. Disclosure in response to a subpoena is obviously the classic example. Use of personal information for business purposes is another example.
First Amendment/Media Privilege Defense: At the end of the day, plaintiff will have a challenge proving that she reasonably expected some guarantee of anonymity, and even if the court finds that there was a guarantee, the newspaper could also try to invoke some sort of First Amendment/media privilege defense. It's certainly newsworthy for a judge to have commented on pending cases. While this wasn't what prompted the newspaper's unmasking of the plaintiff, this could bolster the newsworthiness argument. The fact that the judge used the same online profile to supposedly comment on a case she was presiding over (!) is extremely problematic and will cut against the expectation of anonymity. A litigant in that case certainly has a shot at discovering the identity of the commenter in order to support a recusal motion, and once the litigant figures out the judge's identity, the cat is out of the bag. The lawyers litigating the serial murder case Judge Saffold was presiding over (and allegedly commented on) are actually making this argument. ("After Web Post About Serial Murder Case, Judge Should Step Down, Lawyer Says"; "‘Lawmiss’ Comment on Accused Serial Killer Is Linked to Judge Overseeing His Case") This makes the Judge's expectation of anonymity argument that much harder. Had the newspaper found this information out from another source, the First Amendment argument would probably be a fairly strong one. However, given that the Plain Dealer doesn't seem to have the cleanest hands, I'm not sure how much mileage this will get here.
__
There are two strong facts on the other side, in the plaintiff's favor. First, the paper seems to have been engaged in a feud with her, and the reporter may have had his own personal score to settle. This will not look good for the paper. Second, media entities can't pick and choose. It certainly is arbitrary for a paper to say "we have a privacy policy and will protect your anonymity . . . except when your identity as a commenter is newsworthy, in which case we'll exploit that to our benefit." Newspapers are in a tricky position as far as commenter anonymity, and no one will reasonably think that media can have it both ways, which is what they'll have to end up arguing. Finally, while the newspaper could have disclosed the Judge's identity in response to a subpoena, that doesn't mean the paper should voluntarily disclose it in order to publish something it thinks is newsworthy (or to settle a score).
The key question here is how, why, and when the newspaper decided to check out the real identity of "lawmiss."
When all is said and done, plaintiff will finally have to actually prove damages, and suffer the additional embarrassment of a very public dispute around her comments on a newspaper website. Discovery sure is not going to be pretty. (Interestingly, the complaint cites to many public statements made by the Plain Dealer. The Plain Dealer should have adhered to the "less is more" rule when making statements about potential disputes.) Regardless of how the dispute plays out, I guess it illustrates that when interacting online, people need to keep common sense at the forefront. To the extent that she commented on a serial murder case she was presiding over, what was she thinking? On the other hand, what was the newspaper thinking when it decided to "check out the identity of a commenter?"
The case raises the issue of the ethical quandary inherent when a newspaper is the custodian of anonymity. To the extent the newspaper has access to the identity of commenters, there will always be the temptation to check out who particular commenters are. The newspaper in many situations ends up making the call on when to release the identity of the commenter, when to publicize it, and when to fight for anonymity. There will always be conflicting considerations and ethical issues present here.
A final note. Whether someone had the expectation of privacy when dealing with a website or social network is becoming an increasingly litigated issue. I question how useful it is to use the actual language of a privacy policy to determine the expectation of privacy. These are clunky documents that no one ever reads, much less understands. I cringe every time a court wades through a privacy policy, picking and choosing among language it thinks supports or detracts from an expectation of privacy. I blogged about a recent case where a court held that a newspaper website commenter did not waive the expectation of privacy based on language of a policy: Sedersten v. Taylor. Tom O'Toole makes a similar point in a post about another recent case, McVicker v. King: "Newspaper Website's Privacy Policy Creates Expectation of Privacy for Commenters?"
Update: I've added a few additional links below, and clarified that the comments were left with someone who shares the same email address as Judge Saffold. (Judge Saffold's daughter is taking credit for the comments, or at least some of them.) The Plain Dealer reported that someone with the same email address as Judge Saffold left the comments, and verified some of the information behind its reporting through a public records request. It reported that its public records request revealed that someone used Judge Saffold's work computer to access the paper's website at the same exact time as when someone left some of the comments.
Additional Coverage:
Courthouse News has a post which provides some good factual background: "Judge Demands $50 Million From Plain Dealer"
ABC News has a post which also contains some interesting background facts: "Judge Saffold Files $50M Suit Against Cleveland Newspaper Over Online Comments" (It looks like the Judge's daughter who is or was a law student says she was the one who made some of the comments! An Ohio law professor is also quoted as saying it would have been a "major ethics violation" for the judge to have commented on pending cases.)
Cleveland Plain Dealer: "Cuyahoga County Judge Shirley Strickland Saffold files $50 million lawsuit against The Plain Dealer and others"
Gawker: "Can Anonymous Commenters Be Outed if They Do Something Newsworthy?"
The Newsroom Law Blog had a good post about the ethics of the unmasking: "Cleveland Newspaper Unmasks Anonymous Commenter" The post makes a good point about what this may mean for future anonymity arguments asserted by the Plain Dealer on behalf of anonymous commenters. [The Plain Dealer's John Kroll comments on the post . . . fodder for discovery?]
Posted by Venkat at 08:36 AM | Privacy/Security, Publicity/Privacy Rights
April 01, 2010
Facebook Privacy Class Action Filed by Lanier Firm Voluntarily Dismissed -- Melkonian v. Facebook
[Post by Venkat]
Melkonian v. Facebook, Orange County Superior Court Case No. 30-2009-00293755-CU-BT-CJC [complaint]
In August of last year, prominent plaintiffs' lawyer Mark Lanier filed a privacy lawsuit against Facebook on behalf of a group of plaintiffs. [WSJ Law blog] [Techdirt] The complaint seemed sort of all over the place, with no core allegations of misconduct by Facebook. The fact that it was filed by the Lanier Firm (which, incidentally, has a Facebook page, as does Mark Lanier) made it noteworthy.
Curiously, the lawsuit was voluntarily dismissed with prejudice. [dismissal] It's somewhat old news (the dismissal was entered in early February), but given that there's been no public mention of it, I thought it was worth noting. If there's a backstory, I'm definitely curious about it.
Note: Although Facebook dodged a bullet by settling the Beacon class action against it, and getting rid of this case, this is far from the end of Facebook's privacy woes. There are another couple of class actions against Facebook arising out of Facebook's recent revisions of its privacy settings. (Wendy Davis reports on those suits, which were recently consolidated here.) And Facebook implemented yet another set of privacy changes, which brought about a fresh round of criticism. ("Facebook Keeps Chipping Away at User Privacy"; "Facebook Mulls Privacy Changes, Causes More Outrage".)
Posted by Venkat at 07:10 PM | Privacy/Security
March 31, 2010
March 2010 Quick Links
By Eric Goldman
Internet Exceptionalism
* Stern v. Sony Corp., CV 09-7710 PA (C.D. Cal. Feb. 8, 2010): "to the extent Plaintiff is suing Sony as a manufacturer of video games, and the provider of online services, Sony is not a ‘place of public accommodation’ and is therefore not liable for violating Title III of the ADA." Nice complement to the Estavillo case. My prior post on Internet exceptionalism.
Online Competition
* Microsoft’s head algorithms guru says that Google's search engine beat Microsoft because Microsoft ignored the long tail of search queries. If Google and Microsoft made different product design choices and the marketplace liked Google's choices better, doesn’t this make it hard for Microsoft to complain about Google’s "anti-competitive" practices? I wonder if this talk was pre-cleared by Microsoft’s antitrust counsel.
* SJ Mercury News: Google's most recent 10-K lists some new self-identified competitors, including Yelp, Kayak & WebMD. By identifying some vertical players as competitors, such as Kayak and WebMD, does Google lend credence to the arguments by TradeComet and myTriggers that Google does compete with vertical search engines?
* In re eBay Seller Antitrust Litigation, 2010 WL 760433 (N.D. Cal. March 4, 2010). eBay wins summary judgment in an antitrust challenge: "Despite the voluminous briefing permitted in connection with both of the instant motions--which includes hundreds of pages of supporting documents--Plaintiffs have not drawn the Court's attention to any actual proof of antitrust injury caused by eBay's alleged anticompetitive acts--on an individual or a classwide level."
Online Pornography
* U.S. v. Beckett, 2010 WL 776049 (11th Cir. March 9, 2010). A man posed as a 17 year old girl on MySpace and AOL, engaged boys in discussions, induced them to send nude photos, and then coerced them to have sex with him to prevent his dissemination of the photos.
* Miller v. Mitchell, No. 09-2144 (3rd Cir. March 17, 2010). This is the case where the government prosecutor threatened to bring felony charges against girls for "sexting." The court upholds a preliminary injunction against requiring the girls to go through an education program in lieu of felony prosecution.
* U.S. v. Durdley, 2010 WL 916107 (N.D. Fla. March 11, 2010). No privacy expectations in a flash drive left in a public computer.
Online Security
* Cormac Herley of Microsoft Research, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." In my observations, users are actually intensely rational when it comes to privacy and security issues, and privacy and security advocates who don't fully account for this user behavior do so at their peril.
* Reuters takes a deep look at Innovation Marketing, a Russian scareware operation.
User-Generated Content
* Josh King explains why Avvo supports the proposed federal anti-SLAPP law.
* T.V. ex rel. B.V. v. Smith-Green Community School Corp., 2010 WL 935574 (N.D. Ind. March 11, 2010). Denying class formation for a lawsuit in response to a ridiculously harsh school suspension for a MySpace photo of ribald off-campus activity.
* Melton v. Boustred, 2010 WL 881919 (Cal. App. Ct. Mar 12, 2010). Boustred throws a ragin' party and advertises it via a MySpace open invitation. The plaintiffs show up and were beaten and stabbed at the party by unknown assailants. The court concludes that Boustred isn't liable for the physical injuries. Note to self: stay away from parties advertised via MySpace.
* Yelp Litigation Mania!
- Cats & Dogs Animal Hospital v. Yelp first amended complaint
- LaPausky v. Yelp complaint. A write-up.
- Levitt v. Yelp complaint.
- ClickZ: Ex-Yelper Helps Law Firms Go After Yelp
Anonymity
* Park West Galleries, Inc. v. Global Fine Art Registry, LLC, 2010 WL 742580 (E.D. Mich. Feb. 26, 2010). Using an online pseudonym can lengthen the defamation statute of limitations.
* White v. Baker, 2010 WL 1009758 (N.D. Ga. March 3, 2010). Mandatory reporting of Internet usernames by registered sex offenders violates the First Amendment.
Advertising and Marketing
* ClickZ: New Facebook Policies Clamp Down on 'Loose' Ad Copy.
* Coyote Pub., Inc. v. Miller, 2010 WL 816936 (9th Cir. March 11, 2010). Upholding the constitutionality of Nevada's restrictions on advertising prostitution.
Trademark
* WSJ: It's a crowded namespace for bands.
* 1-800Contacts, Inc. v. Memorial Eye, P.A., 2010 WL 988524 (D. Utah March 15, 2010). It was not objectively baseless for 1-800 Contacts to bring a trademark enforcement action over competitive keyword advertising.
* Rhea Drysdale tells how she busted the trademark application for "SEO."
* The Utah governor has signed SB 26, which (among other things) creates a bastardized version of ACPA. My initial comments on the proposed bill.
Copyright
* James Grimmelmann on Reed Elsevier v. Muchnick.
* Ben Sheffner has some updates in the Scribd lawsuits. My initial post on Scott v. Scribd.
* Ars Technica on an experiment to block users who are using ad blocking software from accessing its site.
General
* Hudson v. University of Puerto Rico, 2010 WL 1131462 (D. Minn. March 23, 2010). Passive blog does not confer general jurisdiction.
* Doe 1 v. AOL LLC (N.D. Cal. Feb. 1, 2010). "Plaintiffs' claims for violation of the ECPA (Count I), unjust enrichment (Count VI) and for public disclosure of private facts (Count VII) are subject to the forum selection clause because none are California consumer law claims." Prior blog post.
* Commonwealth v. Interactive Media Ent’mt and Gaming Ass’n, Inc., No. 2009-SC-000043-MR (Ky. Mar. 18, 2010). Challenge to Kentucky's seizure of 141 gambling-related domain names tossed on standing grounds. Prior blog post.
Posted by Eric at 08:42 AM | Content Regulation, Copyright, Domain Names, E-Commerce, Internet History, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Trademark, Virtual Worlds
March 18, 2010
Beacon Class Action Settlement Approved -- Lane v. Facebook
[Post by Venkat]
Lane v. Facebook (Case No. 09-3845 RS; March 17, 2010) [scribd link]
Judge Seeborg yesterday issued an order approving the class settlement in Lane v. Facebook, the class action lawsuit arising out of Facebook's Beacon program.
Background: Shortly after the uproar around Facebook's launch of its Beacon program, a group of plaintiffs filed a class action lawsuit in the Northern District of California. Prior to this lawsuit, another group of plaintiffs sued Blockbuster in Texas, based on Blockbuster's participation in the Beacon program. Both plaintiffs asserted, among other claims, violations of the Video Privacy Protection Act, a statute which protects against disclosure of video rental records.
In Texas, Blockbuster argued that the claims should be subject to arbitration based on a terms of service. The court rejected Blockbuster's arguments on the basis that the terms of use were illusory because they contained language saying that they could freely be amended at any time. (Here are posts by Professor Goldman and Tom O'Toole on this potentially far-reaching ruling.) Blockbuster appealed this ruling.
Meanwhile, the California plaintiffs (represented by Scott Kamber) announced a settlement of their claims. The proposed settlement did not provide for monetary damages to the plaintiffs; Facebook agreed to set aside a chunk of money to fund a "privacy foundation," which would be staffed by nominees of counsel for the parties. (Here's a summary of the proposed settlement terms at CircleID.)
Once the Texas plaintiffs found out about the settlement, they moved to intervene in the California lawsuit. They argued that the two class actions should have been consolidated and that the California plaintiffs could not release claims on behalf of the class against Blockbuster, since those claims were first asserted by the Texas plaintiffs in the Blockbuster class action. Judge Seeborg denied the motion to intervene, a ruling which the Blockbuster plaintiffs appealed.
The parties engaged in a round of wrangling in the Northern District of California, and behind the scenes. Ultimately, Blockbuster settled with the Blockbuster (Harris) plaintiffs by agreeing to pay $50,000. More importantly, counsel for the two classes probably came to some sort of agreement regarding fee sharing. Counsel for the Blockbuster plaintiffs then withdrew their objections to the proposed settlement pending in front of Judge Seeborg. This left a few objections raised by individuals and public interest organizations. Judge Seeborg rejected these objections and approved the settlement.
The Court's Disposal of The Objections:
Form of Notice: One interesting objection was raised by Shan Huangfu. He argued that notice of the settlement was sent via email, was caught in his spam filter, and was therefore inadequate. (Here's an article by Wendy Davis flagging this objection.) I didn't pick up on this at first, but interestingly, the parties wanted to use email notice in lieu of notice through Facebook accounts, and Judge Seeborg did not agree with this. Ultimately, it looks like Facebook sent notice via email and through the potential class member's Facebook account, but did not send any paper notice. I wonder if people who cancelled their Facebook account in reaction to Beacon were more likely to fall through the cracks?
Whether The Privacy Foundation Will be Beholden to Facebook: One of the biggest objections to the proposed settlement was that the foundation created as a result of the settlement would be beholden to Facebook and wouldn't provide any public benefit. Judge Seeborg found that there had been "no persuasive showing that the Foundation will be a mere publicity tool for Facebook, or in any meaningful sense under Facebook's direct control." The foundation will initially be staffed by Chris Hoofnagle, Larry Magid, and Tim Sparapani (Facebook's Director of Public Policy and formerly Senior Legislative Counsel to the ACLU in Northern California). (Interestingly, Sparapani shares a fair amount of personal information on his publicly accessible Facebook profile.)
The Fact That No Monetary Relief Was Awarded to Class Members: Another significant objection was that the class members will not receive any compensation under the settlement (except for the named plaintiff who would receive $10,000, two named representatives would receive $5,000 each, and the remaining named representatives would receive $1,000 each). Judge Seeborg dismissed this objection on the basis that the damages available (principally, the statutory damages under the Video Privacy Protection Act) would be "speculative at best." Because of the speculative nature of the statutory damages, and the risks inherent in litigation, the settlement as structured could be viewed as reasonable.
Observations:
1. The appeal in Harris v. Blockbuster (the Texas action) has been dismissed by the parties. However, they haven't moved to vacate the trial court's ruling so it looks like it will stay on the books. (EPIC filed an amicus brief in favor of the Harris plaintiffs: [pdf]. EPIC's page on Harris v. Blockbuster is worth checking out.)
2. There were approximately 3.6 million potential class members. 100 opted out, and 4 objected. These numbers understandably swayed Judge Seeborg. I'm surprised no one mounted a vigorous "opt out of the Beacon settlement" social media campaign. This would have probably been the most effective method to derail the settlement.
3. The plaintiffs in the California action were left in the awkward position of arguing that the lawsuit that they brought would not support the award of significant damages. In fact, Scott Kamber's declaration [scribd link] argues that it would be tough to hold Facebook liable under the Video Privacy Protection Act, among other reasons because Facebook does not fall under the statute's definition of a "video tape service provider".
4. The Harris plaintiffs were in this position as well. Additionally, the Harris plaintiffs settled separately with Blockbuster, and Blockbuster agreed to pay "Plaintiffs $22,500 and also . . . pay Plaintiffs' counsel $27,500 [in fees]." (Access the Blockbuster settlement agreement on Scribd here.) From the settlement agreement, it appears that the named plaintiffs will receive settlement payments but the remaining members of the class receive nothing. In fact, the court hearing the Blockbuster lawsuit did not approve the settlement. I suppose you could say that the Blockbuster plaintiffs were receiving these amounts for their efforts expended in representing the class, but there was no class award and no class to represent. Shouldn't the remaining Harris plaintiffs receive some compensation? Another factor here is Blockbuster's precarious financial condition.
5. Judge Seeborg deferred ruling on counsel's request for fees, asking for some additional evidence on time spent by counsel. The request for fees states that the Lane class counsel incurred $1.1mm in fees and the Harris class counsel incurred $820,000. After adjustments, between the two, they seek approximately $2.8mm in fees.
6. It's interesting that a piece of legislation passed in the wake of then-Judge Bork's Supreme Court confirmation hearing ended up being influential in this context. I doubt when the legislation was passed, Congress envisioned that the statute would be central to a significant dispute around online advertising and would result in a settlement of this scale. There's no counterpart to the Video Privacy Protection Act for magazines, books or newspapers. Just videos.
7. The Video Privacy Protection Act reared its head in another privacy dispute recently. Netflix just settled with the FTC and agreed to discontinue the sequel to its recommendation engine contest. (Forbes/The Firewall) Professor Ohm flagged the issue in a September 2009 post and urged Netflix to reconsider its decision to launch the second contest. While the settlement between the FTC and Netflix wasn't expressly based on the Video Privacy Protection Act, Scott Kamber also sued Netflix under this statute. Netflix announced on its blog that this lawsuit has been settled, but the terms have not been made public.
8. I guess someone can appeal. Public Citizen objected, maybe they will?
__
(h/t Wired's Threat Level)
Wendy Davis at MediaPost has been following this lawsuit closely. Here is a link to her article on Judge Seeborg's decision.
Posted by Venkat at 10:42 AM | Privacy/Security
March 15, 2010
Data Anonymization and Re-identification Lecture Featuring Paul Ohm, SCU, April 7
By Eric Goldman
University of Colorado law professor Paul Ohm has written one of the most provocative privacy-related papers of the past few years, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. Using examples such as the AOL "Data Valdez" release of search logs and the NetFlix personalization contest, he shows that seemingly innocuous datasets can still become personally identifiable when combined with other data sources. This puts significant pressure on our regulatory distinctions between "personally identifiable information" and non-personally identifiable information, as the combination of datasets can convert non-PII into PII. The implications potentially shake the privacy literature to its core.
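To make the re-identification point concrete, here is an added example (not code from Ohm's paper or from this post) in Python. It builds a constructed "anonymized" release with names removed, joins it to a constructed auxiliary directory on the quasi-identifiers ZIP code, birth year and sex, and measures k-anonymity before and after generalization. The data, column names and the hypothetical `enforce_k` routine are all assumptions made for illustration; the example also shows that generalization alone can leave an outlier record unique, so suppression is needed too.

```python
"""Added example: linkage on quasi-identifiers and k-anonymity.

All rows below are constructed sample data, not real records.
"""
from collections import Counter

# Constructed "anonymized" release: names dropped, quasi-identifiers kept.
RELEASED = [
    {"zip": "94301", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94301", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip": "94302", "birth_year": 1971, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "94302", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip": "94303", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
]

# Constructed auxiliary dataset, standing in for a public directory with names.
AUXILIARY = [
    {"name": "Alice", "zip": "94301", "birth_year": 1971, "sex": "F"},
    {"name": "Bob", "zip": "94301", "birth_year": 1985, "sex": "M"},
    {"name": "Carol", "zip": "94303", "birth_year": 1990, "sex": "F"},
]

QUASI = ("zip", "birth_year", "sex")  # the quasi-identifier columns


def qi_key(row, quasi=QUASI):
    """Tuple of the quasi-identifier values for one row."""
    return tuple(row[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one row is unique and can be singled out."""
    return min(Counter(qi_key(r, quasi) for r in rows).values())


def link(released, auxiliary, quasi=QUASI):
    """Join auxiliary rows to released rows on the quasi-identifiers.
    Returns {name: diagnosis} for every name that matches exactly one row."""
    classes = {}
    for r in released:
        classes.setdefault(qi_key(r, quasi), []).append(r)
    hits = {}
    for a in auxiliary:
        matches = classes.get(qi_key(a, quasi), [])
        if len(matches) == 1:
            hits[a["name"]] = matches[0]["diagnosis"]
    return hits


def generalize(rows):
    """Coarsen quasi-identifiers: ZIP to a 3-digit prefix, birth year to decade."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def enforce_k(rows, k, quasi=QUASI):
    """Hypothetical release filter: generalize, then suppress any equivalence
    class that is still smaller than k (generalization alone is not enough
    when an outlier remains unique)."""
    gen = generalize(rows)
    counts = Counter(qi_key(r, quasi) for r in gen)
    return [r for r in gen if counts[qi_key(r, quasi)] >= k]


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED), "linked:", link(RELEASED, AUXILIARY))
    print("k after generalize only:", k_anonymity(generalize(RELEASED)))
    safe = enforce_k(RELEASED, 2)
    print("k after generalize+suppress:", k_anonymity(safe),
          "linked:", link(safe, generalize(AUXILIARY)))
```

Running it, every name in the auxiliary directory links to exactly one released row (k is 1), generalizing the ZIP and birth year still leaves the single 1990s record unique, and only after suppressing that class does the release reach k of 2, at which point the join finds no unique match.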
Paul will be presenting his research on April 7, 6-8 pm, at SCU. I've heard Paul present this paper a few times and it's always a treat. To spice things up, we'll have two commenters on his work: Cynthia Dwork, a computer scientist at Microsoft, and Chad Raphael, an SCU communication professor. The event is free, and it includes an hour of free CLE if you want it. You can register through this URL. Hope to see you there.
Posted by Eric at 09:36 AM | Privacy/Security | TrackBack
February 02, 2010
FTC Privacy Roundtable Recap
By Eric Goldman
[Introductory note: I have repeatedly criticized the FTC on this blog, and this post may implicitly criticize them as well. At the same time, I want to share a couple of compliments for the FTC. First, the FTC did a terrific job preparing for this event. For the panel I participated on, we had two official group organizing calls, plus I had at least 3 individual calls as well. I can’t recall another event which had more pre-event preparation efforts. Second, I remain consistently impressed with the dedication of the FTC staff attorneys. The FTC attorneys I've met uniformly seem to be trying to do the right thing, even if bright minds might disagree about what that is.]
Last week, the FTC held the second of three privacy roundtables at UC Berkeley. A large crowd (I estimate 200+ people) showed up, and I know that many other people watched online. Combined with my conversations with the FTC folks prior to the event, I took away a few meta-observations:
1) The FTC is Facebook-obsessed. FTC staff kept citing Facebook examples. It's clear that the FTC is paying extraordinarily close attention to Facebook.
2) The FTC has embraced the idea of "data as currency." The concept is that online services that don't make consumers pay with cash instead make consumers "pay" by providing their personal data. This didn't come up much at the second roundtable, although I understand it was a big issue at the first.
It's a little dispiriting to see this argument gain traction. I have repeatedly criticized this concept before (see my Coasean Analysis of Marketing and Data Mining and Attention Consumption articles), so I will only briefly recap its deficiencies here. Basically, the concept treats the provision of personal data as an automatic detriment to the consumer, which creates a zero-sum game—just like the transfer of cash, the service provider wins at the consumer's expense. Although consumers may suffer negative consequences from providing their personal data to service providers, the overall concept is wrong because many service provider-consumer relationships are "win-win" where both the consumer and the service provider are better off due to the data transfer. I build some economic formulas in my articles to explain these scenarios with more rigor. Win-win can occur, for example, if the service provider can provide better services to the consumer based on access to personal data. Personalized search is one example. Ultimately, any policy proposals predicated on treating data as currency are likely to overregulate by reducing or eliminating potential win-win scenarios.
3) The term "privacy enhancing technologies" or PETs lacks a consensus definition. Because we didn't agree on what qualifies as a PET, we couldn't determine if they had been successful or not.
Construed narrowly as add-on technologies that guard against specific vectors of privacy intrusions, it's clear that PETs have failed as a mass-market offering. Hardcore privacy folks may seek out tools that advance their interests, and they may even be willing to pay for those tools, but most folks don't care enough to pursue such solutions--even those available for free. (I highlight this tension in my 2002 Forbes editorial.)
However, if we construe PETs more broadly, they have been massively successful. For example, I would consider anti-spam/anti-spyware/anti-virus software as PETs. Obviously those software programs have other benefits, such as security protection, but they solve a variety of privacy-related problems too. For example, my Gmail spam filter learns my preferences and, over time, blocks some types of unwanted emails (such as repeat emails meant for other “egoldman”s like Emma Goldman) from showing up in my in-box. Similarly, PETs have been incorporated into the browsers and provide default protection to their users. If we can get past the one-off single-vector conception of PETs, we may find lots of successful examples.
4) The online "privacy" dialogue hasn't advanced very far in the past 15 years. I felt like much of the 2010 roundtable's discussion would have been apropos 15 years ago. For example, instead of discussing cookies in 1995, in 2010 we are discussing flash cookies and supercookies. There's no real difference in the underlying principles; we're simply at a new point in the technological arms race. Just like technology evolved to provide user control over cookies, it will eventually catch up to flash cookies and supercookies and super-duper-cookies or whatever the next iteration of persistent client-side identifiers is called. Unless we look past the specific technological implementations and focus on broader concepts, we are doomed to repeat the same conversations.
5) Due to the semantic ambiguity of the word "privacy," "privacy" inquiries are guaranteed to fail. Ultimately, I found much of the roundtable discussion unenlightening because the "privacy" umbrella is too broad and ambiguous. From my perspective, the term "privacy" is always fatally ambiguous to any productive conversation; I just don't understand what it means. As a result, at the roundtable, panelists were simultaneously discussing privacy, security, anonymity and a variety of other concepts. The result was a jumbled doctrinal mess and a lot of talking past each other.
At the same time, the "privacy" umbrella hindered the inclusion of non-privacy concepts that might have helped overcome the deja vu tendency. The panel titles were:
Panel 1: "technology and privacy"
Panel 2: "privacy implications of social networking and other platform providers"
Panel 3: "privacy implications of cloud computing"
Panel 4: "privacy implications of mobile computing"
Panel 5: "technology and policy"
My latest project on reputation is relevant to the issues discussed at the roundtable, but where does "reputation" fit into these panels? Everywhere--and nowhere. Similarly, I was hoping to discuss the implications of 47 USC 230(c)(2), the immunization for filtering technologies, but where does that fit in? I hoped to discuss it in the first panel but we ran out of time. Using a classic "privacy" structure for the discussion implicitly stifles these important non-privacy considerations from emerging. As a result, this structure almost guarantees a "same old, same old" discussion by precluding new concepts from joining the discourse.
Before the panel, lame-duck Commissioner Pamela Jones Harbour gave some opening remarks. She expressed displeasure with Facebook's resetting of privacy defaults and disagreed with Mark Zuckerberg's quoted remarks that the technology change reflects emerging social attitudes. She also gave a lengthy shout-out to Paul Ohm's paper on de-anonymization/re-identification of non-PII. Note that we will have an evening panel event featuring Paul Ohm at SCU on April 7. Please put that on your calendar now. Paul's paper is already affecting the considerations of FTC Commissioners; come hear what the fuss is about.
After Commissioner Harbour, David Vladeck (head of the FTC's Bureau of Consumer Protection) gave some opening remarks as well. He summarized three conclusions from the first roundtable:
* Consumers don’t understand commercial information-collection practices (ex: data brokers, behavioral targeting).
* Lengthy privacy policies aren’t effective, but privacy disclosures are important.
* Consumers care about privacy.
He concluded his remarks with an ominous threat. He noted that the FTC continues to bring privacy-related enforcement actions, and in particular (a quote from his prepared remarks) "we are currently examining practices that undermine the effectiveness of tools consumers can use to opt out of behavioral advertising, and we hope to announce law enforcement actions in this area this year." I'm not sure what this means. Perhaps the FTC is fed up with NAI's behavioral ad network opt-out tool? I have not been able to make the tool work properly for years.
Finally, I'll mention a few thoughts from the social networking panel, which featured Erika Rottenberg of LinkedIn, Nicole Wong of Google and Tim Sparapani of Facebook. Given all the Facebook-bashing throughout the day, Tim was in the hot seat!
One of Tim’s talking points was that 35% of users customized their privacy settings in response to Facebook's privacy default resetting and its subsequent requirement that they review the settings. 35% user participation would be a remarkably high percentage for any website, and it’s incredible for Facebook with 350M claimed users.
Tim's other talking points didn't go over as well. He claimed that there are no barriers to entry for other social networking sites. This is technically true but woefully incomplete. It could very well be that the optimal number of social networking sites that consumers can actively embrace is precisely one, and there are good reasons to believe that social networking sites experience powerful network effects. See, e.g., Reuters' article about the tipping point between MySpace and Facebook.
Further, although the friendship relations are sticky, Facebook’s real stickiness comes from the self-published content on Facebook that cannot be exported to another site. Tim completely chunked the question about data portability from Facebook, slavishly espousing his talking point that Facebook will delete user accounts on their request--a non-sequitur that made most people in the audience quietly groan. We all understand that Facebook will kill content upon request, but the question on the table was how Facebook will allow users to move their extensive content to a competitor. Tim ducked that question because Facebook doesn't enable it. Facebook does not offer a front door for data portability, and Facebook has been shutting down the backdoor by suing folks like Power.com who try to create an unsanctioned portability method. To be clear, I'm not 100% convinced that Power.com is the good guy in that dispute, but I'm pretty confident that Facebook doesn't tolerate backdoor data portability.
Even so, I think Facebook's biggest threat is itself. Few users will get so mad that they will delete their accounts (I still have my Orkut and Friendster accounts, for example). Instead, Facebook should be concerned that users will simply reduce their usage because they get burned out or lose trust in Facebook. Ultimately this will cause users to migrate elsewhere, so the end game for Facebook could be a whimper, not a bang.
As an example of this latter phenomenon, Tim’s talking points claimed that Facebook gives users control over who they want to share every piece of data at the time they publish the data. He rightly praised this granularity but I am still grumbly that Facebook killed the setting that kept my comments and likes off my profile page. Now, if I don't want those items to show, I have to manually delete each one. So I do have control over my publications as Tim touted, but the additional transaction costs cause me to comment on and like other posts less frequently than I used to. This seems like more of a bug than a feature in my book.
In contrast to Facebook, Nicole Wong hammered the point that Google embraces data portability and builds it into the design of many of its services. As she said (I'm paraphrasing her), because users can leave with a click, we have to do better with every product every day, and it makes us build better products. That's the spirit! Facebook, are you listening?
Posted by Eric at 04:04 PM | Internet History , Privacy/Security | TrackBack
January 19, 2010
4th Amendment Updates in the State Courts
The US Supreme Court is not the only Supreme Court to recently focus on 4th Amendment privacy issues critical to technology.
By Ethan Ackerman
This blog recently covered the US Supreme Court's decision to hear a 4th Amendment case dealing with texting privacy. While technology privacy cases are fairly rare at the US Supreme Court level, many of the 50 states' highest courts have dealt with similar issues recently. The waning months of 2009 saw three fairly important state-level 4th Amendment cases that could potentially have a big impact on electronic and online privacy.
Searching Suspects' Cellphones
In December, the Ohio Supreme Court addressed the searches of an arrestee's cell phone. In a 4-3 split, the court held that police searches of a suspect's cell phone, even though incident to the suspect's arrest, required a warrant. The court's decision grappled with the scope of 'a search incident to arrest,' which is one of the few exceptions to the warrant requirement the 4th Amendment usually imposes. Susan Brenner helpfully lays out the details surrounding the exception and its scope here. The court noted that federal courts were split on the issue; the Supreme Court hadn't addressed cell phones or anything similar. So the court proceeded to look at the underlying justification for the exception (officer safety, evidence protection). The court held that the exception wasn't necessary and ruled that a warrant was necessary to protect the private and extensively detailed personal information cell phones often hold.
It's perhaps an understatement to say that this area of the law isn't settled, and the Ohio court's focus on two federal cases is just a small chunk of the universe of cases on this issue. In-house counsel at the Federal Law Enforcement Training Center has helpfully catalogued the cases on this issue. So is the outcome sensible? Orin Kerr is a bit skeptical, but as of yet undeclared.
In a necessary reminder that the 4th Amendment matters even in non-criminal cases, the Mississippi ACLU has taken a civil case over a student's expulsion stemming from a cell phone search.
Fourth Amendment Protection for Records Held by Third Parties
The second state Supreme Court case, Colorado v. Gutierrez, doesn't occur online or even address online activities. It's about the impropriety of a (paper) search warrant for the (paper) tax records kept in the (physical) office of a tax preparer. Politicizing it just a smidge, the prosecutor in the case is running for the US Senate, and the taxpayer in the case was a Mexican immigrant. But the case's principal issue, whether information stored with a 3rd party retains 4th Amendment protections, is one of the core issues of online privacy. Facebook, Google Docs, every other "cloud" service, Skype, Hotmail, Google chat, Verizon wireless voicemail, and even Quicken all are 3rd parties holding private communications and information generated by their users. While privacy policies and state and federal statutes grant (or deny) some protections to this information, the 4th Amendment remains the cornerstone of much of the protection this information has. Several past US Supreme Court cases on the 4th Amendment have latched onto the "3rd party" present in these types of relationships to sometimes find that there was no reasonable expectation of privacy in information given to the 3rd party and thus no 4th Amendment protection. This phenomenon was common enough to get its own name as a legal doctrine - the '3rd party' doctrine. 4th Amendment scholar Orin Kerr recently published a law review article mostly praising the doctrine, and skillfully addressing its applications and shortcomings in the online world.
One of the major exceptions to the 3rd party doctrine is when a statute or protected type of relationship may still preserve a reasonable expectation of privacy despite transmission to a 3rd party. Evidentiary privileges like the attorney-client or marital privilege are examples of this. Less clear is the degree to which statutes protecting privacy may preserve the expectation. The Supreme Court has occasionally found statutes insufficient to protect the expectation (e.g. US v. Paynter, the Bank Secrecy Act was an insufficiently privacy-protecting law) but hasn't to my knowledge yet found a statute sufficient.
In Colorado v. Gutierrez, the Colorado Supreme Court found the federal and state laws protecting the privacy of tax records were sufficient to create a reasonable expectation of privacy in those records, even though they were held by the 3rd party tax preparer. Will a court hold that ECPA's protections for email, or the SCA's protections for chat logs or a Google doc, are sufficiently similar and strong to create a reasonable expectation of privacy in those records?
GPS Tracking of Vehicles
The third recent case is really a trilogy of recent state cases on GPS tracking of vehicles. Long ago in the 1990's, GPS tracking was a world of cops and scorned spouses sticking bulky devices under cars. In the past decade, with the (government-mandated) addition of GPS tracking to cellphones and their increasing ubiquity, the prospect of after-the-fact and real-time tracking of a person's every move is closer now than it's ever been. How state courts handle these three car cases might give us some clues to how they'll handle the phone cases in the next few years.
New York, Wisconsin and Massachusetts went three different ways on the issue: finding, denying, and punting on 4th Amendment protections. Jeff Bone does an excellent summary of all three cases on his employer's blog, so I'll just point you there. To give you a flavor of how the issue splits across the country and between different federal Circuits, read an earlier email of mine helpfully archived on the internets. Once again go-to scholar Orin Kerr also has thoughts on the general issue. Continuing its record as the best place on the internet for intelligent comment debates, Concurring Opinions is host to a 2008 comments debate between Kerr and fellow scholar Renee Hutchins on the issue.
Posted by Ethan Ackerman at 09:48 AM | Privacy/Security | TrackBack
January 18, 2010
File Names Can Help Predict File Content in Child Porn Prosecution--US v. Beatty
By Eric Goldman
United States v. Beatty, 2009 WL 5220643 (W.D. Pa. Dec. 31, 2009)
This is a child porn prosecution. Using Phex P2P software, an undercover investigator accessed the Gnutella network and conducted searches using search terms known to be used by child pornographers. The investigator identified IP address 76.188.64.82 with 11 files with troubling titles such as:
* r@ygold-pedo-13yo brother fucks 11yo sister and sperm inside 61943812.mpg
* (Pthc) 14yo Isabel-(Rape and Fuck) (R@ygold).mpg
* Little young girl hardfucked by me-7 yrs R@ygold illegal pedo sex.mpg
* (Hussyfan) (pthc) (r@ygold ) (babyshivid) Jessica 11y o get fucktgood.mpg
The investigator then matched hash tag fingerprints of the 11 files with child porn files in a database maintained by the Wyoming Internet Crimes Against Children (ICAC) Task Force. Subsequently, the investigator connected Beatty to the IP address. Based on this information, the government got a search warrant for Beatty's home, found hundreds of incriminating files on his home computer, and got incriminating statements in an interview.
Beatty challenged the government's right to search his home computer. The judge and the litigants agree that the government can legally conduct remote warrantless searches of P2P share directories, but the government apparently argued that they were free by extension to look through Beatty's entire computer. The judge rejected such a broad position, saying:
even if the Defendant suffered no Fourth Amendment intrusion by virtue of Trooper Pearson's conduct in remotely accessing certain shared computer files, the Defendant nevertheless retained a reasonable expectation of privacy in his computer and his home such that he possesses "standing" to challenge the merits of the subject search
This shifts the inquiry to the officers' probable cause for the warrant. Apparently, the investigator did not download the files to review them or attach the files as evidence when requesting the search warrant. I'm not sure why the investigator didn't do either step other than to avoid the toxicity of child porn generally. As a result, Beatty challenged the warrant because the warrant-approving magistrate did not see the files directly or get an affidavit from the investigator stating what he saw in the files. However, the magistrate did have the file names and the matching hash tags. Beatty challenged both.
The judge and the litigants agree that file names do not dispositively predict the actual file's content. As we know, file names can be inaccurate for a variety of reasons: plain error, semantic ambiguity, an effort to surreptitiously install malware, and as a way of increasing the content's perceived illicit value (see, e.g., the discussion in the uncited Perfect 10 v. ccBill case about websites with names like "illegal.net" and "stolencelebritypics.com"). The court correctly concludes that "common knowledge dictates that actual file content cannot be definitively determined from the file name alone."
Nevertheless, the court says that file names have some predictive value:
one can also envision circumstances where the file name is so explicit and detailed in its description as to permit at least a reasonable inference as to what the actual file is likely to show. Many, if not most, of the files at issue here had titles that contained highly graphic references to specific sexual acts-including ejaculation, sexual intercourse, oral sex, and anal sex-involving children ranging in age from 7 to 13 years. Several of the files also reference terms such as "child_sex," "pedofilia," "illegal pedo sex," "incest," or "Lolita." The unmistakable inference which arises from such highly descriptive file names, is that the content includes material pertaining to the sexual exploitation of children-i.e., evidence of criminal activity, if not outright contraband. Given the number of files in question and the pointed references in their titles to specific sexual acts involving young children-described in the most coarse and vulgar terms, this inference is a strong one.
I'm reminded of the admonishments that airport security is not a joking matter, so don't make jokes about having a bomb while going through the airport security line. (I've seen a few airports, including the New Orleans airport, post reminders about this). Similarly, child porn is so toxic that no one in their right mind would falsely use a file title suggesting the file is child porn.
The judge also credits the file titles because accurate file titles enable searches by others. So, if you want to distribute child porn in a searchable way (a seemingly illogical proposition because, as this case illustrates, doing so puts you on a fast track to Club Fed), then you need to use keywords that match search terms. The court says:
As a matter of common sense, the very fact that individuals utilize search terms with P2P software to produce results (i.e., file names ) consistent with their chosen search terms suggests a substantial degree of correlation between file names and file content; if file names were, as a general rule, completely random and bearing no relation whatsoever to their content, then there would be no point in conducting a search in the first place and the whole purpose of peer-to-peer file sharing would be frustrated because there would be no meaningful method for locating the sought-after file content.
I agree with this only superficially. It's true that searchable metadata must have some relationship to the underlying content to make a successful match, but community outsiders might think the metadata looks inaccurate or even completely random. Consider how Napster users used alternative spellings to route around the court-ordered blocks on various names. Now, go one step further: if a group of Napster users agree (in an offsite discussion forum) to tag Britney Spears' songs using "Lolita" (a not wholly inappropriate appellation given some of the videos she made before the age of majority), then a block on searches for "Britney Spears" will eliminate an obvious matchmaking route but will fail to stop matchmaking completely. Indeed, subcommunities can develop multiple synonyms that are opaque to outsiders. For more on this, look at the Urban Dictionary to see how slang can have multiple meanings, and note my article on how a single search term can have dozens of possible meanings. As a result, the search matchmaking process may be more complicated--and the value of "accurate" file descriptors is lower--than the court contemplates.
In any case, it wasn't clear how much traction Beatty expected from reducing the predictive value of file names. Ultimately, the search warrant was issued based on the combination of the file names with the fingerprint matches. It's not like the investigator or the judge had no idea what the files might contain--they had a hash value fingerprint matching a known child porn file. (Beatty unsuccessfully argued that the underlying fingerprinted files should not be credited as known child porn.) Then again, there is no reason why law enforcement isn't routinely preserving copies of suspect files they think are child porn and describing the file contents (or submitting the files) when seeking search warrants, easy steps that would have largely mooted Beatty's challenges.
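The point the post is making about file names versus hash "fingerprints" is easy to see in code. The following is an added example, not code from the original post or from the Beatty case: it computes SHA-256 fingerprints over constructed sample contents, builds a "known" hash set from one of them (in practice investigators use curated hash sets, which these made-up values are not), and reports, for each file, two independent signals: whether the file name contains a search keyword and whether the content hash is in the known set. It also shows the two edge cases that matter in practice: renaming a file does not change its fingerprint, and changing a single byte does. The helper names and the sample bytes are my own.

```python
"""Hash fingerprints versus file names (added illustration, not from the post).

The sample contents, the keyword list and the "known" hash set below are
constructed for the demonstration only.
"""
import hashlib
import os
import tempfile

# Constructed sample payloads standing in for two different files.
SAMPLE_A = b"\x89PNG\r\n\x1a\n" + b"constructed image payload A" * 64
SAMPLE_B = b"\x89PNG\r\n\x1a\n" + b"constructed image payload B" * 64


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of the content. The file's name plays no part."""
    return hashlib.sha256(data).hexdigest()


def fingerprint_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_and_fingerprint_tmp(data: bytes) -> str:
    """Write data to a temporary file and fingerprint it from disk."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return fingerprint_file(path)
    finally:
        os.unlink(path)


# Constructed "known file" set: in real investigations this comes from a
# curated hash list, not from the files under examination.
KNOWN_HASHES = {fingerprint(SAMPLE_A)}


def classify(files: dict, known: set, keywords: tuple) -> dict:
    """For each name -> content pair report two independent signals:
    name_hit: the file name contains one of the search keywords;
    hash_hit: the content fingerprint is in the known set.
    A name hit says nothing about the bytes, and vice versa."""
    results = {}
    for name, content in files.items():
        results[name] = {
            "name_hit": any(k in name.lower() for k in keywords),
            "hash_hit": fingerprint(content) in known,
        }
    return results


if __name__ == "__main__":
    sample_files = {
        "keyword_match.jpg": SAMPLE_B,   # suggestive name, unknown content
        "innocuous.jpg": SAMPLE_A,       # bland name, known content
        "renamed.png": SAMPLE_A,         # same bytes under another name
    }
    for name, signals in classify(sample_files, KNOWN_HASHES, ("keyword",)).items():
        print(f"{name:20} name_hit={signals['name_hit']!s:5} hash_hit={signals['hash_hit']}")
    # One changed byte breaks an exact-hash match.
    print("near-duplicate matches:", fingerprint(SAMPLE_A[:-1] + b"!") in KNOWN_HASHES)
```

Run as a script it prints a name hit without a hash hit, a hash hit without a name hit, and a hash hit on the renamed copy; the near-duplicate check prints False, which is why exact cryptographic hashes identify a known file but cannot find an edited version of it.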
Posted by Eric at 10:23 AM | Content Regulation, Internet History, Privacy/Security, Search Engines
December 27, 2009
November-December 2009 Quick Links, Part 2
By Eric Goldman
Copyright
* Want Ad Digest Inc. v. Display Advertising Inc. (N.D.N.Y. Sept. 3, 2009). A classified ads publisher wants to stop a competitor from republishing its classified ads. The court said that advertisers, not the publisher, generally own the copyrights to each individual ad, but the publisher claimed it had edited those ads sufficient to claim a copyright interest in them as well. This factual allegation prevented summary judgment. The publisher also claimed a compilation copyright based on the organization of individual ads into various headings and subheadings. The court said that the placement of ads within headings and the headings themselves weren't protectable. The organization of subheadings might support a compilation copyright, but the republisher didn't use the same organization and therefore didn't violate any compilation copyright. A little known fact: one of my key summer associate projects in 1993 was to analyze republication of classified ads. Note to my assigning attorney: it may be 16 years later, but I think I got my analysis right!
* Moberg v. 33T LLC, 08-625(NLH) (D. Del. Oct. 6, 2009). Publication of a photo on a German website does not constitute "publication" in the United States sufficient to require the copyright owner to register the photo before suing for copyright infringement in a US court.
* Sony v. Tenenbaum. Downloading copyrighted works via peer to peer software isn't fair use (something we already knew from BMG v. Gonzalez), but it might have been a closer call with a better litigation strategy by the defense.
* Rebecca on EsNtion Records v. TritonTM, an impressive copyright infringement and 1202 defense win.
Virtual Worlds
* The FTC thinks virtual worlds should clean up their act to keep kids away from online porn.
* GameSpot: Estavillo has appealed his loss in the Sony case and expanded his litigation to Microsoft and Nintendo.
* Prof. Miriam Cherry on employment law issues in virtual worlds.
Defamation
* Marine Pile Drivers, LLC v. East Coast Marine Pile Drivers, LLC, 2009 WL 3753526 (W.D. La. Nov. 9, 2009). Allegedly defamatory blog post gives rise to jurisdiction in the plaintiff's home court.
* Salyer v. The Southern Poverty Law Center, Inc., 2009 WL 4758736 (W.D. Ky. Dec. 7, 2009). The CMLP page. Subsequently linking to and referencing an allegedly defamatory online article does not reset the statute of limitations under the single publication rule.
* Colette Vogele put together an excellent presentation discussing plaintiff-side considerations when pursuing anonymous posters.
Miscellaneous
* The Feds dropped their appeal in the Lori Drew case, finally bringing to an end a case that never should have been brought.
* The FTC and other agencies have promulgated model Gramm-Leach-Bliley privacy policies. Five years in the making and battled tested by consumers. The instructions are pretty specific about font size, font color, page orientation, etc. Although the tabular format should make scanning the notices easier, it will be interesting to see if these notices actually do a better job than the current notices on any dimension that matters.
* LA Times: An in-depth look at Facebook's “judicial system.”
Posted by Eric at 08:41 AM | Content Regulation, Copyright, Privacy/Security, Virtual Worlds
December 15, 2009
When the Supreme Court gets in your inbox
The Supreme Court agrees to review one of the very few Circuit Court opinions finding 4th Amendment protection for in-box content. Should netizens tremble or rejoice?
By Ethan Ackerman
The Supreme Court has agreed to hear an appeal by a California city from an earlier 9th Circuit ruling finding the city had violated the Constitutional and statutory rights of one of its police officers by recovering and reading the officer's pager text messages. While some appellate commentators expected the Supreme Court to take the case, many 4th Amendment scholars (and this author) were surprised by the Court's action in granting certiorari in the case of USA Mobility Wireless, Inc. v. Quon.
The Quon case is notable because it contains two major issues: the 4th Amendment privacy issue and the somewhat unique issue surrounding employer monitoring when the employer is also the government.
The latter aspect had previously driven much of the attention focused on the Quon ruling. In fact, 4th Amendment scholar Orin Kerr even suspects it is the public employee legal standard dispute that may be driving the cert. grant, especially in light of the arguments and authors of the dissent.
Prior to the Supreme Court's action, most of the legal commentaries and even a majority of the web search results for the case were from employer-side law firms telling their clients that private sector employee monitoring was still OK. For example:
* NelsonMullins attorneys, in an article oxymoronically titled "Employer Monitoring Best Practices," informed their clients that there was no need to change "the surveillance approach used by U.S. employers."
* Greenberg Traurig reminded all employers that "electronic communications policies must be drafted and implemented to effectively eliminate any reasonable expectation of privacy," and that it was advisable to preemptively obtain employee consent to the disclosure of employee communications, even on 3rd-party services. However, Greenberg Traurig also pointed out the "limited direct applicability to private employers" of the case.
* Proskauer Rose explained that the "decision appears to change very little for private employers who wish to review employee communications stored on, or sent through, their own servers and computers" but also (regretfully?) concluded that federal law does "limit employers’ ability to request from third-party providers the contents of employees’ electronic communications."
* Foley & Lardner attorneys undercut the certainty of their recommendations, including that "text messages should be included in monitoring policies," by confusing cellphones and old-fashioned alphanumeric pagers in their discussion of the case.
Even much of the media coverage of the Supreme Court's decision to review the case focuses on the government employer-employee aspect, with both the LA Times and CNN devoting significant discussion to the fact that it was Quon's boss doing the reading and Quon was a police officer (salaciously) using department property.
Warning, a brief blogger-criticizes-some-mainstream-journalism rant: You'd think that a major news organization like CNN, able to employ someone with the presumably competent title of "CNN Supreme Court Producer," wouldn't get fundamental elements of this story wrong. The Court pointedly did not "accept[] a pair of appeals on this free-speech and privacy dispute" - it denied one and granted one. And "free speech dispute?" There's nothing remotely free speech about this case.
Employment law issues aside, this case is, at its core, a classic 4th Amendment case addressing when someone has a reasonable expectation of privacy in a communication. Quon's holding is notable for two things: (1) it finds a fairly expansive protection of 4th Amendment rights in electronic communications, and (2) it's one of a very small number of Circuit Court cases to do so. Rare cases like this can be privacy gold - they effectively stand until the Supreme Court reverses them. Further, because there are so few cases on the issue, a circuit split or other conflict is unlikely to occur, lessening the chance of Supreme Court reversal. This fact alone is reason for fans of an expansive 4th Amendment to be wary of any Supreme Court review.
Posted by Ethan Ackerman at 09:49 AM | Privacy/Security
December 14, 2009
Online Commenter Did Not Waive Right to Anonymity by Agreeing to News Website's Privacy Policy -- Sedersten v. Taylor
[Post by Venkat]
Sedersten v. Taylor, 2009 U.S. Dist. LEXIS 114525 (Case No. 09-3031-CV-S-GAF) (W.D. Mo. Dec. 9, 2009).
A Missouri district judge rejected a plaintiff's attempt to unmask an online commenter based in part on the argument that language in the website's privacy policy resulted in a waiver of anonymity.
Plaintiff allegedly suffered injuries at the hands of defendant Taylor. Plaintiff sued Taylor, the City of Springfield, and its chief (the claims against the city and the chief were based on theories of negligent hiring and retention). The Springfield News-Leader published an article about the incident in question and the prosecutor's decision to drop charges against Taylor. A commenter "bornandraisedhere" criticized the prosecutor's decision. Plaintiff issued a subpoena to the News-Leader requesting the identity of the commenter.
The court rejected plaintiff's motion to compel the production of information sufficient to identify "bornandraisedhere." The court found that the sought-after information was cumulative, and the identity of "bornandraisedhere" would add little to plaintiff's argument (that the city negligently hired Taylor).
Plaintiff argued that "bornandraisedhere" waived any right to anonymity by agreeing to the terms of the News-Leader's privacy policy, which provided that the News-Leader:
reserve[s] the right to use, and to disclose to third parties, all of the information collected from and about [users] while [users use] the Site in any way and for any purpose . . . .
I haven't seen the waiver argument come up in online anonymity cases. It came up in oral argument in the Brodie case but the court did not mention this argument in its opinion. (See coverage by Citizen Media here). Courts in other contexts (e.g., employer monitoring, government surveillance, attorney-client privilege) have looked to the operative terms or policies to determine whether there's an expectation of privacy. (See Jennifer Granick's discussion of Quon v. Arch Wireless here, Jeff Neuburger's discussion of Alamar Ranch, LLC v. County of Boise here (imputed knowledge of employer monitoring results in waiver of attorney-client privilege), and PogoWasRight's discussion of the Oregon case involving gmail/Fourth Amendment notice here.) Here, despite a policy which allowed for disclosure, the court found that there was no waiver. Among other reasons, the court relied on the fact that the provision governing disclosure was buried in a privacy policy which the commenter probably did not read in the first place. The online anonymity cases (which involve the First Amendment right to anonymity) present slightly different issues than the employer and government surveillance cases, but in any event, as Jennifer Granick notes in her post about Arch Wireless, "user consent to access for some purposes [should not destroy] the expectation of privacy for every purpose."
Kudos to the News-Leader for spending the resources to protect the privacy of "bornandraisedhere," notwithstanding the News-Leader's extremely open-ended privacy policy. (Websites typically retain the right to disclose personal information in response to subpoenas or law enforcement requests, but the News-Leader's policy allows it to disclose personal information "in any way and for any purpose.")
Related: The Supreme Court today accepted review of the Arch Wireless case, which involved a public employee's privacy rights in text messages. (See coverage by the LA Times here.) Also, the EFF is pursuing a claim for attorney's fees (under a California statute) against a company who is trying to out an anonymous commenter: "USA Technologies Attempts to Out Anonymous Online Critics, Runs Into New California Fee Statute."
Posted by Venkat at 02:46 PM | Privacy/Security
December 11, 2009
Court Rejects Computer Fraud & Abuse Act Claim Based on Unsolicited Text Messages--Czech v. Wall Street on Demand
[Post by Venkat]
Czech v. Wall Street on Demand, Inc., No. 09-180 (DWF/RLE) (Dec. 8, 2009).
A Minnesota district judge rejected claims brought under the Computer Fraud and Abuse Act based on the receipt of unsolicited text messages. There's not much to the facts, except that plaintiff received unwanted text messages from Wall Street on Demand, Inc. She did not have a prior business relationship with WSOD. She (vaguely) alleged that she incurred fees and charges related to her receipt of these messages. Based on her receipt of unwanted text messages, she filed a claim against WSOD alleging violations of the Computer Fraud and Abuse Act and state statutes.
The Court's Ruling: The court dismisses plaintiff's amended complaint in an order that helpfully provides a summary of the Computer Fraud and Abuse Act (and recent 2008 tweaks) as it's used in the civil context. Plaintiff brings three possible claims: (1) a claim for obtaining information from her phone; (2) a claim for transmitting information or code through her phone; and (3) a claim for "accessing" her phone.
Information Claim: The court rejects the information-based claim because there's no information that WSOD allegedly obtained through accessing the plaintiff's phone. Plaintiff analogizes to websites and argues that any time someone sends a message to a mobile phone, information is "obtained" in the same way that information is obtained any time someone accesses a website. The court rejects this analogy, finding that "there is a fundamental difference between viewing websites and communicating with wireless devices such as cell phones by sending text messages." Even if the transmission of an unwanted text message somehow resulted in the "obtaining of information," the court concludes that there's no loss as a result of defendant having obtained the information.
Transmission Claim: The transmission claim requires plaintiff to allege that WSOD caused the transmission of code or information and as a result "intentionally caused damage without authorization" to plaintiff's device. The complaint fails on both counts. There wasn't a credible allegation of damage (there was no allegation of impairment to the machine) or of WSOD's intent to cause the damage.
Access Claim: The court rejects the access claim since plaintiff does not adequately allege that the unauthorized access was intentional.
My Take: The Computer Fraud and Abuse Act is an often abused statute, and this seemed like another example of the statute being stretched to fit conduct or harm that it was not intended to cover. I was surprised that plaintiffs cited to the Lori Drew case [link], which many people view as a classic example of stretching the statute to its breaking point. In some ways this case is reminiscent of ISPs using the Computer Fraud and Abuse Act to attack spam. Some courts were open to this; other courts expressed reservations about the applicability of the Computer Fraud and Abuse Act to spam. See, e.g., America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000) ("A disturbing issue is whether subsection (a)(5)(c) is intended to address UBE at all.").
The case is also somewhat reminiscent of Abrams v. Facebook, a lawsuit based on the fact that Facebook sent SMS messages to cellphone numbers provided by its users and would keep sending those messages even if the cellphone number changed owners. In a lengthy article, Prof. Goldman discussed the weaknesses of using phone numbers as identity authenticators.
Advice to plaintiffs. If the court dismisses your complaint, come back with additional facts. Do not merely add what the court here calls "background discussion" about the issue you are complaining about. In five or six separate instances, the court mentions the fact that the amended complaint is just a bulkier, more "dressed up version" of the old complaint . . . with no new facts. At a broader level, the court's understandable skepticism towards the damage claims in this case illustrates how difficult it is to bring claims based on unsolicited marketing communications (whether received via your phone or your computer).
Advice to defendants. Transmitting unsolicited text messages is not free of risk. The Telephone Consumer Protection Act is one possible avenue for plaintiffs, and courts are not always deferential to broadly (and poorly) worded opt-ins. (See Eric's post on Satterfield v. Simon & Schuster here.)
Posted by Venkat at 12:27 PM | Marketing, Privacy/Security, Spam
December 03, 2009
Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds -- Amburgy v. Express Scripts, Inc.
[Post by Venkat]
A federal court in Missouri recently rejected a class action brought by consumer plaintiffs on standing grounds. Given the long line of consumer plaintiffs who have suffered a similar fate I thought this case was somewhat unexceptional, but I think it's worth mentioning for a couple of reasons. (Amburgy v. Express Scripts, Inc., Case No. 4:09-CV705 FRB; Nov. 23, 2009 (E.D. Mo.). Access a copy of the order at scribd here.)
Consumer plaintiffs who have tried to bring claims arising out of data breaches have all pretty much failed, unless they are able to show that someone actually misused their data (for example, by withdrawing money from their account). A good recent example of this is the Citizens Financial case mentioned here and here, where the court allowed plaintiffs to sue a bank which tried to hold the plaintiff liable for funds that were hacked from plaintiff's bank account. Where the plaintiff or class of plaintiffs have not had their data actually misused by the person who stole it, courts have uniformly rejected class actions trying to seek redress. Typically the company who suffered the loss of data will offer monitoring services effectively mooting the issue of whether this is something plaintiffs should be able to sue for.
Express Scripts provides "pharmacy benefit management services." It suffered a data breach coupled with an extortion attempt by someone who threatened to disclose customer information. (WSJ Health Blog [link] covered the story in 2008.) Although Express Scripts notified the FBI, a quick Google search didn't unearth any news reports of the bad actors having been caught. The Express Scripts webpage [link] which provides notice of the incident states that in August 2009 the perpetrator sent a similar letter threatening to expose consumer information. Plaintiffs sued alleging negligence, breach of contract, and state law statutory claims.
The court granted the motion to dismiss brought by Express Scripts on Article III standing grounds. Language used by the court expressed some hostility to the underlying claims - in describing the hypothetical nature of the injury, the court states:
[f]or plaintiff to suffer the injury and harm he alleges here, many "if's" would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured "if" his personal information was compromised, and "if" such information was obtained by an unauthorized third party, and "if" his identity was stolen as a result, and "if" the use of his stolen identity caused the harm. These multiple "if's" squarely place plaintiff's claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court's standing doctrine would be meaningless.
[quotations in original]
The result is pretty typical, but two things struck me about this case. I didn't realize this at first, but the records at issue included prescription information. Medical information is subject to a higher degree of privacy and subject to specialized rules. Either the plaintiff didn't allege violations of these specific rules or the rules weren't implicated. Either way, the court only made a passing reference to the fact that the data included prescription information. Second, the bad actor is still at large. There are cases where an information breach occurs as part of another incident (such as a theft of a laptop). It's less clear in those cases whether someone just stole a laptop or whether they were focused on obtaining information. Here, there's no dispute that a bad actor has the customer information. Express Scripts received not one but two extortion letters which contained specific information demonstrating that the third party had access to Express Scripts information. And the person who sent the letters has not yet been caught. (On the other hand, the fact that they were seeking to extort Express Scripts tends to point in the direction that they didn't necessarily use the information. The bad actors lose leverage by using the information, and using the information increases the likelihood of being caught.)
I wonder if anyone has compiled data on what actually happens to these data breach class action plaintiffs - i.e., how many of them suffer damages as a result of identity theft, etc. I would think this type of data would be useful.
[Added: see additional coverage of this case from Proskauer's Privacy Law Blog here.]
Posted by Venkat at 06:51 AM | Privacy/Security
November 20, 2009
A Look at Twitter's Updated Privacy Policy (November 19, 2009)
[Post by Venkat]
As noted on Twitter's blog, Twitter refreshed its privacy policy yesterday. Given that virtually everything Twitter does is placed under the microscope, I'm sure the policy will be pored over in detail. (Here's a link to the updated policy and a link to the old policy.)
General thoughts on the policy: The policy is short, easy to understand, and in plain English. The thrust of the policy is that most users typically use Twitter to publicly disseminate information, and users should expect any of this information to be broadly disseminated. This includes dissemination by Twitter, third party applications, search engines, etc. To the extent you want to restrict use of this information, Twitter gives you the tools to do so in your profile settings.
Much of what's in the policy is very typical of what you would find in the privacy policy of any other website or social network. However, a few things are worth mentioning:
1. Geolocation: The policy provides that you can turn geolocation on and off, and if you have it turned on, your location information is obviously broadcast and also used by Twitter. Geolocation is opt-in and this makes sense.
2. Cookies: The policy also mentions that Twitter places cookies on your computer. Virtually all privacy policies contain this, since most websites use cookies. But for some reason this part of the privacy policy jumped out at me. I guess it's a reminder of the tremendous advertising power that Twitter could wield. Everyone who uses Twitter expresses their preferences through Twitter, by clicking on links, using applications, and just through general usage. Most people probably do more, such as expressing their food, drink, entertainment, political, and other preferences. (Some more than others.) By being able to identify the computer of someone who expresses those preferences, Twitter can build a valuable network that would be useful to advertisers. I'm not only talking about advertising on Twitter.com (the web client), but also advertising on other websites or networks as well. This is pretty common in the industry, and subject to attack by privacy advocates, some of whom are pushing for an opt-in system for this type of tracking. Thus far Twitter has been free of advertising, but this is likely to change, as indicated by Twitter's own statements. (See Scoble's link below.)
3. Metadata: Interestingly, the policy also treats tweet metadata as public information ("information you are asking us to make public"). This seems to create some grey area between information which you broadcast and is truly public, and information which is available to Twitter (but not to your followers) from your use of Twitter. Robert Scoble has a post with comments from Twitter's COO signaling Twitter's turn to advertising and possible use of metadata in this context. I didn't pick up on this at first, but I think this is significant.
4. Subpoenas: The part of the policy that talks about disclosing information in response to a subpoena provides plenty of wiggle room to either require law enforcement (or a civil litigant) to obtain a subpoena or for Twitter to respond to a "legal request" (presumably, this could be a letter from law enforcement). It's probably unreasonable to expect these types of companies to always take a stand and require a subpoena or fight for the privacy rights of users when a third party tries to unmask a commenter or user, but it would be nice from the user perspective to have some clarity. I'm guessing in practice Twitter provides notice when a third party seeks information from or about a user's account, but this doesn't seem to be required under the policy. (The social media dynamic is probably a strong check here.)
What Changed?: Other than the points mentioned above, I didn't notice any other significant changes to the policy (the cookie stuff was leftover from the old policy). The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version. The provision that any transfer of information in connection with a sale of the business would be subject to the provisions of Twitter's privacy policy remains, although Twitter removed the notice provision.
It's worth mentioning that neither the old policy nor the new one clearly speaks to whether Twitter or any third party can build a "profile" using information which you make publicly available. Twitter can crunch the data contained in someone's Twitter stream and obtain a wealth of information regarding a particular person, ranging from their sleeping patterns to their dietary habits and their political preferences. Of course, people make this information publicly available anyway, so they have no real argument as to why a third party should be prevented from using this information, but realistically, it would be tough to construct such a profile without access to Twitter's data and tools. Do users expect Twitter to use user information in this manner? Probably not at this juncture, but as a general matter there's nothing from a legal standpoint that would prevent this, and the privacy policy does not preclude it. These types of applications are not that far-fetched, given reports of tools to analyze someone's social network and assess their credit worthiness ("Rapleaf") or psychological profile ("TweetPsych"). Recently a story made the rounds about an insurer who denied an insurance claim based on the insured's photos posted on Facebook ("Depressed Woman Loses Benefits Over Facebook Photos"). (A host of specialized rules could come into play in this instance - ranging from rules governing financial privacy and fair credit to rules governing the employment relationship - so a privacy policy wouldn't necessarily provide a definitive answer to the question anyway.)
How Does it Compare to Facebook's Recently Revised Policy?: As far as volume, in comparison to Twitter's policy, Facebook's policy [link] reads like a (painful-to-read) epic saga. This is partially due to the fact that information sharing and interaction on Facebook is more complex, but Facebook's policy is simply impossible to read and digest in one sitting. The two policies are somewhat similar in their approach, although Facebook differs in that users don't make their Facebook data "public" in the same sense that Twitter users do. Of course, Facebook has a bit of a history of advertising initiatives and pitfalls that probably prompted the additional complexity. Facebook's policy has some interesting tweaks such as a "memoriam" for Facebook users where friends and relatives can post items about a deceased person. Also, Facebook has a deletion policy, which I didn't see in Twitter's privacy policy. (Deletion policies will become increasingly important as people try to obtain information (deleted by the user) from social networking sites in the context of litigation.)
***
The Trademark Guidelines: It's worth mentioning that Twitter also refreshed its trademark guidelines. They are pretty standard fare, but contain some rules that people pretty clearly are not following right now, for example: (1) use only the current Twitter logo to link to and promote your Twitter account ("40 cute free Twitter badges"); (2) don't use Twitter's logo on the cover of your book ("The Twitter Book"); (3) don't use screenshots of third party profiles or tweets without the third party's permission; (4) don't use Twitter marks on apparel or merchandise without Twitter's permission ("Sock Guy Socks"). The trademark guidelines also address some of the sore spots in the area of third party use of Twitter's trademarks (or terms which Twitter is trying to obtain trademark protection for): (1) "don't use Twitter in the name of your website or application;" (2) "don't register a domain name containing 'twitter';" and (3) "don't apply for a trademark with a name including Twitter or Tweet (or similar variations thereof)." Both Twitter and third party developers are trying to obtain trademark protection for the term "tweet," (see for example "CoTweet") and it's unclear as to how the battle between Twitter and these third party developers will play out. It's difficult to tell at this juncture whether Twitter's new trademark guidelines signal a true change in policy or whether it's business as usual. (See posts by Tom O'Toole here and Mike Masnick here for some discussion of Twitter's "laissez faire" attitude with respect to third party use of Twitter trademarks.)
[Edited: to add the point about disclosure in response to subpoenas or law enforcement requests. I should probably also note that I've been using Twitter for the past 15 months or so. I was going to say that I'm a "casual user," but at 5000+ updates, that's a tough claim to make!]
Posted by Venkat at 12:15 PM | Privacy/Security, Trademark
November 15, 2009
Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft
[Posted by Venkat]
In what probably belongs in the "software doesn't surreptitiously record conversations, people do" file, a federal court in Tennessee rejected Electronic Communications Privacy Act and product liability claims brought by someone whose ex-spouse used software to log internet activity and communications. (Access a copy of the order here [scribd].)
The case presented a now-familiar fact pattern of the use of monitoring (in this case keylogger) software by a spouse to keep track of the online activities of the soon-to-be ex-spouse. The plaintiff (Thomas Hayes) sued SpectorSoft, which produced two pieces of software used by his ex-spouse and someone else to monitor his instant message, email, and browsing activities. Hayes alleged violations of the Electronic Communications Privacy Act and also asserted negligence and product liability claims. The court granted SpectorSoft's motion for summary judgment and dismissed the case.
With respect to the ECPA claims the court concluded that Hayes needed to prove that SpectorSoft intended for the communications to be wrongly intercepted, and that Hayes's evidence that SpectorSoft marketed the software to spouses who were conducting surveillance was insufficient to show this intent. According to the court, the type of intent required by the ECPA was that the defendant must have the "conscious objective" to cause the result (i.e., the unlawful surveillance and disclosure). The court cites to In re Pharmatrak where the First Circuit found that a web-monitoring company's gathering and inadvertent disclosure of information about web users did not violate the ECPA due to lack of intent. The court also relied on the fact that the person who installed the SpectorSoft software clicked through a terms of use agreement which contained a representation that the software would only be installed on computers which the user owned, or computers on which the user was authorized to install the software. (SpectorSoft is a classic passive conduit and presented ample evidence that it did not know of the underlying violations.)
Plaintiff also made a creative argument that the SpectorSoft software was "unreasonably dangerous." The court expressed doubt as to whether software qualified as a product at all, and in any event concluded that plaintiff failed to demonstrate that the software was unreasonably dangerous by putting forth evidence that SpectorSoft could have taken alternative measures that would have prevented the inadvertent disclosure.
The court's decision is not surprising, given that (1) SpectorSoft did not conduct the eavesdropping but only provided the tools to facilitate it and (2) the software could be used to conduct multiple lawful activities (monitoring children, employees, archiving messages). The decision was also not surprising given that the installation and use of the software could have been avoided if the user had taken adequate security precautions. (Sidenote: I wonder if it's farfetched to argue that one spouse has the right to access the email and other accounts of another spouse based on some community property-like theory?)
I guess at the extreme end of the spectrum a court may be willing to hold a software company liable for developing software where the only possible use is to conduct unlawful surveillance, but this fact pattern wasn't even close. Holding the software company in that instance would also raise potential First Amendment/crime-facilitating speech issues (?).
Related: In late 2008, a federal court halted sales of keylogger/do it yourself spyware software. (See coverage at Wired and JOLT Digest.) Also, this type of a claim has a higher likelihood of success when brought against the ex-spouse, rather than the software company, as noted by Tom O'Toole here.
Posted by Venkat at 08:13 PM | Privacy/Security
November 11, 2009
Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit -- Krottner v. Starbucks
[Post by Venkat]
A lost laptop computer containing the personal information of Starbucks employees prompted a class action lawsuit against Starbucks (in Washington). The lawsuit received some coverage (see, for example, Bob McMillan here, and Starbucks Gossip here), but the trial court's dismissal of the lawsuit received almost no coverage. (I mentioned the lawsuit, but failed to note the court's dismissal of it. Here is the one mention I came across of the dismissal.) Plaintiffs appealed the dismissal to the Ninth Circuit, and their just-filed appeal brief is worth a look. Access a copy of the brief at scribd here.
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through the Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contains a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
Posted by Venkat at 03:51 PM | Privacy/Security
November 03, 2009
Court Sanctions Lawyer for Including Social Security Number and Date of Birth Information in Filing -- Engeseth v. Isanti County
[Post by Venkat]
I've blogged about parties who complain when opposing counsel wrongly includes personal information (usually social security numbers) in court filings. Attempts to assert counterclaims based on this type of conduct typically fail. For one example, see In re Killian, discussed here. (You can see a list of other cases rejecting these types of claims noted here.)
However, a judge in Minnesota recently sanctioned a lawyer for including the "full social security numbers and dates of birth for 179 individuals" in a court filing. (Engeseth v. Isanti County, Case No. 06-CV-2410 MJD/RLE (D. Minn.; Oct. 20, 2009).) After issuing a show cause order on its own motion (as best as I can tell, none of the parties complained), the court concluded that counsel's inclusion of the social security numbers and date of birth information in a filing violated Federal Rule of Civil Procedure 5.2(a), and demonstrated poor judgment. That rule requires truncation of certain personal information (e.g., social security number, taxpayer identification number) in court filings unless otherwise ordered by the court. (Here is a link to the rule: "Privacy Protection for Filings Made with the Court".)
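As an added illustration (not from the post or from the court's order), here is the kind of pre-filing check a firm could run over an affidavit before docketing it: it finds full social security numbers and dates of birth and truncates them to the forms Rule 5.2(a) permits (the last four digits of the SSN, the year of birth only). The sample affidavit text, the `redact_filing` function and the cue-word heuristic for telling a date of birth apart from other dates are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Hyphenated SSN/TIN: 123-45-6789. Unhyphenated nine-digit runs are deliberately
# not matched so that case numbers and dollar figures are left alone.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# A numeric date is treated as a date of birth only when a DOB cue precedes it
# (constructed heuristic); settlement and filing dates therefore survive untouched.
DOB_RE = re.compile(
    r"(?P<cue>(?:\bDOB\b|\bdate of birth\b|\bborn(?: on)?\b)[:\s]*)"
    r"(?P<month>0?[1-9]|1[0-2])/(?P<day>0?[1-9]|[12]\d|3[01])/(?P<year>(?:19|20)\d{2})\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str          # "ssn" or "dob"
    line: int          # 1-based line number in the filing
    original: str      # text as it appeared
    replacement: str   # text as it will be filed


def truncate_ssn(m: re.Match) -> str:
    """Rule 5.2(a)(1): keep only the last four digits."""
    return f"XXX-XX-{m.group(3)}"


def truncate_dob(m: re.Match) -> str:
    """Rule 5.2(a)(2): keep only the year of birth, preserving the cue text."""
    return f"{m.group('cue')}XX/XX/{m.group('year')}"


def redact_filing(text: str) -> tuple[str, list[Finding]]:
    """Return the truncated filing text and a review log of every change made."""
    findings: list[Finding] = []
    out_lines: list[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):

        def ssn_sub(m: re.Match) -> str:
            rep = truncate_ssn(m)
            findings.append(Finding("ssn", lineno, m.group(0), rep))
            return rep

        def dob_sub(m: re.Match) -> str:
            rep = truncate_dob(m)
            findings.append(Finding("dob", lineno, m.group(0), rep))
            return rep

        line = SSN_RE.sub(ssn_sub, line)
        line = DOB_RE.sub(dob_sub, line)
        out_lines.append(line)
    return "\n".join(out_lines), findings


# Constructed sample: a settlement-disbursement affidavit with two clients' details
# and one unrelated date that must not be redacted.
SAMPLE_AFFIDAVIT = """Disbursement to John Q. Public, SSN 123-45-6789, DOB 03/14/1975: $1,250.00.
Disbursement to Jane R. Public, SSN 987-65-4321, date of birth 11/02/1968: $980.00.
Settlement check issued 10/20/2009 to counsel."""


if __name__ == "__main__":
    redacted, log = redact_filing(SAMPLE_AFFIDAVIT)
    print(redacted)
    for f in log:
        print(f"line {f.line}: {f.kind} {f.original!r} -> {f.replacement!r}")
```

The review log is the point of the exercise: a human still signs the affidavit, so the check should show exactly what it changed rather than silently rewriting the document. Whether to also match unhyphenated nine-digit numbers, or dates written out in words, is a tuning decision for the firm's own filings.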
The sanctions imposed by the court included: (1) notice to all injured parties, along with "individualized credit reports and credit monitoring," and (2) payment of $5,000 to the Second Harvest Heartland food bank.
Without minimizing the seriousness of the privacy interests at issue, it seems rough for the court to impose these types of sanctions on its own motion. The credit monitoring makes sense, but I'm not sure what's up with the donation to the food bank. Particularly rough from the lawyer's perspective, given that this appears to be a pro bono case where the lawyer achieved a good result for the clients. The filing containing the social security numbers was an accounting affidavit filed by the lawyer detailing the disbursements of settlement proceeds to his clients. I'm not suggesting that you don't have to follow the rules in pro bono cases. You obviously do, but the sanction must have stung, coming at the end of a successfully prosecuted pro bono case.
My own anecdotal observation is that courts are very reluctant to sanction lawyers these days, and I've seen courts reject sanctions for a lot worse. Nevertheless, the court's order illustrates the importance of adhering to court orders and rules that govern the inclusion of private information in court filings. As to whether this means that parties can assert claims based on the wrongful inclusion of personal information in filings, the answer is, no, they probably cannot. In any event, I would think the relief awarded by the court would be limited to notice and credit-monitoring, as is typically the case in consumer data breach cases. In other words, it's difficult to gain leverage in a case based on the opposing party's wrongful inclusion of personal information in a court filing.
Added: additional coverage at the Minnesota Lawyer Blog here (which first noted the order) and The Register here. The Minnesota Lawyer Blog also provides access to the order itself: [pdf].
(h/t Cathy Gellis)
Posted by Venkat at 01:04 PM | Privacy/Security
November 02, 2009
October 2009 Quick Links
By Eric Goldman
Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.
* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.
* The AutoAdmit case is over. Above the Law and the Yale newspaper.
* Google doesn't want to hear your complaints about your reputation management.
* Moneygram settles with the FTC (to the tune of $18M) that its money wiring service was used to perpetrate fraud.
* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.
* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.
* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!
* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.
* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.
* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.
* Venkat has his own version of Quick Links on his site.
Posted by Eric at 05:08 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack
October 29, 2009
Court: Prosecutors Can't Rummage Around in a Defendant's Gmail Account -- U.S. v. Cioffi
[Post by Venkat]
The government is prosecuting a couple of Bear Stearns hedge fund managers for securities fraud and related offenses. I came across a story that prosecutors obtained evidence from the gmail account of one of the defendants which prosecutors recently disclosed. ("E-Mails Seen as a Flash Point in Bear Stearns Fund Managers' Fraud Trial") In some ways I think this illustrates one of the pitfalls of using a service such as gmail. Gmail stores your data forever - or at least doesn't give you a ton of control over when it is deleted - so it's much easier for prosecutors to obtain this evidence. If you stored the data on your own servers, you may be able to get by with deleting the data pursuant to a regular document retention/destruction policy. And more importantly, there's a much higher likelihood of you knowing when the data has been or is about to be seized. (It's more difficult to obtain email from a service provider in a civil case.)
Interestingly, the defendant whose email was disclosed by the government as evidence in the Bear Stearns case prevailed in a motion to suppress the gmail evidence. (US v. Cioffi, et al., Case No. 08-CR-415 (FB) (E.D.N.Y.; Oct. 26, 2009).) (Access a copy of the ruling at Scribd [pdf] here; see the WSJ story here ("In Setback for Bear Stearns Case, Judge Suppresses Email").)
Facts: The government initially obtained an email sent through non-company email accounts between Cioffi and Tannin (the two defendants) talking about how the "subprime market looks pretty ugly . . . ." The government used this email to support its allegations that Tannin used his personal (gmail) account to commit or further the crimes. The government's affidavit argued it needed to search the gmail account, but offered certain limitations on the access - for example, the search would be limited to emails created on or before the day prior to the defendant's retention of counsel, in order to avoid interception of privileged communications. The affidavit also noted that "the nature of electronically stored data" required the authorities (rather than Google) to search through the email account.
The magistrate judge issued the warrant, but did not attach the affidavit to the warrant. The government went to Google, which initially wrote to the government that "it was no longer able to extract the information requested in [the warrant] because Tannin's account had been deleted." Several months later, "on the eve of trial," Google advised that it had located a copy of the account and delivered a copy of its contents to the government. (??)
The Court's Ruling: The critical issue in front of the court was whether the warrant was sufficiently particular as to minimize unnecessary invasions into the suspect's privacy. The court noted at the outset that Tannin had "a reasonable expectation of privacy in the contents of his personal email account." The government did not dispute this point. (This doesn't seem to be a settled issue, as noted in the case mentioned below.) Turning to particularity, the court notes that searches of documents, data, computers, and email accounts raise tricky issues as to what level of particularity is required. A couple of different approaches have been used to avoid a general search by the government: (1) providing keywords or other search parameters in advance; or (2) having a third party conduct the search and segregate responsive information from non-responsive information.
The court noted that an overly broad warrant may be cured by incorporation of an affidavit that would constrain the agents' search, but Second Circuit cases have been less receptive lately to this approach. (In the context of a digital search, it would seem that this wouldn't work as well as it would with respect to physical objects. Exposure to data that doesn't fall within the search warrant would compromise the suspect's privacy and would undermine the whole point of particularity in this context.) Regardless of whether the affidavit could have cured the warrant's particularity problem, the affidavit was not actually attached to the warrant, so this argument was not in play.
The court ultimately concludes that the warrant did not comply with the Fourth Amendment. The government sought to invoke exceptions in order to have the evidence admitted notwithstanding these issues, but the court rejected both of these attempts. With respect to the good faith exception, the court was emphatic:
[t]his case . . . is not about search terms or firewalls. It is, rather, about the fundamental and venerable prohibition on general warrants. Since 'it is obvious that a general warrant authorizing the seizure of evidence without mentioning a particular crime or criminal activity to which the evidence must relate is void under the Fourth Amendment . . . no reasonably well trained officer could believe otherwise.'
As to inevitable discovery - the second exception - the court's ruling is also interesting. The court seemed to say that the government could only satisfy particularity after having seen the emails procured by the overbroad warrant: "the government's timing still presents a problem: [h]aving seen the November 23rd email, the government is now in a position to obtain a warrant with perfect particularity. There is, in other words, no way to purge the taint of its unconstitutionally overbroad search."
***
I can't tell if the government just dropped the ball here or whether there's something more to it. One view is that if the government had a narrow warrant application and the magistrate judge issued a narrow warrant, the government could have probably obtained the information they ultimately sought? On the other hand, the court is rightly skeptical that the government could have obtained the emails at issue by providing a set of keywords to Google. After all, wasn't this the argument the government used to justify the fact that the search needed to be conducted by the government, rather than by Google or by a third party? The court's rejection of the government's inevitable discovery argument seems significant. My practice does not stray into the realm of criminal cases so take that with a grain of salt. I'm curious to see what people like Orin Kerr and Scott Greenfield have to say. (Congrats to Professor Kerr, whose "Searches and Seizures in a Digital World" article is cited by the court. He has also posted extensively on a recent Ninth Circuit decision that bears on these issues: United States v. Comprehensive Drug Testing, Inc., 579 F.3d 989 (9th Cir. 2009).)
Interestingly, Professor Kerr notes a recent decision from federal court in Oregon where the court held that email was not covered by the Fourth Amendment. [Clarification: see this post for a clarification.] Pointing to the Google terms of service, the court held that most users expect their emails to be shared with Google employees and other third parties, and the account-holder was thus not entitled to notice before the government obtained a warrant to search someone's gmail account. I think (but I'm not sure) the account-holder still has the ability to challenge the search after-the-fact, as did the defendant in Tannin. Either way, the ruling seems noteworthy, and raises issues around process where the government subpoenas your email records from the service provider. When do you as the account-holder receive notice of a government search? Does Google have a consistent policy on this?
I'm still sticking with my instinct that using a third party service such as gmail raises the risk that your emails end up in the hands of prosecutors. I'm also curious about Google's policies for dealing with these sorts of issues.
Added: You can check out Professor Kerr's post on this ruling here. His conclusion: "the basic Fourth Amendment holding was likely right," but the court should have applied the good faith exception. He also posts a clarification to his earlier post about the Oregon decision, which I linked to above: court's conclusion only speaks to notice to subscribers, which the court concludes is not required under the Fourth Amendment.
Posted by Venkat at 09:14 AM | Privacy/Security , Search Engines
October 23, 2009
Judge Rejects Attempts by Texas Plaintiffs to Intervene in Beacon Class Action--Harris v. Facebook
[Post by Venkat]
I mentioned last week that a group of plaintiffs sought to intervene in the class action filed against Facebook in the Northern District of California. The Texas plaintiffs who sought to intervene were part of a class action filed against Blockbuster (Harris v. Blockbuster - this lawsuit was filed before the Northern District of California class action). The Texas plaintiffs argued that the two lawsuits were "related," and that the parties to the California lawsuit should have filed a "notice of related action," so the California court could have evaluated whether the lawsuits should be consolidated.
In orders issued today, Magistrate Judge Seeborg denied the request to intervene brought by the Texas plaintiffs and conditionally approved the class certification and settlement ironed out by the parties to the Northern District of California lawsuit. Judge Seeborg noted that although the lawsuits were "related," the Texas plaintiffs were aware of the California class action in September 2008. Thus, their request to intervene was untimely.
Quick thoughts on the ruling:
1. The court notes that to the extent the Texas plaintiffs have substantive objections to the settlement, these objections can be raised at a later date.
2. With the caveat that I'm not familiar with the nuances of class action procedure, I would guess it will become tougher to object to a settlement further down the road. As a practical matter, conditional approval will set in motion the process of notifying potential class members and providing them the opportunity to opt-out. A low number of opt-outs may be viewed as an indication that there's not really enough of a separate class that objects to the terms of the settlement conditionally approved by Magistrate Judge Seeborg to warrant a second class action. (On a related note, I wonder if the Texas plaintiffs will mount some sort of campaign to try to demonstrate that a substantial number of potential plaintiffs object and the settlement should not be given final approval. I'm guessing they won't set up a Facebook group as part of this campaign, but you never know!)
3. It's sort of awkward for a group of putative plaintiffs who filed their lawsuit first to have their claims extinguished by a later filed class action. Blockbuster was named in the second filed action (in California), and if the settlement in the California lawsuit is approved, my instinct is that this may effectively kill the class claims asserted in the Texas lawsuit against Blockbuster. (There was some activity in the Texas lawsuit about whether the claims are subject to arbitration. The court in Texas found that Blockbuster's terms of service were "illusory," and rejected Blockbuster's request to arbitrate. Blockbuster has appealed this ruling.)
4. The terms of the settlement in the California lawsuit do not provide for payment of compensation to non-named class members. (See the notice approved by the court here: [pdf].) On the other hand, the Texas lawsuit alleged violations of the Video Privacy Protection Act, which provides for statutory damages.
5. The notice of settlement will be published through newspapers, and of course, "through Facebook updates."
It will be interesting to see how this plays out.
Posted by Venkat at 04:50 PM | Privacy/Security
October 18, 2009
Q3 2009 Quick Links, Part 4
By Eric Goldman
Spam
* Ars Technica: "a disturbing number of e-mail users respond to spam, and not just because they're dumb—some of them did so because they were actually interested in the product or service." I collected some empirical research establishing this point in 2004.
* SpamFighter: Software Creator Admits to Aiding & Abetting Spam
Fraud
* Reuters: A virtual bank rips off depositors in EVE Online.
* Click fraud concerns at Facebook: TechCrunch; Unified ECM v. Facebook complaint (one of at least three pending).
* There can be legitimate circumstances where it makes sense for a vendor to automatically pass a user's credit card number to another vendor, but the practice seems ripe for regulation.
Contracts
* BNA: End of the Notice Paradigm?: FTC's Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements (BNA Subscription required)
* In August, the NYT interviewed David Vladeck, who suggests that the FTC v. Sears settlement could signal a changing of the guard at the FTC.
* Jonathan Ezor on common drafting mistakes in privacy policies.
* Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (E.D.N.Y. Sept. 4, 2009). Browsewrap terms aren’t enforceable “because the website did not prompt her to review the Terms and Conditions and because the link to the Terms and Conditions was not prominently displayed so as to provide reasonable notice of the Terms and conditions.”
* Timothy D. Cedrone, Morals? Who Cares About Morals? An Examination of Morals Clauses in Talent Contracts and What Talent Needs to Know, Seton Hall Journal of Sports & Entertainment Law. I have given my first year contracts students an exercise involving morals clauses that I think worked pretty well (see the links on this page under the "endorsement contract" bullet).
Miscellaneous
* The USPTO has not renewed the peer-to-patent program.
* ABA Journal: E-Discovery is $4B/yr industry but is experiencing consolidation.
* Paul Ohm's paper on re-identification of putatively anonymous databases. This may be one of the more important privacy law papers in some time, as it indicates that we cannot meaningfully distinguish between personally identifiable and non-personally identifiable information.
Posted by Eric at 02:43 PM | E-Commerce , Licensing/Contracts , Patents , Privacy/Security , Spam , Virtual Worlds | TrackBack
October 16, 2009
Texas Class Action Aims to Derail Facebook Beacon Settlement--Harris v. Facebook
[Post by Venkat]
In late September, Facebook announced the settlement of a class action challenging its ill-fated "Beacon" program. Facebook set aside $9.5 million to settle the class claims and agreed to set up a privacy foundation. Facebook also agreed to not oppose a request for fees up to $3 million. A group of plaintiffs who filed a separate class action against Blockbuster are trying to object to this settlement.
The California Class Action (Lane v. Facebook): Facebook launched Beacon in late 2007. Consumers were not particularly happy, and in 2008, one set of plaintiffs filed a class action in the Northern District of California. (Lane v. Facebook, Inc.; Justia Page.) After "thorough, extensive, ongoing negotiations," which started in December 2008, a settlement was finally reached in this lawsuit. (Some details are recounted in the motion to approve settlement: [pdf].)
The Texas Class Action (Harris v. Blockbuster): Meanwhile, a separate set of plaintiffs sued Blockbuster in April 2008 in the Eastern District of Texas, also alleging injuries based on beacon. This lawsuit was filed before the class action in the Northern District of California, and Facebook was not named. Blockbuster argued that the claims were subject to arbitration. In April 2009, Judge Lynn of the Northern District (where the lawsuit was transferred) issued a ruling [pdf] rejecting Blockbuster's motion to compel arbitration. Judge Lynn found that Blockbuster's terms of service were "illusory," because the terms could be unilaterally changed by Blockbuster. See Eric's post on that ruling. (This ruling raised some eyebrows. See, e.g., BNA's TechLaw here, and an earlier post from me here.)
The Harris Plaintiffs File Against Facebook in Texas: Apparently the two sets of plaintiffs were not keeping each other apprised of what was going on. The Harris (Blockbuster) plaintiffs recently filed a class action in the Northern District of Texas against Facebook alleging violations of the Video Privacy Protection Act based on Facebook's implementation of beacon. (Here's a link to the complaint: [pdf].) The Harris plaintiffs are not too happy about the fact that apparently "[d]espite the requirements of the Local Rules of the Northern District of California, neither Blockbuster nor Facebook informed the District Court in the California Litigation of the pendency of the Texas Litigation." The Harris plaintiffs allege that Facebook agreed to indemnify Blockbuster of all wrongdoing, including those acts underlying the Harris action, and this agreement was a violation of public policy. They also argue that Facebook "in furtherance of the civil conspiracy outlined [in the complaint], also sought to achieve for Blockbuster what Blockbuster could not achieve for itself - resolution of any [Video Privacy Protection Act] liability through a non-arbitral forum."
Predictably, the Harris plaintiffs also filed a motion in the Northern District of California seeking leave to intervene and object to the Lane settlement: [pdf]. According to a minute entry, the court heard argument on this motion and will issue a written ruling. The motion to intervene contains one fact which is potentially damning if true. The Harris plaintiffs informed all parties to the Lane action (in April 2008) that the two cases were related and that the parties to the Lane action should bring this to the court's attention. The parties to the Northern District of California lawsuit apparently declined to do so. On the other hand, I did not come across anything indicating that the Harris plaintiffs informed the court in Texas about the existence of the Lane class action.
What to Make of All This? I don't have a sense of how viable these arguments are. The dispute smacks of some amount of jockeying between two sets of plaintiffs' lawyers around the fee award that will be paid out. (Not that there's anything wrong with this.) My instinct is that the two cases were related enough that it was worth being conservative and informing both judges as to what was going on in the other case. Blockbuster was named as a party in both cases, although the Northern District of California lawsuit was being defended primarily by Facebook. Also, the proposed settlement in the Northern District of California class action lets Blockbuster off the hook. Since there was a class action going in Texas while the Northern District of California settlement was being negotiated, it strikes me as odd that all of the parties were not folded into one big settlement (particularly since the Texas lawsuit was filed first).
In an earlier post at Circle ID looking at the terms of the Facebook settlement, I mentioned the Blockbuster case, and wondered what would happen if a chunk of plaintiffs opted out and pursued their claims separately. I guess we may have an opportunity to see what happens.
One thing is for sure. Someone could end up getting an earful from one or both of the judges.
Posted by Venkat at 02:17 PM | Privacy/Security
October 14, 2009
Q3 2009 Quick Links, Part 1
By Eric Goldman
My system of managing news items that don't warrant a full blog post but can't fit into a 140-character Twitter post has broken down. So, I'm belatedly catching up on my backlog of things that caught my attention in Q3 2009. This part focuses on online content issues:
Defamation
* Ava v. NYP Holdings, Inc., 2009 WL 1885099 (N.Y.A.D. July 2, 2009). A NY Post story quoting part of the plaintiff's MySpace page and characterizing it as a "fantasy" wasn't defamatory.
* Terrific post by Paul Levy on Ripoff Report, InfomercialScams.com, Video Professor and UGC sites that go bad.
* A tweet about a moldy apartment leads to a defamation lawsuit. MLRC and CMLP coverage.
* Cohen v. Google, Inc., 2009 WL 2883410 (N.Y. Sup. Ct. Aug. 17, 2009). Calling a woman a “skank,” in the context of a blog with photos and other critical material, was prima facie defamation sufficient to support a pre-action disclosure of the anonymous blogger’s identity.
* Cash4Gold sued Consumerist but then dropped it as a defendant.
* You may recall my earlier blog post on the Higher Balance lawsuit, a nice 230 defense win. Subsequently, the Higher Balance defendants were awarded over $50k in attorneys' fees.
* Crookes v. Newton, 2009 BCCA 392 (Sept. 15, 2009). A British Columbia appellate court says that linking to defamatory content isn’t defamation.
* Joe Mullin: "Troll Tracker" blogger defamation lawsuit settles
Cyberbullying
* Larry Magid on the definitions of cyberbullying
* US v. Voneida: 3d Circuit says student's MySpace postings were "true threats" that supported a 19-month sentence.
* Smoking Gun: Placing a bogus Craigslist ad is being prosecuted as felony cyberbullying.
* News.com: A Missouri prosecution under Missouri's new Megan Meier anti-cyberbullying law.
Blogs and Social Networking Sites
* A New Jersey court says a blogger isn't entitled to the reporter shield.
* Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (D.N.J. June 16, 2009). Jury verdict against a restaurant owner that forced employees to allow it to view their private MySpace group.
* HB1314: Illinois bans sex offenders from using social networking sites. Evan Brown explores the statute's constitutionality.
* Facebook Beacon is dead…and yet another privacy organization springs up in its wake. News.com, settlement agreement and motion for settlement.
* Public Citizen v. Louisiana Attorney Disciplinary Board, 2009 WL 2390866 (E.D. La. Aug. 3, 2009). A federal court struck down Louisiana’s state bar rules restricting lawyer advertising via the Internet.
Posted by Eric at 10:15 AM | Content Regulation , Derivative Liability , Privacy/Security
August 06, 2009
State of the Net West Recap
By Eric Goldman
Yesterday, the High Tech Law Institute and the Advisory Committee to the Congressional Internet Caucus co-sponsored the Third Annual State of the Net West event at Santa Clara University. The featured participants were 3 members of Congress (Boucher, Goodlatte and Lofgren) and the White House CTO Aneesh Chopra, supplemented by 8 distinguished discussants. In a jam-packed morning, we covered a lot of interesting and important ground on broadband, privacy, antitrust, immigration and open government. This blog post recaps some highlights from the discussion.
Boucher on Broadband
Rep. Boucher emphasized the importance of broadband availability to economic activity and expressed concern that the US wasn't keeping up with broadband deployment (he said, "we can do better"). He offered three policy proposals for ways the federal government could help:
* revise the Universal Service Fund to allow dollars to be spent on broadband deployment; and require USF fund recipients 5 years from now to be offering broadband or be cut off from USF
* federally preempt state laws prohibiting municipal broadband offerings (which about 25 states have)
* get the FCC to develop a broadband deployment plan
He expressed disappointment with the guidelines that NTIA and the Department of Agriculture have adopted to give away the $7.2B broadband fund that was part of the stimulus package. It appears he will be encouraging both entities to rethink their guidelines.
My colleague Al Hammond was the broadband discussant. Al made a number of good points, including noting that broadband deployment is both a rural and low-income issue (Boucher appeared to be focusing more on the former) and raising concerns about municipalities not playing fair and the FCC overcounting actual broadband availability.
Boucher on Privacy
Rep. Boucher also gave a preview of the privacy bill he is planning to introduce next month. He started off by saying he likes ad targeting, especially first party targeting (he said he buys items based on customized recommendations). So he wants to encourage "appropriate" ad targeting, not eliminate it. His bill is expected to contain the following elements:
* websites collecting data will be required to post a prominent privacy policy
* users can opt-out of first party targeted ads. This also includes data sharing necessary to enable first party ads
* websites that want to share data with unaffiliated third parties will need opt-in. However, behavioral ad networks can proceed on an opt-out basis if they allow users to see and edit their behavioral profile, except for sensitive information categories that would always be opt-in
* both the FTC and state AGs would have enforcement authority
To the extent that the mandatory privacy policy and opt-out options codify existing industry practices, this proposal generally seems benign but not worth the effort--the costs of the inevitably poor statutory drafting outweigh any benefit we might get from regulatory codification. Requiring opt-in would likely eliminate third party behavioral ad networks, which (as I've discussed before) is more likely to be a detriment than a win.
I was especially intrigued by the proposal that behavioral networks can flip from opt-in to opt-out by letting users access a user profile. I need to see more details about Boucher's thinking, but doesn't this superficially sound crazy? The most obvious problem is authentication of the user before seeing his or her profile. How would this be done? The networks usually don't know the identity of the specific individuals they are profiling, so they can't authenticate identity. And just tying profile access privileges to a cookie or machine sounds like a recipe for disaster for all shared computers. Plus, a web interface seems to increase the security risks that the bad guys can see profiles they shouldn't be able to see. On first blush, it sounds like this part of Boucher's proposal may need a complete rewrite, with unknown consequences for the entire structure of his proposal.
Mike Hintze of Microsoft was the privacy discussant. He espoused Microsoft's standard line that there should be a comprehensive privacy law.
In the Q&A, Boucher appeared willing to consider concurrent privacy enforcement authority by self-regulatory organizations, so long as they enforced the law's minimum requirements. But any self-regulatory effort wasn't a substitute for other aspects of his bill.
Lofgren on Antitrust
Rep. Lofgren said that if the Bush administration did too little on antitrust enforcement, the Judiciary Committee is now concerned that Obama and Varney will do too much. Lofgren is particularly focused on the chilling effects of the mere threat of antitrust scrutiny, not just the actual successful prosecution of cases in court. Thus, an "informal" DOJ expression of interest can deter innovative activity by high tech companies.
She also expressed skepticism that antitrust laws remain effective at protecting technology markets, which are marked by fast innovation and low barriers to entry. (I believe her exact words were "traditional antitrust measures of marketplace behavior might no longer work.") At a minimum, any technology-related antitrust enforcement actions should be focused on improving innovation rather than trying to manage current marketplace prices.
Finally, she said that copyright restrictions should be considered in antitrust inquiries. Mike Masnick has more to say on this.
Michael Katz of UC Berkeley was the most colorful respondent. He shared Lofgren's concern that antitrust law may be counterproductively squelching innovation, especially when companies try to capture antitrust enforcers to hassle competitors. He had especially harsh words for the FCC, calling it much less disciplined than the DOJ and observing how the FCC can blackmail companies using its leverage. He also complained that the FCC's review of mergers takes too long, and as an example of their lack of discipline, the FCC will impose merger conditions that have nothing to do with the merger.
Tim Bresnahan of Stanford and my colleague Cathy Sandoval were the other respondents.
At the end of her talk, Lofgren praised the Google Book Search settlement, saying that in some ways it lowers barriers to entry. She also said she was grateful that Google appears to have found a back-door way to liberate orphan works given that she wasn't able to pass an orphan works bill. I'm all in favor of orphan works reform, but a class action settlement seems like a weird way to get there.
Chopra on Open Government
Aneesh Chopra is the new White House CTO, a role that never existed before, which puts Chopra at Obama's elbow on all technology issues. This was Chopra's first Silicon Valley trip since he undertook his new role. His first talk was on Tuesday night at a Churchill Club event; we were his second. Lots of people were very interested in learning more about him. He was the big draw for the press, and we got an unprecedented number of walk-ins based in part (we think) on his talk. He was also mobbed before and after his talk--everyone seemed to want a piece of his attention (then again, I'd love to have a chance to kick some stuff around with him one-on-one myself!).
It's easy to see why Chopra sparks such curiosity. My impressions were that he was genuinely affable, smooth without being slick, substantive without being bookish, a big fan of crowdsourcing and an even bigger fan of assessment and measurement of outcomes.
He started off by discussing the importance of technology and how the US's rate of technological performance is lagging against other countries. He then identified three ways to "turn the ship around":
1. invest in innovation building blocks, such as a smart/secure infrastructure, more R&D and improved workforce expertise
2. healthcare reform, especially improvements to the information technology side of healthcare delivery
3. an improved education system, including distance learning and more emphasis on lifelong learning
He then discussed open government issues and gave examples of ways technology can facilitate participatory governance.
Goodlatte and Discussants on Immigration
Rep. Goodlatte laid out the Republicans' high tech agenda, which includes:
* skilled workforce, including immigration reform
* patent reform
* trade issues
* taxation, including efforts to define when activity in a state triggers tax obligations
* net neutrality (don't regulate but improve antitrust enforcement)
* privacy (opt-out except for sensitive information)
The panel then drilled down on immigration reform. I was really excited to have this panel because workforce issues are so central to Silicon Valley's "secret sauce" and yet I couldn't recall a time that the HTLI had sponsored a discussion about them. Obviously immigration issues are age-old and well-trodden, but I nevertheless found the discussion helpful--with the one caveat that everyone on the panel agreed with everyone else, so there was a lot of preaching to the choir. I learned an interesting factoid that both Reps. Goodlatte and Lofgren were formerly immigration attorneys, so they have some front-line domain expertise in this area.
First discussant was AnnaLee Saxenian of UC Berkeley. She talked about how skilled immigrants have fueled innovation in this country. She gave a number of stats in support of this, including that a majority of Silicon Valley engineers are foreign-born, and a high percentage of technology entrepreneurs and patent applicants are foreign-born individuals. She also noted that foreign-born skilled workers create net new jobs and also help build better ties to their home countries.
We benefit from the best and the brightest from around the world, who come to the US because of our higher education system and historically have chosen to stay. However, she is concerned about this retention because of bureaucratic barriers. She is also concerned that companies, frustrated by their lack of access to development talent, will offshore their R&D.
Finally, she pointed out that immigration discussions kludge together the issues of skilled and low-skilled workers, even though their issues are very different.
Keith Wolfe of Google reinforced many of AnnaLee's points from Google's specific experiences.
My colleague Deep Gulasekaram was the last discussant. He pointed out that free marketplaces may require free movement of labor, which isn't consistent with our current immigration policy. He raised concerns about state and local anti-immigration policies and the negative consequences of tying foreign workers to specific jobs (by linking their visa to the job).
Rep. Lofgren added a few remarks:
* Obama told her that it's time for comprehensive immigration reform. [This led to a polite back-and-forth between Lofgren, who favors comprehensive reform, and Goodlatte, who would settle for piecemeal immigration reform]
* Immigration reform is not a substitute for educating the US workforce
* We should give permanence to people we want to keep (i.e., not keep them on some treadmill with the possibility of a forced exit, which prevents their long-term life planning)
* We need to address the family of skilled immigrants, not just the immigrants themselves
More Coverage of the Event
* ABC 7 News
* KCBS radio
* Zusha Ellison of the Recorder
* Joyce Cutler of BNA (BNA subscription required)
* Mike Masnick
* Joel West
* Colette Vogele
* Warren's Washington Internet Daily also ran a story (not web-linkable) "Boucher Promises Online Privacy Bill Draft Soon"
* The extensive Twitter discussion at hashtag #sotnw. Twitterers included @ipolicy, @caminick, @persistance, @miss_eli, @techpolicygirl, @cathygellis, @mmasnick, @nextgenweb, @marianmerritt, @larrymagid, @christinela, @mblatkin, @seangarrettnow, @vogelelaw (who didn't always use the hashtag--we will try to publish a standardized hashtag at future events). Whew! Apologies if I missed anyone. I can't recall seeing more Twitterers in an audience--everyone seemed to have their Twitter page up constantly. As usual, I didn't turn on my computer at the conference (I take notes by hand and blog them later), so my comments seem woefully out-of-date already!
We plan to post the event audio soon so you can listen for yourself. I'll announce the audio posting at my Twitter account when it's live.
UPDATE: Audio now available: Download (item 27) or Stream
Posted by Eric at 10:54 AM | Adware/Spyware , Copyright , E-Commerce , General , Internet History , Marketing , Patents , Privacy/Security
July 07, 2009
June 2009 Quick Links, Part 2
By Eric Goldman
State Regulation of the Internet
* iAWFUL, the Internet Advocates Watchlist for Ugly Laws
* Texas HB 2003. Part of the anti-cyber-harassment mania. Very broad statute with lots of room for prosecutorial mischief.
* BNA (BNA subscription required): "State Legislatures Consider Criminal, Civil Restrictions on Ticket Purchasing Software": "At least six state legislative bodies are considering bills this session that would place restrictions on the use of 'ticket bots.'"
* Because states are embracing the Amazon affiliate tax, the online affiliate industry is shrinking as we speak (1, 2, 3). But in one of his rare good moves, Schwarzenegger has vetoed CA's attempt to impose the Amazon tax.
* Clive Thompson in Wired: "By severing the link between location and geography, the internet turned everything upside down. Now mobile phones are inverting everything again, in the other direction — because your location becomes most important thing about you. So how is the return of geography going to change our lives?" My previous commentary on geolocation and the law.
Blogs/Social Networking Sites
* Yath v. Fairview Clinic, 2009 WL 1751767 (Minn. App. Ct. June 23, 2009). Posting illegitimately obtained health information to a MySpace page qualified as “publicity” for purposes of an invasion of privacy claim. The court says: “Yath's private information was posted on a public MySpace.com webpage for anyone to view. This Internet communication is materially similar in nature to a newspaper publication or a radio broadcast because upon release it is available to the public at large.” As a result, the publication qualified as “publicity” even if the material was posted for less than 48 hours and the plaintiff could only prove that a small number of folks actually saw it. Compare the Moreno v. Hanford Sentinel case, where republication of information the plaintiff voluntarily published on her MySpace page could not support an invasion of privacy claim.
Nevertheless, the defendants were excused because they had not created the MySpace page, even though they had supplied the information republished on the MySpace page.
* Richerson v. Beckon. Ninth Circuit upheld reassignment of teacher-mentor based on negative blog comments. My blog post on the district court opinion.
* Kaufman v. Islamic Soc. of Arlington, 2009 WL 1815641 (Tex. App. Ct. June 25, 2009). An online-only journalist qualified as a "member of the electronic or print media" for purposes of an interlocutory appeal statute.
* After von Brunn committed his hate crime outside the US Holocaust Museum, a bunch of his digital trails went dark as websites newly realized his vitriol was posted there.
* If you're looking for a paper topic, here's one: the use of MySpace, Facebook and other social networking sites in family law disputes, especially over child custody. I'm seeing cases every week where social networking site postings are being introduced to corroborate or contradict testimony about a parent's fitness.
Security
* FTC v. Pricewert. The FTC takes down an allegedly rogue Internet access provider. To the extent that the IAP is engaged in criminal activities, no problem; but it's less clear to me if the FTC can get a civil injunction under its Sec. 5 authority to stop the IAP from serving its putatively illegal customers. Such an action could be preempted by 47 USC 230. The FTC, in its brief, says the IAP fits into a Roommates.com exception, an argument presumably bolstered by their 10th Circuit win in FTC v. Accusearch.
* Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009). This is a putative class action over Microsoft’s use of Windows Genuine Advantage (WGA) to validate copies of Windows XP. In this ruling, Microsoft gets SJ on the claim alleging that the contract prevented Microsoft from doing WGA validation. Especially interesting is the court’s conclusion that IP addresses are not personally identifiable information.
* Microsoft v. Lam. Microsoft brings a lawsuit against alleged click fraudsters who caused Microsoft to issue $1.5M in credits to advertisers. The NYT article.
* EFF on the most recent amendments to the Computer Fraud & Abuse Act.
Miscellaneous
* Expedia tagged for $184M in damages for improperly marking up its service fees.
* In re Jamster Mktg. Litig., 2009 U.S. Dist. LEXIS 43592 (S.D. Cal. May 22, 2009). Wireless carriers aren’t liable under RICO and false advertising laws for various deceptive practices by wireless content providers.
* New unmeritorious patent lawsuit trend: lawsuits over patent markings for expired patents.
* NYT: Investing in Lawsuits, for a Share of the Awards
* Oddee: 15 geekiest license plates.
Posted by Eric at 09:18 PM | Content Regulation , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines
ABA Antitrust Section Consumer Protection Conference Recap
By Eric Goldman
Last month I attended the ABA Antitrust Section’s Consumer Protection Conference. This post recaps some highlights from the event.
A few overarching themes:
* in light of the country’s economic malaise, the FTC is focusing its enforcement on economic harms. This is both to combat those who prey on victims of the economic downturn and to curb some of the excesses that contributed to the economic downturn.
* there was significant confusion, and some apprehension, about the proposed new Financial Product Safety Commission and how it will affect other government agencies, including the FTC. If nothing else, the proposed new agency creates some turf wars and might send an implicit message that the FTC somehow wasn’t up to the job (a characterization I wouldn't necessarily agree with).
* not exactly news, but the FTC is itching to do something different about regulating online privacy.
* on a related theme, there is widespread hand-wringing about the failures of consumer notices to effectively educate consumers and improve their decision-making. I agree with this, and in fact I’ve noted before that we are experiencing a “crisis of contracts.” While some UI improvement can be made in how information is presented to consumers, we are also stuck with the bigger problem that some consumer decisions are more complicated than consumers are able to handle, no matter how effectively the complexity is disclosed. There is no clear regulatory solution to this problem.
David Vladeck’s Opening Remarks
David Vladeck, the new director of the Bureau of Consumer Protection, outlined some things to expect from the FTC going forward:
1) The FTC will keep up/step up its aggressive pace of litigation, education and policy-making. In particular, the FTC will have to do more on economic fraud.
2) He expects the FTC will look more at privacy regulation. He said he did not find the notice/consent and harm paradigms for regulating privacy convincing. Regarding the notice/consent paradigm, he said it is hard to know what a person is consenting to. Notices are unintelligible, and they don’t address secondary uses. The harm paradigm doesn't address harms we feel but can’t quantify. So he is wondering how the FTC can rationalize its privacy approach going forward.
3) He expects the FTC to take a hard look at Internet behavioral advertising and ads directed to vulnerable sub-populations.
4) Echoing proposals that have been floated before, he said that the FTC should be on equal footing with other government agencies, including better rule-making authority, civil penalty authority and independent civil litigation authority.
More on Vladeck’s presentation from Arnold & Porter, Perkins Coie and Rebecca Tushnet. While there, make sure to look at Rebecca’s introductory remarks, which were excellent but came before I was ready to take notes!
Former Chairmen’s Panel
John Villafranco moderated a panel of Bob Pitofsky and Tim Muris, both former FTC chairmen. The panel’s overriding theme was how much Bob and Tim agree with each other, even though they come from opposite sides of the political spectrum.
Villafranco asked some questions about the FTC’s past. He noted that 40 years ago, the FTC was derided, and there were calls to shut it down. Bob explained that the FTC was viewed as the “Little Old Lady on Pennsylvania Avenue” because it was preoccupied with trivial cases, hired experienced lawyers who weren’t very accomplished, didn’t take advantage of its broad mandate, and was widely regarded as the weakest agency in Washington. Bob and Tim also explained why there were deep divisions between commissioners and between commissioners and staff at that time.
Villafranco asked about the biggest misconception by outsiders. Bob said that staff runs the place; Tim said that antitrust lawyers can do consumer protection.
Villafranco also asked about the staff’s biggest misconception about companies they investigate. Tim said that staffers deal with pathologies, so sometimes they assume every business is a bad actor. Bob said that the FTC’s rules are on the vague side, so good-intentioned companies can get into trouble because they didn’t understand the rules.
Rebecca’s recap of this panel.
Privacy/Behavioral Advertising Panel
Eileen Harrington of the FTC: Disseminating content online means that the sender surrenders control over that content, even when not wanted or intended. Categories of content dissemination:
* blogging/microblogging
* social networking sites
* first party collection/behavioral advertising (e.g., Amazon, Netflix). In these contexts, data collection/use is intuitive, and the consumer can always leave if he/she doesn’t like the site’s practices.
* Gmail ads, which she distinguishes from first party collections. Google discloses its ad practice but buried in a big privacy policy. Also, consumers may expect greater privacy in email. [Eric’s note: I really didn’t understand how Gmail is different from Amazon in this regard, and I didn’t get a chance to push Eileen about this. Having used Gmail for a very long time, the value proposition and the ad presentation is unambiguously clear to me.]
* Third party collection practices. She further broke these down into:
- Third party ad networks. The websites are unrelated, and there is no relationship between the consumer and the ad network. Consumers may not understand why they receive the ads. Also, data sharing increases risks.
- Researchware. Improper disclosures that consumers won’t understand.
- Deep packet inspection. May be less transparent/voluntary. Consumers don’t know to look at their contracts with their connectivity suppliers. Deleting cookies won’t help.
In response to a question about whether there is a different way to communicate privacy to different generations/subcommunities, Eileen expanded on David Vladeck’s comments by saying that it’s time to look again at the commission’s privacy framework. For a time, the FTC followed Fair Information Practices. Then, the FTC moved to a framework focused on harm. The FTC still thinks notice-and-choice can work in some circumstances, but it fails in other circumstances. There is concern that notice hasn’t prevented harm. The FTC wants to develop a better framework, but business practices are constantly changing around the FTC.
I asked Eileen how companies can decide what is important enough to be disclosed. I pointed out that Sears’ privacy policy fully disclosed its researchware practices but only deep within its privacy policies. Eileen responded that Sears wasn’t a close call because their disclosures were completely inadequate and the pop-up ads offered consumers a different value proposition.
Perkins Coie’s recap of Eileen’s remarks.
Wendy Seltzer’s presentation did a nice job summarizing the privacy advocate’s view. What’s new online = more data + better data crunching. Most responses have been self-regulatory and focus on notice and choice. Self-regulation works only if there is an effectively functioning market for privacy. Market failures:
* information costs of reading privacy policies.
* Behavioral economics/psychology. Consumers have difficulty evaluating near vs. distant events (i.e., hyperbolic discounting). Consumers are too optimistic that they won’t experience harm, even if disclosed to them. Technology moving too fast, so consumers can’t anticipate future developments (such as better deidentification).
In response, Leslie Harris of the CDT added that the latest generation of kids may value its privacy, they just may not have been faced with privacy challenges yet. We don’t know what we don’t know, and we shouldn’t assume people don’t care about privacy.
Leslie also lauded the FTC behavioral advertising principles because they discourage distinctions between PII and non-PII. Also, self-regulatory efforts have been shaped by the FTC’s intervention. But she is not persuaded that self-regulation works.
Rebecca’s recap of this panel.
Research on Consumer Decision-Making
Alan Levy from the FDA. Regulators’ biggest mistake is thinking consumers read labels to learn more information about the product. Instead, consumers read labels when they have specific Qs that the label can answer. But framing the Q requires consumers to have lots of domain knowledge already, and consumers often don’t know enough to ask the Qs.
The function of label-based product claims is to ease consumers’ information search. Consumers want to make good decisions, but they satisfice. They look for products that can meet minimum adequacy standard and won’t embarrass them if asked to justify their decision. Most decisions aren’t life-and-death, and consumers usually can fix most bad decisions with their next purchase. Product claims work because they are convenient for consumers and help satisfice.
Consumers assume advertiser claims signal unique attributes of their products compared to their competitors. Consumers don’t generalize claims to the product class. Consumers want new and relevant information. The most effective marketing tells consumers something they do not already know. So claim effectiveness depends on heterogeneous consumer experience and knowledge.
Consumers need reliable information to satisfice. Consumers will accept information if it’s consistent with what they already know and legitimate on its face (i.e., not seemingly manipulative). Disclaimers about product claims can actually make claims more effective or are just ignored.
Health claims on package label front truncates a consumer’s product search—when a claim is on front, consumers won’t read the back of the package label.
Policy-makers focus too much on trying to perfect claim language, and not enough on helping frame the decision for consumers. This is based on the mistaken assumption that claims don’t work well enough at educating consumers, but the real risk is that claims work too well at motivating consumer decision-making.
Michael Mazis of American University. Lessons:
* Disclosure medium matters. Disclosures are more effective in media that give consumers more time to review them.
* Consumer motivation matters to the efficacy of disclosures.
* Marketing claims trump other disclosures/disclaimers.
Broadcast ads: text disclosures don’t work.
Print ads: consumers aren’t in search mode, so disclosures aren’t relevant
Web ads: consumers are in product search mode, so disclosures are more likely to be effective
Ways to improve disclosure effectiveness: proximity, prominence, easy to find, comprehensible, no legalese (consumers discount these disclosures), no repetitive “throw away” disclosures.
Findings from a research study about testimonial ads:
* when consumers see testimonials in ads, they assume that results are typical
* general disclosures that “results aren’t typical” aren’t effective
* specific disclosures about lack of typicality are somewhat more effective than general disclosures, but still aren’t very effective
Rebecca’s recap of this panel.
Role of Consumer Surveys in Enforcement/Litigation
Chris Cole of Manatt Phelps said that in every false advertising case, parties disagree about whether claims are literal or implied. Courts vary widely about what constitutes a literal claim; much depends on advocacy quality and the judge’s intuition (results-oriented judgment). There are no uniform standards for survey admissibility. There is a trend towards accepting non-traditional evidence such as internal brand tracking surveys not specifically prepared for the litigation.
Chris also talked about the difficulty of designing a defensive survey because it’s hard to prove a negative (i.e., the absence of consumer confusion). To do so requires lots of directed (but not leading) questions to present enough evidence to convince the judge. Further, the other side often tries to reinterpret survey results, which is another reason not to conduct a defensive survey in the first place.
He also said there is no reason to give FTC or State AGs’ interpretation of ad claims any extra deference. The government should have to prove its case.
Finally, Chris discussed problems with trying to do surveys over the Internet, which may be more representative of consumers in practice than mall intercept surveys—who goes to a mall any more? However, he noted that the screen display may not be the same (ex: TV ads shown on a computer monitor may be harder to read), and there may be questions about the motivation and representativeness of panelists who are incented to participate.
Lee Peeler, a long time FTC staffer, said that years ago, FTC was perceived as not using extrinsic evidence because surveys might prove defendant’s case or get tossed out. Now, FTC looks at extrinsic evidence, but non-exclusively.
Patricia Conners of the Florida AG’s office said that state AGs don’t like to do consumer surveys because (1) they are not statutorily required, (2) they are expensive and time-consuming, (3) they distract the case from substantive issues to focus on survey methodology, and (4) many cases are against really bad actors, so survey evidence isn’t necessary to prove the case. On the flip side, defendants often overclaim their extrinsic evidence when trying to avoid regulatory intervention, which makes the regulators skeptical.
Rebecca’s recap of this panel.
More on the Conference
* Rebecca on financial products safety
* Rebecca on green marketing and internet issues. Arnold & Porter on the green marketing panel.
* My post on my talk on 47 USC 230 and consumer protection law.
Posted by Eric at 08:24 AM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security | TrackBack
June 30, 2009
Roommates.com Infects the Tenth Circuit--FTC v. Accusearch
By Eric Goldman
F.T.C. v. Accusearch Inc., 2009 WL 1846344 (10th Cir. June 29, 2009). My blog post on the district court opinion.
Introduction
June has been an active month for 230 jurisprudence. Cases this month include Doe IX v. MySpace (actually a May opinion but I blogged it in June), Gibson v. Craigslist, the Barnes v. Yahoo amendment, and Zango v. Kaspersky--all defense-favorable outcomes. As I mentioned in my post on the Doe IX case, the Ninth Circuit Roommates.com en banc decision has not cast a long shadow on 230 jurisprudence; it has been cited less than 10 times in the past year, and prior to yesterday, only once in favor of the plaintiff. Unfortunately, those good times may be over. The Tenth Circuit has largely adopted the rule and reasoning of Roommates.com in FTC v. Accusearch, effectively making Roommates.com the governing law west of the Rockies.
The FTC's Enforcement Action Against Accusearch
This is a prime example of bad facts making bad law. Accusearch runs Abika.com, a website that tried to style itself as a matchmaker between customers seeking, and vendors selling, private/personal records about people. The specific records at issue here contain "customer proprietary network information" (CPNI), the metadata about telephone calls. CPNI resales were probably illegal at the relevant time periods; following the Hewlett-Packard pretexting scandals, Congress cleared up any confusion and criminalized the resale of CPNI via the Telephone Records and Privacy Protection Act of 2006, 18 U.S.C. §1039.
If Abika.com was structured as a pure advertising site to facilitate off-site transactions, like Craigslist or eBay, perhaps Abika.com would have a stronger case for qualifying for 47 USC 230 protection for the sale and delivery of CPNI reports from Abika's vendors to their customers. However, Abika.com apparently was structured as a classic retailer in that it advertised the third party reports, processed customer payments, and delivered the subsequent reports to customers as if the reports were its own (Abika.com even stripped out the third party vendor's identifying information). So the veneer of Abika.com simply being a passive intermediary between customers and vendors may have been overwhelmed by Abika's active and overwhelming presence in the transaction.
The FTC went after Accusearch claiming that Abika.com was engaged in "unfair" trade practices under the FTC Act. (Note: the FTC has the power to pursue unfair commercial practices, even when they are not deceptive. However, the standards for "unfair" are amorphous, making such enforcements potentially problematic and controversial. Fortunately, the FTC generally wields this power sparingly). Accusearch's principal defense was 47 USC 230 on the theory that Accusearch procures the CPNI reports from third party vendors and merely republishes the third party reports to Accusearch's customers.
It's really hard to defend CPNI resales, and the court says that Accusearch had the requisite scienter that such resales were illegal/impermissible. With the combination of scienter, illegal transactions, active intermediation and the FTC as a plaintiff, it really seemed to me that Accusearch had no chance of winning this case. But this combination also tempted the judges to use loose reasoning to reach that unavoidable result.
The Opinion’s Discussion of 47 USC 230
A defendant must establish three elements of a successful 230 defense, and the majority opinion muddles the discussion on all of them:
1) "provider or user of an interactive computer service." Based on the funky definition of ICS, the FTC argued that websites qualify for 230 protection only when they enable user-to-user communications. The majority declines to accept this argument but doesn't reject it outright either, basing its decision on another prong. Although the statute could be clearer (like, for example, saying that websites qualify for 230 protection), the caselaw is extremely thick that every website qualifies for 230 protection. Unfortunately, with the majority's pathetic response, I wouldn't be surprised if plaintiffs unnecessarily put this issue into play in future 10th circuit cases.
2) "publisher or speaker of content" The concurring judge argues for a speech/conduct distinction and argues that the FTC is pursuing Accusearch for its conduct, not its speech. The speech/conduct distinction is almost meaningless in this case given that Accusearch was reselling information, which means that Accusearch was electronically republishing that information. The majority disagrees with the speech/conduct distinction but otherwise doesn't discuss this prong.
3) "created or developed by another information content provider." Adopting the arguments from the Roommates.com case, the majority says that Accusearch didn't "create" the reports but it was "responsible" for "developing" the reports. To reach this conclusion, the majority defines "responsible" and "develop":
* citing old French, "develop" means to "unwrap." Huh? Thus, "when confidential telephone information was exposed to public view through Abika.com, that information was 'developed.'" Does this definition make "develop" a synonym for "publish"?
* the majority initially says what "responsible" doesn't mean: "to be 'responsible' for the development of offensive content, one must be more than a neutral conduit for that content." This reference to "neutral conduit" parallels the Roommates.com case, which used the term "neutral tools" five times but never defined the term once.
The majority then says "a service provider is 'responsible' for the development of offensive content only if it in some way specifically encourages development of what is offensive about the content." This phrasing allows the court to distinguish the old 10th Circuit Ben Ezra precedent, which absolved AOL of liability for republishing inaccurate stock quotes. There, AOL didn't ask its vendors to give it false reports; here, the majority says that Accusearch asked its vendors to get information it knew was illegal to obtain:
Accusearch solicited requests for such confidential information and then paid researchers to obtain it. It knowingly sought to transform virtually unknown information into a publicly available commodity. And as the district court found and the record shows, Accusearch knew that its researchers were obtaining the information through fraud or other illegality.
Implications
I doubt the literal holding of this case is all that troubling to most folks. If you're in the business of reselling illicit phone records and the FTC comes calling, 230 isn't likely to help you.
However, this opinion could be problematic for any online retailers who thought they could use 230 to insulate themselves. It's never been clear how much 230 protects online retailers when they are making sales for their own account (as opposed to advertising services like eBay or Craigslist), and this opinion raises the specter that 230 won't apply even when "retailing" involves republishing third party content. Indeed, the loose language means the case could be a major carveback of 230's coverage in the Tenth Circuit. As the concurrence points out, the majority's reading is "an unnecessary extension of the CDA’s terms 'responsible' and 'development,' thereby widening the scope of what constitutes an 'information content provider' with respect to particular information under the Act."
Then again, between its role as a retailer and the illicit nature of its goods, Accusearch was always at the periphery of 230's coverage. Today, 230 would be irrelevant if a federal government agency pursued a CPNI reseller under the new criminal provisions in 18 U.S.C. § 1039. So I think a better interpretation of this case is that where an online provider is dabbling too close to third party illegal activity, judges simply will ignore 230 as a bailout. Framed that way, this ruling is akin to Roommates.com, which was largely a normative judgment by the Ninth Circuit that the Fair Housing Act should trump 230 regardless of 230’s precise statutory contours.
I'll conclude with a few more thoughts about the concurrence. Although the concurrence's proposal to distinguish between speech and conduct wasn’t a good one, there was a useful nugget embedded in it. To bypass 230, perhaps the case could have focused on first party content published by Accusearch--namely, copy written by Accusearch advertising the availability of CPNI records, including any express or implied statements that it was reselling legitimate records. I've repeatedly blogged on the challenges of first-party/third-party content distinctions in 230 (see, e.g., my recent discussion about 230 and consumer protection), but in this case, I think focusing on Accusearch's own representations may have led to a cleaner doctrinal result than the one we got.
Finally, in the concurrence's FN5, Judge Tymkovich says:
If Accusearch had run a traditional business out of a physical location and offered similar services, it would seem the FTC would have the same unfair business practices complaint. Nothing would immunize Accusearch’s conduct had it chosen to deliver the confidential telephone records to requesters through hard copy print-outs either in person or through the mail. Accusearch’s duty to refrain from engaging in the solicitation and distribution of unlawfully-obtained confidential telephone records should not depend on the medium within which it chooses to operate.
Uh, NO. As with some other bright judges dealing with 230 cases, Judge Tymkovich has fallen into the mental trap that smart common law judges applying their powers of reasoning can simply intuit what the law should be. Congress has made it abundantly clear that it did exactly what Judge Tymkovich rejects; via 230, Congress created medium-specific rules that make some activities online permissible even if their offline analogue would not be. As challenging as it may be, judges should resist the temptation to make these kinds of normative assumptions in the face of clear Congressional intent.
Posted by Eric at 10:28 AM | Derivative Liability , E-Commerce , Privacy/Security | TrackBack
June 10, 2009
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
By Eric Goldman
Harris v. Blockbuster Inc., 2009 WL 1011732 (N.D. Tex. April 15, 2009). The Justia page.
[I've been sitting on this case for a couple of months, but it's such an important case that it still deserves a write-up even at this comparatively late date.]
This case is part of the legal detritus from the Facebook Beacon program. As you recall, Facebook Beacon included purchases from third party e-commerce sites into the buyer's Facebook status reports. This required the e-commerce sites to report Facebook users' purchases back to Facebook. A Blockbuster user claimed that Blockbuster's reports to Facebook violated the Video Privacy Protection Act, which prevents disclosures of PII about video customers without their consent. (Beacon did have an opt-out of debatable efficacy). Blockbuster moved to compel arbitration of this lawsuit based on the mandatory arbitration clause in Blockbuster's user agreement.
Blockbuster used an industry-standard and entirely typical introductory clause to its user agreement, which said:
Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.
This industry-standard and entirely typical clause does not fare well in this courtroom. Among other defects, the judge notes that "there is nothing in the Terms and Conditions that prevents Blockbuster from unilaterally changing any part of the contract other than providing that such changes will not take effect until posted on the website." As a result, the court deems the arbitration clause "illusory," an odd Texas law descriptor that appears to be a cousin of lack of consideration.
I could wax philosophic about the ontological meaning of a "contract" that one party can amend unilaterally at any time without notice. However, I'd rather focus on the simple practical implication from this ruling. I've never been a fan of the language Blockbuster used, and I had hoped many websites would reconsider the language after the Ninth Circuit trashed such provisions in 2007 in Douglas v. Talk America (also see my follow-up post). Yet, these clauses are still ubiquitous, even at big websites that "should know better," so let me boil it down for you into a single all-caps mantra:
STOP PUTTING CLAUSES INTO YOUR CONTRACTS THAT SAY YOU CAN AMEND THE CONTRACT AT ANY TIME IN YOUR SOLE DISCRETION BY POSTING THE REVISED TERMS TO THE WEBSITE
This language has a significant risk of killing the entire contract, which would strip away a lot of very important provisions that should be/need to be in the contract. So far Blockbuster has only lost its mandatory arbitration clause, but it's possible other important risk management clauses (warranty disclaimer, liability limits, dollar caps, etc.) will similarly fall. If those clauses fail, let the plaintiff feasting begin!
I recognize that weaning ourselves from very flexible amendment language leaves us as drafters with few good options to modify online user agreements over time. I discussed this dilemma in my post on the Douglas case. I haven't found any better solutions in the past 2 years, but I can say with confidence--DON'T DO WHAT BLOCKBUSTER DID.
UPDATE: I got the following email from a reader proposing a good alternative to current amendment notification processes: "To avoid the spam-filter problem, the provider could give notice via an RSS feed as well, and then disclaim like crazy about the problems with the email option (which would indeed simply be an option -- a link to a page where users can sign up to receive notices)." I love this idea! RSS is a true opt-in with few of the challenges of email.
Also, this brought to mind the EFF's new TOSBack service, which I'll mention more in a future blog post, that effectively provides a third party service to track amendments of various user agreements into an RSS feed. I LOVE IT! I have subscribed to TOSBack and plan to blog on interesting user agreement amendments it reveals--and I suspect I'm not the only one queued up to do so. TOSBack is a game-changer for public scrutiny of agreement amendments--sites being monitored in TOSBack are now on notice that their user agreement amendments are being watched!
Posted by Eric at 10:26 AM | Licensing/Contracts , Privacy/Security | TrackBack
June 09, 2009
May 2009 Quick Links Part 2
By Eric Goldman
Blogs and Boards
* WSJ: Bloggers, Beware: What You Write Can Get You Sued
* j2 Global Communications v. Zilker Ventures, CV 08-07470 SJO (AJWx) (C.D. Cal. April 22, 2009). A consumer review website can putatively qualify for anti-SLAPP protection, but not in this case because the plaintiff established its prima facie case.
* Biggs Cardosa Associates Inc. v. Bradbury, 2009 WL 1508703 (Cal. App. Ct. May 29, 2009). Here's another one for all of you Rip-off Report fans. A former employee lost a jury trial (and was hit with over $100,000 of damages) for breaching a "non-disparagement" clause in his separation agreement by posting negative comments about his former employer and colleagues on a variety of online fora, including numerous posts on the Rip-off Report.
* Houston Chronicle article on a lawsuit against a website operator for a user post saying that a woman has herpes when she, in fact, does have herpes. She is claiming public disclosure of private facts. [Stupid Houston Chronicle expired the article and moved it to its archives, breaking a number of links throughout the web. Here's a short recap of the article.]
* Stengle v. Office of Dispute Resolution, 2009 WL 1138119 (M.D. Pa. April 27, 2009). The contract of an independent contractor government "hearing officer" was non-renewed because she blogged on the topics of her hearings, raising questions about her impartiality. As the court says in dismissing the resulting lawsuit from the hearing officer:
To reiterate, this Court fully recognizes the cherished right of free speech, as well as the commendable goals of the RA. But these cannot wash away the bona fide concerns that arise when a judicial officer elects to disseminate her opinions in cyberspace with little or no restraint. Because of her position, Plaintiff's attempts to qualify her stances as solely her own were entirely ineffectual. With particular jobs come certain precise responsibilities. In Plaintiff's case, one of these included avoiding even the appearance of bias via extra-judicial comments. Plaintiff's deep concerns about the special education issues and the resulting creation of her blog ultimately caused her to face a dilemma that she alone created. The choices she freely made thereafter led to her non-renewal, and as aforestated we do not find any of the Defendants' conduct actionable under the circumstances.
This case reminded me some of Richerson v. Beckon from last year.
* JuicyCampus redux: People's Dirt. Let the angst over anonymous online forums begin anew.
* Doe v. Ciolli, 2009 WL 1204361 (D. Conn. April 30, 2009). In the AutoAdmit lawsuit, the court rejected Matthew Ryan's (aka ":D") motion to dismiss for lack of jurisdiction.
* Facebook v. Power Ventures, Inc., 2009 WL 1299698 (N.D. Cal. May 11, 2009). Largely following the troublesome Ticketmaster v. RMG case, Power Ventures' motion to dismiss Facebook's copyright and DMCA claims was denied. (Other claims survived too). Comments from Jeff Neuburger and Tom O'Toole.
Miscellaneous
* Colleen Chien, Of Trolls, Davids, Goliaths, and Kings: Narratives and Evidence in the Litigation of High-Tech Patents, North Carolina Law Review, Vol. 87, 2009
* Mazur v. eBay Inc., 2009 WL 1203937 (N.D. Cal. May 5, 2009) Class certification denied. My blog post on this case’s more troubling ruling about 47 USC 230.
* Riggs v. MySpace, Inc., 2009 WL 1203365 (W.D. Pa. May 1, 2009). Venue selection clause in MySpace user agreement upheld.
* Salter v. State, 2009 WL 1409484 (Ind. App. Ct. May 20, 2009). Saving pornographic photos of a minor to a CD does not constitute the "creation" of child porn, even though a new "copy" has been created.
* State v. Bell, 2009 WL 1395857 (Ohio App. Ct. May 18, 2009). MySpace chat sessions aren't MySpace "business records" for hearsay purposes.
* Forbes: the Hidden Costs of Privacy. This article has been written, and written again, many times in the last decade; yet the regulatory dynamics have not improved.
Posted by Eric at 10:35 AM | Content Regulation , Copyright , Derivative Liability , Patents , Privacy/Security , Publicity/Privacy Rights | TrackBack
June 08, 2009
May 2009 Quick Links Part 1
By Eric Goldman
Just a reminder that I'm posting some quick links exclusively to my Twitter account.
Trademarks
* Texas International Property Associates v. Hoerbiger Holding AG, 2009 U.S. Dist. LEXIS 40409 (N.D. Tex. May 12, 2009). Domainer loses ACPA claim over typosquatted domain name. The PPC advertising constituted bad faith intent to profit. Ryan Gile recaps the action.
* GunBroker.com LLC v. Heckler & Koch Inc., No. 09-cv-00051 (M.D. Ga. complaint filed May 14, 2009). Interesting lawsuit by an online auction site for guns seeking a declaratory relief action against a trademark owner who deployed an enforcement agency, Continental Enterprises, to send a driftnet takedown letter that apparently targeted used gun resales or compatible goods. Ryan Gile has more.
* Miranda v. Guerroro, 2009 WL 1381250 (S.D. Fla. May 14, 2009). Miranda is “Paola Morena,” a Latin singer. Her former manager convinced her to do some nude photo shoots in an effort to get a Playboy gig. The Playboy gig didn't materialize, and the manager stopped representing Miranda/Morena. After Morena's career took off, the manager then allegedly threatened to publicly post the photos unless she paid him $70k. Morena rebuffed the request, so the manager allegedly followed through with his threats by launching a website paolamorena.com [I got a nasty Google malware warning when I tried to visit the site], calling it her “official” site and posting some of the photos. The court enjoined the manager under trademark law. I'm a little confused how Morena had protectable trademark rights in her name. Did she make any use in commerce in the United States? Did her name achieve secondary meaning? This could be another case where trademark law is being stretched to stop bad behavior.
* Eric Menhart, the self-purported owner of a trademark in the term Cyberlaw, has gotten his very own personal gripe site.
Advertising and Marketing
* How much can Behavioral Targeting Help Online Advertising? HT Greg Linden
* Yingling v. eBay, 5:2009cv01733 (N.D. Cal. complaint filed April 21, 2009). A class action lawsuit alleging that eBay Motors overcharged merchants.
* IAB has issued its Click Measurement Guidelines designed to answer the Q “What is a Click?” See if their 28 page report actually answers the Q.
* A confusingly written LA Times article reports that 4 South Korean dissident bloggers are being criminally prosecuted for artificially inflating impression counts in order to game rankings of most popular pages.
* Perennially funny: unfortunate product names.
Copyright
* Solicitor General recommends against granting cert in Cartoon Network v. CSC.
* AV v. iParadigms, April 16, 2009. The Fourth Circuit says that the Turnitin system is fair use. My initial blog post on the district court ruling.
Security
* News.com: Interview with FBI cybercrime agent working undercover.
* Oddee: problematic CAPTCHAs. Funny.
* Everyone wants to talk about whether Google is a monopolist
- In early May, I heard Susan Athey, Microsoft's Chief Economist, give a lunchtime attack speech on Google at a George Mason event
- Google is circulating a document explaining why it's good for competition
- Google is blanketing DC with lobbyists too.
- And Google says it's actually small potatoes.
- Wired: Will Wolfram Alpha forestall antitrust inquiry into Google? As I've argued before, we continue to see new entrants into the search business all the time—it’s just too big a market to ignore.
- NYT weighs in too. And the Washington Post discusses how Microsoft and others are complaining about how many Google folks are going into the Obama administration.
* Danny Sullivan: State Of Search: Google Will Stay Strong Despite Bing & Yahoo
* Wired: Secret of Googlenomics: Data-Fueled Recipe Brews Profitability
Posted by Eric at 04:03 PM | Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark | TrackBack
May 28, 2009
Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap
By Eric Goldman
Solid Host, NL v. NameCheap, Inc., 2:08-cv-05414-MMM-E (C.D. Cal. May 19, 2009)
Facts
This case involves an alleged domain name theft. Solid Host is a web host and initial owner of the domain name solidhost.com, which it registered through eNom in 2004. Solid Host claims that in 2008, a security breach at eNom allowed an unknown interloper (Doe) to steal the domain name and move the registration to NameCheap. Doe also acquired NameCheap's "WhoisGuard" service, a domain name proxy service that masked Doe's contact information in the Whois database. Solid Host contacted Doe and sought the domain name; Doe asked for $12,000, and Solid Host took a pass. Instead, Solid Host demanded that NameCheap hand back the domain name and identify Doe, but Doe claimed that he had bought the domain name legitimately. NameCheap, apparently feeling like the cheese in a sandwich, demurred to Solid Host's requests. Solid Host then got a TRO ordering NameCheap to transfer the name and reveal Doe's identity, both of which occurred. For unclear reasons, Solid Host hasn't amended the complaint to name the Doe, but it is proceeding against NameCheap on various claims, including an Anti-Cybersquatting Consumer Protection Act (ACPA) claim.
The Opinion
Who is the Registrant?
My understanding of domain name proxy services is that the service acts as the legal registrant, thus supplying its contact information, but it registers the domain name for the benefit of its customer, making the customer the beneficial registrant. An analogy: a bank may take legal title of a property as part of securing a loan on the property, but the borrower retains beneficial title to the property.
So, for purposes of the ACPA, is the proxy service the “registrant” of the domain name? ICANN’s agreement with registrars seemingly contemplates this characterization in Section 3.7.7.3 of its Registrar Agreement, which says “A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.” However, it’s not clear to me that a proxy service “licenses” the domain name, especially if you accept my lender-borrower analogy above. Alternatively, if the proxy service is the “agent” of the customer, the licensing analogy also breaks down.
Whether the proxy service is the registrant matters a great deal to the legal outcome, and unfortunately, the court’s analysis of this important question was cursory, muddled, and possibly internally inconsistent.
In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider. As a registrar, an ACPA claim against NameCheap should be squarely preempted by the domain name registry/registrar safe harbor enacted as part of the ACPA (15 U.S.C. §1114(2)(D)). For example, 1114(2)(D)(iii) says:
A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name
(This provision only moots damages, not an injunction, but since Solid Host has the domain name back in its possession, damages seem like the only remaining issue).
The court concludes that NameCheap is not eligible for the domain name registrar safe harbor because NameCheap is the domain name registrant. It says, "NameCheap is, by virtue of the anonymity service it provides, the registrant of a domain name that allegedly infringes Sold [sic] Host’s trademark." Thus, NameCheap is ineligible for the registrar safe harbor, which applies only when the registrar acts as a registrar.
But, having rejected the domain name registrar safe harbor because NameCheap was the domain name registrant, the court then inconsistently says that NameCheap is not the registrant for purposes of the prima facie ACPA claim. Instead, for ACPA purposes the court treats Doe as the registrant, leaving NameCheap exposed to a possible secondary ACPA liability claim. (The court acknowledges that NameCheap would defeat a direct ACPA claim because NameCheap did not have any bad faith intent to profit from the domain name. Offering the proxy service wasn't enough to qualify as a bad faith intent to profit).
Wait a minute—how can NameCheap simultaneously be both the registrant (no safe harbor) but not the registrant (thus, subjected to a secondary claim)? The court does not acknowledge or explain this apparent inconsistency.
Contributory Cybersquatting
Courts have rarely discussed a contributory ACPA claim. The only one cited by the court was a 2001 case (the Ford Motors vs. Greatdomains.com case) and I can’t think of any others. Perhaps this isn’t surprising because (1) as the Greatdomains.com case indicated, a contributory ACPA claim is available "in only exceptional circumstances," and (2) registrars are the most likely targets of a contributory ACPA claim, and the domain name registrar safe harbor effectively eliminates their contributory ACPA liability.
Adopting the analysis in the Greatdomains.com case, this court equates contributory ACPA liability with the Ninth Circuit’s 1999 Lockheed standard for online contributory trademark infringement (as opposed to ACPA liability), which requires that "a plaintiff must prove that the defendant had knowledge and ‘[d]irect control and monitoring of the instrumentality used by the third party to infringe the plaintiff’s mark.'"
So how did NameCheap have the requisite control over Doe's instrumentalities? Good question. The court tosses out this gem: NameCheap was "the 'cyber-landlord' of the internet real estate stolen by Doe." WHAT??? The court continues:
NameCheap’s anonymity service was central to Doe’s cybersquatting scheme. If NameCheap had returned the domain name to Solid Host, Doe’s illegal activity would have ceased.
The second sentence is true with respect to NameCheap, but it is also true of every registrar for every domain name they register--and we know from the 1999 Lockheed case that registrars lack control over the instrumentalities of their registrants. So the proxy service seems to make a legal difference, but how does the proxy service evidence NameCheap's greater control over the registrant's instrumentalities? I think something is amiss here.
To complete the prima facie contributory ACPA claim, in addition to control, Solid Host must show that NameCheap has the requisite knowledge of Doe's ACPA violation. The court sets a high scienter bar--mere notice from an aggrieved party isn't enough--but the court conclusorily says that the complaint alleged enough knowledge to survive the motion to dismiss.
Why This is a Troubling Ruling
As I trust is clear, I think the court's analysis is questionable at best. I’m also troubled about the normative implications. Most obviously, this case could portend the demise of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.
If proxy services evaporate, domain name registrants will have a tougher time maintaining their privacy. This could affect at least two groups. First, businesses seeking to register domain names for unlaunched new brands often want to procure the new brand's domain names without publicly announcing their intentions through the Whois database. (Of course, some businesses register such domain names through agents or shell companies, but at a much greater expense than a proxy service). Second, gripers, whistleblowers, critics and others may want to use proxy services to make it harder for their targets to unmask their identities. This ruling jeopardizes the potential privacy options available to both groups.
I’m also troubled by this ruling’s narrow reading of the domain name registrar safe harbors. There haven’t been many cases interpreting those safe harbors, and this case might influence other courts to read them narrowly.
A Mini-Trend of Lawsuits Against Registrars
I’ve noticed a small but troubling increase in lawsuits against domain name registrars in the past few months. In addition to this case, see the Vulcan Golf v. Google lawsuit (which named some registrars as defendants), OnlineNIC cases, Philbrick v. eNom and uBid v. GoDaddy. Personally, I believe this litigation trend mirrors the expansion of new and legally untested non-registration services offered by registrars. I explored this issue with Elliot Noss of Tucows in the most recent installment of TWiL (worth listening to, IMO). Discussing the uBid lawsuit, Elliot explained how registrars monetize dropped domain names before they are returned to the available pool of unregistered domain names. The delay is putatively for the benefit of customers who mistakenly let a registration lapse; but this also has the happy (?) by-product of letting registrars create new ad inventory that they are monetizing.
In the past, a lot of the legal attention regarding domain names has focused on trademark owners vs. registrants. From my perspective, those lawsuits are becoming passé. The real litigation growth industry appears to be trademark owner vs. registrar lawsuits over new registrar service offerings that trademark owners don't like. Rulings like this one, with a broad reading of contributory ACPA liability and a narrow reading of the domain name registrar safe harbor, raise the specter that registrars may find more legal trouble than they anticipated.
UPDATE: Commentary from Domain Name News
UPDATE 2: A call for registrars to exit the domain name proxy business.
Posted by Eric at 03:27 PM | Derivative Liability , Domain Names , Privacy/Security , Trademark
April 12, 2009
Q1 2009 Quick Links, Part 4
By Eric Goldman
Security
* Massachusetts Data Security regulations were amended.
* In Facebook v. Power.com, Facebook brought another lawsuit to block extraction of user data from the site (similar to the Facebook v. ConnectU lawsuit). Venkat, Masnick, News.com, NYT, Justia. In this case, I wonder if Facebook has adequately distinguished between Power.com's behavior and the operation of its own "Find a Friend" service that taps into third party email servers to extract email addresses. Power.com’s response.
* Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. Jan. 7, 2009). IP infringement isn't a cognizable harm under the Computer Fraud & Abuse Act.
Adware/Spyware
* Who says Valentine's Day is just a Hallmark holiday? Sales of spyware and other tools to track cheating SOs also increase around Valentine's Day.
* Susan Brenner on the Cybercrimes Treaty and the US's decision not to criminalize possession of malware as required by the treaty.
Venture Capital
* BusinessWeek: Silicon Valley innovation is being stifled by VCs who only want to make small bets, not big bets. But VC investing is faddish, so the wind might change tomorrow.
* $600M of VC investments in virtual worlds.
Contracts
* Burcham v. Expedia, Inc., 2009 U.S. Dist. LEXIS 17104 (E.D. Mo. Mar. 6, 2009). Buyer was bound to user agreement even though he argued (without any evidence) that someone else established the account he used. This dovetails nicely with the broad reading of who is bound by an online user agreement; see my discussion in the Lori Drew case. Jeff Neuburger's writeup. Aside: I wonder if Expedia will be insulated by 47 USC 230 for the allegedly wrong description of amenities if they got the description of the hotel from third parties. For an analogous result involving the binding of users who didn't agree to the initial contract, see CoStar Realty Information, Inc. v. Field, 2009 WL 841132 (D. Md. March 31, 2009).
* Fractional Villas Inc. v. Tahoe Clubhouse, No. 08cv1396 (S.D. Cal. Feb. 25, 2009). Citing the RMG case, the court says that merely visiting a site may be sufficient to bind visitors to a browsewrap. However, in this case, there was insufficient evidence that the defendant had ever visited the site.
* Cherny v. Emigrant Bank, 2009 U.S. Dist. Lexis 2486 (March 12, 2009). Latest case that breach of privacy policy isn’t actionable unless there are actual damages. Venkat’s writeup.
* A stat I fully believe: "studies have shown that more than half of all companies cannot even locate signed copies of 10% or more of their contracts." The Zen Master asks: if both parties think they have entered a contract but neither can find a copy, do they have a contract? (this has really happened to me before).
Taxes
* Amazon v. New York and Overstock v. New York (N.Y. Sup. Ct. Jan. 12, 2009). Kudos to New York for finally figuring out a way to break the Internet and defeat the Internet Tax Freedom Act by treating Amazon Associates as traveling salespeople for sales tax collection purposes. I imagine every state in the country will jump on this bandwagon, at which point some e-tailers will kill their affiliate program and others will end up imposing sales tax collection nationwide.
* Pitt County v. Hotels.com, L.P. (4th Cir. Jan. 14, 2009). Online travel aggregators aren't "retailers" (as referenced in the statute) for purposes of collecting local hotel occupancy taxes.
General
* Some interesting cyberspace exceptionalism developments involving cases where paper presentation may be different from electronic presentation of the exact same content. In Smith v. Under Armour, Inc., 2008 WL 5486764, web payment confirmations displayed on-screen are not "printed" within the meaning of the Fair and Accurate Credit Transactions Act. Accord Smith v. Zazzle.com, Inc., 2008 U.S. Dist. LEXIS 101050. See generally this Proskauer recap. In Saulic v. Symantec Corp., a California law prohibiting data collection with credit card sales was held inapplicable online.
* Sudduth v. Donnelly, 2009 WL 918090 (N.D. Ill. April 1, 2009). Plaintiff got stiffed on his eBay transaction and sued eBay for 1983 equal protection and conspiracy claims as well as a Title VI civil rights claim. Because eBay isn't a state actor, however, the court dismissed eBay.
* My colleague Steve Diamond is blogging every detail of the battle for SAG's soul over at his new blog, King Harvest. For example, he summarizes the travails of the Screen Actors Guild.
* Oddee: 10 Geekiest T-Shirts. I own a t-shirt that says "I'm Blogging This" (a gift from a former student) and a mug that says "Vegetarian Blogger" (gift from a colleague).
* Oddee: 15 Most Unfortunate Town Names. I think Licking County should have been a contender.
* Is there any better sign of Cyberlaw's maturity than the publication of Internet Law in a Nutshell? [Amazon Affiliates link]
* Oddee: 12 Most Ridiculous Lawsuits. I welcome your nominations for the most ridiculous Internet lawsuits of all time. I hope to write that up some day.
* Happy birthday, Gmail! Best email software I've ever used. The battles over Gmail privacy seem so...2004!
Free Stuff
* The Ninth Circuit recently updated its website...with RSS feeds!
* Nolo Press' "NDAs for Free." Potentially useful site.
* I have one extra copy of my Fall 2008 Cyberspace Law course reader. First person to send an email with their mailing address gets it. [CLAIMED]
Posted by Eric at 12:03 PM | Adware/Spyware , E-Commerce , Licensing/Contracts , Privacy/Security , Trade Secrets , Virtual Worlds
April 11, 2009
Q1 2009 Quick Links, Part 3
By Eric Goldman
Blogging and Social Networking Sites
* A new version of the EFF Legal Guide to Blogging. While you're there, consider joining EFF as a member. The EFF does first-rate work, and they can use all the support they can get in this economic downturn.
* Red Tape Chronicles: "Blogger: Cash4Gold tried to 'bribe' me."
* Klein v. City of Laguna Beach, 594 F. Supp. 2d 1142 (C.D. Cal. Jan. 23, 2009): "many of the cases striking down ordinances that restrict sound-amplification equipment are artifacts of a bygone age that offered activists few media of mass communication. Twenty, thirty, or fifty years ago, a sound truck was an important means of spreading a message to a large group of people. Now, one must only have a computer and a printer to publish a newsletter or handbill. The Internet, e-mail, text messaging, and widespread mobile communications devices have made it easier than ever to reach a large audience on a small budget. Indeed, it might be easier for Mr. Klein to reach the youth he wishes to target by using Facebook or MySpace."
* Maybe everyone already knew this, but I learned something interesting about Blogger. Apparently in some cases they will place an interstitial warning in front of certain user-posted content.
* Doninger v. Niehoff, 2009 WL 103322 (D. Conn. Jan. 15, 2009). On remand from the Second Circuit, the district court denies damages for a student whose off-campus blog entry led to school discipline. At the same time, Wendy Davis reports on how a Conn. bill would protect students' free speech online.
* Funny article on Facebook's efforts to police against people who create funny account names, which sometimes ensnares people who actually have funny names like Batman, Six, Super, Pancake and Kisser.
* Facebook Sex-Extortion Plot: a boy pretends to be a girl, gets boys to send naked photos to him, and then threatens to go public with the photos unless they consent to sex with him.
* Dynamic Sports Nutrition, Inc. v. Roberts, 2009 WL 136023 (S.D. Tex. Jan. 16, 2009). A former employee republishing confidential information via his blog is enjoined.
* We now know that Facebook settled with ConnectU for $65M. However, ConnectU might get a little more cash after this information was inadvertently disclosed by its former counsel, Quinn Emanuel, in a marketing brochure.
* Facebook gets TRO against Wallace.
* Some people gave up Facebook for Lent.
* Reuters writes up a shocking study: many teens on MySpace post things they might regret.
* State v. Hause, 2009 WL 295404 (Ohio App. Ct. Feb. 9, 2009). Facebook photos help convict a woman for allowing minors to drink alcohol in her house.
* U.S. v. Villanueva, 2009 WL 455127 (11th Cir. Feb. 25, 2009). MySpace photo and YouTube video showing defendant holding firearms contribute to sentence enhancements for firearms charges.
* John Palfrey & Adam Thierer discuss Palfrey's arguments to "improve" 47 USC 230 by reversing Doe v. MySpace.
Defamation/Cyberbullying
* JuicyCampus has shut down. LA Times, Chronicle of Higher Education, CMLP.
* Lengthy article on the AutoAdmit lawsuits. And a mixed ruling in Ciolli v. Iravani.
* Noonan v. Staples (1st Cir. Feb. 13, 2009). Truth is NOT an absolute defense to defamation in Massachusetts, which apparently also has seceded from the Union because the First Amendment no longer seems to apply.
* Neuwirth v. Silverstein, 2009 WL 294737 (Cal. App. Ct. Feb. 9, 2009). Reiterating that a website can be a public forum for purposes of anti-SLAPP laws. The CMLP writeup.
* Douchebags Lawsuit dismissed. Marc Randazza mocks the lawsuit.
* Rios v. Fergusan, 2008 WL 5511215 (Conn. Super. Ct. Dec. 3, 2008). Connecticut court has jurisdiction to issue restraining order against North Carolina man who posted YouTube video threatening Connecticut woman.
* Fahmy v. Hogge, 2009 WL 33418 (C.D. Cal. Jan. 2, 2009). Court denies Fahmy's motion to set aside the dismissal based on lack of jurisdiction because Fahmy made the error that caused the dismissal.
* 24Grille v. TripAdvisor (complaint filed April 2, 2009). Restaurant sues TripAdvisor for anonymous TripAdvisor review. Hello 230!
* Censorious laws brewing in WV and NJ.
Yelp
I have been meaning to post about my experiences with Yelp as a reader and a writer, but that has been repeatedly deferred. So, instead, how about a quick recap of Yelp’s woes? Yelp has been under the microscope quite a bit in the last few months.
* Wendy Davis recaps all the Yelp-related litigation she and I could find--at least 5 known cases. CMLP recaps a couple of the lawsuits.
* This East Bay Express article about Yelp caused quite a stir. It was followed up with more attributed sources. A number of other media outlets covered Yelp, including News.com and the NYT. For a full rundown of Yelp haters, check out the Eater coverage.
Wikipedia
* 25 Biggest Blunders in Wikipedia History.
* Two books about Wikipedia I’ve been checking out.
- Wikipedia, the Missing Manual.
- How Wikipedia Works.
Pornography
* Mukasey v. A.C.L.U., No. 08-565. The Supreme Court declined the cert petition regarding the challenge to the 1998 Child Online Protection Act, officially killing the law after a decade of litigation. Putting aside the merits of the law, it would have been a huge shock to the Internet community to have a circa-1998 criminal act resurrected! I'd like to think Congress will be wiser than to try to criminalize Internet porn a third time, but the regulation of Internet porn is like a siren song to Congressmembers.
* State v. Hurst, 2009 WL 580453 (Ohio App. Ct. March 6, 2009). From the unfortunately named Licking County courts, the defendant downloaded 14,000 pornographic photos into his work computer's local cache in a five-day period (he acknowledged he spent 70% of his workday downloading porn). An expert said that about 50 of the photos were child pornographic. The defendant was convicted of possessing child pornography even though he argued that he didn't intentionally download the photos, receiving a 39-month sentence and being classified as a sex offender.
* Excellent article by Colette Vogele on suing over a sex tape.
Gambling
* The credit card payment systems blocked the New Hampshire Lottery due to the Unlawful Internet Gambling Enforcement Act of 2006.
* Peer-to-peer gambling OKed in Washington.
Posted by Eric at 12:53 PM | Content Regulation , Derivative Liability , Internet History , Privacy/Security
March 12, 2009
Rip-off Report Lawsuit Updates: Certain Approval Programs and Ecommerce Innovations
By Eric Goldman
Certain Approval Program v. Xcentric
Certain Approval Programs, L.L.C. v. XCentric Ventures L.L.C., 2009 WL 596582 (D. Ariz. March 9, 2009). I previously blogged about this case in November. This ruling is in response to the plaintiff's request to file an amended complaint, which Rip-off Report resisted on several grounds. Of particular interest is the plaintiff's desire to add a claim for "misappropriation of name or likeness." Rip-off Report responded that such a claim is futile due to 47 USC 230. The court rejected the futility argument at this early procedural stage, saying
Plaintiffs have alleged enough facts regarding Defendants' “creation or development of information provided through the Internet or any other interactive computer service” to make it plausible that Defendants are an “information content provider” for some content and therefore the CDA does not completely immunize Defendants.
This is not the first time that plaintiffs' allegations against Rip-off Report have survived the equivalent of a motion to dismiss, but getting further into the litigation process has proven difficult for plaintiffs.
The court didn't reach the issue, but it's also germane to the futility argument whether a "misappropriation" claim is even preempted by 230 at all or if it qualifies as an "intellectual property" claim that is excluded from the immunization. Compare ccBill and Friendfinder.
Ecommerce Innovations v. Doe
Ecommerce Innovations, L.L.C. v. Does 1-10, No. MC-08-93 (D. Ariz. Feb. 10, 2009). Thanks to Jeff Neuburger for calling attention to this case. In this case, a defamation plaintiff is seeking identifying information for an anonymous Rip-off Report contributor. The Rip-off Report initially fought the request, but the district court ordered Rip-off Report to comply because the plaintiff had established a prima facie case. The Rip-off Report responded that it plans to appeal the judge's order to the Ninth Circuit, and the district court has stayed the order pending the appeal (although I can't find any evidence that the appeal has been filed yet). As Jeff points out, an appeal by Rip-off Report may prompt the Ninth Circuit to articulate its standards for when plaintiffs can unmask anonymous defendants; it also could become a backdoor way to gauge the Ninth Circuit's attitude towards Rip-off Report in light of some ambiguous language in the initial Ninth Circuit Roommates.com opinion.
Posted by Eric at 11:54 AM | Content Regulation , Derivative Liability , Privacy/Security , Publicity/Privacy Rights
February 20, 2009
Facebook User Agreement Imbroglio Recap (and Some Comments of My Own)
By Eric Goldman
I didn't have a chance to blog on the Facebook user agreement amendment flap in real-time, but now that Facebook has rolled back its amendments and everyone is catching their breath, the Monday morning quarterbacking is proceeding in full earnest. Some of the articles that caught my attention:
* CNET News.com: "Facebook's about-face: Change we can believe in?"
* InternetNews: "Experts: Facebook Must Rethink TOS Stance"
* EFF: "Facebook's reaction is a tremendous victory for its users." I guess that's true, in the way that getting back to zero at a casino sometimes can be considered a win.
* Bill McGeveran powerfully (and with irony) demonstrates that Facebook's terms weren't all that unusual. Et tu, Consumerist?
Some of my own observations:
* When you're a high-profile company living in the media fishbowl like Facebook, there is no such thing as a minor amendment to your user agreement.
* Facebook's amendments--and the news reports about them--were confusing because of two independent but often correlated problems. First, lay readers often misread user agreements, especially broad license grants that users mistakenly read as statements of ownership. This is a well-known and long-standing phenomenon; see, e.g., the flap over GeoCities' user agreement from a decade ago. So initial news reports on Facebook's amendments were garbled and perhaps overly dramatic.
Second, Internet lawyers often draft user agreements using legalese in ways that make the agreements indecipherable to lay readers...and, not infrequently, to other lawyers. Having drafted a lot of them in my life, I'm a pretty sophisticated reader of user agreements, yet it took me a fair amount of time to parse Facebook's license terms to figure out what they were saying--and, even then, I wasn't quite sure. In particular, the "perpetual" and "irrevocable" terms in the license agreement were in seeming conflict with Facebook's promise in the same license grant to honor a user's privacy settings. In other words, if a user can set the configurations to remove content from Facebook's purview and Facebook will honor those instructions, then how is Facebook's license grant irrevocable? Unless I'm missing something big, this looked to me like a drafting error by Facebook. (And check out Nancy Kim's op-ed identifying this exact issue--in March 2008).
This suggests a drafting lesson we might internalize from Facebook's hassles (Jonathan Zittrain makes a complementary point). We as Cyberlawyers are used to parroting the exact words from the applicable statutes and caselaw because it seemingly increases the precision of the agreement, but frankly I think Facebook and other Internet companies would do a whole lot better--both legally and in the court of public opinion--if they junked the legalese and actually tried to write license grants in real English.
* Partially obscured in the haze is the lurking question of whether Facebook can unilaterally amend its user agreement without providing any notice to users. I don't even see this as a close question. From my reading of the precedents, I think the answer is pretty emphatically NO, both as a matter of contract law (and see more; but compare MySpace v. theglobe.com) and FTC law (see, e.g., the Gateway Learning case). Without a doubt, I wouldn't want to be Facebook trying to defend the new incremental changes in court.
* I got a few inquiries about whether a lawsuit against Facebook would have been successful. As Ethan explained recently, there may be unexpected hurdles to any such lawsuits.
* Now that Facebook has stirred the hornet's nest, it's not clear that they can simply roll back to the prior version of the user agreement and put everyone back in the happy apple. Instead, having called attention to its licensing policies, Facebook will be lucky if the pre-amendment terms survive as those undergo critical and jaundiced scrutiny from users. David Kirkpatrick touches on this.
* No matter how Facebook resolves its agreement, this episode has been damaging to its trust relationship with its users. It gives users yet another reason to question whether Facebook is a site we can trust. For users who lived through the Newsfeed and Beacon episodes, this may be a three-strike situation. For others, the fracas is yet another wedge in the users' relationship with Facebook. Trust is hard to earn and easy to lose.
Having said that, in the past couple of quarters, Facebook has been riding a strong network effects bull and seeing remarkable growth DESPITE Beacon. So Beacon clearly did not destroy users' trust in Facebook. At the same time, if users fall out of love with Facebook due to loss of trust, they will scale back their involvement with Facebook, which ultimately could negate the network effects benefits they are currently experiencing. IMO, this is the real risk created by Facebook's highly publicized problems.
Posted by Eric at 08:57 AM | Internet History , Licensing/Contracts , Privacy/Security
January 23, 2009
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
A recent court case reiterates that privacy policies aren't the be-all, end-all panacea for protecting online privacy.
By Ethan Ackerman
One of the main arguments against a federal online privacy law has been that website privacy policies were a self-regulatory solution that was more than sufficient, permitted more flexibility, and bound parties as surely as any federal law. Real-life court cases continue to suggest the contrary.
From mid-90s FTC staff decisions to "encourage self-regulation" to the 1998 formalization of a Clinton administration e-commerce policy framework to the extension of this policy through both terms of the G.W. Bush Administration, "self-regulation" of online privacy has been the policy of the executive branch of the federal government. Similarly, "self-regulation" has been the primary card played (the 10 of spades?) against Congressional attempts to pass federal online privacy regulation, successful in stalling any legislation on the issue since at least the 106th Congress. Online industry lobby groups still emphasize that "self-regulation" is the only needed enforcement, and online privacy advocates cite self-regulation's failures for the 'decade of disappointment' in internet privacy.
Meanwhile, outside of the policy debates, online activity has exploded, along with the collection and use of personal information online. Putting aside the real challenge of discovering unacceptable uses, sometimes that collection and use (or misuse) is egregious enough that someone sues over it. As the recent case of Pinero v. Jackson Hewitt Tax Service shows yet again, actual monetary damages matter more than egregiousness.
Ms. Pinero discovered that a Jackson Hewitt Tax Service licensee that prepared her taxes had breached its privacy policy when a local news station contacted her and provided her with her prior year tax returns, discovered in a public dumpster along with the returns of more than 100 other Jackson Hewitt clients.
Mindful of the increasing body of cases that have refused to find damages in the mere breach of protective statutes, violations of privacy policies or unlawful disclosures of personal records, Ms. Pinero's attorneys alleged specific factual emotional, physical, and economic damages in their suit. Those damages weren't good enough under the applicable state law, according to U.S. District Judge Sarah Vance. Specifically, the judge found that the plaintiff suffered no direct pecuniary damage from the breach - a heightened risk of future loss or steps taken to mitigate that loss weren't enough under Louisiana law for a negligence or breach of contract claim.
Above and beyond my brief summary, the opinion is worth a read in greater detail. The judge's detailed discussion of the pleadings reveals much work on this case. The pleading drafters clearly went to great effort to avoid precisely this outcome, claiming damages of several types with a great deal of specificity and carefully formulating claims under a variety of different statutes and causes of action, including a Consumer Protection Act and database breach statute claim. Judge Vance addresses each claim and the surrounding caselaw in good detail as well, providing scant room for a reversal on appeal by leaving every issue addressed.
The takeaway? As Eric has worried in the past, there may be no effective customer legal recourse against companies that breach their privacy policies.
[Eric's comment: we've seen a long list of situations where plaintiffs suffered some privacy invasion but were unable to obtain any legal recourse. Ethan links to the JetBlue case (which remains remarkable to me to this day), and we've blogged on others as well (see, e.g., the Acxiom and Key cases). In general, I think these opinions have often reached a sensible and pragmatic result that a privacy invasion may lead to no tangible losses, so damage awards may overcompensate the victim or overdeter the defendant. However, providing no damages awards--especially when a company breaches its self-selected promises--may under-deter and reward companies for overpromising and underdelivering. This case seems especially odd because the complaint contained allegations of specific tangible harm. Maybe we don't believe the allegations, but normally they ought to be heard.
At the same time, I fear the policy-makers may overreact to this situation by creating statutory damages. Those solve one problem (the courts' balking at plaintiffs that have no obvious damage) but create another, (IMO) much bigger problem of motivating plaintiffs and their lawyers to engage in litigation frenzies with low-merit lawsuits. We've seen a lot of wasted motion in the spam context from people chasing statutory damages, and I shudder to think about the tax on our economy if we ever created statutory damages for generalized privacy violations.]
Posted by Ethan Ackerman at 09:47 AM | Licensing/Contracts , Privacy/Security
January 22, 2009
Data Privacy Day at SCU Jan. 28: Erika Rottenberg, LinkedIn GC
By Eric Goldman
Please join us for this event being held in conjunction with the Data Privacy Day. Free admission and no RSVP required. Erika is a long-time colleague (dating back to our Cooley Godward days) and I'm very interested to hear how she sees the world from LinkedIn's perspective.
____________
"Protecting Personal Identities Online"
Erika Rottenberg
Vice President, General Counsel and Secretary of LinkedIn
January 28th
12:00 p.m. – 1:00 p.m.
Williman Room, Benson Center
Santa Clara University
Light lunch will be served
Part of the IT, Ethics & Law Colloquium Series cosponsored by the High Tech Law Institute; the Center for Science, Technology, & Society; and the Markkula Center for Applied Ethics.
On-line networking sites, such as LinkedIn, Facebook and MySpace, allow friends, acquaintances and/or professionals to connect and communicate with each other and have become an essential part of many people's daily lives. While most of these communications and interactions enrich our lives and enhance our business productivity, sometimes they can become problematic, especially when inappropriate or harmful information is published online. Erika Rottenberg, General Counsel of LinkedIn, a professional networking site with over 34 million members, representing 170 industries in 200 countries, will talk about opportunities and pitfalls posed by on-line networking sites and how we can be smart users of the sites. This will be a moderated discussion followed by an audience question and answer period.
About the speaker: Erika Rottenberg is Vice President, General Counsel and Secretary of LinkedIn, responsible for LinkedIn’s worldwide legal matters, including privacy. Prior to LinkedIn, Erika served as General Counsel for two public technology companies, providing valuable experience in dealing with the regulatory policies and challenges specific to technology-centric public companies. Most recently, Erika was Senior Vice President, General Counsel and Secretary, for Nasdaq-listed SumTotal Systems. Prior to SumTotal, Erika was Vice President, Strategic Development and General Counsel of Creative Labs, the company that brought multimedia to the PC with the Sound Blaster sound card. Erika received her law degree from Berkeley's Boalt School of Law and started her legal career at the Silicon Valley technology-based law firm of Cooley Godward.
Posted by Eric at 04:07 PM | Privacy/Security | TrackBack
January 16, 2009
AOL Loses Venue Selection Dispute in Ninth Circuit Due to an Unfortunate "Of"--Doe 1 v. AOL
By Eric Goldman
Doe 1 v. AOL LLC, 2009 WL 103657 (9th Cir. Jan. 16, 2009)
This is one of several lawsuits against AOL over AOL's 2006 posting of a database of improperly anonymized search queries. This particular lawsuit was brought by AOL members in California and alleges a variety of federal and state law claims against AOL.
AOL defended based on its venue selection clause in its member agreement, arguing that the contract required the lawsuit to be brought in Virginia. AOL has had a lot of success with its venue selection clause over the years, but it has had some prominent failures as well. One of those is America Online v. Superior Court (ex rel Mendoza) from 2001, in which a California appellate court struck down AOL's venue selection clause on public policy grounds because Virginia law did not provide adequate relief to California consumers--because, among other things, Virginia state courts do not permit class action lawsuits.
The Mendoza case was part of a broader judicial trend against online user agreements over the past decade. We've seen them fail for unconscionability, public policy and other reasons, making the successful drafting of such clauses tricky. Collectively, I think these cases have established pretty clearly that a venue selection clause designed to suppress class action lawsuits has a high risk of failure and, in California, is presumptively unenforceable.
What isn't clear to me is what, if anything, AOL did to modify its member agreement's venue selection clause in response to its Mendoza defeat. As a result, I can't tell if this court is interpreting the same contract language as was presented to the Mendoza court. But in all other respects this case is extremely similar to Mendoza: the plaintiff initiated a class action lawsuit in California, AOL defended on its venue selection clause to force the case back to Virginia, and the court is confronted with the public policy implications. Thus, if AOL did change its contract post-Mendoza, it didn't get the desired results, because it suffers another defeat here.
It appears that if the case could be heard in Virginia federal court, the class could form and the clause would not necessarily fail; but if the clause only permits Virginia state court, this is Mendoza redux and AOL loses. As a result, the court tries to figure out which venue the member agreement language specifies. AOL's agreement designates the exclusive venue as "the courts of Virginia." The court parses the grammar of the word "of" and looks at other precedent analyzing "the courts of [state]" and concludes that this language selects only Virginia state court. Because a California appellate court (the Mendoza court) had already said that Virginia state court isn't an acceptable choice for a putative class action of California consumers, the Ninth Circuit has no choice but to toss the venue selection clause.
This raises an obvious drafting point: courts are reading venue clauses specifying the venue as "state of X" to mean only state courts in the designated state, so don't use that grammar unless that's what you intend. I'm sure that most drafters using "state of X" language instead mean the parties can litigate in either federal or state court in that venue, but that's not the way courts are reading it. Accordingly, I think it would be prudent to avoid the "courts of X" grammar altogether, which isn't hard to do. Personally, I normally say "courts in X" (as opposed to "courts of X"). I would have to research the precedent interpreting that grammar (this case has made me a little nervous), but the "in" grammar should pretty clearly avoid the analysis in this Ninth Circuit opinion. Another alternative would be to expressly reference both federal and state courts as options; I've seen this language frequently, although I've previously thought that was unnecessarily wordy. Maybe it isn't.
Posted by Eric at 01:29 PM | Licensing/Contracts , Privacy/Security | TrackBack
January 08, 2009
December 2008 Quick Links, Part 2
By Eric Goldman
Social Networking Sites/Cyber-Bullying/Sexual Predation
* More on the Lori Drew conviction:
- Wired has a tough behind-the-scenes look at the Lori Drew jury deliberations.
- The jury instructions
- In case you missed it, my special three part series on implications of the Lori Drew conviction: Part 1, Part 2, and Part 3.
* Yet more fallout from the Lori Drew prosecution and conviction. Wired has a story on the cyberbullying litigation frenzy. The Washington Post has a recap on the proliferation of state anti-cyberbullying laws.
* U.S. v. Morris, 2008 WL 5101636 (7th Cir. Dec. 5, 2008). Judge Posner talks about the difference between entrapment (not OK) and vigilantism (OK) in the context of a mom who created a fake MySpace persona to chat with an alleged sexual predator who had contacted her underage daughter.
* Facebook's policy on breast-feeding photos has sparked protests both online and off (1, 2, 3). It reminds me a bit of one of my first challenges as Epinions' general counsel. (search for Epinions).
* Barry Schwartz: is Google getting desperate for ad revenue?
* The Register: "Google this week admitted that its staff will pick and choose what appears in its search results." However, I don't think the article supports this aggressive statement. Instead, it appears the article is getting excited about the fact that Google manually tweaks the algorithms when they produce goofy results--something we've known for years.
* Updates on Axact v. Student Network Resources, the case involving alleged copyright infringement of term papers. Axact allegedly has been trying to get its domain name registrars to release its domain names for transfer, and SNR is trying to cut them off. Apparently Google also balked at the instructions to kick the subject domain names out of its index, but SNR and Google resolved their differences enough to reach a stipulation. Finally, I've received numerous threats and requests from Axact to modify my original post, which has prompted me to make some minor changes.
Marketing
* IMS Health v. Ayotte. New Hampshire passed a law restricting the use of a doctor's past prescribing practices (i.e., behavioral information) for personalized/targeted sales calls. This opinion upholds the NH law against a First Amendment and dormant Commerce Clause challenge.
* Australian advertisers are cookie-ing users at high CPM sites so that they can show the users targeted ads when those users appear at lower CPM sites.
* Sony busted for COPPA violations.
* New advertising medium: school exams.
Miscellaneous
* Good article on the Sprint v. Cogent peering fight.
* And a good article showing limits to the Long Tail theory.
* U.S. v. Grober, 2008 WL 5395768 (D. N.J. Dec. 22, 2008). Grober pleaded guilty to uploading and downloading child porn over the Internet. The judge rejects the 19 1/2 year minimum sentence specified by the Sentencing Guidelines and instead sentences Grober to the 5 year statutory minimum. This opinion poignantly explains why this judge, like several others, rejects the Sentencing Guidelines in Internet child porn cases because the dictated sentences are too severe.
* BusinessWeek is still amazed that people actually--get this--provide their time and efforts over the Internet without getting paid!
* Lior Strahilevitz, Reputation Nation: Law in an Era of Ubiquitous Personal Information, 102 Nw. U. L. Rev. 1667 (2008). Lior explores the cross-elasticities of demand for types of reputational information and shows that if some information isn't available (due to, say, privacy laws), decision-makers will consult less credible or pernicious sources. For example, if a landlord can't get good credit information about a prospective tenant, the landlord may resort to discriminatory considerations (like race) to decide whether or not to rent to the tenant. Good article.
* I have previously written about New York v. Synergy6, Inc., 404027/03 (N.Y. Sup. Ct. Jan. 6, 2006), where the court soundly rejected the New York Attorney General's office regarding a marketer's liability for allegedly illegal emails sent by downstream affiliates (i.e., not in direct privity). I have not been able to find a copy of the opinion electronically, but over the holidays I found my hard copy and scanned it to a PDF. Check it out, especially in combination with the 2008 New York v. DirectRevenue opinion, which soundly rejected the NYAG's affiliate liability arguments in the adware context.
Posted by Eric at 07:44 AM | Content Regulation , Copyright , Domain Names , Marketing , Privacy/Security , Search Engines | TrackBack
December 02, 2008
November 2008 Quick Links
By Eric Goldman
Trademark
* NYT: "A handful of new Web sites with names like Typo Bay and Typo Buddy are out to help shoppers save money by searching eBay for misspelled brand names." In 2005, I blogged that typographical errors are a significant issue for eBay's search engine.
* It's a bull market for Obama-related trademark filings and Obama merchandise.
* Domain name tasting down 84%?
* Wired: "Think Godzilla's Scary? Meet His Lawyers"
Copyright
* Reuters: "Instead of triggering the usual take-down notices, copyright-infringing footage of select MTV Networks programing uploaded by MySpace subscribers would be automatically redistributed with advertisements that would generate revenue for the companies." I'm interested to see how this system applies to fair uses of the works!
* Arista Records LLC v. Usenet.com, Inc., 2008 WL 4974823 (S.D.N.Y. Nov. 24, 2008). The court dismisses USENET.com's counterclaims for declaratory relief that it doesn't violate 17 USC 512 because the claims duplicate its affirmative defenses.
* James Grimmelmann does an excellent job parsing the Google Book Search settlement agreement and makes some sage recommendations for how it should be modified before court approval.
Advertising/Marketing
* The Google-Yahoo ad syndication deal is dead. Some behind-the-scenes discussions.
* I'm not sure about the implications of this, but Google is expanding its efforts to allow website and ad targeting based on automatic geographic detection. See my prior post about the future of geolocation and a bordered Internet.
* Good news: entrepreneurs want to authenticate children's ages to keep them out of online trouble. Bad news: entrepreneurs might use age authentication to hit the kids with targeted marketing.
* Classmates.com sued for misrepresenting that former school chums were actually looking to reconnect. Yet more pushback on bogus "X is looking for you!" ads.
47 USC 230
* The Supreme Court denied cert in Doe v. MySpace, 2008 WL 4218722. According to Tom O'Toole, this is the seventh time that the Supreme Court has denied cert in a 47 USC 230 case.
* It appears that Children of America v. Magedson has settled.
* The Santa Clara University community is having a catharsis about Juicy Campus.
* Dan Solove and I chatted with Doug Lichtman about social networking sites (asynchronously--I spoke with Doug after Dan had), with most of my conversation focusing on 47 USC 230. Doug edited the conversations together into a one-hour podcast entitled "Privacy in the Networked World." An added bonus for listening--you may be able to earn one hour of CLE FREE!
Spam
* Facebook v. Guerbuez. Facebook wins $873M default judgment under CAN-SPAM. Now, if Facebook could only collect any of this, they would have finally figured out a way to make money!
* Gordon v. SubscriberBASE Holdings, Inc., 2008 WL 4809833 (E.D. Wash. Oct. 31, 2008). Serial anti-spam plaintiff lost again on whether he has standing under CAN-SPAM.
* Evan Brown: Government spam filters do not deprive citizen of right to petition the government.
* Venkat: Unsolicited Marketing Extravaganza in the Ninth Circuit.
Miscellaneous
* eHarmony settles claim that it discriminates against gay singles.
* NYT: "almost five years into its expansion into Europe...Google is getting caught in a web of privacy laws that threaten its growth and the positive image it has cultivated as a company dedicated to doing good."
Posted by Eric at 09:47 AM | Copyright , Derivative Liability , Domain Names , Privacy/Security , Search Engines , Spam , Trademark | TrackBack
November 19, 2008
October 2008 Quick Links, Part 3
By Eric Goldman
Pornography
* Can you believe this? A 15 year old girl took nude photos of herself using her cellphone and sent the photos to her peers. She is now being prosecuted on child pornography charges. The girl's behavior sounds more like a cry for help than a criminal act.
* Judges are pushing back against online child porn downloading cases.
* PROTECT Our Children Act (S.1738). If I were a legislator, I would name all of my bills (regardless of substantive topic) “Protect Our Children Act” to ensure passage. Among other things, the law creates a new crime of “child pornography that is an adapted or modified depiction of an identifiable minor” (assuming this survives First Amendment scrutiny, no more photoshopping Miley Cyrus’ face onto a naked woman’s body). The law also modifies existing law to require that websites and Internet access providers who find child porn on their network to forward it and other information to the CyberTipline operated by the National Center for Missing and Exploited Children.
Online Crimes
* Sarah Palin email hack indictment. Orin's comments.
* HR 5938. Congress amended the Computer Fraud & Abuse Act again to increase the penalties and criminalize conspiracies to violate the law.
* S 431, Keeping the Internet Devoid of Sexual Predators Act of 2008 or the `KIDS Act of 2008'. Wired's critique. This law requires sex offenders to register their email addresses with a central database and then permits social networking sites to access the database and block registrations from the sex offenders. The most interesting aspect of the law is that it tries to define a social networking site as: “an Internet website (i) that allows users, through the creation of web pages or profiles or by other means, to provide information about themselves that is available to the public or to other users; and (ii) that offers a mechanism for communication with other users where such users are likely to include a substantial number of minors; and (iii) whose primary purpose is to facilitate online social interactions.” Is there any Web 2.0 site that does not qualify? Any wagers about how long it will take Congress to change this law to require social networking sites to block sex offenders’ email addresses rather than making it optional as this law states?
* State v. Ellison, 2008 WL 4531860 (Ohio App. Ct. Oct. 10, 2008). Two childhood friends have a falling out. One posts an allegation on her MySpace page that the other is a child molester. After the district court convicted her of harassment via a telecommunications device, the appellate court overturned the conviction because she lacked sufficient intent to harass.
Miscellaneous
* Ryan Haight Online Pharmacy Consumer Protection Act of 2008, HR 6353. “No controlled substance that is a prescription drug as determined under the Federal Food, Drug, and Cosmetic Act may be delivered, distributed, or dispensed by means of the Internet without a valid prescription.”
* Gotbaum ex rel. Gotbaum v. City of Phoenix, 2008 WL 4628675 (D. Ariz. Oct. 17, 2008). Malicious blog posts in local Phoenix blogs about a lawsuit aren't enough pre-trial publicity to warrant a change in venue.
* Bursac v. Suozzi, 2008 WL 4830541 (N.Y. Sup. Ct. Oct. 21, 2008). Online shaming of DWI suspects before conviction violates due process. Are you listening, FTC?
* Canadian court: linking to defamatory material is not defamation.
* In an attempt to forestall further movement on the Global Online Freedom Act, the search engines released a high concept statement on how they won’t help repressive regimes.
Posted by Eric at 10:03 AM | Content Regulation , Privacy/Security , Search Engines | TrackBack
November 18, 2008
October 2008 Quick Links, Part 2
By Eric Goldman
Spam
* Kramer v. Perez. An Iowa court awards $236M in damages in a spam case. Venkat's comments.
* After the government lost its jury trial against Impulse Media, the court denied Impulse Media attorneys fees.
Contracts
* AT&T put its own emailed notice of amended contract terms into its spam folder. Whoops! Due to spam filters and other automated blocks, it is becoming almost impossible for websites to communicate with their users by email.
* An estimate of the massive "tax" imposed on consumers by reading privacy policies. Of course the financial drain is overstated because many people make a rational decision not to read every privacy policy, plus not every person has to read a privacy policy for marketplace responses to be effective.
* The Blizzard v. MDY WOWGlider case has reached a stipulated damages amount of $6M.
* Pulaski & Middleman, LLC v. Google Inc., 5:2008cv03888 (N.D. Cal. complaint filed August 14, 2008). The Justia page. Yet another me-too lawsuit against Google over serving ads to parked domains and error pages.
* An Israeli GPL enforcement action settled.
Trademarks/Domain Names
* Kentucky v. 141 Domain Names. Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name. More recently, the seizure was stayed.
* Speaking of inappropriate seizures, the Feds are trying to seize the trademarks of the Mongols motorcycle group. DOJ press release. LA Times article.
* Best Western Intern., Inc. v. Doe, 2008 WL 4630313 (D. Ariz. Oct. 20, 2008). Prior blog post in this case. The judge is losing patience: "These filings are wasteful in the extreme. The Court is not a forum for the parties to expend every possible dollar seeking to litigate every conceivable issue, no matter how insubstantial. The Court will no longer tolerate the excesses of this case."
* The Verizon v. Navigation Catalyst Systems domainer lawsuit settled.
* 50 Cent brings yet another questionable lawsuit. (1, 2).
Advertising
* Goddard v. Google Inc., 2008 WL 4542792 (N.D. Cal. Oct. 10, 2008). The case against Google for deceptive mobile phone ads will stay in federal court.
* Eyeblaster, Inc. v. Federal Insurance Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008). This is a collateral lawsuit to Sefton v. Eyeblaster alleging that Eyeblaster distributed spyware. Eyeblaster tendered the claim to its insurer. This court holds that the CGL policy doesn't apply because the claim relates to software problems, not physical damage to the users' computers. Further, the E&O policy doesn't apply because Sefton alleges that Eyeblaster intentionally installed the spyware, bumping Eyeblaster into one of the policy's exclusions.
* Are consumers becoming more tolerant of pop-up ads? For more on consumer acceptance of new advertising formats, see here.
* A big damages award in NetQuote v. Byrd.
Posted by Eric at 06:42 AM | Adware/Spyware , Domain Names , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam , Trademark | TrackBack
October 14, 2008
September 2008 Quick Links, Part 3
By Eric Goldman
eBay
* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.
* Windsor Auctions v. eBay has been refiled in a new jurisdiction.
* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal’s user agreement.
* A company's failure in the marketplace can drive up the value of its collectibles on eBay.
* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google’s long-time chief trademark counsel, is the lucky substitute.
* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google’s advocacy website. Google Chief Economist Hal Varian explains why the deal won’t raise ad prices in the auction. Randall Stross weighs in.
* Google has changed course and now allows religious groups to advertise on the keyword “abortion.”
* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):
I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.
Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.
Marketing/Advertising
* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.
* Is Gator/Claria dead?
* The EU passed a non-binding resolution against sexual stereotypes in advertising.
* Celebrity branded merchandise run amok.
Miscellaneous
* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley’s Terms of Use paper.
* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.
* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?
* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.
* Interesting article on ESPN’s exclusive distribution and bundling agreements with Internet access providers.
* Silly? Horrifying? A sign of the apocalypse?
Posted by Eric at 06:17 PM | Adware/Spyware , Content Regulation , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam | TrackBack
September 02, 2008
eBay Cracks Down on Cookie Stuffing--eBay v. Digital Point Solutions
By Eric Goldman
eBay, Inc. v. Digital Point Solutions, No. 5:08-cv-04052-PVT (N.D. Cal. complaint filed Aug. 25, 2008)
It is exceedingly rare for marketers to sue affiliates who are trying to game their affiliate programs. I'm sure there have been other lawsuits, but frankly I'm drawing a blank. (The only relevant precedent that came to mind was Google's tepid enforcement actions in 2004/2005 against click frauders--see Google v. Auction Experts and US v. Bradley). [Update: A reader reminded me of Land's End v. Remy, which is an on-point precedent.] The more typical remedy when commission fraud is taking place is to cancel any unpaid commissions and write off the rest as a cost of doing business (or an uncollectible painful lesson). But if someone gamed the system big--I mean, really big--maybe it would be worth hiring fancy and very high-priced counsel to go see what they might be able to retrieve...
eBay isn't saying how much it got taken for by the defendants in the case. The complaint was conspicuously silent on that juicy detail. However, the amount appears to be enough that eBay hired the premium law firm O'Melveny & Myers for a glorified collections effort. Either that, or eBay has decided to send a remarkably expensive message to other potential fraudsters.
The complaint alleges that the defendants engaged in a cookie stuffing campaign to hijack commissions through Commission Junction. In a legitimate affiliate program, the network sets its tracking cookie on a visitor's computer only after the visitor clicks the affiliate's ad; if that visitor later buys from the marketer, the cookie credits the affiliate with a commission. Cookie stuffing occurs when a fraudster drops that tracking cookie on a visitor's computer without the visitor ever having clicked (or even seen) the affiliate's ad, so that the fraudster collects commissions on purchases it did nothing to drive. In this case, eBay alleges that the defendants used a clever technical exploit to put cookies on users' computers even though the users had not seen the requisite ads. The complaint also alleges that the defendants deployed some tricks to cover their tracks, like deliberately not cookie-ing computers in San Jose and Santa Barbara, the homes of eBay and Commission Junction respectively, to keep employees of those companies from spotting the marauding cookies.
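The two behaviors described above (cookies set with no preceding ad click, and a conspicuous absence of cookies in the cities where the marketer's and network's staff sit) are both visible in an affiliate network's own logs. The following is an added example of how a network could detect them; it is not code from eBay, Commission Junction or the complaint. The log format, field names, the 30-minute click-to-cookie window, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
"""Heuristic detector for cookie-stuffing affiliates (added example, not the
network's own code). Log format, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "click" (visitor clicked the affiliate's ad) or "cookie_set"
    affiliate: str
    visitor: str     # opaque visitor id, e.g. a hash of IP and user agent
    city: str


def parse_log(lines):
    """Parse 'ISO-timestamp,kind,affiliate,visitor,city' records; '#' lines are comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, aff, vis, city = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), kind, aff, vis, city))
    return events


def unattributed_sets(events, window=timedelta(minutes=30)):
    """Per affiliate: (cookie_set events with no click from the same visitor on
    that affiliate's ad within `window` beforehand, total cookie_set events)."""
    clicks = defaultdict(list)               # (affiliate, visitor) -> click timestamps
    for e in events:
        if e.kind == "click":
            clicks[(e.affiliate, e.visitor)].append(e.ts)
    stats = defaultdict(lambda: [0, 0])      # affiliate -> [unattributed, total]
    for e in events:
        if e.kind != "cookie_set":
            continue
        stats[e.affiliate][1] += 1
        preceded = any(timedelta(0) <= e.ts - c <= window
                       for c in clicks.get((e.affiliate, e.visitor), []))
        if not preceded:
            stats[e.affiliate][0] += 1
    return {aff: tuple(v) for aff, v in stats.items()}


def missing_cities(events, watch_cities, min_sets=20):
    """Affiliates with at least `min_sets` cookie_set events but none at all from
    any of `watch_cities` (the geo-exclusion evasion). Returns {affiliate: [cities]}."""
    per_aff = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.kind == "cookie_set":
            per_aff[e.affiliate][e.city] += 1
    out = {}
    for aff, cities in per_aff.items():
        if sum(cities.values()) < min_sets:
            continue                          # too little volume to call a gap suspicious
        missing = [c for c in watch_cities if cities.get(c, 0) == 0]
        if missing:
            out[aff] = missing
    return out


def suspicious_affiliates(events, watch_cities, ratio_threshold=0.5, min_sets=20):
    """Combine both signals into {affiliate: [human-readable reasons]}."""
    findings = defaultdict(list)
    for aff, (bad, total) in unattributed_sets(events).items():
        if total >= min_sets and bad / total >= ratio_threshold:
            findings[aff].append(f"{bad}/{total} cookie sets without a preceding click")
    for aff, cities in missing_cities(events, watch_cities, min_sets).items():
        findings[aff].append("no cookies ever set in watched cities: " + ", ".join(cities))
    return dict(findings)


def build_sample_log():
    """Constructed sample traffic (not real data): one honest affiliate whose cookies
    follow clicks, one stuffer whose cookies have no clicks and skip two cities."""
    base = datetime(2008, 8, 1, 12, 0, 0)
    cities = ["San Jose", "Santa Barbara", "Denver", "Austin", "Boston", "Miami"]
    lines = ["# ts,kind,affiliate,visitor,city"]
    for i in range(24):
        city, t = cities[i % len(cities)], base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()},click,aff-honest,v{i},{city}")
        lines.append(f"{(t + timedelta(seconds=3)).isoformat()},cookie_set,aff-honest,v{i},{city}")
    safe = [c for c in cities if c not in ("San Jose", "Santa Barbara")]
    for i in range(40):
        t = base + timedelta(minutes=i, seconds=30)
        lines.append(f"{t.isoformat()},cookie_set,aff-stuffer,s{i},{safe[i % len(safe)]}")
    return lines


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for aff, reasons in suspicious_affiliates(evs, ["San Jose", "Santa Barbara"]).items():
        print(aff, "->", "; ".join(reasons))
```

The click-to-cookie check is the stronger signal, since it does not depend on the fraudster's choice of evasion; the city check only catches the specific trick alleged here and should be tuned to cities that normally produce traffic, or it will flag low-volume honest affiliates. In production the same logic would also join cookie sets against later conversions, since stuffed cookies that never convert cost the marketer nothing.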
If in fact the defendants engaged in cookie stuffing, I hope eBay nails them. However, I must say that some of eBay's legal arguments made me nervous. eBay's alleged causes of action include:
* CFAA (18 USC 1030). The allegation is that presenting a bogus cookie to eBay's servers was a misuse of the servers. Hmm...
* fraud. Similarly, the allegation is that the defendants caused web users to make a misrepresentation to eBay's servers by presenting a bogus cookie. Hmm again...
* CA Penal Code 502. There are very few cases interpreting 502, which isn't necessarily a bad thing because the statute is so broadly over-inclusive that everyone violates it routinely. Here, it looks like the lawyers weren't quite sure how to fit cookie stuffing into the statute. Take a look at para. 60 and let me know if you agree that this is an odd pleading.
* a civil RICO conspiracy claim. Given that eBay is being sued for RICO claims in the Mazur case (and, I'm sure, others), I would think eBay would want to avoid building new legal precedent that could be applied against them in other cases.
Reading the list of causes of action, I was surprised that there wasn't a more squarely applicable cause of action that governed cookie stuffing (however, I will confess, none came to mind as I drafted this post). Maybe this is due to the fact that eBay rather than Commission Junction is the plaintiff. If there isn't a better cause of action, then perhaps there is a hole in the law. However, I'm keeping my fingers crossed that a judge won't bastardize existing legal doctrines to plug it.
Posted by Eric at 09:23 AM | Licensing/Contracts , Marketing , Privacy/Security | TrackBack
July 24, 2008
Relevancy Trumps Creepiness, and Some Thoughts About Behavioral Targeting
By Eric Goldman
On Monday I spoke on a panel at OMMA Behavioral. See the MediaPost recaps (1, 2, 3, 4). The crowd was buzzing about Dave Morgan's earlier remarks (which I didn't hear) that behavioral targeting is "creepy," and throughout our panel discussion, any enthusiasm expressed about behavioral targeting was tempered by creepiness concerns.
I can understand this reaction, at least a little. When I was younger and first learned about the many tricks of marketer targeting, I was initially aghast at the seeming intrusion. They can't do that, I thought.
As regular readers know, I've outgrown those sentiments. Now, I really don't care what the machines know about me. And if the machines can figure out how to better cater to my interests and reduce the spam in my life, then I'm all for it.
At the same time, I think this latter observation suggests my real problem with behavioral targeting. There will always be some privacy diehards who will object to machine monitoring of their behavior on principle, but most people will be receptive (even after they get through the initial shock about behavioral tracking) if the targeting improves the user or consumer experience. Demonstrate to consumers that behavioral targeting gives them better results, and it's an easy sale. Relevancy trumps creepiness.
But I haven't seen any evidence that behavioral targeting has produced these payoffs (or, for that matter, any meaningful payoffs) for consumers yet. Current behavioral targeting practices might give marketers a little conversion lift compared to other targeting solutions (or not), but they have done little to change the overall fact that ads remain poorly targeted and crummy, and consumers still have plenty of incentives to treat ads as the pain to avoid through ad blindness or technology.
At this point, I'm still wondering if and when behavioral targeting will deliver on its theoretical promise. Sure, we can find excuses for the crummy user experiences today--the technology is still being developed, it's hard to get useful datasets (more on that in a moment)--but those excuses only go so far, and they will wear thin quickly. For behavioral targeting to really be a game-changer, it needs to deliver dramatically improved ad relevancy for consumers, and we're far from that ideal point.
I've argued before that for behavioral targeting to work, the marketer needs a comprehensive dataset about the consumer. Accordingly, a marketer--even an ad network--that relies solely on data collected from a consumer's interaction with web servers simply can't see enough data about the consumer to achieve a sufficient level of relevancy for the consumer. My paradigmatic example: no matter how much Amazon knows about my purchases from it and my browsing habits on its site, they still don't know if I bought a book from someone else unless I tell them (and I have no reason to tell Amazon what books I buy elsewhere).
This is why I'm so intrigued by the Internet access provider-level targeting exemplified by Phorm and NebuAd. In theory, they get access to much better datasets than web server-level targeters. If I browsed for a book on Amazon but I bought the book at barnesandnoble.com, the Internet access provider can know this while neither Amazon nor B&N will know about my interactions with the other vendor.
For this reason, I've been quietly bemused by the legal fracas over Phorm and NebuAd's practices. Don't get me wrong--although the analysis is intensely fact-specific and I don't have all the facts, I have serious concerns about the legality of their practices. But from my perspective, the battles over the legality of Phorm and NebuAd are a smokescreen for the real issue, which is that marketers who have only server-level data don't want to compete against someone who has a better dataset than them. So expect plenty of continued fireworks over Phorm and NebuAd, but don't kid yourself that it's only the privacy advocates beating up on them.
Posted by Eric at 02:05 PM | Marketing , Privacy/Security | TrackBack
July 01, 2008
June 2008 Quick Links
By Eric Goldman
Trademarks/Domain Names
* Utah Lighthouse Ministry v. Foundation for Apologetic Information and Research, 2008 WL 22043807 (10th Cir. May 29, 2008). CMLP writeup. Nice 10th Circuit win for a gripe site against trademark infringement and cybersquatting. This case, plus the SKI VAIL case, indicate that the 10th circuit is making progress undoing the harm it created in the Australian Gold v. Hatfield case.
* Georgia has a new anti-phishing law (16-9-109.1) that acts as a para-trademark law. See my comments on the analogous California anti-phishing law.
* After initiating a trademark lawsuit against a consumer review site and soundly losing in court, Lifestyle Lift paid $17,500 to settle its own lawsuit and avoid claims for legal fees under Rule 11 and the Lanham Act.
* Marty reports on a German case saying that white-text-on-a-white-background is a trademark use.
* Update on the battle over the trademark registration for "SEO."
* Will TLD proliferation lead to a new open era in domain name administration, or will the resulting anarchy just reinforce that top search engine placement is the really important online real estate? It seems like the currently limited number of TLDs has some benefits from a bounded rationality standpoint, and those benefits will be lost in a cacophony of unknown TLDs.
Patents
* My colleague Colleen Chien has posted "Patently Protectionist? An Empirical Analysis of Patent Cases at the International Trade Commission" (forthcoming William & Mary Law Review). She empirically demonstrates that the ITC mostly involves disputes between two domestic litigants, making it a redundant battleground with federal district court but nevertheless an attractive venue for plaintiffs due to a number of procedural advantages. She makes a number of recommendations to eliminate the litigation gamesmanship offered by having parallel venues. Check it out.
Search Engines
* Udi Manber, chief algorithm keeper for Google, reiterates why it's silly for lawyers and judges to put too much legal emphasis on the relative placement of search engine results, saying "it's definitely the case that if you do the same search on a different cluster, you may get slightly different results at a given time. It's also the case that if you do the same search on different days you may get different results, because some of the results are things we indexed five minutes ago."
(Over)Regulation
* In response to an enforcement effort by the NY AG's office, several Internet access providers have blocked access to newsgroups that are putatively sources of child pornography. See the NYT story and the NY AG press release. In practice, this means wholesale takedowns of newsgroups that may have nothing to do with child porn. For example, Verizon is killing all USENET hierarchies except comp.*, misc.*, news.*, rec.*, sci.*, soc.*, and talk.*. Wired suggests this is the death of online intermediary freedom as conceptualized in 47 USC 230. Of course, 230 never protected intermediaries from criminal exposure for child porn, and this isn't the first time that an access provider has knuckled under to the NY AG's office. See the BuffNet enforcement action from 2001.
* Ohm, Paul. The myth of the superuser: fear, risk, and harm online. 41 UC Davis L. Rev. 1327-1402 (2008). A neat article on how regulators manufacture a fake bogeyman, the unbeatable "superuser," as a justification for expansive regulatory power.
* No evidence that data breach disclosure laws actually help reduce identity theft. Surprised?
* The FTC wants civil enforcement authority for spyware actions. Haven't they heard that the adware battle is already over...and they won?
Contracts
* Mark Radcliffe expresses concern about the ALI's proposed software licensing project on open source licenses.
* Sarah Bird on a messy contract lawsuit involving an SEO contractor.
Anonymity
* Tendler v. www.jewishsurvivors.blogspot.com, 2008 WL 2352497 (Cal. App. Ct. June 10, 2008). A subpoena request to identify a blogger doesn't support an anti-SLAPP cause of action.
* In the AutoAdmit lawsuit, Doe 21's motions to quash the subpoena and proceed anonymously were both denied. David Hoffman provides an update on the case.
Event Tickets
* Chicago has moved against eBay for reselling tickets in violation of its amusement tax law.
* The Ticketmaster v. RMG case ended with a default judgment granting a permanent injunction and $18.2M in damages.
General
* Vanity Fair: How the Web Was Won.
* Paul Levy blogs about a plaintiff's effort to bypass 230 by suing the authors of complaints about the vendor and then joining the consumer complaint site as a necessary party as a cost-increasing tactic.
* BusinessWeek on emerging technological tools to protect workers' attention against unwanted/untimely interruptions.
* Text message-savvy kids educate the North Carolina DMV about the meaning of the term "WTF," which was used on a license plate example on the DMV's website.
* I have one free pass to OMMA Behavioral in San Francisco July 21. First person to send me an email asking for the pass gets it.
Posted by Eric at 12:32 PM | Adware/Spyware , Content Regulation , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Search Engines , Trademark
June 04, 2008
Google Sued for Running Ads for "Fraudulent Mobile Subscription Services"--Goddard v. Google
By Eric Goldman
Goddard v. Google, Inc., Case No. 108CV111658 (Cal. Super. Ct. complaint dated April 30, 2008). Google's notice of removal to federal court C08 02738 (N.D. Cal. removal notice dated May 30, 2008). [warning: 1.5MB file. Google's notice contains a copy of the original complaint.]
Cyberlaw is filled with examples of plaintiffs suing the wrong defendant for perceived transgressions committed by someone else. Today's misdirected lawsuit involves "fraudulent mobile subscription services," which are optional third party services for cellphones (such as ringtones) that are charged on a periodic basis. The plaintiffs in this putative class action lawsuit feel like they got fleeced by providers of these subscription services. If they did, I hope they get appropriate redress from the wrongdoing vendors. But instead of suing the allegedly fraudulent vendors, the plaintiffs think Google should cover the losses for the sole reason that Google ran ads for the services. The argument goes as follows:
* Google has an express policy requiring mobile service providers to disclose certain info to consumers about their practices
* Google deliberately does not enforce this policy (or inadequately enforces it) to enjoy undeserved cash
* As a result, Google should stand behind all of the losses caused by its advertisers
There are some obvious problems with this argument. First, it's a gross example of cyberspace exceptionalism. An analogy might be that dead-trees newspapers should stand behind any losses suffered by readers who transact with newspaper advertisers. Sounds ridiculous? It does to me, whether the publisher is online or off.
Second, this argument ought to be clearly, squarely and soundly trumped by 47 USC 230. eBay has won on this exact point when plaintiffs have tried to hold it liable for accepting advertising (in the form of listings) for fraudulent products (at minimum, the Gentry case involving fake sports memorabilia seems apropos). The recent Doe v. MySpace case is also analogous, because the plaintiffs were trying to hold MySpace liable under a "premises liability" theory for tortious activity that took place outside of its premises. Either way, if Google's sole role in the process was publishing third party ads, it's not liable per 230.
It's not clear if the plaintiffs know about 230 or think it applies to this case, but they made two arguments that could be used to argue around 230. First, they allege that Google helped write the ad copy. I'm still not sure if this allegation actually is enough to hold Google liable for downstream fraud, but unless Google actually wrote the copy itself, it's not liable for third party ads even if it helped edit them or prescreened them (see Ramey v. Darkside Productions).
Second, they try to argue that Google's contract with its advertisers describing minimum standards for mobile service vendors running Google ads is an express marketing representation that binds Google for any breaches by the advertiser. By anchoring the claim in false advertising, the allegation might be designed to take advantage of the Mazur v. eBay exclusion to 230. However, treating contractual restrictions with a third party as affirmative representations to consumers is the exact same analytical error made by the New Jersey Attorney General's office in the JuicyCampus investigation, and the error is no less baffling here. I remain surprised that bright lawyers so fundamentally misunderstand the interaction between contract and false advertising law.
There's one more twist to this lawsuit that merits discussion. As a predicate harm for some of its claims, the plaintiffs argue that their cellphones are computers under the Computer Fraud & Abuse Act (CFAA) and the vendor's confirmatory text messages (required to authorize the service) are unauthorized accesses of a protected computer under the CFAA. I'm not really sure what to make of this theory, but I'm pretty sure it's novel (not necessarily in a good way). I'm OK with treating at least some cellphones as computers under the statutory definition, although this would expand the CFAA's reach quite a bit, but I think it would be highly problematic to treat text messages to a cellphone as an unauthorized access. And even if we did that, I still don't see how Google is responsible for the violation.
(For kicks, there is an analogous claim that Google aided and abetted the vendors' trespass to chattel of the cellphones).
One more thing: this interpretation of the CFAA follows the DOJ's recent attempt to treat breaches of a website's user agreement as a criminal CFAA violation in the Lori Drew prosecution. Given these crazy expansive CFAA claims, it may be time to rethink that statute.
Posted by Eric at 08:20 AM | Derivative Liability , Marketing , Privacy/Security , Search Engines
June 03, 2008
May 2008 Quick Links, Part 2
By Eric Goldman
Copyright
* Google says it isn't settling the Viacom lawsuit (I don't believe it).
* Interesting juxtaposition: (1) Chronicle of Higher Education: How It Does It: The RIAA Explains How It Catches Alleged Music Pirates and (2) BusinessWeek ran a lengthy retrospective on Tanya Andersen's battle against the RIAA, including her beefs against the RIAA’s investigation and enforcement tactics.
* A music warez trader was convicted by a jury of criminal copyright infringement.
Online Contracts
* Juanda Lowder Daniel. Virtually mature: examining the policy of minors' incapacity to contract through the cyberscope. 43 Gonz. L. Rev. 239-269 (2007/08). This article addresses the very important issue of contracting capacity of minors. See my most recent post on that topic.
* Adelman v. Sparks Network (Cal. App. Ct. May 20, 2008). The Jdate online dating service allegedly failed to include required language (such as notice of a mandatory cooling-off period) in its user agreement. The court dismisses the plaintiff's lawsuit nonetheless because he was a happy customer who didn't suffer any damage.
* Tom O'Toole surveys some recent online contract cases. He offers the following conclusions: (1) Contract Terms Should Be Available for Review, (2) Clickable Buttons/Links Should Clearly Signal Assent, and (3) Humans Are Not Helpful.
* I realize this point would be better explored in a full blog post, and I suspect this point has been made in the academic literature (if so, I'd appreciate some cites so I can pass them along). The issue: how might the endowment effect explain consumer antipathy towards EULAs? Wikipedia says the endowment effect means that "people value a good or service more once their property right to it has been established." This observation occurred to me when I attended a ridiculously stacked panel at the ION Game Conference on "user rights" in virtual worlds. Many of the gripes/grumbles related to very common EULA provisions that simply overrode default law. It occurred to me that maybe part of the problem was that consumers assume the defaults are appropriate rights allocations granting them the "property" right, in which case they suffer a greater psychological loss when those defaults are varied than if different defaults were set. One obvious policy consequence: as part of the considerations when setting defaults, policy makers should include the psychological costs of varying the defaults. If the interaction between EULAs and the endowment effect hasn't been written about, it would make an excellent paper topic.
Other Topics
* A military court has said that distributing a hyperlink to child porn does not constitute criminal distribution of child porn. Tom O'Toole explains the situation.
* A.B. v. State, 2008 WL 2031388 (Ind. May 13, 2008). It seems like the digital age recipe for guaranteed trouble: 8th grader + hatred towards a school principal + MySpace. How many judicial cases are we going to see with this combination? This one involves some mean-spirited and profanity-laced comments about her principal made by a 14 year old girl on a private MySpace page accessible only by 26 students. The principal saw it only because one of the students gave a printout to the principal. The court concludes that posting to a private MySpace page doesn't satisfy the criminal standards of "intent to harass, annoy, or alarm" via the Internet.
* Doe v. Friendfinder Network, Inc., 2008 WL 2001745 (D.N.H. May 8, 2008). The court denied the plaintiff's motion for reconsideration on Friendfinder's 230 eligibility for the statement "Sorry, this member has removed his/her profile."
* Another "where are they now?" retrospective on dot com boom companies, ironically running in the Industry Standard (which wiped out in the dot com bust itself).
Posted by Eric at 11:56 AM | Content Regulation , Copyright , Derivative Liability , Internet History , Licensing/Contracts , Privacy/Security , Virtual Worlds
May 23, 2008
Lori Drew Prosecuted for CFAA Violations--Some Comments, and a Practice Pointer
By Eric Goldman
Before I get started, let me first say that my heart goes out to Megan Meier's family. They have suffered a devastating tragedy, and I cannot possibly fathom the pain they must feel. As a result, I feel a little awkward blogging on the situation because I fear my words could be misinterpreted as some sign of disrespect or lack of empathy towards the family. I definitely don't intend that.
I have also passed on blogging about Megan Meier's suicide because, until recently, I didn’t think it raised a real cyberspace issue. Assuming the publicized facts are true, MySpace played a crucial role in mediating the communications between Drew and Meier, but Drew's ruse could have been perpetrated using a variety of communication media. Indeed, for millennia (and well before the Internet), people have been sending false messages to each other as part of some manipulative effort (Les Liaisons Dangereuses comes to mind, but we could find countless other examples). The fact that Drew chose MySpace for her scheme has always struck me as uninteresting at best. I recognize that perhaps MySpace made it easier for Drew to pull off her ruse, and perhaps Meier attached more credibility to MySpace messages than she would have attached to messages delivered in other media. But given that people can do serious harm to other people using many different types of communications media, I think it's a mistake to treat this tragedy as a source of profound insight into the nature of cyberbullying or the evils of cyberspace.
Despite this, we know that a high-profile situation like this will spur overreactions. Of most interest for this blog post is last week's federal indictment of Lori Drew for crimes predicated (at their core) on violations of the Computer Fraud and Abuse Act (CFAA). See the indictment. The CFAA violation putatively occurred because MySpace's user agreement required users to:
* provide accurate registration information
* not use information obtained from MySpace to harass or abuse others
* not solicit information from kids
* not promote false/misleading information
* not promote abusive or threatening conduct
* not post photos of third parties without their consent
Allegedly, Lori Drew breached the user agreement by failing to follow these provisions; and by breaching the user agreement, she made an unauthorized criminal use of MySpace's servers.
In the civil context, plaintiffs frequently use the CFAA to attack a defendant's server usage in violation of a site's user agreement. However, as far as I (and Orin) know, this is the first time the DOJ has tried to treat a user's breach of a site's user agreement as a CFAA crime. Not only is this theory potentially unsupported by the law (see, e.g., Orin Kerr and Dan Solove), but it puts almost all of us at risk of federal prosecution (see, e.g., Wired and the AP). Implicitly, the DOJ is saying that breaching a user agreement to provide false registration to a website or post a third party's photo without permission can be a federal crime. If you have never done any of these activities, please email me so I can send you some angel wings. For the rest of us, the DOJ seems to think that we should avoid the Big House only out of their sheer grace.
Also, though Drew's actions may have been heinous, her alleged breaches of the MySpace user agreement were, to be as charitable as possible, chickenscratch. Most websites like MySpace include contractual restrictions like the ones at issue simply to preserve their ability to kick off troublesome users at their discretion--not to put every non-conforming user at risk of looking down the barrel of an FBI agent's .45.
As a result, the DOJ prosecutors appear to be trying to make the MySpace user agreement do more work than it was designed to do. In that respect, I see this case as part of a broader trend where government enforcement agencies are misreading and misusing website user agreements. Consider two other very recent examples of government folks attaching undue emphasis to restrictions in website user agreements:
* the New Jersey Attorney General's office apparently misread restrictions in JuicyCampus' user agreement to think they should constitute affirmative marketing representations
* Joe Lieberman thinks YouTube should wipe terrorist videos off its site because its community guidelines discourage users from posting violent videos
This disturbing trend prompts me to offer a practice pointer to those of you who draft user agreements. Many user agreements—including MySpace’s—have gotten bloated with lengthy lists of restrictive rules (a manifestation of the rule proliferation phenomenon I blogged about here). It's pretty clear to me that government enforcement actors, either because of their fundamental misunderstanding of contract law or for their own self-aggrandizement, will treat these restrictions as expectations that the conduct won't occur on the site. But because most websites don't proactively enforce the restrictions they announce, this sets up a mismatch between rules and actual behavior—a mismatch that enforcers appear all too happy to exploit.
Therefore, I think it is better practice for contract-drafters to rely more heavily on general restrictive clauses in website user agreements (e.g., "we can kick you off at our convenience") than on overly detailed/specific but underenforced lists of restrictions. I know this stance runs contrary to the prevailing sentiment among most Cyberlawyers, who seem to believe that for every bad user behavior, it's easy enough to add a new contract prohibition that putatively eliminates the problem. But if the contracts are being misread, rule proliferation may be doing more long-term harm than good.
Posted by Eric at 05:49 PM | Content Regulation , Licensing/Contracts , Privacy/Security , Trespass to Chattels
April 23, 2008
Online Advertising Conference Recap
By Eric Goldman
Last Friday, the High Tech Law Institute and the Berkeley Center for Law & Technology co-sponsored the Law & Business of Online Advertising conference. We had first-rate panelists and an enthusiastic audience of over 100 attendees. Rebecca blogged the event (tutorials, consumer issues, publisher issues, advertiser issues) and Sarah Bird posted her own recap. My understanding is that BCLT will post the audio from the conference to the conference website in the near future.
I'm going to focus my recap on just three of the talks.
_____
Joel Winston from the FTC (speaking for himself, not on behalf of the commission) spoke on the consumer issues panel. He said that consumers have a feeling of lack of control on the Internet. He thinks that consumers are generally aware of online tracking, but the tracking process is opaque, and consumers don't understand the future implications for use and disclosure of the tracked data. Surveys say that most consumers think tracking shouldn't be done at all or should be governed by an opt-in or opt-out process. Many people like targeted ads but they are worried about other uses of the data, such as security breaches, government misuse and secondary uses.
So consumers want transparency and control, and trust is the key. Adults are concerned about posting data online but kids will post very intimate details online. People don't understand the privacy tradeoffs, such as the connection between targeted ads and free content. And transparency isn't working when consumers don't read privacy policies. Self-regulation is the right approach, but the FTC will step in to protect consumers.
The FTC's behavioral principles:
* transparency and control
* reasonable security and limited data retention
* express consent for material changes to a privacy policy
* express consent to use sensitive data.
_____
Mark Cooper spoke about an interesting new paper he's working on. He starts with the premise that everyone hates "interruption marketing" such as TV ads: consumers hate TV ads (interruptive) and advertisers hate TV ads (can't measure efficacy). In contrast, he thinks newspaper ads are clearly better because they are easy to skip, easy to store and contain more useful information. [Eric's note: Mark is making a highly stylized argument. I explored the relative merits of different ad media in this paper.]
He thinks online advertising can improve on interruption marketing because the Internet is a two way conversation, not push marketing. He outlined 4 dimensions to measure the acceptability of advertising:
* influence. Online advertisers don't create audiences, they chase audiences created for them.
* intrusiveness. Online advertising isn't in the "middle of content." [Sounds like Mark has never experienced an unconsented adware install...and I'm not sure how he'd explain spam in one's in-box...] But he worries that data collection may be more intrusive than other media.
* ubiquity. I think he argued that online advertisers don't devote as much on-the-page real estate to ads as newspapers do. [Sounds like he's never been to a domainer's website...]
* efficiency (delivery of useful information). The cost of online advertising is less than TV, which expands the market for advertisers. This also facilitates the creation of hyper-niche content sites.
Despite some of the benefits of online advertising, he worries about how much information he needs to give up to get these improvements. He thinks behavioral targeting and tracking is inherently deceptive but in-session contextual advertising is OK, and maybe informed consent may be OK.
[Eric's comments:
* I'm not sure the four dimensions he uses are the right dimensions to measure advertising
* His arguments relied on a number of assumptions that aren't very robust, which limits the extensibility of his analysis.
* I think the statement that behavioral tracking is inherently deceptive must be overstated for rhetorical emphasis. Otherwise, I don't think that statement stands up to critical scrutiny.
* I argue (in great/excessive detail) that some types of behavioral targeting are both good and inevitable in this paper.]
_____
Rebecca Tushnet spoke on intermediary liability. She made two main points:
1) Intermediaries aren't good representatives of the speakers who they facilitate because the intermediaries are adverse to their users. Ex: the 512 notice-and-takedown provisions, Google's policy on TMs in ad copy.
2) There is pressure to move away from a robust interpretation of 47 USC 230. Ex: Roommates.com, the recent Adult Friendfinder case (which I hope to blog on soon) and the Quiznos case.
She thinks there may be merit to looking at the New York Times v. Sullivan case, which people sometimes forget is an advertising case (i.e., the plaintiff was trying to hold the newspaper liable for ad copy supplied by an advertiser). The newspaper wasn't liable in that case unless it had actual malice regarding the defamation--a very high scienter bar. Perhaps the actual malice standard could be more widely used in the online context; among other benefits, notice alone wouldn't create liability.
Posted by Eric at 09:06 AM | Derivative Liability , Marketing , Privacy/Security
April 22, 2008
March 2008 Quick Links, Part II
By Eric Goldman
Copyright
* A lot of action on whether “making available” a file in a P2P share directory is copyright infringement, including Elektra v. Barker and London-Sire v. Doe. Patry summarizes the action.
* Ticketmaster L.L.C. v. RMG Technologies, Inc., 2008 WL 649788 (C.D. Cal. March 10, 2008). Copyright misuse is not an independent cause of action; it's only a defense. HT Evan Brown.
* A student asked me a good Q that I couldn't answer. Given that copyright work transfers are subject to the risk of a non-waivable termination of transfer 35-40 years after the transfer, how do companies account for that risk on their financial statements?
* A man whose Youtube video was taken down by lawyers for Van Morrison strikes back with a new video: "The Lawyers Pulled My Video Down."
Trademark
* The Utah governor signed SB 151, the repeal of the Utah Trademark Protection Act.
* Wilson v. Yahoo! UK Ltd., No. 1HC 710/07, Feb. 20, 2008. A UK court says that buying the broad-matched keyword "spicy" does not constitute an actionable use in commerce of the trademark "Mr. Spicy." In response, Google liberalized its keyword policy in the UK and Ireland to match its US and Canada policy.
* Vulcan Golf, LLC v. Google Inc., 2008 WL 818346 (N.D. Ill. March 20, 2008). This is another interesting development that I just didn't have time to blog (see my earlier post when the lawsuit was filed). In a lengthy opinion, the district court rejected most of the significant motions to dismiss, saying that she wanted to let the case develop. Ironically, she also complained about the workload in the case--perhaps this is obvious, but granting some motions to dismiss would help clear your docket queue! Unfortunately, most of the opinion isn't insightful because so many issues were reserved for further development. Perhaps the most interesting discussion relates to the "use in commerce" question, and the court rejected a motion to dismiss on that basis: "The plaintiffs have alleged that Sedo and the other Parking Defendants transacted in and improperly profited from domain names that are deceptively similar to the plaintiffs' trademarks. Such statements sufficiently allege the "use" of a domain name to allow the infringement claims against Sedo and Oversee to move forward on this issue." Some other commentary on the case: Sarah Bird and David Fish.
* American Airlines loves Google (except for the part where it's suing Google). HT Search Engine Land.
State Regulation of the Internet
* Some state legislators are becoming privacy entrepreneurs about behavioral targeting. Venkat does a recap. But Zachary Rodgers points out that some of the operative provisions track NAI's self-regulatory guidelines. More angst about deep packet inspection by IAPs.
* Ewert v. eBay, Inc., 5:07-cv-02198-RMW (N.D. Cal. March 31, 2008). eBay isn't an "auctioneer" or an "auction company" as defined by California's Auction Act.
* The Tennessee legislature is considering a goofy response to the Hannah Montana ticket furor.
* Ken Magill at Direct wrote an article entitled "Psychotic Law Clowns in Utah at it Again." A highlight: "Whenever I think of Utah's state legislature, I envision a room full of Jack-in-the-Boxes straight out of a never-made Twilight Zone episode. Every fall, when it's time for the next legislative session, their cranks begin to turn, a chorus of "Pop Goes the Weasel" begins, and on the note for "pop" the lids fly open and dozens of psychotic clown heads spring out of the boxes chanting: "New Internet Law! New Internet Law!""
Other Stuff
* The Economist: The Battle for Wikipedia's Soul. "To create a new article on Wikipedia and be sure that it will survive, you need to be able to write a "deletionist-proof" entry and ensure that you have enough online backing (such as Google matches) to convince the increasingly picky Wikipedia people of its importance. This raises the threshold for writing articles so high that very few people actually do it. Many who are excited about contributing to the site end up on the "Missing Wikipedians" page: a constantly updated list of those who have decided to stop contributing. It serves as a reminder that frustration at having work removed prompts many people to abandon the project." See a similar article in the NY Times Review of Books.
* FTC busts Goal Financial for inadequate security practices.
* The DOJ is busting people who click on a link that purportedly offered child porn, prosecuting them for attempted downloading of child porn.
* Orin Kerr, "Criminal Law in Virtual Worlds," University of Chicago Legal Forum (forthcoming). Orin sensibly argues against virtual world exceptionalism with respect to criminalizing activities in virtual worlds.
Posted by Eric at 10:09 AM | Content Regulation , Copyright , Domain Names , Marketing , Privacy/Security , Trademark , Virtual Worlds
March 24, 2008
Clickthrough Agreement Binding Against Minors--A.V. v. iParadigms
By Eric Goldman
A.V. v. iParadigms, 2008 U.S. Dist. LEXIS 19715 (E.D. Va., March 11, 2008).
I previously blogged that the judge was going to dismiss this case. The judge finally issued an opinion explaining his reasoning, and it's quite an interesting read.
At issue is iParadigms' Turnitin plagiarism detection service. It works as follows: a professor adopts the Turnitin service for a class. Students then submit class papers directly to the Turnitin database. Turnitin compares the submitted papers against its database, which includes Internet content, previously submitted student papers, and various commercial databases. Turnitin then provides the professor with an "Originality Report" assessing the likelihood that the paper was original to the student and not copied from one of the sources in the database. At the same time, Turnitin adds each student-submitted paper to its proprietary database so those papers create matches if submitted again.
Personally, I've never used the Turnitin service. I'm lucky enough that when I've taught "paper courses," I've been able to work closely enough with each student that a plagiarized paper would be useless. However, not every professor or teacher can interact with students enough to make these individualized assessments, and there are plenty of courses where students basically dump a paper onto professors in a relatively impersonal exchange. In those cases, I could see why Turnitin is an important or even essential tool to combat student efforts to game the grading system.
Even so, I remain troubled by some aspects of the Turnitin service. Most of my concerns relate to the implicit coercion of students to use Turnitin. Some students may not be aware that the professor will require Turnitin use at the beginning of the semester when (in theory) objecting students could freely drop the course, in which case the student is effectively required to use Turnitin to pass the class regardless of student consent. Even more problematically, students might be required to take a Turnitin-mediated course--such as when the course is a mandatory prerequisite and there aren't multiple professors teaching the course, or when students are assigned to a course without any choice (such as in high school). In those cases, students are forced to participate in the Turnitin scheme whether they want to do so or not. This isn't the biggest travesty in the world, but I'm not sure it's fair either.
The plaintiffs in this case--a group of four high schoolers--mount a solid attack on the Turnitin system for copyright infringement based on Turnitin keeping copies of their papers and occasionally republishing the papers to other professors when the papers trigger matches in future Originality Reports. iParadigms defends based on its mandatory clickthrough agreement, which every student must agree to as part of the submission process. The clickthrough was properly formed, so there's no question that it superficially demonstrates mutual assent.
However, student consent is illusory in at least two ways. First, as I mentioned, many students don't have a meaningful choice about consenting to the clickthrough agreement because they will fail their courses if they don't submit. The students attack this as duress, and the court correctly notes that Turnitin is not the source of duress; instead, the schools are the source, and the court tells the students to take it up with them. While the court is right that duress doesn't apply directly here, I could have seen other courts using the school-supplied duress as part of an unconscionability attack on the contract.
Second, the plaintiffs were minors, and well-settled law is that incomplete contracts with minors are voidable. The court sidesteps this issue by saying that the students had received the complete benefit of the Turnitin contract relationship when their papers were cleared by the Originality Report, and therefore they could not "return" the benefits conferred on them by Turnitin.
This is a ruling of potentially large significance. I've long believed that courts would struggle with dismissing claims by minors against websites because of the voidability issue, which seemingly left a large class action hole against all websites with minors as users. That hole may still exist--it depends on whether the contract is complete or not, and in many cases both parties will have incomplete obligations in a standard website EULA. Despite this, it's clear that this judge wasn't going to entertain any bypass that threatened the integrity of the Turnitin service, and I wouldn't be surprised if many other courts would reach the same conclusion in other circumstances.
The court dismisses the copyright infringement claim on the alternative ground that Turnitin's copying is fair use:
* storing the copy of the paper for plagiarism-detection purposes is highly transformative
* the court twists the nature-of-the-work factor to weigh in favor of Turnitin, saying that Turnitin doesn't use the papers for their creative meaning
* the court also twists the amount/substantiality of the portion taken to weigh in favor of Turnitin. Even though Turnitin takes 100% of the work, it doesn't really publish the entire work (except in the occasional cases where a professor requests a copy after a match in the Originality Report) to others but simply flags the match.
* the court dismisses the effect on the market value of the work. Most student papers have no commercial value. The papers would have commercial value if resold to the term paper websites, but the plaintiffs conceded that they wouldn't authorize this usage because that would be cheating.
While I can't really quibble with the conclusion that Turnitin's use is fair, especially given the laudable objective of plagiarism suppression, other judges would have reached the opposite conclusion because Turnitin forces students to put their papers into a database that iParadigms mines for its profit.
In any case, this fair use ruling may augur well for search engine fair use cases, most obviously Google's book search and Google News--both of which pump third party copyrighted works into a for-profit database but republish only a limited portion.
The opinion also has some interesting discussion about iParadigms' counterclaims against the students. iParadigms initiated a very aggressive counterattack against the students (the words "scorched earth" came to mind). I guess iParadigms wanted to send the message--don't screw with us, because we'll make your life heck. I don't think iParadigms expected to get any meaningful payoff from their counterclaims, but they got nothing. In some sense they are lucky that it wasn't worse; I could see some judges taking such umbrage at iParadigms' tactics that they could have backfired.
iParadigms sought indemnity from the students based on a clause in its usage policy. The problem is that the usage policy wasn't presented as a mandatory clickthrough (whoops!) and the court refuses to extend the Register.com v. Verio bailout here.
One of the students obtained false credentials to log into the system at one point, but the court rejects iParadigms' claim that such a login was a trespass to chattels, a Computer Fraud & Abuse Act violation, or a Virginia Computer Crimes Act violation because iParadigms couldn't make any showing of damages from this unauthorized login. This is the right result (at least with respect to trespass to chattels) per Intel v. Hamidi, but we've seen plenty of courts ignore the damages requirement from the Hamidi case.
Other comments on this case:
* Tom O'Toole
* Rebecca Tushnet
* Siva Vaidhyanathan
* Georgia Harper
* William Patry
UPDATE: According to the Chronicle of Higher Education, the students plan to appeal. Given the many conflicting norms associated with this case, I would be surprised if the appellate ruling was as decisively favorable for Turnitin as the district court opinion was.
Posted by Eric at 10:41 PM | Copyright, Licensing/Contracts, Privacy/Security
March 02, 2008
Feb. 2008 Quick Links
By Eric Goldman
Advertising
* BusinessWeek: Monetizing social networking sites isn't as easy as everyone had hoped, clickthrough rates are through the floor (0.04%!), and ad proliferation on the sites is driving users away.
* Wilbur, Kenneth C. and Zhu, Yi, "Click Fraud" (January 2, 2008). This paper appears to argue that search engines can increase their profits by failing to disclose the true rate of click fraud on their network.
* In re Miva, Inc. Securities Litigation, 2008 WL 450037 (M.D. Fla. Feb. 15, 2008). This lawsuit alleges that Miva and some associated individuals understated or misreported Miva’s reliance on click fraud, spyware and third party distributors in its public statements and thus inflated the company's stock price. Last year, the court dismissed many of the allegations but let a couple survive. In this ruling, the court dismisses a few more defendants from some statements and lets the rest of the case proceed.
* Going-out-of-business sales are often just another scam. (HT ContractsProf). Note this is completely consistent with economists’ theoretical predictions of final-period behavior of trademark owners.
* Google's stock has lost $70B in market cap in 7 weeks. Oh darn. Clickz offers some theories about why Google's clicks are declining. Could lower rates of click fraud be part of it?
* Hal Varian, Google's Chief Economist, argues that Google's marketplace success is solely due to its "secret sauce" (i.e., the advantage of learning by doing) rather than any defects in the marketplace.
Spam
* Jaynes v. Virginia (Va. Sup. Ct. Feb. 29, 2008). By a 4-3 vote, the Virginia Supreme Court upheld Jeremy Jaynes' 9-year sentence for violating Virginia's spam law.
* Silverstein v. Experienced Internet.com, 2008 U.S. App. LEXIS 3364 (9th Cir. 2008). The Ninth Circuit dismissed a CAN-SPAM lawsuit for lack of personal jurisdiction where the defendants attested that they didn't send the message and aren't local.
Domain Names
* NSI has been sued for its practice of snapping up domain names that users had merely looked up through WHOIS searches, before those users could register the names themselves. The complaint. Good luck defending those practices, NSI!
* Two more breathy articles about the economics of domaining from the New York Times and Network World.
47 USC 230
* Johnson v. Barras, 2007 CA 001600 B (DC Superior Ct Feb. 1, 2008). Court dismisses a lawsuit against a website for republishing a defamatory story per 47 USC 230.
* Yet another doomed lawsuit against MySpace for facilitating communications between an adult male and an underage female that led to sex. Sam Bayard's comments.
Pornography
* NY Lawyer (login required): "Defense Bar Sees Growing Practice in Internet Sex Crimes"
* A federal obscenity prosecution for publishing graphic short stories (without pictures) on the Internet? As Tim Wu says, "astonishing."
* The Utah legislature is considering entering the marketplace again, this time through a certification mark program for Internet access providers who are willing to combat porn. See HB407. Of course, the Utah legislature has had terrific success in the past creating successful new business opportunities that the marketplace has overlooked.
User-Generated Content
* Nick Carr: "What we've seen happen with self-regulating communities, both real and virtual, is that they go through a brief initial period during which their performance improves - a kind of honeymoon period, when people are on their best behavior and rascals are quickly exposed and put to rout - but then, at some point, their performance turns downward. They begin, naturally, to decay." Like, I think, Wikipedia.
* Slate on the top-heavy nature of contributions to Wikipedia and Digg.
* Christian Science Monitor: Teachers Strike Back at Students' Online Pranks.
* Sam Bayard on a motion to quash in the AutoAdmit case.
Reputation
* eBay no longer lets sellers leave negative/neutral feedback for buyers. This putatively stops sellers from retaliating against buyers who leave legitimate complaints, but it also skews the database towards only positive reviews, which ultimately undercuts its credibility.
* In India, where courtships remain very brief by US standards and grooms can be paid dowries by the bride's families, there is an emerging trend for brides to hire "wedding detectives" to ferret out the scoop on grooms and whether their representations are correct.
* Funny article on being a secret shopper for Consumer Reports.
* Dan Solove's book, The Future of Reputation, is now available online for free. Ethan's review of the book.
Patents
* Six years later, eBay finally buys it now: eBay v. MercExchange settles with eBay buying out some of MercExchange's patents and licensing others.
* Mike Masnick: "Psst! Patent Examiners Do Not Scale"
Copyright
* Mike Masnick: “Why We Should All Want Politicians Who Plagiarize.”
* Do Not Resuscitate...My Copyrights (funny).
Miscellaneous
* Citizen Media Law Project has a useful discussion on getting insurance for cyberlaw risks.
* People v. Fernino, 2008 WL 382348 (N.Y. City Crim. Ct. Feb. 13, 2008) (woman violated a no-contact order when sending a MySpace message to the person).
* Mike Masnick: "We Need A Broadband Competition Act, Not A Net Neutrality Act"
* A retrospective on some of the leading dot-coms from the 1990s.
Posted by Eric at 05:32 PM | Content Regulation, Copyright, Derivative Liability, Domain Names, E-Commerce, Internet History, Marketing, Patents, Privacy/Security, Search Engines, Spam, Trademark
February 12, 2008
Jan. 2008 Quick Links (Non-IP Edition)
By Eric Goldman
47 USC 230
* Doe v. SexSearch, the case absolving a website of liability for failing to verify a user's age, has been appealed.
* The Supreme Court denied cert in Parker v. Google. See 2008 WL 114262.
* NYT update on the Subway v. Quiznos lawsuit. I'm still waiting to see how the CCBill case affects the legal analysis.
Ripoff Report
* CMLP reported that Energy Automation Systems v. Xcentric Ventures has settled.
* A lot of people would love to take down the Ripoff Report. The latest (perhaps unexpected) opponents--the SEO crowd. See here, here and here. Definitely not a group I'd want to have gunning for me...
* Sarah Bird wrote the blog post I wanted to write: a recap of all of the litigation involving the Ripoff Report and its related entities. She updates a number of cases I've blogged about here.
Privacy
* The quest to find defendants in the AutoAdmit lawsuit has spilled over to unrelated websites whose URLs were posted to AutoAdmit, on the theory that AutoAdmit users were likely to have visited there prior to or after the links were posted. See the plaintiff's motion. This has proven to be a controversial move; see critiques from Mike Masnick and Sam Bayard.
* World Privacy Forum's Top Ten Opt Outs.
* The Privacy Rights Clearinghouse has compiled a master list of all the data breaches that have been announced.
Spam
* Venkat on 4 years of CAN-SPAM. I think the best we can say is that CAN-SPAM hasn't destroyed email as a communication tool, but I am skeptical that its significant transaction costs are outweighed by its benefits.
* Search Engine Land shows Wired that its wiki isn't spam-proof and then apologizes for it.
Marketing/Advertising
* Greg Linden predicts a dot-com crash in 2008 where a dry-up of investment capital will lead to marketing desperation: "Much like we saw after the 2000 crash, it is likely that those with little to lose will attempt scary new forms of advertising. The Web will become polluted with spyware, intrusiveness, and horrible annoyances. None of this will work, of course, and there will be lawsuits and new privacy legislation, but we will have to endure it while it lasts."
* Oddee has some vintage ads that couldn't be made today.
Blogging
* Examples of how blogging is actually increasing some companies' sales.
* Giving in to cyberspace exceptionalism, a divorce court judge ordered a husband to stop blogging about the wife. Fortunately, the judge soon realized his error and reversed course, basically throwing up his hands saying "I don't know what to do here." Garrido v. Krasnansky, No. F 466-12-06 (Vt. Fam. Ct. Jan. 14, 2008).
Miscellaneous
* Once again, Mike Masnick says what I was thinking better than I could: "Both Microsoft And Google Are Probably Best Off Shutting Up About Monopolies."
* Wired has a great article on scraping data from major Internet players, many of whom themselves use scraping-like methodologies to gather data: "But beneath all the kumbayas, there's an awkward dance going on, an unregulated give-and-take of information for which the rules are still being worked out. And in many cases, some of the big guys that have been the source of that data are finding they can't — or simply don't want to — allow everyone to access their information, Web2.0 dogma be damned."
* The FTC has cracked down (again) on a website for inadequate security. This time, the e-tailer "Life is good" promised that "all information is kept in a secure file," but an intruder obtained customer data (credit card numbers, etc.) anyway. The FTC pointed to several deficiencies, including (1) the retailer's failure to store the sensitive data in encrypted form, (2) inadequate efforts to identify and patch security holes, and (3) inadequate monitoring for intrusions.
* Krause v. Chippas, 2007 WL 4563471 (N.D. Tex. Dec. 28, 2007). Court says a website user was bound to the contract when "lead page" of website said "USE OF THIS SITE AND OR SERVICES OFFERED WITHIN THIS FUTURESCOM.COM SITE SIGNIFIES YOUR AGREEMENT TO THIS SERVICE AND USAGE AGREEMENT."
* An interesting British study explains the downsides of government-mandated disclosures to consumers. HT Rebecca.
* I participated in a 30 minute podcasted conversation on the Lawyer 2 Lawyer show on the topic of social networking sites.
* I have 2 copies left of my 2007 Cyberspace Law course reader. First 2 people to email me with a request and their mailing address get them. [UPDATE: Gone!]
Posted by Eric at 05:50 PM | Derivative Liability, Licensing/Contracts, Marketing, Privacy/Security, Spam
January 30, 2008
State of the Net Conference Recap
By Eric Goldman
Today I attended the State of the Net conference, sponsored by the Congressional Internet Caucus Advisory Committee. This event has become the "go-to" event for Internet policy wonks. Well over 300 people attended, including many well-known folks. If you deal with Internet policy, you should be at this conference.
A few notes from the event:
The morning keynote was delivered by Mary Bono Mack, who delivered one of the most true believer IP-maximalist talks I've heard in a long time. It was almost cartoonish. Based on the fire-and-brimstone talk, I imagine she would support just about any expansion of IP rights proposed to her. In response to a Q&A, she said that she had been previously misquoted and that she doesn't support a perpetual copyright duration. But she thought the Eldred opinion vindicated Congress' previous term extension as a reasonable policy; she must have read a very different opinion than the one I read. See Anne Broache's writeup of Mary's talk.
I've now heard a few different suggestions that server-level filtering by IAPs would drop them out of 512(a) coverage. (Today, Gigi Sohn raised this issue.) This arises in response to AT&T's proposal to filter for copyrighted material, but it's also a subtext of the net neutrality discussion. I'm not sure if this is an accurate reading of 512(a), though. 512(a) says it applies only if "the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without selection of the material by the service provider." (Emphasis added). What does it mean for a service provider to select material? In context, I think the statutory language means that the user, rather than the service provider, selects the particular file moving over the IAP's network. I don't see how this exclusion was meant to cover automated filtering. In contrast, if the language is read to apply to filtering, would any type of filtering, including spam and virus filtering, knock IAPs out of 512(a)? If so, then no one could ever qualify for 512(a). It's not beyond Congress to draft a safe harbor that describes a null set of activity (see, e.g., 512(d)), but I suspect the courts will be more flexible in their reading than this.
The always-entertaining Federal Trade Commissioner Jon Leibowitz spoke about social networking sites. He implied that if Facebook hadn't backed down on Beacon, he was going to encourage the FTC to investigate it. He also wondered how online speech could receive the same level of protection as offline speech, and specifically referenced Marsh v. Alabama (the company town case) in suggesting that some online sites might be analogized to essential facilities. I'm not really sure what to make of this, as every court that has reviewed these state action arguments as applied to private online sites has rejected them squarely. But I'm sure virtual world exceptionalists will be thrilled to know that an FTC Commissioner might be sold on weighting player rights over provider rights.
At the post-event technology exhibition, I had the most remarkable demo from a woman at Quova, the geolocation company that claims 97% accuracy to the state level and 95% accuracy to the city level. I don't feel comfortable repeating some of the things she said because I haven't been able to validate them, but suffice it to say that all of you privacy advocates who freaked out about ChoicePoint may have a new company to freak out about. Among the questions that I'd like to see answered about Quova:
* what websites supply them with IP address data based on their users' activities? If it's the companies she named, then I'm pretty confident that at least some big Internet brands have been regularly violating their privacy policies.
* what government agencies are Quova's customers? And what are they doing with the data?
* what kinds of subpoenas is Quova getting from private plaintiffs, and how are they handling those subpoenas? Based on what I heard, it sounded like plaintiffs have been wasting their time tendering subpoenas to individual websites when Quova may offer some interesting one-stop-shopping.
If you have any insights into any of these Qs, I'd welcome your thoughts.
Posted by Eric at 11:14 PM | Copyright, Privacy/Security, Virtual Worlds
December 14, 2007
Oct.-Nov. 2007 Quick Links, Part 2
By Eric Goldman
Marketing/Branding
* To stimulate demand for its services, the British postal service is pointing out that snail mail is a good way to use olfactory marketing. Try to keep up with THAT, spammers! But doesn't this give new meaning to the observation that “junk mail stinks”...?
* Dunlop Tires offered a free set of tires to people who would get a tattoo of the company's logo. This tops a past promotion where they gave free tires to anyone who got tire tracks shaved into their hair. As a promotion, tattoos have an obvious advantage over hair-shaving because hair grows back. See my comprehensive post on tattoo advertising.
* As the Internet increases price competition and reduces margins in the jewelry market, diamond manufacturers are trying to prop up prices by branding their diamonds.
* Another lawsuit over the scorching-hot Hannah Montana concert tour—this time, alleging that the Hannah Montana fansite overpromised priority access to tickets.
* Anthony v. Yahoo, which involved a claim that Yahoo misled consumers of its dating service, has settled for $4M.
* I enjoyed this YouTube Video, Mr. Spam Man. Brought to mind the Spam-Free-or-Die video, which is still funny today.
Copyright
* William Patry on crazy copyright rulings against the “segOne,” a device that allows retailers showing broadcast TV to their patrons to substitute in ads sold by them instead of the ads sold by the broadcasters.
* Textile Secrets International, Inc. v. Ya-Ya Brand, Inc. (C.D. Cal. Oct. 31, 2007). 17 USC 1202 (the restriction on modification/removal of "copyright management information") has rarely been interpreted, so this is a noteworthy case on that basis alone. This case involved the removal of CMI in offline activities. The court concludes that it "nevertheless cannot find that [1202] was intended to apply to circumstances that have no relation to the Internet, electronic commerce, automated copyright protections or management systems, public registers, or other technological measures or processes as contemplated in the DMCA as a whole."
* The Copyright Office has (finally) updated its electronic copy of Title 17.
Blogging
* David Hoffman discusses some considerations when structuring a group blogging LLC's operating agreement.
* U.S. v. Citgo Petroleum Corp., 2007 WL 4116066 (S.D. Tex. Nov. 19, 2007). An attendee at a trial blogs some of her observations about the jury. Her reward? One of the litigants can depose her as having potentially relevant information about jury impartiality. See my first-hand experience with potentially being deposed due to a blog post.
E-Commerce
* College students are ordering tires, pool tables and Winchester rifles online.
* The Canadian taxing authorities have won a victory allowing them to order eBay’s US company to disclose vast amounts of transactional data that presumably will be cross-checked against Canadian PowerSeller tax returns.
Miscellaneous
* Express Media Group, LLC, v. Express Corp., No. C 06-03504 WHA (N.D. Cal., May 10, 2007). Martin Samson's summary: "Court finds defendant, who claimed to have purchased plaintiffs' Express.com domain for $150,000 from someone who purported to be, but was not, the domain's Administrative Contact, guilty of conversion and directs defendant to return the domain to plaintiffs."
* Fallout from the Oracle v. SAP case: SAP may sell TomorrowNow, and several TN executives have been axed.
* A good use for a geolocated cellphone-mediated information service: the location of the nearest public toilet.
* Declan rails against a federal "Do Not Track" list.
* NYT: US News & World Reports is getting into the consumer review business by aggregating third party opinions. According to the NYT, "The magazine has searched the work of dozens of automotive reviewers at newspapers and magazines, assigned a numerical value to each review (a process U.S. News describes as complex, rigorous and top secret), and then aggregated those into final scores. The Web site offers a description of each vehicle, sprinkled with snippets of quotes from those reviewers, so that it reads as much like a Zagat's restaurant blurb as something you might find in Consumer Reports."
* Don'tcensorme.com: a website for commenters who believe that their comments have been deleted by moderators on hubris overload.
* BusinessWeek: 101 Best Web Freebies.
Posted by Eric at 08:20 AM | Copyright, Domain Names, E-Commerce, Marketing, Privacy/Security, Spam
November 10, 2007
Google Resists Subpoena for Keyword Ad Purchases--Connor Sport Court v. Google
By Eric Goldman
Connor Sport Court International, Inc. v. Google Inc., CV-06-3066 PHX JAT // CV 07-80252 (N.D. Cal. motion to compel filed Oct. 31, 2007)
This summer, I reported on trademark litigation between Connor Sport Court and Rhino Court. The parties had settled the lawsuit, but then Connor complained that Rhino violated the settlement by buying keyword advertising triggered to Connor's trademarks. Connor then submitted a discovery request to Google seeking records of other people who had bought Connor's trademarks as keywords. As I noted at the time, the requested information had significant competitive value, and Google's delivery of the information could prompt a lot of other similar discovery requests to Google.
Initially, Google seemed inclined to give Connor the data it asked for, but apparently Google changed its mind. Instead, Google has refused to turn over any data related to third party purchases and didn't turn over much related to Rhino. Connor apparently still believes the requested information is worth pursuing, because it has now filed a motion to compel Google to comply with its discovery request.
Google might take the opportunity to clarify its policies regarding the disclosure of keyword ad purchases. Connor's brief claims that Google provided Rhino with information about a third party's ad purchase, including the ad copy, the maximum cost-per-click bid, the number of clicks and impressions, the average ad position and more. Is Google handing out this information merely based on a subpoena, or is Google going to make it harder for litigants to get access to this data? According to the filing, the hearing is scheduled for Dec. 7 at 9 am in San Jose.
Posted by Eric at 12:53 PM | E-Commerce, Marketing, Privacy/Security, Search Engines, Trademark
October 30, 2007
Vendor of Illicit Phone Records Not Protected by 230--FTC v. Accusearch
By Eric Goldman
Federal Trade Commission v. Accusearch, Inc., 06-CV-105-D (D. Wy. Sept. 28, 2007)
Accusearch (a/k/a Abika) offers for sale records of telephone calls made by telephone subscribers. Abika doesn't acquire the records itself directly from the phone companies; third parties do that. Even so, I believe the collection and resale of these phone records was illegal throughout the relevant time period. (Michael Erdman explores this more).
The FTC brings an action against Abika for unfair trade practices. Abika defends on 230. The FTC argued that Abika was the retailer; Abika argued that it is just an intermediary making matches between buyers and sellers of the records. The court rejects the 230 defense for two separate reasons:
* the statutory terms publisher/speaker are ambiguous, at least as applied to this case. Thus, the court turns to 230's legislative history to conclude that Congress didn't mean to protect these types of claims. The court says snarkily "It is ironic that a law intended to reflect a policy aimed at deterring 'stalking and harassment by means of computer' is now being urged as a basis for immunizing the sale of phone records used for exactly those purposes." (Fair enough, but see Zeran!)
* reselling the records meant that Abika "participated in the creation or development of the information" and thus became an information content provider itself.
Both of these arguments are pretty strained. The statutory references to "publisher" and "speaker" aren't entirely clear, but dozens of cases have interpreted them. It would have been nice to see the court consider those precedents before jumping to the legislative history as if the court were reading a 10-year-old statute for the first time. As for the interpretation of "creation or development," I don't see how anyone can interpret those words to include retailing a record without any modifications at all.
Despite these analytical deficiencies, I think the court reached the right result. In my opinion, the retailer/intermediary distinction is the critical linchpin. It's pretty well accepted that an intermediary between buyers and sellers is fully eligible for 230 even if the purchase/sale involves illegal goods--see, e.g., Gentry v. eBay (fake sports memorabilia), Stoner v. eBay (bootlegged recordings). In those cases, eBay was the venue to publish the seller's advertisements to buyers. (See also Ramey v. Darkside Productions, another case holding that a publisher of third party ads wasn't liable for the ads, even if the publisher helped prepare the ads).
In contrast, I think a retailer who acts as the merchant of record of third party goods generally should be liable for selling those goods, even if the goods were acquired for resale from third parties. I don't see how 230 protects a retailer selling goods for its own account--I don't think the claim is appropriately styled as either a "publisher" or "speaker" claim at that point. But see Prickett v. infoUSA, where infoUSA resold data it obtained from third parties but was still eligible for 230.
Unfortunately, I think the court's biggest mistake is that it apparently forgot that it was addressing summary judgment motions, because the court made numerous factual inferences (some apparently contested) against Abika. So I think this ruling is best understood not as an SJ motion, but instead as a bench ruling where the court simply disbelieved that Abika was an eBay-like intermediary and instead concluded that a retailer can't claim 230 for reselling illegal goods for its own account. Rephrased this way, I think the court reached the right result.
For more on this case, see Michael Erdman's nice writeup.
Posted by Eric at 11:26 AM | Derivative Liability, E-Commerce, Marketing, Privacy/Security
October 21, 2007
Ticketmaster Wins Big Injunction in Hannah Montana Case, But Did the Public Interest Get Screwed?--Ticketmaster v. RMG
By Eric Goldman
Ticketmaster L.L.C. v. RMG Technologies, Inc., 2007 WL 2988403 (C.D. Cal. Oct. 16, 2007)
You may remember Ticketmaster's multi-year battle against Tickets.com over data aggregation and deep linking. Ticketmaster never got a solid win in that case, but here Ticketmaster successfully advances the same legal theories against someone gaming its allocation of tickets. Hannah Montana fans might cheer this ruling, but some of the court’s analysis makes this a troubling Cyberlaw development.
Introduction
This case involves what I'll call "ticket sniping"--the practice of quickly snapping up highly-sought-after tickets when they first go on sale and then reselling them at higher prices. When it comes to hot concerts--such as the upcoming Hannah Montana tour--Ticketmaster's price may be well below the prices people are willing to pay in the secondary market. Why don't event promoters use auctions or other dynamic pricing schemes to capture this upside on the first sale? I'm reminded of the odd pricing systems for IPOs--just like that market, perhaps Ticketmaster (as an intermediary) deliberately underprices below the market-clearing price to increase its profits.
In any case, initial ticket buyers from Ticketmaster can get an economic windfall, which naturally motivates people to game the initial first-come, first-served ticket allocation system. RMG was one such gamer. It developed software that helped its customers beat other buyers in the rush to get hot tickets. Ticketmaster sued RMG to stop its gaming activities; the court issues a preliminary injunction:
Copyright
The court says that RMG directly infringed Ticketmaster's copyright in its web pages by browsing them to test the operation of its software tool. Effectively, then, the court says that web browsing is copyright infringement. This isn't the first time a court intimated as much, but it's troubling every time we see it.
The court overlooks any implied license to browse because Ticketmaster's "browsewrap" on its home page (which says "Use of this website is subject to express Terms of Use which prohibit commercial use of this site. By continuing past this page, you agree to abide by these terms") acts as an express restriction on browsing, so any access in contravention of those terms constitutes copyright infringement.
One of the key Qs is how RMG's software differs from other search engine robots. The court skirts this Q, simply pointing to Perfect 10 v. Amazon as excusing the cache copies made by web users who follow search engine links. Of course, search engine robots make lots of other copies, and we think these copies are excused because the final presentation (the display of search results snippets) doesn’t infringe. The court doesn't address this at all.
The court also says that RMG is indirectly infringing based on a Grokster inducement theory because RMG's marketing said it's offering "stealth technology [that] lets you hide your IP address, so you never get blocked by Ticketmaster." This is a pretty expansive interpretation of copyright inducement because the marketing references IP address blocks, not copyright infringement, but it's very consistent with the court's moral condemnation of RMG's behavior.
Anti-Circumvention
The court says that website pages are protected by copyright, and the website used a CAPTCHA to restrict access to these copyrighted works. Thus, distributing the software tool designed to circumvent the CAPTCHA to access the copyrighted website violates 1201(a)(2) and 1201(b)(1). Not only does this give unexpected copyright protection for CAPTCHAs, this ruling seems inconsistent with several precedents holding that bypassing a password protection system doesn't violate 1201.
Breach of Contract
As indicated above, the court upholds Ticketmaster's browsewrap. Admittedly, Ticketmaster has improved its contract formation processes since it litigated against Tickets.com, but I'm not sure this was as easy as the court treated it.
Computer Fraud & Abuse Act
Surprisingly, the court denies relief for this claim because Ticketmaster couldn't allege $5,000 of loss. I tell my students that if they can't construct $5,000 of loss under the CFAA, then they aren't thinking creatively enough.
Conclusion
It's easy to point at RMG and its customers as the bad guys. After all, they are trying to get an unfair advantage in the first-come, first-served allocation of scarce tickets for their economic benefit, with the result that later comers have to pay more to get the same tickets.
But what about Ticketmaster's role in this situation? They haven't designed a technologically gaming-resistant allocation of tickets, so they need legal help to solve that deficiency. I also remain suspicious about Ticketmaster's incentives here, both in setting prices and in policing against ticket allocation gaming. Their motives may not be nearly so consumer-friendly as they try to portray.
And this opinion is hardly pro-consumer either. This ruling won't be a problem if future courts limit this ruling solely to a company's efforts to legally protect a competently designed anti-gaming strategy. But some of the more dramatic rulings are anything but consumer-friendly, such as the implicit holding that browsing is copyright infringement and the upholding of Ticketmaster's browsewrap. If other courts apply these principles more broadly, Hannah Montana concertgoers may have gotten a benefit at the expense of us all.
Posted by Eric at 03:45 PM | Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Privacy/Security
October 15, 2007
Online Trust Conference Recap
By Eric Goldman
On October 2, Santa Clara University held a half-day conference called "Trust Online." This event was co-sponsored by the Center for Science, Technology and Society, the High Tech Law Institute, the Markkula Center for Applied Ethics and Microsoft. We brought together policymakers, technologists, lawyers and academics to explore the process by which online companies engender trust from their customers. The topic of "trust" is complicated because it cuts across privacy, security and branding issues. In the end, we discussed all that and more.
The day started off with a keynote by Richard Clarke, formerly Bush's chief cybersecurity czar. His talk started out on a disconcerting note as he described cyberspace as a place of "chaos" and "crime" (shades of California CIO Clark Kelso calling the Internet a "sewer"). But he got onto more productive ground when talking about how consumers develop trust in different entities:
* trust in the government. Americans' trust in government has fallen to an all-time low. This lack of trust in the government undermines trust across-the-board because, for example, consumers may be reluctant to disclose personal data to websites knowing that the government could get access to it.
* trust in the private sector. He echoed the conventional sentiment among privacy advocates that we need to worry more about Little Brother than Big Brother.
* trust in individuals. He blamed the Internet for the "pandemic" of identity theft--especially lax security.
He proposed five solutions:
1) Biometric ID cards--we need two-factor authentication online.
2) We should ask the government to regulate. He thinks the FCC has the authority to regulate the Internet, and the FCC could instruct ISPs to take specific actions that would reduce risks. He acknowledged that when a person suggests the government should regulate the Internet, others want to take the person away in shackles. That pretty much summed up my reaction to this proposal!
3) We should keep critical infrastructure from being Internet-connected.
4) Industry should improve the security of its code.
5) We should form a government entity that people could trust to safeguard their privacy and civil liberties concerns.
Next was a panel on Enforcing and Enabling Trust, moderated by Lise Buyer (one of the star Internet analysts from the dot com boom). Panelists: Scott Charney of Microsoft, Mozelle Thompson (a former FTC Commissioner who is doing a lot of consulting work for Facebook) and Jim Ransome from Cisco. Some notes I made during this panel:
* Charney: consumers need just-in-time, actionable information to make trust decisions
* Thompson: people are clamoring for context
* Charney: security and privacy are conflated in the concept of "safety." People just want to feel safe.
* Thompson: people don't want anonymity, they want control over their data (Eric's comment: this makes sense in a Facebook context; not sure if it is more broadly extensible)
* Charney: goal should be risk management, not risk elimination
* Charney: we think of security as binary (is it secure or not), but privacy is a continuum
* Charney: we accept the fact that people may die in the name of privacy (examples: anthrax mailed without a return address; disposable cellphone to make bomb threat)
* Charney: we need to marry authentication with reputation
Next was a panel on Branding and Building Trust. Lise also moderated. Panelists: Alessandro Acquisti of Carnegie Mellon, Chris Hoofnagle of UC Berkeley, and Fran Maier of TRUSTe. Some notes I made:
* [not sure who made this point]: there is a positive correlation between good business practices and consumer perceptions that the company has good privacy practices (Eric's comment: this would certainly explain sentiments towards Google)
* Acquisti: a study showed that stock prices drop after companies announce a security breach, but they quickly rebound after a few days
* Q: what is trust worth? Acquisti: according to his study, people will pay extra for privacy in some cases. Maier: TRUSTe has a case study showing that their logos improve consumer willingness to provide data (Eric's comment: I'd need to look through this case study to see how it regresses possible co-variables)
* Hoofnagle: consumers erroneously believe that companies' ability to use their data is regulated
* [not sure who made this point]: we should give kids amnesty for their youthful postings. i.e., we need to forget some information
* Maier: 15-20% of TRUSTe applicants don't get certified.
The day ended with a keynote by Dave Cullinane, eBay's Chief Information Security Officer who recently joined the company from Washington Mutual. A few notes from his talk:
* eBay employs 2,000 people in its trust & safety department
* eBay/PayPal investigators currently assist in over 2 arrests per day
* He implied that the Department of Homeland Security was trying to get a dataset from eBay to see if they can crunch the data to identify patterns that look like terrorism. I'd like to know more about this!
* Rootkitted Linux boxes--not (as commonly believed) Microsoft boxes--are the vast majority of security threats
Other comments on the event:
* SCU Law student Erik Schmidt at TechLawForum on Richard Clarke's talk
* Cade Metz at the Register on Richard Clarke's talk
* Cade Metz at the Register on Dave Cullinane's talk
* Robert McMillan at InfoWorld on Dave Cullinane's talk
UPDATE: Listen to the podcasts!
Posted by Eric at 01:42 PM | E-Commerce , Privacy/Security
September 07, 2007
August 2007 Quick Links, Part II
By Eric Goldman
* e360 Insight v. Spamhaus Project, 2007 U.S. App. LEXIS 20725 (7th Cir. Aug. 30, 2007). An email marketing company was listed on Spamhaus' ROKSO and sued for defamation and other torts in Illinois. Spamhaus took the position that US courts have no authority to render a judgment on a UK-based operation. The district court ultimately awarded $11.7M in damages and various equitable relief. The Seventh Circuit affirmed the default judgment but vacated the damages and equitable relief, sending those back to the district court to reevaluate the appropriate remedies. I understand that Spamhaus wanted to make a philosophical point by not fighting the lawsuit in the US, but had they overlooked their philosophical objections, they should have won a quick victory per 47 USC 230(c)(2).
* Perfect 10 has appealed its Ninth Circuit 230 loss in ccBill to the US Supreme Court.
* Search Engine Land had a good overview/recap article on geolocation technology. It provides a clear and easy-to-read explanation why the folks who think online businesses can just stay out of a state that enacts dumb regulations are full of crud.
* Pisciotta v. Old National Bancorp, No. 06-3817 (7th Cir. Aug. 23, 2007). Another court (this time, the Seventh Circuit) says that consumer fretting about possible future identity theft isn't enough harm to support a lawsuit. See the analogous JetBlue, Acxiom and Key cases.
* Wikipedia Scanner--an automated tool to determine who is editing Wikipedia pages. Katie Hafner's NYT article on the matter. David Hoffman does a little sleuthing on law firm edits.
* NYT: In the 1990s, a lot of people sought to build an infrastructure for micropayments. Consumers resisted them, but today those efforts seem a little silly--AdSense advertising can generate the same financial benefits for a web publisher without the overhead. Meanwhile, the credit card systems are being stretched to cover micro-transactions because merchants are aggregating a consumer's orders and processing them in bulk (rather than processing each one individually) as a way to reduce the transaction costs.
* NYT: "As video games have surged in popularity in recent years, politicians around the country have tried to outlaw the sale of some violent games to children. So far all such efforts have failed."
* AP: Chinese animated cops will be patrolling the Information Superhighway beat.
* Tired of negative reviews on Yelp, a San Francisco restaurant put up a sign saying "no Yelpers." I wonder if a sign like that lessens or exacerbates negative publicity.
* NYT: Book authors obsessively check Amazon sales rankings and try to game them.
* Facebook accidentally posted some of its source code to a public website. Surely an interesting development for ConnectU's discovery team!
* Another Internet company hires its own in-house economist--this time, virtual world Eve Online.
* A nice retrospective on the Cleveland Free-net, which at one point was a prominent component of the Cyberspace community.
* I have one free guest pass to the CLE International New Media Law conference in SF on Oct. 1-2. Free to the first person who sends me an email request. [SORRY--TAKEN!]
Posted by Eric at 09:48 AM | Content Regulation , Derivative Liability , E-Commerce , General , Internet History , Privacy/Security , Virtual Worlds
July 30, 2007
Fourth Amendment Privacy Case Law Bonanza
By Ethan Ackerman
In June, privacy advocates generally celebrated the Sixth Circuit's important 4th Amendment ruling in U.S. v. Warshak. But hot on its heels, the Ninth Circuit sobered the tone rather quickly in U.S. v. Alba, declining to find 4th Amendment protection for email and IP addresses. Alba dealt with the use of a pen register to collect IP addresses and out- and in-bound email addresses that the suspect visited/emailed. Based on the results of the pen register, the government got a warrant for subsequent surreptitious keylogging and screen captures on the defendant's PC. At the trial court level, the defendant challenged only the pen registers and not the subsequent warrant-based surveillance. Coming so close on the heels of the privacy-expansive holding in Warshak, U.S. v. Alba drew attention (and quite possibly some of the best off-the-cuff 4th Amendment banter/criticism on the Web) for its apparent holding that email addresses and IP addresses have no 4th Amendment protection. The Ninth Circuit generated enough confusion over the facts surrounding this holding to merit a subsequent clarification from the court as to whether this surveillance occurred surreptitiously on the defendant's PC (nope) or at the ISP level (yep).
Following closely on Alba's release, while everyone was still confused about just where the pen register interception happened, Wired News broke the details of US v. Glazebrook, a District court opinion on FBI keylogging that used some sort of software exploit or social engineering to allow remote monitoring of the PC of a high school MySpace user making bomb threats. The Glazebrook surveillance was done pursuant to a traditional court-reviewed warrant, leaving little room for 4th Amendment issues. Nonetheless, the case (and especially the warrant affidavit) is great reading, full of interesting technological questions regarding the FBI's covert remote monitoring capabilities.
Another District court decision, United States v. D'Andrea provides an interesting take on the 4th Amendment protections of web-stored files with password protection. As Orin Kerr's thoughtful parsing points out, the decision makes some fairly big factual judgments without sharing some of the significant background details. In this case, the contraband files were password-protected but stored online, and government investigators viewed them (without a warrant) after an ex-girlfriend of the suspect tipped off the investigators and provided the web site's password. The opinion finds a reasonable expectation of privacy may exist in password-protected files stored online, even though they are physically remote and transmitted to a third party provider.
In this case, the expectation of privacy did not exist, however, as the judge concluded that the suspect gave the ex-girlfriend the necessary information to access the files. As Professor Kerr points out, this last conclusion is thin on the facts. It is not at all clear in the opinion how the ex-girlfriend acquired the passwords; the suspect vigorously denied providing them to her. Would it have made a difference if she hacked, snooped, or guessed the passwords? Although it cited to Warshak, the opinion was similarly thin on just why 4th Amendment protections existed. (Not wrong, to this author's eye, just not detailed.) The opinion also spent little time addressing statutes that might address the privacy expectations, and whether and how they might affect the expectations of the defendant. For example, the Protection of Children from Sexual Predators Act requires ISP reporting of any discovered instances of child pornography, and the Electronic Communications Privacy Act is rife with exceptions allowing for disclosure of electronic communications. While I suspect the correct opinion is that mere statutes don't influence the Constitutional standard of "reasonableness," the court doesn't address the issue in any detail.
Professor Kerr would moot these conundrums with an alternate holding based on the controversial "special needs" exception, reaching the same final result. This particular debate is fairly politicized, arises in many 4th Amendment cases, and isn't specific to computer cases, though it often pops up there too. I'm not as willing as Professor Kerr to recognize an imaginary dividing line between criminal investigators and other government employees such as child services investigators or network administrators and ascribe no 4th Amendment significance to agents on the "correct" side of that line, but his other questions cut right to the core ambiguities of this opinion. To be fair, even some other Circuit Courts don't seem too concerned about making that excuse in other computer investigation cases, either.
Posted by Ethan Ackerman at 10:01 AM | Privacy/Security
June 12, 2007
Domain Names Can't Be Trespassed--Utube.com v. YouTube
By Eric Goldman
Universal Tube & Rollform Equipment Corp. v. YouTube, Inc., 2007 WL 1655507 (N.D. Ohio June 4, 2007)
Boy, this case got a lot of attention when it was first filed (which isn't surprising; YouTube lawsuits usually do). You may remember the story: the plaintiff is a dealer of used tube mills, used pipe mills and used rollforming machines. The plaintiff operated a website at utube.com. As you might expect, like most other industrial B2B vendors' websites, utube.com had a small but targeted audience.
With the phenomenal and quick rise in popularity of YouTube, a lot of web users mistyped youtube.com and entered utube.com instead, causing utube.com to suddenly experience disproportionate popularity. Unfortunately for the plaintiff, few of these visitors were interested in rollforming machines--as the opinion starts out, "This is a case about two very different types of 'tubes.'" As a result, the plaintiff was paying big bandwidth charges for visitors who weren't buying. In some cases, the plaintiff claimed that the traffic overwhelmed the servers, causing utube.com to be offline and preventing the plaintiff's real customers from conducting business with the plaintiff.
The plaintiff sued YouTube for trademark infringement, trespass to chattels and related claims. Last week, the court addressed YouTube's motion to dismiss. The net result is that the court allowed some of the plaintiff's trademark and related claims to survive, but the court dismissed several other claims (with leave to amend).
Trespass to Chattels
Most interesting to me is the court's dismissal of the plaintiff's claims that YouTube "trespassed" utube.com. The court correctly says that trespass to chattels (TTC) claims require physical contact, so it is not possible to trespass intangible property like a domain name. While this is the right result, I can't help but note the Ninth Circuit's holding that domain names can be converted like personal property (in the Sex.com case), and the recent Thyroff case, which also said that digital files could be converted. But here we're talking about a smaller possessory interest than conversion, and the court rightly understands that TTC could become a bypass to trademark infringement. As a result, this decision channels unhappy domain name owners towards trademark claims instead of some TTC bypass.
Even if the domain name itself can't be trespassed, the plaintiff can still claim that the computer servers attached to the domain name were trespassed. The court dismisses the claim for two independent reasons:
1) The plaintiff uses a third party web host, and the court says that the plaintiff didn't allege an adequate possessory interest in its host's equipment.
This may just be a pleading issue that gets corrected in an amended complaint, but it raises an interesting question about TTC standing that I don't recall seeing discussed before. Assuming that TTC is occurring to a site hosted by a third party vendor, does the TTC claim rest with the website operator, the vendor, or no one? I had always assumed that the website operator and the vendor EACH had standing for TTC because each has shared possessory interest in the computers, but I can see outer limits to this. For example, a person using a free web host vendor who is one of a zillion customers shouldn't have standing if there's a TTC to the vendor's computers. OTOH, if a customer is paying a vendor to operate a dedicated computer, and the customer will bear all economic charges associated with that computer's usage, I think the customer has standing. In that circumstance, perhaps the vendor does as well.
In my case, I pay a nominal amount to my web host for shared computer usage, but I pay bandwidth charges associated with my domain name. I think that if a third party were trespassing my website, and I bore the economic consequences from bandwidth usage, I should be able to claim TTC even though I only "lease" the computer space and I share that computer with other sites. Perhaps this warrants more thought.
2) Independently, the court correctly says that YouTube's customers, not YouTube itself, are "contacting" utube.com, and therefore YouTube isn't committing the actus reus. This result also appeared to be designed to channel this complaint into trademark law.
Nuisance
Some pundits have theorized about the existence of a nuisance claim that would parallel (or supplant) online TTC claims. These nuisance claims are occasionally pleaded (for example, a nuisance claim was made initially in the Intel v. Hamidi case, though Intel voluntarily dropped it), but this argument has not gotten any traction in court. This court's terse rejection of the claim is typical:
Universal has provided virtually no legal support for its contention that a private nuisance can exist when no land is involved. Nor has Universal shown any support for the proposition that a domain name, a website, or a computer that hosts a website somehow constitutes real property. There being no such support or other basis for its nuisance claim, that claim will be dismissed.
Other Claims
The court also dismissed the plaintiff's attempt to cancel (in district court) YouTube's trademarks and claims for negligence and violation of state RICO laws. The court rejected YouTube's motion to dismiss for unfair competition, state dilution, and deceptive trade practices, so those claims are still active (plus any causes of action revived with an amended complaint).
Posted by Eric at 09:59 AM | Domain Names , Privacy/Security , Trademark , Trespass to Chattels
May 29, 2007
Zango Claims Spyware Doctor SE Surreptitiously Deletes Its Software
By Eric Goldman
Zango, Inc. v. PC Tools Pty Ltd., 07-2-15844-8SEA (Wash. Superior Ct. complaint filed May 15, 2007)
We've seen a fair amount of tussling between adware vendors and anti-spyware software vendors, including a battle over the incorporation of "good samaritan" immunizations for anti-spyware vendors in proposed anti-spyware legislation (see, e.g., here and here). However, litigation between the two camps has been relatively rare, so this case (if it doesn't settle like most of the precedents) might help shape the contours of anti-spyware software vendors' duties as well as influence the pending anti-spyware legislation in Congress.
Here, Zango claims that PC Tools' software, Spyware Doctor Starter Edition, (1) mislabels Zango's software as an "elevated risk" and (2) automatically disables Zango's software from functioning without giving users notice, which prevents new installs and prevents current users from using existing installs--including those users who have paid a premium subscription allowing them to use Zango's software pop-up-free. While these effects alone would be problematic for Zango even if Spyware Doctor were an obscure program, Spyware Doctor SE has the added profile of being bundled in the Google Pack.
While I can see why Zango would be upset enough about this situation to sue, bringing a lawsuit has numerous downsides. First, the facts may not be in its favor; SunbeltBlog has had difficulty replicating some of the results. Second, lawsuits over classifications threaten anti-spyware vendors' editorial integrity (and PC Tools is claiming that was Zango's intent), but fortunately those editorial judgments should be completely protected by 47 USC 230(c)(2). Third, Zango isn't particularly popular in the anti-spyware crowd, so their enforcement actions bring extra scrutiny.
With respect to the claim that Spyware Doctor disables Zango, this case reminds me of the fracas (that matured into a lawsuit) between Avenue Media and DirectRevenue back in 2004, where Avenue Media claimed that competitor DirectRevenue was surreptitiously kicking its software off users' hard drives (the case reached a detente).
While it would be tempting to dismiss the Avenue Media/DirectRevenue lawsuit as a piratical battle between untouchables, there are other examples where company A deletes company B's software with minimal notice. Most prominently, I still can't fathom how Microsoft gets away with unilaterally wiping software off users' hard drives (my recollection is that AOL has done the same thing, but I can't find my documentation of it now). At some point we're going to have to reach a social consensus about what level of user authorization is required for one software program to annihilate another program. Maybe this case will help us understand that issue a little better.
Posted by Eric at 01:14 PM | Adware/Spyware , Privacy/Security
May 01, 2007
April 2007 Quick Links
By Eric Goldman
* Rebecca blogs on CollegeNET, Inc. v. XAP Corp., 2007 WL 927946 (D. Or. March 26, 2007), where a jury awarded $4.5M in damages under 43(a) because the defendant had a privacy policy saying it wouldn't disclose personal information to third parties "without the user's express consent and direction," but when users affirmatively said "yes" to "Are you interested in receiving information about student loans and financial aid?," the defendant sold the name to a third party. This is the right result because the combination of the two statements--we won't disclose to third parties, and a lack of pronouns about who would send the information about loans/financial aid--clearly implies that the information would come only from the defendant. However, it would have been easy to avoid this result! As the court points out, the defendant could have added one more line to the privacy policy ("If you ask for more info on loans/financial aid, we may provide your name to third parties") or pronouns to the call-to-action ("Are you interested in receiving information about student loans and financial aid from us or selected third party vendors?"). While the result is right, the damages sure seem high.
* Claria has taken its PersonalWeb tool out of beta. This tool creates a personalized navigation page for consumers by inferring their preferences rather than requiring them to proactively customize the personalization, which only 10% of users did.
* From BusinessWeek: To capture interest in a hot story, media entities buy keywords like "Virginia Tech massacre" immediately following tragedies.
* MailChannels' technology deliberately introduces latency into its server's handshakes, effectively creating a slow lane for spammers.
* Internet Archive v. Shell has settled. John O. may have more thoughts on this.
* Latest evidence that consumers don't always want to have their say: less than 0.2% of visits to YouTube and Flickr are for the purpose of uploading content.
* Todd J. Hollis' lawsuit against dontdatehimgirl.com has been dismissed for lack of jurisdiction. Unfortunately, the court deliberately sidestepped the 47 USC 230 issue, which would have been a simple way to clear the docket permanently.
* BusinessWeek article on how dictionary-makers are struggling to sort through the proliferation of new well-known words via the web.
* A historian raises some quality concerns about Google's book scanning efforts. I think the metadata issue is particularly serious, as many people will expect Google's metadata to be accurate and will cite it accordingly. HT Rebecca.
* Lawsuit over a botched tattoo. Whoops! Speaking of bad-idea tattoos, check out my archive post on tattoo advertising.
* New York councilman wants to ban "menu spam."
* Thyroff v. Nationwide Mutual Insurance Co., No. 41, 2007 N.Y. LEXIS 264 (N.Y. Mar. 22, 2007), holding that electronic records are protected by a state law against "conversion." This is certainly consistent with some precedent, such as Kremen v. Cohen, 325 F.3d 1035 (9th Cir. 2003) saying that domain names can be converted, but this broad holding seems plainly wrong. With respect to copyrightable electronic records, federal copyright law should preempt state anti-conversion laws. What am I missing?
* Some items that made me laugh this month:
- Dilbert on crowded trademark namespaces
- Comedy Central has the amazing story of My-T-Boy, the cute branded character who lapsed into the public domain
- Marge Simpson googles herself and doesn't like what she sees from the satellite image of her home. Very funny!
Posted by Eric at 06:20 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam , Trademark
April 09, 2007
March 2007 Quick Links Part 2
By Eric Goldman
Yesterday I posted the Google edition of my list of interesting items from March. Today I post the remainder of items that caught my eye last month.
Trademarks/Brands
* Bosley Medical Institute v. Kremer, 2007 WL 935708 (S.D. Cal. Mar. 22, 2007). On remand from the Ninth Circuit, the district court denies Kremer's motions to dismiss/for SJ. Michael Atkins recaps the ruling and case's history.
* Milbank Tweed Hadley & McCloy LLP v. Milbank Holding Corp. d/b/a Milbank Real Estate Services, No. CV 06-187-RGK (JTLx), (C.D. Cal. Feb. 23, 2007). After passage of the Trademark Dilution Revision Act, the court rejects the existence of "niche fame" as support for a dilution action. I’m a little surprised that this plaintiff would bring this losing argument.
* ICANN votes down a .XXX TLD. Again.
* NYT on the increasing challenges of creating a unique global brand in very crowded namespaces.
* Trademarked Sentences: A tool that helps you generate poetry by mixing trademarked slogans.
Blogs/UGC
* BidZirk v. Smith, No. 06-1487 (4th Cir. March 6, 2007). The Fourth Circuit, in a non-substantive opinion, denied a company's request for an injunction against a griping blogger's use of its trademarks. My initial write-up of the case. With this loss, the plaintiff's ill-advised decision to appeal the case is now even more clearly a complete waste of the plaintiff's money and our judicial resources.
* Chapman v. Merchandise Mart Properties, 2007 WL 922258 (D. Vt. Mar. 23, 2007). Woman tries to get TRO against physical-space trade show based on trademark interests in the term "GreenStyle," which is her blog’s title. The court rejects the request, but interestingly doesn't seem fazed by the argument that she may have a trademark interest generated from her blog name. Blog names can be trademarkable with sufficient use in commerce, a factor the court ignored completely.
* Sifry: "70 million weblogs. About 120,000 new weblogs each day, or...1.4 new blogs every second."
* A nice retrospective on the history of blogging.
* Wikipedia is requiring some credentialing after getting burned by a pseudonymous contributor who falsely claimed he was a professor.
* Ed Felten has some terrific observations about building distributed reputation systems like Digg (and, for that matter, Epinions). Ed is 100% correct that reputation systems need substantial stabilization; they don't just work deus ex machina.
Contracts
* Dorr v. Yahoo, No 3:07-cv-01428-MJJ (N.D. Cal. complaint filed March 7, 2007). Yahoo offered a premium subscription service allowing users to send email without Yahoo's ads attached. Then, allegedly, they changed the service's terms, and some of the paying customers were unilaterally bumped to a tier where Yahoo's ads were again attached to their email. Steve Bryant has more. In general, if people pay to eliminate ads, during that period of time, Yahoo should not be able to unilaterally amend the terms so that the user is paying but still getting ads.
* Ken Adams blogs on Affinity Internet, Inc. v. Consolidated Credit Counseling Services, Inc., 920 So. 2d 1286 (Fla. Dist. Ct. App. 2006), where the court held that a contract clause saying "This contract is subject to all of SkyNetWEB's terms, conditions, user and acceptable use policies located at http://www.skynetweb.com/company/legal/legal.php" was insufficient to incorporate an arbitration clause contained in the referenced document. Ken's suggested fix: "The SkyNetWEB user agreement located at http://www.skynetweb.com/company/legal/legal.php constitutes part of this agreement."
Government Agencies
* The National Do Not Call Registry: Annual Report to Congress for FY 2006 Pursuant to the Do Not Call Implementation Act On Implementation of the National Do Not Call Registry (April 2007): "The Commission believes that the fundamental goal of the National Do Not Call Registry — to provide consumers with a simple, free, and effective means to limit unwanted telemarketing calls — has been realized." My curmudgeonly take on why the do-not-call registry isn’t great policy.
* Implementing the Children's Online Privacy Protection Act: A Federal Trade Commission Report to Congress (February 2007). The FTC remains pretty pleased with itself about COPPA, but it's worried about social networking sites and the continuing lack of age verification technology. I'm not as impressed with COPPA as the FTC is; see here and here. In any case, if you're doing COPPA research, this report helpfully recounts the 12 COPPA enforcement actions to date.
* Hard to believe, but payola busts are still being made. The latest: a $12.5M settlement. See the NYT and WaPo.
* Terrific post by the EFF’s Seth Schoen about a misguided report on P2P file sharing by the USPTO and the issues with empowering users to control their computers. A must-read.
Miscellaneous
* ACLU v. Gonzales, No. 98-559 (E.D. Pa. March 22, 2007). On remand from the Supreme Court, the court once again holds that the 1998 Child Online Protection Act is unconstitutional.
* CRS Report for Congress: An Overview of Recent U.S. Supreme Court Jurisprudence in Patent Law, March 16, 2007, discussing the last 8 Supreme Court patent cases.
* We've all heard about the magic of network effects. But as this Mercury News article explains, when an Internet start-up company's network takes root principally overseas, it can leave the company with a large audience of unmonetizable users.
* Jacob Loshin, Property in the Horizon: The Theory and Practice of Sign and Billboard Regulation, 30 Environs 101 (2006). A thoughtful discussion of the history of billboard regulation and some regulatory considerations.
* Coca-Cola's launch campaign for "Coke Zero" is premised on the idea that the executives of Coca-Cola want to sue the executives of Coke Zero (i.e., other executives within the same company) for "taste infringement" because the taste is so similar. Personally, I find commercials about faux lawsuits HILARIOUS. Ha ha ha. Except...if there isn't currently a cause of action for "taste infringement," with the expansion of IP rights, it may only be a matter of time... This turns the joke about how hard it would be to establish taste infringement on its head. Ironically, the commercial features Coke's actual lawyers. Yet more on this sorry story.
Posted by Eric at 09:14 AM | Content Regulation , Copyright , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Trademark | TrackBack
April 08, 2007
Oracle v. SAP Lawsuit Comments
By Eric Goldman
Oracle Corporation v. SAP AG, 3:07-cv-01658-EMC (N.D. Cal. complaint filed March 22, 2007)
I realize I'm a couple weeks late to this story, but it's too important/interesting a case not to address.
TomorrowNow (TN) is a company started by former Oracle employees. They offer maintenance services for Oracle software competitive with Oracle's standard maintenance program, but at much-reduced prices: Oracle charges 22%/yr while TN charges half that (11%/yr).
But how is TN able to undercut Oracle's pricing so drastically? One possibility is that Oracle charges supra-market rates due to the lock-in effects of tying maintenance services to software licenses. On that front, I'll note that back in the 1990s, my software vendor clients typically charged 15%/yr for maintenance--a substantially lower number than Oracle's breath-taking 22% figure. So perhaps TN is able to charge 11% as a modest start-up discount off the industry-standard 15%, and Oracle's been getting away with a great deal for a long time.
An alternative story, told by Oracle in its complaint, is that TN could undercut Oracle only by stealing. TN has a very thin development team compared to the Oracle behemoth, so Oracle might incur all of the development expenses necessary to provide maintenance services, and TN might just take those assets for free to engage in competitive free-riding. Specifically, Oracle alleges that TN gets switching Oracle customers to give TN their passwords to Oracle's website/database for its maintenance customers and then send robots to download everything (manuals, patches, etc.) it can find, which then allows it to provide services comparable to Oracle’s.
Perhaps TN, even if it had engaged in such a scheme, would have been a nettlesome gnat as a standalone company, but it got scooped up by German software giant SAP, one of Oracle's main rivals. At this point, TN becomes problematic to Oracle in a variety of ways. TN is poaching some maintenance revenue outright, while it is putting price pressure on the maintenance business that Oracle retains. Further, Oracle customers who switch to TN have an easier path to migrate their overall software needs to archrival SAP.
Oracle has struck back in court with a tightly drafted complaint. Oracle claims that the scheme of getting former Oracle customer passwords and downloading lots of content from Oracle's maintenance database violates (among other things) the CFAA and Cal. Penal Code Sec. 502 and constitutes trespass to chattels and interference with prospective economic advantage. This is a well-pleaded complaint, in the sense that there are no obvious deficiencies with Oracle's pleadings. I don't love everything about Oracle's practices. For example, it makes no sense that Oracle made it possible for customers to root around the entire database for stuff, even if it didn't relate to the customer's software. Also, I would definitely have drafted and implemented the contracts differently than Oracle did. But these are quibbles; Oracle's contracts and practices are serviceable for this lawsuit's purposes.
Having said that, there are two obvious omissions from the alleged claims. First, Oracle didn't allege copyright infringement yet because it needed to get its copyright registration applications on file, so it expects to file an amended complaint. Second, Oracle didn't allege that the claimed misuse of switching customers constituted a 1201 circumvention. I'm not 100% sure why. It could be that this claim will be added along with the other copyright infringement claims, or it could be that Oracle is sufficiently deterred by the handful of cases holding that mere misuse of a legitimately issued password isn't a circumvention.
Also, it's noteworthy that Oracle didn't sue its switching customers for allegedly providing their passwords to TN, although it seems like at minimum Oracle would have breach of contract claims against them. I assume Oracle isn't suing customers because that's never good for business. Indeed, part of the lawsuit is about wooing customers; there is some hilarious and gratuitous marketing language in the complaint designed to impress Oracle customers and to rattle the confidence of customers thinking of switching to SAP.
Putting aside what's not in the complaint, if Oracle's complaint accurately states the facts, SAP could be in deep legal trouble. Of course, it's fairly typical for the plaintiff to draft a great complaint and the defendant then tells a very different story. As just one example, Oracle ties the downloads to TN via IP addresses; but IP addresses are spoofable, so it's theoretically possible that someone spoofed TN. So we have to wait until we hear both sides before we can make any rigorous assessments of merit.
Even so, I'm a little unnerved by the software industry analysts who have claimed this lawsuit is no big deal. Perhaps in the grand scheme of things, this lawsuit won't have a great deal of effect on the competitive position of SAP and Oracle. Sure, the lawsuit casts some doubts in the minds of customers who are thinking of leaving Oracle for lower-cost options that SAP/TN will be a long-term trustworthy vendor, but such doubt-sowing initiatives are fairly common in the bare-knuckle competition for enterprise database software. Plus, if SAP just cuts off TN altogether, presumably the overall effect on SAP and Oracle revenues will be comparatively modest.
But this lawsuit could be a Big Deal because the facts alleged by Oracle might support criminal prosecutions for CFAA, CA Penal Code 502, criminal copyright infringement and other crimes. It's not clear if the criminal prosecutors are going to get involved in this case or if Oracle even wants them to do so, but I suspect a number of SAP employees have procured their own personal attorneys. To the extent TN was a rogue operation operating without oversight or permission from SAP corporate, then again the financial impact may be small, even if the affected individuals might suffer severe consequences. But if TN wasn't a rogue operation, any criminal prosecutions could have major ripple effects throughout the entire SAP organization.
I think the Cadence v. Avant lawsuits are illustrative, especially given the many parallels. In that case, a bunch of former Cadence employees started up a competitive company, Avant. However, to get a jumpstart on the competition, the employees walked out the door with Cadence source code. Perhaps aided by this unfair head start, Avant had a very successful marketplace run, growing into a major public company with hundreds of millions of dollars of revenue. But after the civil and criminal prosecutions, Cadence got damage awards of hundreds of millions of dollars, multiple Avant employees went to jail, and Avant was effectively knocked out of the marketplace.
I need to reiterate that we don't know yet if Oracle's alleged facts are true, or if anyone committed a crime, or if any criminal prosecutions will ever be launched. However, I think it's too breezy for software industry analysts to brush this case off as a low-risk threat. If Oracle’s alleged facts are true, this isn't business-as-usual; instead, this would constitute illegal marketplace behavior, with potentially severe consequences for the business generally and the decision-makers individually.
I have additional edgy things to say about this case in this interview. Other resources:
* WSJ Law Blog
* BusinessWeek article pitching this lawsuit as just bare-knuckle competition between giants
* A collection of industry analysts' comments
Posted by Eric at 11:08 AM | Copyright , Internet History , Licensing/Contracts , Privacy/Security , Trespass to Chattels | TrackBack
March 01, 2007
February 2007 Quick Links
By Eric Goldman
* The California Highway Patrol (which, for reasons unclear to me, has investigatory power here) has concluded that the Angelides campaign did not break any laws when they reverse-guessed URLs on Schwarzenegger's website and found an unrestricted page with a video of the Gov wondering about Assemblywoman Bonnie Garcia's "hot" temperament because of her mixture of "black blood" and "Latino blood" and referring to Assembly Republicans as a "wild bunch." The CHP did recommend that Schwarzenegger's team tighten up their website security. Silly reminder: if you really want to keep information a secret, don't put it on a website without password protection.
UPDATE: Greg Haverkamp points me to this document, which explains that the CHP has enforcement power over Penal Code 502 violations involving state computers. Interesting. In my mind, I see Erik Estrada revving up his PowerBook to bust some baddies...
* Voda v. Cordis Corp., 2007 WL 269431 (Fed. Cir. Feb. 1, 2007). Patent owner can't litigate infringement of foreign patent rights in US court as part of supplemental jurisdiction over a US patent infringement claim. Patry's writeup.
* NYT on how YouTube indirectly motivates teens to deliberately do stupid things just for the opportunity to post them and perhaps get notoriety. I had a first-hand observation of this when I trolled through YouTube looking for a Listerine commercial that I might show in class while teaching a case involving Listerine. A search for the word "Listerine" in YouTube produces video after video of people doing stupid things with Listerine, like eating big stacks of their breath film or snorting the breath spray and then writhing in pain. Watching video after video of people repetitively doing stupid stunts, I felt like shouting to these people: "IF YOU'RE GOING TO DO SOMETHING STUPID ON YOUTUBE, AT LEAST BE ORIGINAL!"
* From Steve Bryant at eWeek: Shannon Stovall sues Yahoo for including her photo in Yahoo's welcome email, claiming Yahoo violated her rights of publicity/privacy to the tune of $10M compensatory damages and $10M punitive damages.
* Digg users may mark content they don't agree with as "spam." The most recent example is Danny Sullivan's post on SEO, which got Dugg and then was eliminated when anti-SEO Digg users flagged it as spam. If a website defers content grading to its users, it has to trust that they are reporting their feedback accurately. If they aren't, the whole user grading process breaks down. And speaking of breakdowns, there is an active secondary market for Digg votes--check out how Annalee Newitz bought front page placement on Digg for about $100.
* The always-colorful Chris Hoofnagle has released a new paper, "The Denialists' Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts." By his standards, I suspect I've dealt a full house with some of my rhetoric! Now, I wonder if he's going to create a complementary deck for bogus rhetorical tactics used by consumer protection "advocates"?
* From the EFF: "Debbie Foster, a single mom who was improperly sued by the RIAA back in 2004 for file sharing, has won back her attorneys' fees." Capitol Records v. Foster, No. 04-1569-W (W.D. Okla. Feb. 6, 2007). Unfortunately, that hasn't stopped the plaintiff from advancing nonsense arguments in the case, including the specious argument that a computer owner is automatically responsible if third parties use the computer to infringe copyrights. Fred at the EFF rightly debunks this argument.
* Wikipedia article: "Wikipedia is Failing." Your perspective about success or failure may be influenced by the impressive traffic gains that Wikipedia is experiencing--Wikipedia is now one of the top 10 most trafficked websites. Most of that traffic is coming from Google.
* Doe v. Josef Silney & Assoc., No 07-04167CA15 (Fla. Cir. Ct. complaint dated Feb. 13, 2007). Golfer Fuzzy Zoeller sues an alleged vandal of his Wikipedia page for defamation and related torts. Fortunately, he left Wikipedia out of the suit. However, he only knows the IP address of the person who modified the page, and that IP address is registered to the defendant. Is owning the IP address enough to establish liability? Or is this like an RIAA blunderbuss sue-first, ask-questions-later approach? It seems like the lawsuit should have been against a Doe, with a subpoena to find out who actually edited the page using that IP address.
* US v. Twombly, 2007 U.S. Dist. Lexis 12664 (S.D. Cal. Feb. 22, 2007). A spammer challenges some criminal provisions of CAN-SPAM as vague and overbroad, but the judge has no problems reading the statute to facilitate sending spammers to the slammer. Venkat's writeup.
* CDT groks (and mostly bashes) a variety of online kid-protection bills proposed in Congress.
* From the NYT: Nancy Pelosi posted some videos from C-SPAN to her blog. The Republicans immediately attack her for "pirating" the videos. Turns out that those videos were actually recorded by the government, so they are in the public domain. Whoops! The Republicans had to issue a mea culpa retraction. However, Nancy did grab a C-SPAN-owned video elsewhere which she had to take down. If our legislative leaders can't figure out what video they can recycle, how in the world can less-trained lay people do so? Patry has more.
* A bearish view on domain name speculation from CircleID. I share the sentiment that domain names don't matter, so domaining and typosquatting strike me as a short-term arbitrage opportunity that inevitably will be mooted by a variety of forces. Thus, the idea of paying 40 or 60 years worth of revenue for a domain name is laugh-out-loud funny to me.
* The Long Tail notes that some brands, trying to build a more esoteric image, try to hide their ownership by mainstream mass-market brands, a phenomenon he calls "brand dis-synergy." Examples: Dagoba Organic Chocolate, Joseph Schmidt, Cacao Reserve and Scharffen Berger chocolates (all owned by Hershey) and Converse (owned by Nike).
* Veritas busted for manufacturing revenues via round-tripping with AOL (Veritas bought AOL ads and AOL bought Veritas software; each at inflated prices).
* What does "or" mean? According to the 8th Circuit, it can mean "and." Ken Adams is on the case.
* Ricky Hoggard Holman, an 18-year-old high schooler in Sudbury, Canada, correctly blogged all 24 of the American Idol finalists. How? Online research, such as researching the MySpace pages of contestants and emailing their MySpace friends. He also talked to some of the booted final 40 contestants, a few of whom broke their punitive-laden confidentiality agreement to dish some dirt. Maybe he wasn't studying, but clearly he's learned a few things about the power of good old-fashioned research. (The article says he's a straight A student, so he clearly can balance many things). Nice job, Ricky!
Posted by Eric at 12:03 PM | Content Regulation , Copyright , Derivative Liability , Domain Names , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack
January 10, 2007
December 2006 Quick Links
By Eric Goldman
* JP Enterprises, Inc. v. HDVE, LLC, 1:06-cv-01046-REB-PAC (D. Colo.). In June 2006, JP Enterprises sued Yahoo for selling its trademarks for keyword-triggered ads. In December, JP Enterprises and Yahoo stipulated a dismissal of the case against Yahoo (the remaining defendants weren't affected), presumably based on a settlement.
* Domain name valuations continue to rise. The latest overvalued domain name? Vodka.com, selling for $3M. This totally perplexes me. Can you imagine what $3M of well-spent PPC advertising would do?
* Amidst the TLD proliferation, ICANN is thinking about retiring some TLDs, such as .su for the (extinct) Soviet Union.
* According to ClickTales, "76% of the page-views with a scroll-bar, were scrolled to some extent[, and] 22% of the page-views with a scroll-bar, were scrolled all the way to the bottom." From a legal standpoint, currently we assume that content “below the fold” usually is legally irrelevant. However, if users routinely scroll down on pages, this may require rethinking.
* Forbes' special report: "Books." Especially interesting stories:
- The Secret Life Of An Online Book Reviewer
- Cory Doctorow, Giving It Away
- Stop Worrying About Copyrights
- Publish And Perish (about picking storage media to archive human knowledge)
- The Networked Book (about using blogs as a complement to the book authoring process)
* How about this manipulative practice? Yelp, the local consumer review guide, pays "marketing assistants" to leave positive comments for review authors to "help make Yelp appear to be a vibrant and outgoing community in hopes that it will actually become one." As the BusinessWeek article says, "Some reviewers may be turned off by the notion that an ostensibly disinterested fellow user is getting paid to compliment their writing." Ya think? Hiring professional back-patters crosses my line.
UPDATE: I got the following email from Jeremy Stoppelman, founder of Yelp:
The Businessweek article is misleading so I can understand how you got that impression. Our system breaks down as follows:
Community Managers - responsible for local marketing & pr, organizing yelp events (offline) and for welcoming people to the site. People who are active in the community generally know this person (and that they are an employee) since they are organizing local events and emailing users all the time.
Marketing Assistants - the first people in a new market (that has little-to-no community), they are paid to update our crappy yellow pages data and write some of the first reviews (e.g. make the site not empty). We initially suggested they get active (post on talk, compliment if someone shows up), but turned away from that quickly (for the same concerns you raised).
The only critique left is that these people aren't badged and I totally understand this issue (minor, but real). Therefore we decided before Christmas break we should badge all our marketing & community staff. This change should be out later tonight.
* The magazine Nature has ended its experiment with an open peer review process. Why? According to the AP, "The journal concluded that many researchers were either too busy or had no real incentive in evaluating their colleagues' work publicly. In addition, none of the editors found the posted comments influenced their decision whether a paper gets published." No point in manufacturing metadata if it's not going to change the decision anyway! But this raises a related question--what incentives are needed to produce useful metadata?
* As written up in the NYT, Sao Paulo has outlawed a wide variety of outdoor advertising, including billboards, leaflets, advertising on the sides of buses/taxis, and via airplanes and blimps, and has promulgated strict rules on commercial signage. This is a radical experiment in the effort to reduce visual clutter by squelching the availability of a major class of advertising. But Chris Hoofnagle (who pointed out the article to me) wonders, where are these ad dollars going to go? Presumably they will be redirected into different ad media, with uncertain consequences. For more on the effect of regulation in one advertising medium on advertising in other media, see my Coasean Analysis of Marketing article.
* In response to the Google/China flap, the State Department in February 2006 established the Global Internet Freedom Task Force (GIFT). On December 20, the GIFT issued a press statement outlining its "GIFT Strategy" consisting of 3 principal points:
- MONITORING Internet freedom in countries around the world
- RESPONDING to challenges to Internet freedom.
- ADVANCING Internet freedom by expanding access to the Internet.
I wonder if this effort will moot the need for the Global Online Freedom Act?
* BusinessWeek article on domain tasting (with the wildly hyperbolic title "The Great Internet Brand Rip-Off"--an editor ran amok!). Domain tasting always has struck me as a silly issue. Of course if you offer marketers a way to get exposure to consumers for free, some of them will abuse it! But I just have to believe that the legitimate utility of the 5 day refund period is low, if not zero. So the refund period should be killed, and consumers who make a typographical error when registering domain names should be SOL (much like it's almost impossible to fix an error if a consumer buys the wrong non-refundable airline tickets).
* Rick Skrenta: "RIP DMOZ: 1998-2006."
* AP Story updating the Steinbuch v. Cutler case. The case is in discovery now, and there's no sign that it will avoid a trial.
* Tom Smedinghoff wrote an excellent recap of last year's developments in the field of information security law: Where We're Headed — New Developments and Trends in the Law of Information Security.
* In December, Shuman (Google's click fraud czar) reportedly said that Google's click fraud rates were less than 2%, but then Google backpedaled and obfuscated about what Shuman had really said. In yet another terrific post, Danny sorts through the mess and tells us what we know and don't know about click fraud rates. Read the whole thing.
* Jeffrey Rohrs is one of the people I trust for expert opinions. I don't agree with his plaintiff-side orientation, but I respect his perspectives. He's written an analysis of the click fraud issue that he calls the Sausage Manifesto. A recap of Google's responses to the manifesto.
* Jennifer Granick predicts that EULAs and the law of mass surveillance will be the hot legal issues of 2007. Both seem good bets; I'd add to that list that this year we'll spend a lot of time irresolutely chasing our tail on the net neutrality issue.
Posted by Eric at 10:00 AM | Domain Names , General , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark | TrackBack
December 22, 2006
Top Cyberlaw Developments for 2006 – Part 2
By John Ottaviani
(Eric Goldman is away until the New Year. He left me the keys to the blog. I warned him that this may be like leaving the teenagers the keys to the house when the parents go away for the weekend!)
As Eric pointed out, our “Top Ten Cyberlaw Developments for 2006” list left out several notable developments. Here are a few more that were “near misses” for the list. In no particular order of importance:
· Electronic Voting – There was a lot of buzz about electronic voting and the perceived failures of the various systems. Given the proliferation of machine-human interfaces that we encounter on a daily basis, it is difficult to comprehend why problems continue to plague this industry.
· Apple v. Does – A California state appeals court held that online journalists had the same right to protect the confidentiality of their sources as offline reporters do under California’s reporters’ shield law. This result is not surprising, but it appears to be the first formal confirmation that courts would apply the same rules to traditional and online reporters. In addition, the court ruled that the federal Stored Communications Act does not permit a civil subpoena of stored e-mail from a service provider, only direct subpoenas from the account holders.
· Snow v. DirecTV – In June, the 11th Circuit held that, in order to be protected by the Stored Communications Act, an Internet website must be configured in some way as to limit ready access by the general public. An anti-DirecTV activist had created a public bulletin board, with a banner containing purported terms of service forbidding DirecTV representatives from entering the site or using its message board. However, the site was configured such that anyone in the public (including the DirecTV representatives) could enter the site, create a profile and use the message board. The court recognized Congress’s intent not to criminalize or create civil liability for acts of individuals who “intercept” or “access” communications or websites that otherwise readily are accessible by the general public. The court suggested that even a statement in the complaint that a plaintiff screens the registrants before granting access may have been sufficient to infer that the site was not configured to be readily accessible to the general public. However, in the absence of any such statements, the court granted DirecTV’s motion to dismiss for failure to state a claim. As a result, website operators who want to take advantage of the provisions of the Stored Communications Act must take some affirmative actions to be able to demonstrate that the website was not configured to be readily accessible to the general public. Relying on those who are not the website’s intended users to voluntarily excuse themselves will not be sufficient.
· eBay v. MercExchange – In May, the U.S. Supreme Court ruled that, once a patent is found valid and infringed, an injunction does not automatically have to be issued. Trial judges are free to weigh competing factors, including the effect of enforcing a patent on the public interest, as the trial judges do in other injunction proceedings. The case revolved around eBay’s “buy it now” feature, which allows customers to purchase items without participating in an auction. In 2003, a jury found that this feature infringed on two of MercExchange’s patents. The Supreme Court’s decision requires that patent owners show “irreparable injury” resulting from the defendant’s infringement in order to receive injunctive relief. While this standard should be relatively straightforward for patent owners who practice their technology, the decision may lessen the ability of patent owners who don’t practice their inventions to obtain an injunction (or threaten to obtain one as a negotiating tool).
If anyone else has any Cyberlaw developments that they feel should be on the “Top Ten” list, please feel free to let us know!
Our list of “Top Cyberspace Intellectual Property Cases” for 2006 will be available in January.
Posted by John Ottaviani at 12:18 PM | E-Commerce , Patents , Privacy/Security | TrackBack
November 29, 2006
Nov. 2006 Quick Links
By Eric Goldman
My monthly roundup of noteworthy tidbits:
* Yesmail, an email outsource vendor, was busted by the FTC under CAN-SPAM for failing to honor opt-out requests because Yesmail's incoming email filters blocked those opt-out requests as spam. This strikes me as a particularly messy technological dilemma--even email outsource vendors need spam filters, but if those filters nab opt-out requests, the FTC isn't showing any sympathy. So it looks like email outsource vendors will need to use less vigilant spam filters or find some way to direct opt-out requests to a non-filtered email server.
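The second option above (keeping opt-out requests out of the spam filter's path) is easy to sketch. The following is an added example, not code from the post or from Yesmail; the mailbox address, the keyword list and the sample messages are all constructed for illustration.

```python
"""Added example (not from the original post): route subscriber opt-out
requests around the inbound spam filter so that a keyword-based filter can
never silently drop them, which is the failure the FTC faulted Yesmail for.

Assumptions (constructed): the vendor receives opt-outs at a dedicated
mailbox, and its content filter scores messages by keyword hits.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

OPT_OUT_MAILBOX = "unsubscribe@example-esp.test"       # constructed address
OPT_OUT_SUBJECT_WORDS = ("unsubscribe", "opt out", "opt-out", "remove me")

# The crude keyword filter standing in for the vendor's real one. Note the
# overlap: the words subscribers use to opt out are also classic spam cues.
SPAM_KEYWORDS = ("unsubscribe", "remove", "opt out", "click here", "free", "winner")
SPAM_THRESHOLD = 3


def parse(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message; policy.default gives an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def naive_spam_score(msg: EmailMessage) -> int:
    """Count keyword hits in subject + body (the filter that swallows opt-outs)."""
    text = ((msg["Subject"] or "") + " " + body_text(msg)).lower()
    return sum(text.count(word) for word in SPAM_KEYWORDS)


def is_opt_out_request(msg: EmailMessage) -> bool:
    """An opt-out is anything addressed to the opt-out mailbox, or whose
    subject plainly asks to be removed, regardless of how spammy it looks."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if OPT_OUT_MAILBOX in recipients:
        return True
    subject = (msg["Subject"] or "").lower()
    return any(word in subject for word in OPT_OUT_SUBJECT_WORDS)


def route(raw: str, bypass_opt_outs: bool = True) -> str:
    """Return the queue a message lands in: 'compliance', 'spam' or 'inbox'.

    With bypass_opt_outs=True the opt-out check runs *before* the spam
    filter, so an opt-out is honored even if it scores as spam. With it off,
    the message flow reproduces the Yesmail problem.
    """
    msg = parse(raw)
    if bypass_opt_outs and is_opt_out_request(msg):
        return "compliance"          # feeds the suppression list, never filtered
    if naive_spam_score(msg) >= SPAM_THRESHOLD:
        return "spam"
    return "inbox"


# Constructed sample messages (not real traffic).
OPT_OUT_TO_MAILBOX = """From: alice@subscriber.test
To: unsubscribe@example-esp.test
Subject: Please remove me from your list

Unsubscribe me and remove my address. I want to opt out.
"""

OPT_OUT_BY_SUBJECT = """From: carol@subscriber.test
To: support@example-esp.test
Subject: unsubscribe

stop sending me email
"""

SPAM = """From: promo@bulk-sender.test
To: support@example-esp.test
Subject: You are a WINNER - click here for your free prize

Click here to claim your free prize. Click here now! To unsubscribe reply remove.
"""

HAM = """From: bob@customer.test
To: support@example-esp.test
Subject: Question about invoice 4411

Hi, could you resend last month's invoice? Thanks.
"""

if __name__ == "__main__":
    for name, raw in [("opt-out to mailbox", OPT_OUT_TO_MAILBOX),
                      ("opt-out by subject", OPT_OUT_BY_SUBJECT),
                      ("spam", SPAM), ("ham", HAM)]:
        print(f"{name:20s} filtered-first -> {route(raw, bypass_opt_outs=False):10s}"
              f" opt-out-first -> {route(raw)}")
```

Run it and the first sample shows the dilemma directly: the keyword filter alone scores the genuine opt-out as spam, while routing opt-outs first sends it to the compliance queue.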
* Best Western Int'l Inc. v. Doe, No. 06-1537 (D. Ariz. Oct. 24, 2006): griper defeats trademark infringement and dilution claims due to the lack of "use in commerce in connection with goods or services." (HT: BNA's E-Commerce and Tech Law Blog).
* Simmons v. Florida, SC04-2375 (Fla. Sup. Ct. Nov. 16, 2006). Very troubling ruling from Florida upholding the criminal conviction of a defendant for disseminating harmful-to-minors material online. First, breaking with an unbroken string of cases dating back to 1996, it upholds the state law prohibiting the dissemination of harmful-to-minors materials over the Internet against a Constitutional challenge. In the past, these laws uniformly have been struck down under the First Amendment or the Dormant Commerce Clause (or both). Second, the statute applies only to email, but it was used to bust someone communicating via instant message. These types of technology-specific statutes create odd silos that create too much ambiguity. Declan's writeup.
* McDonald's is seeking a patent on using a "sandwich delivery tool" to deliver filling (like ham) to a "bread component." This could be the greatest thing since sliced bread!
* From Greg Linden's blog: Google surveys its users and they say they want more results per page. So Google tests a search results page with 30 results/page. The result? A 20% drop in traffic! Note that a 10-result page takes 0.4 seconds to load, while a 30-result page takes 0.9 seconds, so the working theory is that an extra 0.5 second latency deterred a lot of searching. This may give a little insight into why Google is fighting so hard on net neutrality. If Google does get relegated to a slow lane, it may lose lots of searches.
* A band called Bones registers a MySpace account at http://www.myspace.com/bones and, over the course of 2 years, accrues 2,100 friends. Fox, the owner of MySpace, decides that it would prefer to have that URL for its TV show Bones, so it boots the band and puts up a page for the TV show. Can Fox do this legally? It all depends on the contract (but I'm skeptical that the contract was this broad). For some background on taking virtual assets, see my prior discussion on the sex.com litigation and account ownership in virtual worlds. In any case, Fox relented and gave the URL back to the band. But this is a good reminder that, if you care about your web presence, don't build up goodwill in a URL controlled by someone else.
* FTC busts Guidance Software for inadequate security. According to Internet News: Guidance's privacy policy said it "takes every precaution to protect our users' information," "your information is protected both online and offline" and it protected data "with the best encryption software in the industry – SSL." Yet, Guidance suffered a security breach that resulted in the leak of 4,000 credit card numbers; and the breach wasn't detected for 3 months. I'm not entirely sure what to make of this--was this enforcement action based solely on overstatements in the privacy policy, or was it based on poor security practices regardless of the privacy policy? My vote is that it's the latter based on the BJ's Wholesale Club precedent.
* A consumer group filed a complaint against Zillow for doing a lousy job of providing valuation estimates. While Zillow's estimates may be poor, this complaint raises some troubling concerns about the liability associated with any web-based price estimate service. Could developments in this matter affect Google's PageRank as a valuation of the worth of web pages?
* Ted Leonsis, vice chair of AOL, didn't like the search results when he vanity searched. So he vowed to improve his Google profile, launching a high volume blog that helped drive preferable results to the top of the list. My advice to Ted: enjoy the favorable placement while it lasts; you're only one Googlebomb away from disappointment.
* We are generally conditioned to think that every searcher gets the same search results for the same search. This model is progressively breaking down due to personalized search and other innovations. A catalog of reasons why search results vary for searchers. I eagerly await the time when courts recognize this fact when dealing with search engine cases!
* A DoubleClick study claims that 30% of consumers admitted that they sometimes click on banner ads, but 61% of consumers said that at least sometimes they made a mental note of the advertisers and followed up with them later. If true, this means that banner ads generate a lot more value than is measured by clicks alone. However, I wonder if this result should be chalked up to the "talk is cheap" category?
* It's like a well-worn joke: if you'll believe that, I've got a bridge to sell you. But no joke: they may be selling the Golden Gate Bridge--well, at least, corporate sponsorships for it. Of course, the bridge is so iconic that a brand owner could get significant goodwill from being associated with it. On the other hand, it's the world's leading suicide destination; not exactly the best corporate tie-in for many brands.
* According to one anti-spam vendor, "9 out of 10 emails now spam." At this rate, pretty soon it will be 11 out of 10 emails.
Posted by Eric at 11:47 AM | Content Regulation , Marketing , Patents , Privacy/Security , Search Engines , Spam , Trademark | Comments (4) | TrackBack
November 28, 2006
Google Personalized Search, 1 Year Later
By Eric Goldman
Exactly 1 year ago, I started using Google Personalized Search. Since then, Google Personalized Search has recorded 6,700 searches of mine--an average of over 18 searches a day, every day (including weekends and vacations), or over 1 Google search every waking hour. My highest daily total was at least 89 searches.
Clearly, from these 6,700 data points, Google should know a lot about me. Yet, I would rank the benefits of Google Personalized Search as low. In some cases, Google prioritizes specific search results that I've selected before (and tells me how many times I've selected that link), so it can help me find something when I'm revisiting a past search. Otherwise, I can't say that I've noticed any discernible benefits from their personalized search tool.
My suspicion of low efficacy is reinforced by Google's inability to make good inferences about me. In Google Trends, it shows me what it describes as the "top gaining queries related to your searches"--presumably, these are the search terms it thinks are associated with the search terms I've used. The top 10 today:
1. prime outlets
2. ucla taser
3. great mall
4. rhodes scholars
5. tofurky
6. tofurkey
7. marie calendars
8. dundee wisconsin
9. bakers square
10. odot
#5 and #6 surely must relate to my vegetarian-related searches, so this isn't too bad. #2 may somehow reflect my association with UCLA (good), but UCLA taser? (huh?) #1 and #3 are big outlet malls in the Bay Area, so they are geographically relevant and perhaps seasonally topical due to the holiday shopping season (although I haven't really been shopping this season). #7 and #9 are a little bizarre for a vegetarian--I'm sure I've done restaurant searches, but not for chains like this! I have no idea what triggered #8 or #10. So, on balance, it doesn't appear that Google is making very smart inferences about me based on the 6,700 searches I've provided it. For more on this point, see Greg Linden's similar comments on Google's recommendation engine explaining that Google is relying too heavily on geolocation instead of other personalization attributes.
One more interesting piece of data: Google Trends captures the times of my search, which visually illustrates my work habits. Unfortunately, the histogram is distorted by my move from Milwaukee to California mid-year; my Milwaukee activity was 2 hours ahead of this data.
As you can see from this diagram, I generally get into the office between 9-10 am and then work at a constant rate for a few hours. Then, in the late afternoon, I really hit my stride, spiking at 3 pm--which was really 5 pm when I was in Milwaukee. In other words, my real work day begins about 5 pm. Then, there's a drop-off around 7 pm (5 pm on this chart when I was in Milwaukee), which is when I go home, and then a mini-resurgence between 9-11 after the kids are in bed.
At minimum, this data shows why I'll never be a great 9-5er. The 5-7 period is among my most efficient work period. When I first became a professor, I tried to come home at 5 pm regularly for a couple of weeks and I felt like I never got anything done. This chart partially explains why.
Despite this fun with graphics, I'm disappointed with Google Personalized Search. I will keep using it because it provides me limited benefits at no additional effort, but it's not really doing anything to increase my loyalty to Google.
One last point: I know some of you would interpret my experience as a good reason NOT to use personalized search because of the privacy risks associated with Google's aggregation of search results. I do worry about that, a tiny bit, in that I'm sure people would draw bizarre and potentially adverse inferences if they were to parse through my 6,700 searches. But I've made the deliberate choice that I'm not too worried about that risk personally--although I'm not going to publicize my search terms, I'm comfortable enough with their limited privacy protection in Google's hands.
Posted by Eric at 03:46 PM | Privacy/Security , Search Engines | Comments (1) | TrackBack
October 18, 2006
Acxiom Not Liable for Security Breach--Bell v. Acxiom
By Eric Goldman
Bell v. Acxiom Corp., 4:06CV00485-WRW (E.D. Ark. Oct. 3, 2006)
Acxiom is a major data miner/data broker. As a result, they have lots of sensitive personal data stored on their computers. Between 2001-2003, they suffered a major security breach when a bad actor (now in jail) extracted personal data and resold it to marketers. Bell brought a putative class action against Acxiom for this security breach that may have resulted in her data being resold.
Specifically, Bell alleged two injuries: (1) increased risk of receiving junk mail, and (2) increased risk of identity theft. However, she did not allege that she actually experienced either increased junk mail or identity theft. Thus, the court brushes the concerns about possible future risks aside, saying that both injuries were not sufficiently concrete to satisfy the "case or controversy" pleading standard. As a result, the court granted Acxiom's motion to dismiss.
This case reminds me of the In re JetBlue case, where the airline provided passenger records to the government in contravention of its articulated privacy policy. That lawsuit died because the plaintiff could not show any cognizable injury from the data transfer/privacy policy breach. In the Acxiom case, the lawsuit died because the plaintiffs couldn't plead a sufficiently tangible harm to clear the motion to dismiss standard. So it appears that some courts are demanding more from privacy plaintiffs than just their mere apprehension about privacy--a significant standard that could keep privacy lawsuits in check.
UPDATE: A very similar ruling rejecting a fear of increased risk of identity theft as an injury sufficient to support standing: Key v. DSW, Inc., 2:06-cv-00459-GLF-TPK (S.D. Ohio Sept. 27, 2006).
Posted by Eric at 07:12 PM | Privacy/Security | Comments (3) | TrackBack
October 11, 2006
Article on Regulating Marketing--A Coasean Analysis of Marketing
By Eric Goldman
Eric Goldman, A Coasean Analysis of Marketing, 2006 Wis. L. Rev. __ (forthcoming).
In 2001, I had a career-altering epiphany while I was working at Epinions (this is the topic that prompted me to consider becoming a full-time academic). Epinions was morphing from a content generation engine (generating consumer reviews of products and services) into a shopbot where a core value proposition was to refer users to vendors to consummate transactions. As we made this transition, I realized that we were really entering the attention broker business. We aggregated consumer attention, principally from search engine referrals, using copyrighted content (the consumer reviews) as marketing to capture consumer attention. We then redirected that attention to vendors for our economic benefit. To the extent we bought the consumer's attention (say, through paid search listings), we were just in the attention arbitrage business (i.e., we wanted to sell the attention for more than we paid to buy it).
As a result, I realized that we competed against every other attention broker, including adware vendors (who were nascent in 2001), spammers, and every other marketing intermediary. But I couldn't resolve an underlying question--what gave us (or anyone) the right to broker a consumer's attention? Who "owned" attention, and when was it permissible to profit from someone else's attention?
It took me 5 years and 8 complete rewrites to complete my paper, A Coasean Analysis of Marketing, that answers these questions. This was one of the hardest things I've ever done professionally. It was truly a labor of love!
Part of my difficulty is that I ultimately realized that "attention" wasn't the real issue (and, in fact, it was distracting me). Instead, "attention brokering" is really a matching problem--marketers and consumers want to match with each other, but the matching process is costly. In particular, the key challenge is that consumers incur costs to express their preferences, a problem exacerbated by rising data glut.
Thus, the only sustainable solution allows consumers to express and manage their preferences at a near-zero cost. This will require a technological, not legal, solution, and the technology will look a lot like what we currently call adware and spyware. In turn, we may be doing ourselves a disservice if our efforts to regulate adware and spyware inhibit the development of technology that provides improved marketer-consumer matching in an information overload environment.
Certainly, many of these themes will be familiar to blog readers. However, this article ties together numerous threads that I've addressed on an ad hoc basis and, for the first time, lays out my vision comprehensively. Thus, I hope you'll take a look at it. I welcome your comments and thoughts.
Some discussion about the article from around the blogosphere:
* Peter Huang's comments
* Frank Pasquale's comments
* Conglomerate Junior Scholars Workshop comments (including responses to Peter's and Frank's comments)
* Daniel Solove's comments
The abstract:
Consumers claim to hate marketing - mostly, because they get too much unwanted marketing. In response, regulators develop medium-by-medium marketing suppression regulations. Unfortunately, these ad hoc solutions do little to satisfy consumers, and dynamic technologies and business practices quickly render them moot. Instead of continuing this cycle, there would be some benefit to developing a cross-media marketing regulatory scheme.
However, any holistic solution must be predicated on a clear rationale for regulating marketing. The most common justification is that marketing imposes a negative externality on consumers, but this argument ignores the private and social welfare created by marketing and can lead to cost overinternalization and marketing undersupply.
The Coase Theorem also suggests that social welfare improves by reducing the costs of matching marketers with interested consumers. To achieve this, consumers need a low cost but accurate mechanism to manifest their preferences. This Article shows that typical regulatory and marketplace solutions do not provide effective mechanisms.
Instead, marketer-consumer matchmaking will improve from technology that will automatically infer consumer preferences and use these inferences to filter incoming marketing and seek out wanted content. This technology is rapidly emerging, but regulation of surreptitious monitoring devices (like adware and spyware) may inadvertently block the development of this socially-beneficial technology. As a result, current regulatory overreactions to developing technology may counterproductively foreclose social welfare improvements.
Posted by Eric at 11:33 AM | Adware/Spyware , E-Commerce , Marketing , Privacy/Security , Search Engines , Spam | TrackBack
October 01, 2006
Sept. 2006 Quick Links
By Eric Goldman
Some stories that caught my eye in September:
* Digg users are gaming the Digg algorithm. Greg Linden's take. Naturally, Digg is fighting back by tweaking its algorithm to reduce the effect of gaming and preserve some editorial integrity to its results. Hmm...this sounds familiar. As I've argued, users inevitably will game algorithms, websites will tweak the algorithms, and the cycle will repeat infinitely. It is the Law of Algorithms. For a user revolt/algorithmic assault that I "enjoyed" first hand, see here.
* Rebecca blogs on "mocketing," the process where brand owners pay people to parody their brands, and its potential implications for trademark law.
* Starbucks emails employees a coupon for a free drink and encourages them to forward the email coupons on to friends and family. A few trillion emails later, Starbucks realizes that it made a horrible mistake and dishonors the coupons. Now, they're staring down a $114M class action lawsuit. See the coupon and more details here. Practice pointer for marketers: NEVER EVER encourage email recipients to forward the emails on to friends and families, especially if some benefit putatively will attach. It's a sure-fire way to become an instant urban legend, and some variation of these emails will still be making the forwarding rounds in the year 2525. Tsan offers some more practice pointers.
* BusinessWeek recaps the social science literature on how eBay sellers can maximize revenues. Recommendations based on the literature: set low starting prices; don't use reserves; use photos; don't flood the market; spell check; use hype; hold longer auctions; watch the auction's ending time; don't overcharge for shipping; and avoid negative feedback.
* About 1 of every 2 searches involves "pogo-sticking" (reviewing a search results page, investigating a search result and back-buttoning to the search results page). Yet more social science demonstrating the junkiness of the initial interest confusion doctrine--consumers have figured out how to investigate search results and back out if they are not relevant.
* In a default judgment, an Illinois judge ordered UK-based Spamhaus, one of the email blocklist maintainers, to pay e360 Insight LLC $11.7M in damages for blocklisting them and to post a note acknowledging that they aren't spammers. However, it remains unclear how e360 can enforce this ruling.
* Google lost a Google News copyright case in Belgium. For a critical view of this case, see Ross Dunn's take. Google's official statement.
* Lengthy NYT article on Marshall, TX, with the second-largest patent docket in the country. Why? Fast trials, plaintiff-favorable results (78% pro-plaintiff instead of a national average of 59%), and Texas-sized damages. More on Marshall as patent litigation capital available here.
* AOL has been sued for its release of search data. Danny's take. Two things: (1) I can't see the ECPA claim at all. A search request is a communication between party A (searcher) and party B (search engine). There's no ECPA violation when either A or B discloses the contents of that communication. However, I think search engines make their life harder when they take the factually unsupportable position that they are just passive conduits between searchers and web publishers (see Field v. Google). (2) The complaint takes the position that AOL is continuing to disseminate the search data because it continues to display search results linking to the data. I think this argument has lost all credibility in the copyright arena; it seems equally bogus here.
* A three year old kid knows how to "buy it now."
* NYT on "orphan brands"/"dormant brands" and efforts to license and revive these brands.
* The US officially joined the Council of Europe (COE) Convention on Cybercrime. It becomes effective Jan. 1, 2007.
* My colleague Tyler Ochoa explains the fallacies of Huntington Beach's trademark claims for the phrase "Surf City USA."
Posted by Eric at 11:07 AM | E-Commerce , Marketing , Patents , Privacy/Security , Search Engines , Spam , Trademark | TrackBack
September 07, 2006
Xanga.com Busted for COPPA Violation
By Eric Goldman
The FTC announced today that Xanga.com had settled charges that it violated the Children's Online Privacy Protection Act (COPPA). The settlement includes, among other remedies, a payment of $1 million--by far the largest fine in a COPPA case to date.
Xanga.com's transgression can be easily summarized, as stated in the FTC's press release:
The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. ... The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.
Two practical observations:
1) Statements in EULAs/user agreements saying that users should not sign up if they are underage (or in the wrong geography, or whatever) are worthless from a risk management/legal compliance standpoint. The complaint also indicated that Xanga.com required users to check a box certifying that they were over 13. This might have been slightly more helpful, except when Xanga.com got conflicting data and didn't cross-check it against the certification.
2) Collecting birthdates is a well-known and paradigmatic way to violate COPPA. For years, I've been saying that one simple way to mitigate COPPA exposure is simply not to collect birthdates. (COPPA also covers sites that target kids 12 and under, so avoiding birthdates isn't a complete solution). Or, if birthdates are collected, simply refuse to register underage users. Here, according to the FTC, Xanga.com violated these well-known and basic approaches--1.7 million times!
FWIW, when COPPA became effective in 2000, Epinions had a field where users could self-report their age. We ran a script and found a few dozen users 12 and under. We promptly kicked those users off the site (they were ticked about being evicted--I told them to take it up with Congress and the FTC). We then disabled the ability of users to self-report their age.
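As an added example (not code from the post, the FTC or Xanga), here is a registration gate that applies the two practical points above: a birth date indicating under-13 is refused outright, a 13+ certification checkbox that conflicts with the supplied birth date is refused rather than trusted, and a retroactive sweep finds already-registered under-13 accounts. All dates, usernames and the `COPPA_MIN_AGE` constant are constructed for illustration.

```python
"""COPPA-style age gate: refuse under-13 signups and cross-check the
self-certification checkbox against the birth date instead of trusting it.
Added example; names, dates and records are constructed, not from the post."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

COPPA_MIN_AGE = 13  # COPPA covers children under 13


def age_on(birth: date, today: date) -> int:
    """Completed years between birth and today (handles Feb 29 birthdays)."""
    years = today.year - birth.year
    # Not yet had this year's birthday: one fewer completed year.
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


@dataclass
class Signup:
    username: str
    birth_date: Optional[date]  # None if the form does not collect it
    certified_13_plus: bool     # the "I am 13 or older" checkbox


@dataclass
class Decision:
    allowed: bool
    reason: str
    conflict: bool = False  # checkbox and birth date disagree: worth logging


def evaluate_signup(s: Signup, today: date) -> Decision:
    """Decide whether a signup may proceed.

    The checkbox alone is worthless as evidence (the post's point 1); when
    a birth date is present it is the authoritative signal, and any
    disagreement with the checkbox is treated as a refusal, not resolved
    in the user's favour.
    """
    if s.birth_date is None:
        # Not collecting birth dates limits exposure (point 2), but then the
        # checkbox is the only signal and cannot be cross-checked.
        return Decision(s.certified_13_plus,
                        "no birth date collected; certification only")
    if s.birth_date > today:
        return Decision(False, "birth date in the future; invalid")

    age = age_on(s.birth_date, today)
    if age < COPPA_MIN_AGE:
        if s.certified_13_plus:
            # Exactly the conflicting data the FTC complaint describes.
            return Decision(False,
                            f"birth date gives age {age}; conflicts with "
                            f"13+ certification", conflict=True)
        return Decision(False, f"birth date gives age {age}; under "
                               f"{COPPA_MIN_AGE}")
    if not s.certified_13_plus:
        return Decision(False, "birth date gives 13+, but certification "
                               "not given", conflict=True)
    return Decision(True, "ok")


def audit_existing_accounts(accounts: Iterable[Signup],
                            today: date) -> List[str]:
    """Retroactive sweep of stored accounts (the 'we ran a script' step):
    usernames whose stored birth date indicates under-13 today."""
    return [a.username for a in accounts
            if a.birth_date is not None
            and age_on(a.birth_date, today) < COPPA_MIN_AGE]


if __name__ == "__main__":
    today = date(2006, 9, 7)  # constructed reference date
    for s in (Signup("alice", date(1995, 9, 8), True),
              Signup("bob", date(1993, 9, 7), True),
              Signup("carol", None, True)):
        print(s.username, evaluate_signup(s, today))
```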
Posted by Eric at 12:39 PM | Privacy/Security | Comments (2) | TrackBack
August 23, 2006
August 2006 Quick Links (Volume 2)
By Eric Goldman
Some more things that caught my eye in the past month (see Volume 1):
* Wikipedia's entry on trademarks that have become generic. "Google" isn't listed...yet—instead, it’s listed as a trademark “often used generically”. HT: Marty. My list of favorite generic terms: Aspirin, Baby Oil, Brassiere, Cellophane, Celluloid, cornflakes, Dry Ice, Escalator, granola, Kerosene, Lanolin, Light Beer, Linoleum, Milk of Magnesia, Murphy Bed, nylon, octane, raisin bran, Shredded Wheat, Thermos, trampoline, Yo-yo, zipper. I would update the Wikipedia entry myself if I thought that those changes would actually stick rather than being reverted by a Wikipedian exercising dominion over the page--a blog post coming on that issue soon.
* Greg Linden has some insightful thoughts about lawyers' role with start-ups that come from the voice of experience.
* Goofy article in the Washington Post romanticizing the sites enabled by AdSense and citing examples of people getting rich through AdSense. Two observations: (1) That's definitely not me! (2) Only a very quick mention of the splogs, typosquatting sites and junky content-free sites spawned by self-service AdSense programs.
* Fraudsters may have found the perfect technique to game eBay’s feedback. They use robots to build positive eBay reputations through a series of $0.01 buy-it-now transactions. If eBay’s feedback rating system becomes unreliable, what will happen to eBay? This seems like a bet-your-business issue for eBay.
* eBay isn't a "debt collector" under the Fair Debt Collection Practices Act, nor is eBay's feedback forum a "consumer report" under the Fair Credit Reporting Act. McCready v. eBay, Nos. 05-2450 and 05-3043 (7th Cir. July 10, 2006).
* "Nike: It's Not a Shoe, It's a Community." Another example of how a marketer has embraced its role as a content publisher.
* WSJ debate on search engines storing user data. Issues about the disposition of search engine data don't seem to be going away any time soon! Big blog post coming on this topic shortly.
Posted by Eric at 08:50 AM | Privacy/Security , Search Engines , Trademark | TrackBack
July 28, 2006
Doe v. MySpace.com --- Continued
By John Ottaviani
I was finally able to read the complaint. It raises some very interesting issues concerning the obligations of website hosts and Internet service providers to institute and enforce appropriate security measures to decrease the likelihood of harm to users. These harms could occur online (such as defamation), or in the physical world, as unfortunately occurred here.
The complaint names MySpace, Inc., News Corporation, the parent company of MySpace, Inc. and the man who allegedly committed the sexual assault on the 14-year-old girl.
From the complaint, we see that the predator initially contacted the plaintiff through MySpace.com, but then she gave him her cell phone number. It appears that subsequent communications were by cell phone, including the arrangements for an after-school meeting, during which she was sexually assaulted.
The complaint alleges causes of action against MySpace and its parent, News Corporation, for negligence, gross negligence, fraud, fraud by non-disclosure and negligent misrepresentation. The complaint also alleges assault and intentional infliction of emotional distress claims against the attacker.
The negligence claim is interesting because it raises what I believe is an issue of first impression: does MySpace.com have a duty to institute and enforce appropriate security measures and policies to withstand and substantially decrease the likelihood of danger and harm in the physical world that MySpace posed to the plaintiff? I have been debating this with David Fish, who feels that an Internet site that targets young children and (allegedly) knows of assault problems against these children certainly has a duty to protect because there is a foreseeable risk of harm. I find it difficult to imagine that, given the enormous policy and economic repercussions for all Internet content providers, a court would impose such a duty, which would expose Internet content providers to liability for the wrongful acts of potentially millions of unknown bad people committed against millions of unknown potential victims. A similar claim was rejected in the early days of the Internet in Lunney v. Prodigy Services Company when the New York Court of Appeals held that there is "no justification" to impose a duty on ISPs to "employ a process for verification of the bona fides" of all applicants and any credit cards they offer so as to protect against defamatory acts. The Lunney case may serve as an analogous precedent. But remember, the complaint in the MySpace.com lawsuit was filed by a Texas plaintiff in a Texas state court, and Section 230 does not necessarily give a defendant the right to remove to a federal court, so MySpace may be in for a fight on this issue.
The negligence count further alleges that this breach of duty was the proximate cause of the sexual assault of the plaintiff. I have a hard time seeing proximate cause here, where the initial e-mail communications were followed up with cell phone conversations.
Eric and I differ as to whether or not MySpace will be able to successfully assert a Section 230 defense. The relevant portion of Section 230 states: “No provider or user of the interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Here, however, the plaintiff is alleging that she was injured as a result of actions of her attacker in the physical world, which were caused either by MySpace’s “failure to take action and to protect her” or MySpace’s “misrepresentations about the safety of its site.” None of the claims are based on information posted by the predator or any other third party. Eric still feels there is room for a Section 230 defense, however.
There may be enough muck in the complaint for some of the other causes of action to survive a Motion to Dismiss. MySpace may have better luck going straight to summary judgment.
Posted by John Ottaviani at 11:07 AM | Privacy/Security
June 27, 2006
June 2006 Quick Links
By Eric Goldman
I have had virtually no Internet access over the past 10 days due to my move and travels, so my Bloglines account was bulging with more than 1700 articles. Here's a quick look at some of the items that have caught my attention this month:
* The FTC announced its own data breach due to a stolen laptop. Hmm...is it just me, or is this incident dripping with irony?
* Microsoft appears to be in its "benevolent" dictator mode again. Last year I blogged about how Microsoft made the unilateral decision to wipe some "malicious" software off users' computers without user notice or consent. (If it makes you feel any better, AOL has done the same thing). Now, Microsoft is installing mandatory software that phones home and doesn't tell users it's phoning home. Most people would categorize the phone home capability as spyware, and I'll be interested to see how the undisclosed feature doesn't violate 18 USC 1030(a)(2)(C). Yet, as Andy Patrizio wonders, where's the outrage? The consumer protection lawsuits? Andy writes:
All manner of hell broke loose over the major phone companies reportedly cooperating with the National Security Agency over international phone calls, but the news that Microsoft is watching every single Windows XP PC has been met with deafening silence.
Suzi rounds up the situation.
[UPDATE: First lawsuit over WGA filed. I'm sure more are coming.]
* JP Enterprises v. Yahoo, No. 06-cv-01046-REB-PAC (D. Colo. amended complaint filed June 6, 2006). Complaint against Yahoo Dating and other dating sites for purchasing keywords of a competitor, LoveCity. I'm not optimistic about the plaintiff's chances here, given that it doesn't seem to understand the differences between metatags and keyword triggers. Also, note the irony that Yahoo is buying ads from competitor Google.
* The WSJ writes about the accuracy of recommendation engines. The article explains how consumers make some decisions based on brand perceptions rather than actual utility they derive from the product. As a result, recommendation engines do a better job serving consumer desires by watching consumer behavior rather than relying on self-reported consumer preferences.
This also raises interesting implications for the role of brands in the search process. Brands may help consumers find what they think they are looking for, but at the same time may interfere with utility maximization. To avoid this, one recommendation engine contemplated hiding brands from the consumers.
* Heidi Cohen states the obvious. (Well, she and I think it's obvious, but apparently most marketers still don't get it.) Marketers are in the content publishing business, so they need to think like publishers, not marketers. And, from a policy standpoint, this continues to reinforce the illusory line between marketing content and editorial content.
* Another shocker: Marketers pay-for-placement in editorial content in print publications.
* Michael Scott (from his new blog, Singularity) writes a fun article about the implications of three generations of cyberlawyers: the veteran "computer lawyers" from the 1980s (that includes him), the dot com boomers from the 1990s (which I belong to), and the post-dot com busters from the 2000s.
* More evidence of "banner blindness." As usual, consumers can organically adjust to annoying marketer tactics if legislators avoid jumping into the fray.
* Finally, an article on fake consumer reviews. This is hardly the first article on the topic, but interestingly it hints that some merchants may be outsourcing/offshoring the creation of fake reviews. Forget click fraud shops in India and gold farming in China; those are passe. Instead, here's a new possible tort for you plaintiffs' lawyers--review "fraud"?
Posted by Eric at 05:50 PM | Adware/Spyware , General , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Trademark
May 11, 2006
Quick Links May 2006
By Eric Goldman
My blogging queue has gotten too thick. Here's some items that caught my attention that I've been meaning to blog and simply haven't gotten to.
* I previously blogged about Chris Wilson, the website operator who allowed users to post pornography and was then prosecuted for distributing pornography under state law. I argued then that such prosecutions were immunized by 230. According to AP, in January, Chris pleaded no contest to 5 counts of possession of obscene material (this news report sounds garbled; the crime of possessing obscene material, without more, should be protected by Stanley v. Georgia). For this, in April, he was sentenced to 5 years probation.
* Deborah Wilcox has written an article about situations when trademark owners should NOT send a trademark cease-and-desist letter. Given how many trademark plaintiffs' lawyers mistakenly shoot first and ask questions later, this article raises an important but overlooked perspective.
* The blogosphere is doubling every six months. 4 million bloggers update their blogs at least weekly.
* Cedric reports that, in February, Google finally won an AdWords case in France.
* 310,000 consumers were affected by Lexis-Nexis' data breach. Lexis-Nexis offered them a free year of credit monitoring services. Only 6% took Lexis-Nexis up on the offer, a number that's similar to other such offers (Citibank only had a 4% signup rate). Bob Sullivan tries to figure out why. Among the theories:
- consumers discarded/ignored the notification as junk mail
- consumers were suspicious that the free offer wasn't going to be free in the end
- consumers are apathetic about privacy issues
I have my own speculation about this, but I think the time for relying on intuition is long past. Instead, I think further empirical research is critical before more legislatures robotically rubber-stamp existing legislation designed to remediate data breaches. I remain suspicious that these mandated solutions are doing nothing to help the problem, and may in fact be exacerbating the problems.
* Barton Beebe's slides from his presentation, US Contextual Advertising Law, at the Fordham International IP conference in April.
Posted by Eric at 09:03 AM | Adware/Spyware , Content Regulation , General , Privacy/Security , Search Engines , Trademark
March 23, 2006
NY Enforcement Actions for Reselling Emails in Breach of Privacy Policy
By Eric Goldman
Gratis Internet runs several websites that promise free stuff (like free iPods) in exchange for consumers signing up for subscription trials. The trials are initially free but then convert to paid subscriptions. The idea is that many consumers will either like the subscriptions or be duped into keeping the subscriptions against their will. For an example of how even very intelligent people can be trapped by these free trials, see my colleague Christine's story (and the update).
Along the way, Gratis made a variety of privacy promises to consumers. Of specific relevance here, Gratis promised that it would never resell the consumers' email addresses. However, as it turns out, Gratis allegedly may have done precisely that.
If so, this should be a fairly straightforward legal problem. The false privacy policy should constitute unfair/deceptive trade practices and false advertising, and both the government and consumers should have causes of action (although, see In re JetBlue about possible limits in the consumers' cause of action). In this case, Spitzer announced today that his office is going after Gratis for violation of New York's consumer protection laws. This makes sense.
More interesting to me is Spitzer's action against Datran Media, one of the buyers of email addresses from Gratis. Last week, Spitzer's office announced a settlement with Datran that included a $1.1 million check.
Note that Datran didn't breach the privacy policy directly; it allegedly purchased and used tainted email addresses. Ordinarily, there's no such thing as contributory contract breach, but we might think of this as analogous to receiving stolen property. Perhaps with the requisite level of Datran's scienter, they should in fact bear responsibility for buying and using "hot goods." If the scienter standard is high enough, then it's hard to quibble with the action.
But I think there's a more fundamental lesson to learn. This case reinforces that it's very hard to legitimately buy/sell email addresses. At minimum, I think buyers need to do thorough diligence of the email addresses' origins, and it's hard to find legitimate email addresses that were completely acquired without restriction on transfer or resale. Then, under CAN-SPAM, the email addresses have to be filtered out for any opt-outs that the buyer has received in the past. And then, it's hard to get bulk emails through the email service providers/IAPs, especially if the sender can't claim some type of relationship with or authorization from the recipients.
All told, I just don't understand how legitimate companies think that email addresses can be flipped like commodities. The practice may never have been legitimate, but I see it as a completely dead practice today.
UPDATE: Dan Solove weighs in on the case. I generally agree with Dan's analysis, except that I think we need to know more about Datran's scienter. This result is defensible only if the scienter level was high enough.
UPDATE 2: Chris Hoofnagle calls the case "one of the biggest cases for consumer privacy ever."
Posted by Eric at 01:31 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | Comments (3)
March 11, 2006
FTC Extends COPPA Without Changes...and New FTC RSS Feeds
By Eric Goldman
The FTC has extended the COPPA rule unchanged. Most significantly, the rule continues to preclude non-authenticated email as a way of obtaining parental consent.
I don't spend much time thinking about COPPA any more. I teach my Cyberlaw class that they should advise clients to avoid being governed by COPPA at all costs. COPPA makes it expensive to provide online interactivity tools to kids; but by definition, kids don't have any online purchasing power. So it's hard to profit from providing robust online tools to kids.
Having said that, I am constantly surprised by the number of websites I see that should be COPPA-compliant but don't appear to make any effort to comply with it. I think the FTC could find plenty of targets if it decided to sweep for COPPA violations.
On a separate note: While checking out the FTC's website, I discovered that the FTC quietly has launched RSS feeds. Terrific news!
Posted by Eric at 02:29 PM | Privacy/Security | Comments (1)
March 06, 2006
Congress Is Lovin' the Internet...to Death?
By Eric Goldman
Congress has an unresolved love-hate attitude towards the Internet. Through the 1990s, Congress frequently said that the Internet should be left alone from a regulatory standpoint. Indeed, in some cases, Congress affirmatively deregulated the Internet; 47 USC 230 and the Internet Tax Freedom Act come to mind.
However, Congress is irresistibly drawn to Internet regulation. Every Congressional session, members of Congress propose literally hundreds of laws to regulate some aspect of the Internet. Obviously, not all of these laws pass, but the sheer volume is evidence of the seductive lure of Internet regulation. Congress just can’t control itself!
I was working through the piles on my desk yesterday and I came across three recently proposed laws that demonstrate this irresistibility. All three laws reflect legislative opportunism to capitalize on hot media issues; all three laws reflect a certain idealism for how markets should function; and all three laws would have radical (and possibly crippling) effects on the Internet.
1) Eliminate Warehousing of Consumer Internet Data Act of 2006, HR 4731 (Introduced Feb. 8 by Rep. Markey).
Rep. Markey promised this law in response to the DOJ-Google flap. The premise is simple enough: online companies should flush their databases of personal data so the DOJ can't abuse its power to get that data. This animating principle translates into the following operative provision:
"An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose, or there are no pending requests or orders for access to such information pursuant to a court order." The definition of personal information is suitably broad--first/last name qualify, as does an email address.
I don’t like this law’s expansive sweep. It would govern many seemingly-unimportant websites, such as my blogs (which allow users to submit both their first/last name and their email addresses). In some cases (like mine), I can’t flush personal data because it’s in the hands of my service providers.
Further, ironically this law doesn't even correct the DOJ-Google situation. First, the data requested by the DOJ wasn't personal data as defined by the law. Second, and more importantly, Google arguably has a legitimate business purpose to keep every scrap of data it ever lays its hands on (after all, how can you organize the world's information if you have to flush some of it down the drain?). Given that many businesses can claim a continuing benefit from keeping personal data, this law won't get that data flushed. Instead, I think it merely creates weird/unexpected technical headaches.
2) Internet Non-Discrimination Act of 2006, S. 2360 (Introduced March 2, 2006 by Sen. Wyden)
This law follows on the hot topic of net neutrality, or a “two-tier” Internet, which is also linked to AOL’s implementation of Goodmail’s certified email program. The law’s basic premise is simple: data transit vendors should not discriminate between bits—each bit should get processed equally. This gets codified in a list of restrictions about the products/services that a covered entity can (or can’t) offer.
I'm dubious about the theoretical underpinnings of this law, but for now my objection to the law is far more tactical. The law restricts the behavior of "network operators," which is anyone who "provides communications directly to a subscriber." I think the law was intended to govern the provision of Internet access/connectivity. But, as drafted, I think the law covers everyone who moves data from one point to another--this should include every website that provides user-to-user communication, including email service providers, instant message providers, blog providers, "email this page to a friend" providers, etc., etc. In other words, virtually the entire Internet.
This drafting error is, in theory, fixable. The law could just define the covered entities as Internet access providers more carefully. However, I don't think this is an easy fix. I think there are no clear distinctions between the various "layers" (content v. application v. transport); at least, the distinctions aren't definable statutorily.
Worse, it significantly restricts beneficial intermediary behavior, such as blocking incoming spam. The law acknowledges this consequence and says that the governed entities can block spam if the consumers are notified and have a chance to disable the application. So whereas AOL might kill almost all incoming spam at the server level, the law would take this choice out of AOL’s hands. I’m not sure what consequences result from that, but my heart tells me it’s expensive for AOL/the consumer and it could lead to weird and unexpected results.
In effect, this law would place most of the Internet under the oversight of an administrative agency (the FCC). The Internet has thrived without FCC oversight for a while now. I'm having a hard time believing that turning the Internet into a comprehensively-regulated industry would be a good thing.
3) Global Online Freedom Act of 2006, HR 4780 (Introduced Feb. 16, 2006 by Rep. Smith).
This law builds off the Google/Yahoo-China flap. It has various proposals designed to get China and other repressive countries to stop censoring Internet content.
Specifically, the law would create a new administrative agency called the "Office of Global Internet Freedom." This title alone is disconcerting; it sounds like something out of Orwell or Kafka. Indeed, like any good dystopian view of bureaucracy, the OGIF would free the Internet by telling its citizens what they can't do.
In this case, the OGIF would help generate a list of bad censorship-loving countries. On the initial list are China, Iran and Vietnam. All US search engines or content hosts cannot locate those functions in the bad countries. (Note that the definition of search engines or content hosts covers anyone who has a search tool on their website or permits users to generate content). Search engines also cannot change their filtering based on requests from bad countries. Content hosts also can't help "Internet jamming" and can't disclose personal data at the request of bad countries.
This law seems terribly misguided. It’s as if Rep. Smith thinks that Google is so amazing that countries will change their censorship laws just to get Google’s services. But we know better. Chinese entrepreneurs will have no problem providing competent yet censorable search services. I’m sorry to be the bearer of bad news, Rep. Smith, but embargoing Google isn’t going to bring down the current Chinese government.
Meanwhile, this law represents a dangerous step towards government regulation of search engine operations. I know that pro-regulation forces would love to have the chance to regulatorily inculcate their normative values into search engine algorithms; this law represents a first step along that path. However, I think there’s little chance that government fiat will improve search engine coverage or relevancy. Instead, I think there’s a much better chance that government intervention in search engine operations will degrade search engines’ usefulness to consumers.
Conclusion
Reading these 3 laws in succession, two 1980s songs came to mind. First, Congress “just can’t get enough” regulation of the Internet. However, "If you love somebody, set them free." We’ll see just how much Congress loves the Internet as it wrestles with these bills.
Posted by Eric at 06:39 PM | Content Regulation , Internet History , Privacy/Security , Search Engines | Comments (3)
March 03, 2006
NCSoft Sued in South Korea for ID Theft
By Eric Goldman
NCSoft has been sued in South Korea for allowing users to improperly register Lineage/Lineage 2 accounts in other people's official Korean ID number (I'm inferring this is similar to a social security number). More than 3,500 people have joined the class action so far, although the affected number is in the hundreds of thousands.
Based on this report, my understanding is that an organized crime ring stole a large number of Korean IDs from a third party shopping website, used those IDs to create Lineage accounts, used Chinese gold farmers to manufacture in-world wealth, and then converted that to physical-world wealth.
Assuming this is true, I don't immediately understand how NCSoft could be liable to the people whose IDs were stolen. It's not clear that NCSoft played any role in the initial ID theft, and so far the news reports indicate that the people whose IDs were stolen have not suffered any damage. If NCSoft had no role in the initial theft and the people whose IDs were stolen suffered no damages, I'm having a hard time seeing how this is NCSoft's problem. Certainly, in the US, I can't see how the plaintiffs in this situation could state a valid cause of action.
As a result, this lawsuit smells fishy. The organizers run a case auction service that matches victims with lawyers for all types of lawsuits. (From their website: "Case Auction is a bidding system of which clients find out lawyers to handle his/her case through the auction.") Could this lawsuit just be a traffic driver for the website?
Alternatively, lawyers just may be trying to capitalize on consumer outrage. I'm inferring from news reports that NCSoft collected the ID number unnecessarily and consumers are ticked about the security breach and its possible implications (even if no damages were caused here). If the analogy is that an online service provider collected social security numbers as part of its authentication process, I see why some people would want answers about the necessity of such data collection. This article recaps some of the controversy.
Thanks to Matt Goeden for pointing this out. More coverage at Terra Nova.
Posted by Eric at 01:14 PM | Derivative Liability , Privacy/Security , Virtual Worlds
February 15, 2006
Your License, Registration and DNA, Please?
Congress Passes, President Signs, Press ignores...
As broader nationwide DNA database becomes law, states rush to fill database with expanded collection laws of their own.
By Ethan Ackerman
The DNA Fingerprint Act of 2005, which I blogged about late last year, was signed by President Bush into law on January 5, 2006. The legislation expands federal DNA collection efforts to include some legal and illegal immigrants, and allows states to contribute DNA collected for any reason listed under state laws to the federal DNA database. The final language did not change since I first wrote about it. See also the summary here. Rather than rehashing the bill, this post will discuss (1) how the media missed this issue, (2) related state and international developments, (3) the large role individual states' policies will have on deciding just how 'invasive' this database is, and (4) some current 'DNA criminology' shortcomings that this bill may make even worse.
The Media Missed the Issue
While the initial legislative steps of the DNA Fingerprinting Act drew some attention, the media silence on its ultimate passage can be summed up in one phrase - 'buried in layers of legislation.' The DNA Fingerprinting Act was rolled into the 2005 Violence Against Women Act and 2005 DOJ Reauthorization Act, a 176 page mega-bill, which had the effect of obscuring its passage. It took several days for the press to even digest the DOJ bill's passage - its other provisions included Democrat-driven 'mail-order bride' protections and the extensively-blogged 'Cyberstalking prevention' provisions (and even that wasn’t covered in the press until a week later).
International & state developments
On the international scene, Ireland and Scotland, among others, are also expanding DNA collections. (Scotland has the unique wrinkle of being the only UK territory where evidence collected at arrest is held and destroyed if a conviction doesn't follow. Other UK regions already collect and retain DNA at the time of arrest; it is this higher threshold that is targeted for removal.) The UK DNA collection expansion is in tandem with its fingerprint collection expansion - UK police are also set to begin 'roadside' collection of fingerprints. Here again, the UK appears to be following the US lead, as several jurisdictions, notably Phoenix, AZ, are already collecting 'roadside' fingerprints, initially voluntarily but now under penalty of jail, for traffic violations. The UK appears to be out in front of the US, however, with 'in the field' DNA collection, with even bus and train drivers collecting DNA of suspects - in this case 'spitting passengers.'
At the state level, legislation expanding DNA collection to suspects is racing through legislatures - apparently regardless of the political party in control. The Democratic-controlled New Mexico House recently passed legislation authorizing collection from felony suspects. The Republican-controlled Kansas legislature is apparently ready to do the same. Indiana, where different parties control the two legislative chambers, is also several steps into the legislative process of passing a similar bill. Somewhat more liberal New York is running into difficulties over Republican Governor Pataki's version of expanded collection authority, which would apply to misdemeanors and felonies, but only after conviction. While the federal DNA bill allows states to collect DNA for any purpose, under any "applicable legal authority," states so far seem focused on expanding collection from just convicted felonies to felonies AND misdemeanors, and in many cases also to criminal suspects, for now.
The pressure for a state 'race to the bottom'
A notable aspect of the piecemeal expansions occurring at the state level is the "race to the bottom" between states that appears likely. States with heightened guilt or suspicion standards (such as 'felonies only' or 'after conviction, not just arrest' states) would benefit the least from their correlatively smaller databases. A database's utility increases exponentially, not just linearly, with the number of entries it contains. Pressed to obtain the maximum value from their systems, or even just a usefulness level comparable to states that collect more DNA, each state would feel a pressure to expand its database to match or exceed other states. Institutional, and often moneyed, motivators such as political platform-staking, a drive for increased governmental efficiency and pressures to lower crime also force states to compete in expanding these DNA databases. These concentrated pressures exert much more force than the diffuse pressures of individual desires for genetic privacy - a classic economic imbalance often seen in other policy-making scenarios.
States with laws already on the books
At the time the federal DNA Fingerprinting Act passed, Virginia, Louisiana, California, Florida and Texas already had laws requiring DNA collection at the time of arrest for some or all crimes. Yet almost all of these states also have had notable instances of erroneous forensic 'mis'matches, with wrongly convicted suspects serving time before their eventual release. In Virginia, a prisoner's life sentence was commuted and he received an eventual pardon after being exonerated by conflicting crime lab tests. In Louisiana, a man served 17 years before an eventual pardon. A minor was convicted of rape and served over four years before exoneration in Texas, and a prisoner served a 17-year term before it was overturned in Florida (search for Rudolf Holton on page), for example.
DNA Database Shortcomings
Just as with any other scientific endeavor, DNA screening is plagued by errors and fraud. What makes DNA screening different is that, unlike carbon-dating trees or replicating embryonic stem cells, fraudulent DNA evidence doesn't just cause media scandals but it is used to incarcerate or execute people.
Error
Like any other human endeavor, collecting, handling, and processing DNA evidence is an error-prone process. The same characteristic that makes DNA evidence so incredibly useful - an amazingly small fragment of as little as several human cells can be used to identify its genetic source - makes it incredibly prone to contamination. Stray chromosomes from a lab worker, housecat, other evidence sample or crime scene witnesses can be misattributed to a person, and this error can be multiplied by the chemical reaction that underlies modern DNA forensics. Worse, even if scientists get the chemistry right, their assistants and prosecutors still have to get the paperwork right and not mislabel or switch results or files.
Fraud
In many cases, a desire to cover up the errors discussed above apparently leads to false or misrepresented DNA results. In other cases, a lack of impartiality - the majority of official state and local crime labs are tied directly to the local police force - is the problem. For example, in Indiana (which is also contemplating an expansion of collections), allegations that prosecutors pressured crime lab workers to alter evidence have imploded the trial of an alleged murderer.
Showing just how far one crime lab employee's evidence-concealing can go, Michigan and Chicago have both investigated the alleged concealment of exonerating DNA evidence by a Chicago crime lab worker who subsequently went to work at the Michigan state crime lab. Chicago settled over $9 million in claims from the incident.
Similarly showing how far irregularities with DNA evidence can get, questionable testimony from a Virginia crime lab was a large part of the reason the US Supreme Court stayed execution (though ultimately declined cert.) on Robin Lovitt's Virginia death row petition in 2005. Lovitt's sentence was ultimately commuted as a result of the misrepresentations. Problems, however, are not limited to state labs. The US Army's lab, which operates roughly in parallel with the FBI's national lab as a crime and records lab for the US military, stands accused of evidence fraud as well.
DNA's mythical status as irrefutable evidence compounds these shortcomings
Criminal jurors, charged with deciding facts in a trial, tend to be irreversibly swayed by DNA evidence, rightly or wrongly. Call it the "CSI effect," but DNA evidence creates an irrefutable connection in the minds of most jurors. While this can be a two-edged sword when juries expect forensic evidence prosecutors just don't have, jury allegiance to DNA evidence tends to harm defendants it is introduced against much more than it exonerates them.
DNA's genetic nature means inclusion is 'inclusion by proxy' for all your relatives, and an 'open genetic book' about personal attributes and status.
DNA, like a fingerprint, is a useful personal identifier. Indeed, there is a scientific and mathematical basis for the uniqueness and correlation of an individual to his or her DNA that is largely absent for fingerprints. DNA, however, is much more than just an individualized identifier. Much like a family tree, bank statement, dental impression or medical history file may serve to identify an individual, these records (like DNA) also contain much personal information unrelated to authenticating a person’s identity. DNA may reveal private information such as legitimacy at birth or the presence of a gender-change operation or marrow transplant. Some research suggests there are also reliable genetic markers for such traits as aggression, substance addiction, criminal tendencies and sexual orientation.
*title with apologies to James F. Van Orden, who authored an excellent, and slightly variant-titled article I discovered after writing this post.
Posted by Ethan Ackerman at 10:12 AM | Privacy/Security , Publicity/Privacy Rights
January 24, 2006
DOJ Fishes for Search Records, and Google Fights Back--Gonzales v. Google
By Eric Goldman
Gonzales v. Google, Inc., No. 5:06-mc-80006-JW (N.D. Cal. motion to compel filed Jan. 18, 2006)
This event is a collateral consequence of Congress’ obsessive and relentless campaign against Internet pornography. In Summer 2004, the US Supreme Court upheld a preliminary injunction of the 1998 Child Online Protection Act (COPA) and remanded the case for trial. In preparing its defense of the law, the DOJ sought to prove that COPA would be more effective at blocking children’s access to harmful-to-minor materials than technological filtering.
But how could the DOJ get supporting data? Well, no one knows more about the comings-and-goings of Netizens than search engines. If only the DOJ could get its hands on their server logs….
So the DOJ sent a subpoena to several search engines. In Google’s case, the DOJ initially asked for:
• “All URL’s that are available to be located through a query on your company’s search engine as of July 31, 2005”
• “All queries that have been entered on your company’s search engine between June 1, 2005 and July 31, 2005, inclusive”
Google resisted this request, and after some discussions, the DOJ scaled back its requests to ask for:
• “a multi-stage random sample of one million URL’s from Google’s database, i.e., a random sample of the various databases in which those URL’s are stored, and a random sample of the URL’s held within those databases.”
• “the text of each search string entered onto Google’s search engine over a one-week period (absent any information identifying the person who entered such query)”
Google is still resisting this amended request, so the DOJ has asked a federal district court to compel Google to comply with the DOJ’s request.
From my perspective, there are five essential points to take away from this event:
1) This is a Big Deal. This is not the usual Cyberlaw flare-up that has a short shelf life (see, e.g., AutoLink). Instead, I think this will become a classic Cyberlaw moment we’ll be discussing for years. It’s got all the right indicia--hubris, privacy and porn. Regardless of how the courts rule on the DOJ’s request, I think this event will have lasting effects. This is a Big Deal.
2) The DOJ’s Initial Request Was Way Out-of-Bounds. The DOJ’s initial request was jaw-droppingly broad. How could the DOJ ask for so much? And how could some search engines give it to them without a fight?
I think the DOJ’s initial request is very typical of government investigative requests. I’ve been on the receiving end of a few such requests myself. In my experience, government investigators typically make broad initial requests because such requests are costless to the government. If the government does not bear the costs of producing the data, then it’s rational for government investigators to ask for any data that might have any possible benefit to them. (This is like a negative externality—the government overconsumes data because it doesn’t bear the true social costs of its production).
In my experience, however, government investigators will craft a more tailored request when someone resists the initial overbroad request. Basically, the resistance raises the government investigator’s cost, so often the investigator’s path of least resistance is to submit a narrower request reflecting exactly what the investigator really needs.
However, recipients of government investigative requests rarely push back for entirely logical reasons. Principally, recipients do not want to become the investigator’s next target. Government investigators can make someone’s life very miserable, so annoying them has a non-trivial risk of inviting suspicion or even outright retaliation.
Or, in Microsoft’s case, recall that the DOJ enforces Microsoft’s consent decree. Microsoft may have been legitimately concerned that resisting the DOJ’s request could have adverse consequences for the DOJ’s assessment of Microsoft’s compliance with the consent decree. If I work at Microsoft and the DOJ wants some data, I’m going to give it to the DOJ with a smile on my face—no questions asked. (MSN claims that they did push back a little).
One more consideration to explain why other search engines complied with the DOJ’s initial request without much fuss. I don’t have empirical evidence to back this up, but I suspect that large search engines like Google, Yahoo and Microsoft get dozens or even hundreds of government investigative requests a month—most or all of which the search engines dutifully fulfill. This DOJ request was just yet another government request—perhaps a little broader than normal, but not that different from the dozens or hundreds of recent requests the search engines had complied with.
3) Our Government is the Biggest Threat to Our Internet Privacy. Concerns about search engines and privacy are hardly new (this is an evergreen topic for this blog; see here and here). Not surprisingly, some privacy advocates are opportunistically using this event to complain yet again that we shouldn’t trust Google (see, e.g., Leslie Walker's Washington Post story and Rep. Markey's ill-conceived and opportunistic legislative proposal). This is a completely misdirected concern, especially in this case. We have no new or additional reasons to fear Google’s misuse of data about us. But, as this event points out, we have every reason to fear our government’s rapacious desire for information about its citizens.
Though we try to ignore it, deep down we know that our government is the biggest data slut around (it's not even close). Consider some news from the last few months: Bush's administration is engaged in domestic surveillance, the NSA and other agencies illegally use tracking cookies and even members of Congress breach their own voluntarily-adopted privacy policies. We don't need tighter restrictions on search engines' data management practices. Instead, we desperately need MUCH tighter restrictions on government data requests.
4) This Event May Backfire on the DOJ. The DOJ picked the wrong company to challenge publicly. I know that public attitudes towards Google are volatile (many of us have a love/hate relationship with Google). Despite that, Google has a great brand, and many people remain very passionate about Google. Go ahead, DOJ, mess with Yahoo or MSN or even Amazon and you won’t hear much public uproar. But targeting Google…well, that’s a fight that has a high risk of losing both the fight and popular support.
As a result, I expect that the DOJ will get unwanted public scrutiny about the propriety of its data requests. If the DOJ can’t convincingly defend its request, the DOJ’s gluttony could instigate public support for efforts to restrict government data-collection activities. Normally, in light of the USA Patriot Act and prevailing anti-terrorism/anti-porn rhetoric, such a suggestion would be laughable. But the DOJ picked on Google, one of the most cherished companies of our time. Bad move.
5) Google’s Motive May Not Be Entirely Pro-Consumer. Sure, Google’s resistance to the DOJ gives Google a chance to redeem its privacy standing after Gmail. However, I suspect Google’s principal motivations may have little to do with consumer privacy. Even as amended, the DOJ’s request would take valuable engineering time and would potentially expose some Google trade secrets to competitors or black-hat SEOs. We can laud Google for its pro-privacy stance all we want, but if the DOJ’s request required zero engineering time and did not expose any Google trade secrets, I’m convinced that Google would have quietly fulfilled the DOJ’s request a long time ago.
There's been a lot of commentary on this event, and I won't try to recap it here. However, a few pages I recommend:
* Danny Sullivan's level-headed and insightful post
* Dan Solove's insightful commentary on the applicable law that governs government's requests to third parties for data
UPDATE: As predicted, Sen. Leahy is asking the DOJ to explain what they are doing and why.
UPDATE 2: Google's response to the government's motion.
Posted by Eric at 12:34 PM | Privacy/Security , Search Engines | Comments (1)
January 20, 2006
Anti-Marketing Laws and the Commercial Speech Doctrine
By Eric Goldman
Prompted by the Supreme Court's denial of cert in the White Buffalo case, Chris Hoofnagle of EPIC posted a nice rundown of some recent cases where anti-marketing laws survived a First Amendment challenge. He calls the 1999 US West case (which struck down an FCC rule limiting resale of customer records) the "high water mark" of the argument that First Amendment rights trump "privacy" laws. [Chris' characterization of the laws as "privacy" laws confused me; all of the laws were intended to restrict marketing in some fashion.]
He then makes his case by discussing a number of opinions from the last 5 years where anti-marketing laws survived a First Amendment challenge. Chris concludes: "In light of the number of cases where privacy law has trumped commercial free speech, shouldn't we consider U.S. West to be an anomaly?"
Descriptively, I think Chris' characterization is generally correct. First Amendment challenges to anti-marketing laws have met with scarce success recently.
Normatively, I'm not sure we should be celebrating this corner of First Amendment jurisprudence. The commercial speech doctrine is incoherent, and I don't envy lower court judges having to apply the commercial speech doctrines to anti-marketing laws. I wouldn't know what to do either.
Personally, I rarely get excited by First Amendment defenses against anti-marketing laws. I would much prefer to focus on first principles--what rules make for good social policy, and why? Unfortunately, this type of policy-making is rarely possible, leaving First Amendment challenges as last-ditch (and often low-likelihood-of-success) efforts to correct shaky policy-making.
Posted by Eric at 11:33 AM | Marketing , Privacy/Security
December 16, 2005
When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue
By Eric Goldman
In re JetBlue Airways Corp. Privacy Litigation, 79 F. Supp. 2d 299 (E.D.N.Y. August 1, 2005)
I’m late blogging this case, but the case is remarkable enough to warrant some comments even at this late date.
As part of the post-9/11 anti-terrorism efforts, the TSA requested that JetBlue turn over its passenger name records (PNRs) to the Department of Defense for various data mining/analysis. Based on the request, JetBlue gave over 5,000,000 PNRs to a DoD contractor (Torch). This data handoff unambiguously violated JetBlue’s declared privacy policy, which said that JetBlue would not share personal information with any third parties. This privacy policy might be mooted by a law mandating disclosure, but my understanding is that JetBlue turned over the data voluntarily (i.e., it was not legally compelled to give Torch the data, although it may have felt strongly encouraged).
A quick drafting digression: It was a significant drafting error for JetBlue’s privacy policy not to contemplate disclosing PNRs to the government. For years, privacy policies have included exclusions that permitted voluntary disclosure of data to the government. If JetBlue’s privacy policy had contained such a statement, I believe this lawsuit would have been trivially easy to resolve.
In any case, the plaintiffs sued JetBlue for ECPA, breach of contract, trespass to property and unjust enrichment.
ECPA
The ECPA claim failed because JetBlue was not a provider of an electronic communications service or remote computing service; instead, it was a customer of those providers. The court’s reasoning would extend to anyone operating a website; simply collecting information from a website doesn't make the website per se an ECS or RCS.
Trespass to Property
The court converted the trespass to property claim into a trespass to chattels claim. Conceived this way, the data in a PNR isn’t a chattel, so this claim is dubious. However, the court disposes of it for lack of damages. The plaintiffs claimed loss of privacy as the damage, but the court says that this allegation doesn’t diminish the quality or value of the information, nor are the customers deprived of an ability to use their personal information.
Unjust Enrichment
This claim failed because JetBlue didn’t derive any benefit from giving the data to Torch. Further, there was no injustice to the customers, as the effort was tied to preventing terrorism.
Breach of Contract
I’m not surprised that the prior three claims failed, as they seemed pretty weak. However, the breach of contract claim seemed much more powerful. JetBlue promised that it wouldn’t disclose personal information to third parties. It broke the promise. What’s to discuss?
The court first assumes that the website privacy policy was a validly formed contract, even though (a) it was presented as a non-mandatory hyperlink from the home page, and (b) the plaintiffs did not allege that any of them actually read the policy. This assumption runs directly contrary to two other related cases (In re Northwest Airlines Corp., 2004 U.S. Dist. LEXIS 10580, 2004 WL 1278459, and Dyer v. Northwest Airlines Corp., 334 F. Supp. 2d 1196).
I think the court is correct that the failure to allege that the plaintiffs read the contract is immaterial. I'm working on the assumption that JetBlue's failure to present the privacy policy as a mandatory, non-leaky clickthrough prevents JetBlue from enforcing the contract terms against its customers. However, the court sidestepped the more complex question of whether the customers could treat the privacy policy as a one-way binding commitment against JetBlue. I think a privacy policy, like any marketing collateral, is binding on the marketer as a marketing representation, but it would have been nice if the court had acknowledged these nuances.
In any case, after assuming the existence of the contract, the court dismisses the contract claim for lack of alleged damages. Non-economic losses typically aren’t recoverable in most types of breach of contract actions, so the plaintiffs had to plead some economic losses. Ultimately, the plaintiffs couldn’t do so (at least, not to the court’s satisfaction). The court notes that the customers had no expectation of being compensated for the value of their personal information, either from JetBlue or from Torch. Therefore, the plaintiffs can’t establish the damage element of a breach of contract action, and the claim fails.
The court’s legal analysis is right, so far as it goes, but the result is clearly unsettling and (I think) discordant with other privacy lawsuits. Read most literally, this holding would mean that plaintiffs rarely can establish a breach of contract claim for a privacy policy violation, because those privacy breaches rarely create economic losses to plaintiffs. Of course, other legal doctrines might apply to privacy breaches—such as the FTC Act or other consumer protection laws—but I find it hard to believe that a privacy policy breach is (effectively) categorically immune from a privately-enforced breach of contract action.
Maybe plaintiffs can avoid this result with different pleadings—such as promissory estoppel (which the plaintiffs could have alleged, because they claimed they made reservations with JetBlue "in reliance on express promises made by JetBlue in the company's privacy policy") or a fraudulent inducement claim. However, promissory estoppel may not result in meaningful damages, and JetBlue may not have had the requisite scienter to commit fraud.
Therefore, read literally, this case could stand for the proposition that there may be no effective customer legal recourse against companies that breach their privacy policies. But I'm uncomfortable with the vitality of this conclusion in other cases, so perhaps this result is best explained by its context. A lot of decision-makers made a lot of poor decisions in the wake of 9/11 in the name of “anti-terrorism,” and perhaps we are willing to excuse those excesses accordingly. In contrast, I can imagine that future courts, presented with more venal breaches of privacy policies, will be less charitable.
Many thanks to Matt Goeden for his help preparing this blog post.
Posted by Eric at 12:01 PM | Licensing/Contracts , Privacy/Security | Comments (1)
December 15, 2005
Report Challenges Value of Notifying Consumers of Data Security Breaches
By Eric Goldman
ID Analytics has released a report trying to quantify the harms caused by data security breaches. The report sensibly distinguishes between different types of breaches--misappropriation of names and social security numbers is different, and in some ways more serious, than disclosure of account numbers. The press release claims:
"ID Analytics’ research makes it clear that identity-level breaches pose the greatest potential for harm to businesses and consumers due to fraudsters’ sophisticated methods for profiting from identity information, as compared to account-level breaches. Even so, the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent—less than one in 1,000 identities."
There are plenty of reasons to carefully scrutinize the report's methodology and findings. However, the findings should not be quickly dismissed. Without good data, it would be easy to overestimate the harm caused by the mere disclosure of data. In these situations, there is an almost-irresistible temptation to overreact to the fear of the unknown.
On this front, the report questions the value of mandatory consumer notifications after security breaches. As the press release says, "It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed."
This quote is probably unintentionally inflammatory. Its sentiments are 100% right, but it is a lightning rod for criticism because it challenges the bedrock consumer protection view that more information is better. In particular, it shouldn't be surprising that consumers think they want to know about data security breaches, given the overdriven press hype about the scariness of ID theft.
However, in an era of consumer information overload, we need to be circumspect about the value of throwing more information at consumers--especially if they lack any meaningful ability to act on the information or redress the problem. For example, there's a non-trivial risk that consumers who receive notification letters get scared, toss the letter, and otherwise do not change their behavior. If so, from my perspective, government-mandated information that doesn't change consumer behavior is worse than no information at all--it consumes attention, and in this case it causes unnecessary psychological distress, for no tangible benefit. Too bad that, in the mania to pass mandatory breach notification laws, regulators are not exploring these possible consequences more carefully.
Posted by Eric at 12:24 PM | Privacy/Security
October 20, 2005
California Anti-Phishing Law--Cal. B&P Code Sec. 22948
By Eric Goldman
Going through my stack, I came across Cal. Business & Professions Code Sec. 22948-22948.3 (SB 355), California's recently enacted anti-phishing law. In general, compared to other state anti-Internet behavior laws, this law is relatively targeted and unobjectionable. However, the substantive provision caught my attention for an unexpected reason. 22948.2 says:
"It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
The part I find interesting is the phrase "representing itself to be a business." The term "business" isn't defined, but per 22948.3(a), a business either provides Internet access to the public, owns a web page, or owns a trademark.
Because someone can be a web page owner even if they are not a trademark owner, this law is a quasi-trademark law--it gives trademark law-style rights to non-trademark owners. The way I read this, business owner X can prevent competitor Y from representing itself as business owner X (at least, for purposes of eliciting personal information via a transaction) even if business owner X doesn't have a trademark--or even if business owner X can't get a trademark (because, e.g., it is using a descriptive trademark that hasn't derived secondary meaning). Anyone else have a different interpretation of this? If my reading is right, then it seems like this law provides a conceptually significant expansion of trademark law.
Further, if my reading is right, then I think trademark owners who can avail themselves of CA law can go after some alleged Internet trademark infringers under the anti-phishing law, even if there wasn't a technical trademark infringement (at least, in the pure form of a likelihood of consumer confusion). If I were a California plaintiff-side trademark attorney, I would consider adding this cause of action as a standard pleading when online trademark infringement is involved. Note, among other things, 22948.3(a) provides statutory damages of $500,000, which might be a pretty good windfall for some trademark owners (and an even better windfall for someone who can't get a trademark!).
Posted by Eric at 07:14 AM | E-Commerce , Privacy/Security , Trademark
October 03, 2005
Law Enforcement Collection of DNA
By Ethan Ackerman
Recent legislative activity in the US Senate has brought some press attention to the touchy issue of DNA collection by law enforcement. Similar proposed and passed DNA legislation at the state and federal levels over the last several years has also drawn court challenges. As a result, a fair number of court opinions on the subject exist - enough to allow a quick look at the legal contours and legislative status of DNA collection laws.
A quick background
Most every US state and territory has some sort of legislation regarding law enforcement collection of DNA from convicted criminals of one type or another. These laws, passed primarily to assist in identifying potential perpetrators of other, unsolved crimes, vary significantly from state to state. A comprehensive comparison can be found at DNAresource.com, which catalogs legislative information such as types of qualifying crimes, records purging procedures, applicability to probationers, etc. Despite the variability, almost every state shares at least some DNA information with a national, FBI-administered DNA database called CODIS.
Constitutional interests- Privacy and self-incrimination
The non-voluntary extraction of DNA from blood or tissue samples of a suspect or convict plausibly touches on 4th & 5th Amendment rights to be free of searches and self-incrimination, respectively. So how does the jurisprudence currently stand?
The 5th Amendment - not so applicable after all
DNA has quite a bit of evidentiary value, as a match or a dissimilarity with a suspect's DNA can tell whether there is a highly probable connection, or definitive non-match, to some other piece of evidence. The main 5th Amendment argument asserted against collection is that compelled production of such potentially damning, and highly personal, evidence amounts to a compelled 'testimony' against one's self.
This 5th Amendment interest has been rather definitively addressed, and it doesn't amount to much, according to the Supreme Court. More specifically, blood or tissue samples that may tend to show innocence or guilt (say, by matching blood at the scene or having more than the legal limit of alcohol in the blood) can be forcibly (so long as also humanely) collected, and doing so won't violate the 5th Amendment, according to the Supreme Court. In a case that obviously matters a lot to DUI attorneys, Schmerber v. California, the Supreme Court reiterated that the 5th Amendment protects against compelled testimony primarily in the spoken-word sense. Blood tests weren't compelled "testimony," even if they were "compelled" in the sense that they were forcible, over protests. DNA seems to tell much more about a person than blood alcohol level, but while that may garner DNA more privacy protections, it doesn't seem to matter for 5th Amendment purposes, which are concerned mainly with whether spoken "testimony" is compelled.
The 4th Amendment - it applies, but the devil is in the details
The 4th Amendment protects against unreasonable searches and seizures, and most every case challenging a DNA collection has recognized that such compelled collection is a search or seizure. With almost equal uniformity, though, courts have found such a search - at least as applied to convicts or probationers/parolees - not unreasonable. A comprehensive and fairly recent report on these cases by the American Society of Law, Medicine & Ethics catalogs the legal theories in each case. Included in the report is a discussion of the 9th Circuit's 2004 en banc decision in US v. Kincade, discussed more below. While several federal circuit courts have addressed DNA collection laws, the 9th Circuit in Kincade is the only court to find one unconstitutional. Kincade's unconstitutionality ruling was only temporary, as the en banc court reversed the panel decision and barely found the federal DNA statute constitutional, in a 6-5 split. Because it is the only circuit decision to find a 4th Amendment failing in the federal statute, because the ultimate decision was en banc rather than just a panel (making it as close to a Supreme Court decision as anything out there), and because the split was so close, Kincade is worth focusing on in more detail.
US v. Kincade
A 9th Circuit Court of Appeals panel found, 2-1, that the mandatory collection of DNA as a term of parole violated Thomas Kincade's 4th Amendment rights, a decision the en banc 9th Circuit reversed. Details and analysis can be found on findlaw, the informative EPIC page on the Kincade cases, or the actual en banc 9th circuit opinion.
It is worth reading at least one of the summaries, but the meat of the opinion is this: a 6-5 majority upheld the collection only because of the diminished privacy expectations probationers/parolees have, a distinction discussed more in the conclusion, below.
Legislative status
Criminal DNA collection laws can generally be classified into three 'waves,' with the third wave just starting to be proposed and passed in states and Congress. In the first wave, states passed laws mandating collection of DNA from violent or sexual offense criminals, and the creation and sharing of DNA databases. At the federal level, this included a nationwide database, administered by the FBI, called CODIS. The 'second' wave was somewhat reactionary: in response to the perceived slanting of the technology and resources towards prosecution, legislation was passed mandating sharing of DNA information and samples with the accused, requiring timely analysis and providing funding to reduce backlogs, and making evidence available to the already convicted to assist in post-conviction claims of innocence. Such legislation is perhaps best exemplified by the Innocence Protection Act at the federal level. The 'third' wave of DNA legislation has focused on extending the collection pool to arrestees, not just those tried and convicted of a crime, with the goal of making DNA collection much like fingerprinting.
California's Prop. 69 and Senator Kyl's DNA Fingerprinting Act of 2005 are examples of recent 'third' wave legislation, though some states, such as Virginia, have gone beyond proposals and have already enacted such laws.
Because it is the federal version of similar state 'third' wave legislation, and it expands the federal database and funding to arrestees, the DNA Fingerprinting Act of 2005 is worth a quick peek.
The DNA Fingerprinting Act of 2005
The DNA Fingerprinting Act of 2005 (S.1606) would, according to its author, Sen. Jon Kyl of Arizona, allow DNA from state arrestees (not just convicts) to be included in CODIS, expand federal funding to state DNA collection programs for arrestees (not just convicts), and allow DNA collection from federal arrestees and detainees (not just convicts). Similar bills have passed the House of Representatives in the past, and, although it has opposed 'second wave' bills that arguably level access to DNA evidence, the current Administration apparently supports Sen. Kyl's bill.
Senate politics and bill passage
In addition to the expansion of state DNA collection powers, the Kyl bill allows anyone who is "arrested or detained under the authority of the United States" to be DNA tested, not just convicted felons. This federal expansion, while nowhere near as big an expansion as allowing each state to expand collection, is likely to be the most contentious. Why? Immigration. The Kyl bill allows compulsory testing of any detained immigrants. While many may think of "detained" immigrants as just those caught at illegal border-crossing attempts, thanks to federal immigration law even visiting foreign scholars in the visa application system may be considered detained at some points in processing. The immigration angle seems to be the first thing opponents (LEAHY cite) criticized, and depending on which version of the Kyl press release/editorial one looks at, the home-state-targeted one or the one on the Senator's Senate webpage, illegal immigrants either are or are not mentioned as the target of the bill.
The Kyl bill's recent press has been primarily focused on its recent passage out of the Senate Judiciary Committee, an important procedural step on the path to enacted law. The bill was offered, over objections, as an amendment to S.1197, the reauthorization of VAWA, the Violence Against Women Act, itself a politically charged bill.
Some thoughts in conclusion
To some degree, legislators' zealous expansion of criminal DNA collection flies in the face of oft-professed concern over personal privacy. The US Senate unanimously passed a genetic information privacy bill, extolling the sanctity of genetic information protection and warning against indiscriminate collection and discrimination. Yet at least some of these legislators are proposing to authorize large-scale collections of the same information in the name of crime fighting.
Bad drafting?
Aside from the constitutional concerns discussed below and immigration issues that make it a political hot potato, Sen. Kyl's bill also seems to be weak in how broadly it sweeps in permissible DNA collection. Far from expanding DNA collection to "just" the arrestees and detainees focused on above, the language of the bill technically allows states almost carte blanche to include DNA from any source. A state could pass a law allowing collection, not just for convicted offenses or at arrest, but for any reason - e.g., as a condition of getting a driver's license! The only limiting language for state collection grants in the bill is: states can only add DNA collected pursuant to "applicable legal authority" - which means, roughly, anything the state passes a law for.
Final Constitutional thoughts
So how would a bill such as the DNA Fingerprint Act of 2005 fare if it were passed into law? Arizona Senator Kyl is from the 9th Circuit, so let's look there. From Kincade, we already know that DNA testing turns heavily on the incarcerated/probationary status of the unwilling donor. Another 9th Circuit case, US v. Scott, held that pre-conviction arrestees can't be compelled to submit to drug testing as a condition of bail. This seems like the same population (the 'arrestees and detainees' described in the DNA Fingerprint Act) in the same circumstances (facing compelled tissue sampling) with the same 4th Amendment concerns. At least under 9th Circuit case law, it looks like the Kyl bill, and any similar California propositions, wouldn't hold up to a 4th Amendment challenge.
A contrary conclusion?
But wait a minute, aren't searches of a person incident to a lawfully executed arrest ok for 4th Amendment purposes? All these current DNA cases are about parolees or convicts, and are well after an arrest, in effect a new search. Why not routine DNA testing of an arrestee during booking, just like fingerprinting, which doesn't violate the 4th Amendment?
Even here, the Kyl bill doesn't limit collections to lawful arrestees, but rather speaks also of those (such as immigrants, or presumably also Guantanamo captives, or as-of-yet-unarrested suspects) who are "detained." The fingerprinting of those 'detained but not (or not yet) arrested' does present a 4th Amendment-violating seizure according to the US Supreme Court. Presumably the same logic would apply to DNA collection.
Posted by Ethan Ackerman at 08:55 AM | Privacy/Security
September 21, 2005
Anti-Phishing Warning Protected by 47 USC 230
By Eric Goldman
Associated Bank Corp. v. EarthLink, Inc., No. 05-C-0233-S (W.D. Wis. Sept. 13, 2005). [BNA subscription required]
EarthLink's "ScamBlocker" incorrectly identified Associated Bank's website as a phishing site, so users trying to access the website saw a huge and scary warning that surely caused some users to freak out. Associated Bank sued EarthLink for tortious interference, negligent/fraudulent representations and Lanham Act 1125(a) injury to business reputation.
EarthLink moved for summary judgment based on 47 USC 230. In support of 230, it submitted an affidavit that it uses a third party vendor to identify phishing sites, so its display of the huge and scary warning was triggered by third party content. Because EarthLink points to the third party, the court grants the summary judgment motion, and Associated Bank's lawsuit is dismissed.
This situation is more nuanced than the court treated it. If EarthLink merely relayed the opinion of its third party vendor, then no question in my mind that 230 protects EarthLink. See OptInRealBig.com, LLC v. Ironport Sys., Inc., 323 F. Supp. 2d 1037 (N.D. Cal. June 25, 2004) (third parties characterized email as spam).
However, EarthLink did more than that here. While the third party vendor provided the underlying opinion that Associated Bank's website was a phishing site, it's unclear who drafted the actual content displayed to users (the anti-phishing warning). To the extent that the language was drafted by EarthLink, EarthLink is the sole provider of that language, even if the triggering event is someone else's opinion. It seems like we need to know who drafted the warning language.
In that respect, I would distinguish this case from Carafano (where the users parroted language written by the service provider) because the huge and scary warning included a set of instructions like "Please do not continue to this potentially risky site"--which goes beyond merely communicating the opinion that the site is a phishing site.
In the end, I still think this is a good outcome. Phishing is a real problem, and I think we should encourage intermediaries like EarthLink to help consumers combat the problem even if some misgradings are made. Nevertheless, EarthLink would have been in a clearer legal position if it had merely disseminated the site-is-phishing opinion of the third party vendor rather than possibly using its own words to explain that the site was a phishing site.
A few other questions/observations:
* Associated Bank could try to sue EarthLink's vendor who graded the site as a phishing site. However, this may be a protected opinion or otherwise excused for lack of scienter.
* Although I'm confident that a claim for "injury to business reputation" should be preempted by 230, the court doesn't appear to acknowledge that IP claims are not covered by 230. It would be interesting to see how the court distinguished that claim from an IP claim.
* On the top of page 8, there's some garbled language that begins "Further, had Defendant edited the list of phisher sites it received from the third-party vendor...." I'd like to know how the court intended to finish that sentence. I would finish it "...it would have made no difference" to the legal outcome, but I suspect that's not where the court was going!
Posted by Eric at 07:12 AM | Derivative Liability , Privacy/Security | Comments (1)
August 23, 2005
Jill, Meet Best Buy's Friendly Human Shopbot/Profiler
I'm a little surprised this article hasn't generated more discussion. Last week, the Washington Post ran an article about Best Buy's efforts to segment and target its customer base. They have developed a set of consumer profiles that they describe with friendly personal names (presumably, to put a human face on the profiles), like Barry (the wealthy professional man), Ray (the family man), Buzz (the young tech enthusiast), and most prominently, Jill.
Jill is a soccer mom who is the family's main shopper. She is well-educated and confident but intimidated by technology.
To help serve Jill better, Best Buy has organized a Jill SWAT team. When a woman enters the store who looks like a Jill, a dedicated sales assistant (dressed in pastels) approaches her and asks "Is there anything special you're looking for today?" The sales assistant then hand-holds the Jill through the store and even has special hard-to-find express checkout lanes that are intended for Jills.
On the plus side, these efforts to sort and treat customers differently improve the experience for the affected customers. The Jills find what they are looking for faster. Best Buy benefits too, extracting 30% more sales from Jills. In aggregate, this seems to improve consumer welfare, producer welfare and social welfare.
On the minus side, the programs mean that customers get differential treatment. Given my advancing age, I'm probably more of a Ray than a Buzz, and I'm guessing the Ray-schmucks get stuck in the long lines instead of being queued up to the express lanes. This isn't the first time that Best Buy has expressly distinguished between customers, and of course many businesses try to sort and segment customers. I don't have a problem with making distinctions between customers--in fact, I strongly favor it as a way to improve social welfare--but I know many people do.
Perhaps more troubling is the seeming racial profiling of customers. It's possible that Jill-assistants don't make racial/ethnic distinctions, but I doubt it. I wouldn't be a bit surprised if Jills are de facto white, even if there's no corporate policy to that effect (or even if there is a corporate policy against such judgments). This visual profiling definitely makes me nervous and uncomfortable about impermissibly discriminatory treatment.
The imprecise nature of visual targeting (predicated on stereotyped definitions, no less) shows a huge advantage of the Internet. The Internet permits much more accurate behavioral targeting that should lead to consumer, producer and social welfare improvements. Still, Best Buy is showing that offline efforts to segment and target can be effective, so I suspect we'll see more of this in the future.
Posted by Eric at 04:31 PM | E-Commerce , Marketing , Privacy/Security | Comments (2)
July 25, 2005
Bellia on Spyware, and Searcy v. Microsoft
Patricia Bellia of Notre Dame Law School recently posted a paper on spyware and surveillance laws, Spyware and the Limits of Surveillance Law. She challenges those who believe that the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act adequately address spyware, concluding that “there is good reason to question whether federal electronic surveillance statutes can successfully combat anything but the most extreme forms of spyware.”
If nothing else, this article points out that there is an existing body of law pertaining to “spyware,” and much of it constitutes plaintiffs’ losses in court (although, I should note, there have been a number of settlements where defendants have paid money). As Bellia points out, some of these losses are attributable to judicial formalism.
As an example of these phenomena, consider Searcy v. Microsoft Corp., 2005 WL 1163114 (M.D. Fla. May 4, 2005). This case is putatively a spyware case, although (like many spyware cases) it doesn’t really discuss the allegations in those terms. The case is further muddled by the fact that (a) Searcy was a pro se plaintiff, and (b) worse, he was an incarcerated man with a history of repeat frivolous lawsuits. Usually these attributes produce poor judicial reasoning, as evidenced here.
In this lawsuit, Searcy alleged that Microsoft and AOL created and distributed software devices that surreptitiously captured personal information. He alleged that the capture violated the ECPA. However, he never alleged that the defendants did anything with that information. As a result, the court immediately rejected the lawsuit.
So far, so good. Then, the court continues:
"Defendants could not be held liable for the manufacture and distribution of software which may be exploited by third parties and used to illegally obtain a person's electronic information."
[An aside: the court footnotes this sentence to Zeran and AOL v. Green, both cases where the defendants relied on 47 USC 230. However, by its terms, 47 USC 230 doesn't apply to ECPA claims, so the court's reliance on these cases is sloppy at best.]
The court then concludes:
"[The ECPA] simply does not contemplate imposing civil liability on software manufactures [sic] and distributors for the activities of third parties."
This latter sentence is a strong statement, and it seems germane to the continuing confusion over how we sort through the allocation of responsibility between advertisers, manufacturers and distributors/affiliate marketers. The court was clearly saying that merely developing a tool to capture data does not violate the ECPA, even if some unrelated third party exploits that data. However, this language might also suggest a broader principle that there are strong limits to derivative liability under the ECPA irrespective of 47 USC 230.
Unfortunately, this case will never be good precedent because of the plaintiff's unique situation. However, the case both reinforces Bellia’s points and represents yet another example where a court rejects the legal claims of anti-spyware plaintiffs.
Posted by Eric at 11:54 AM | Adware/Spyware , Derivative Liability , Privacy/Security | Comments (1)
July 18, 2005
Search Engines and Privacy...AGAIN?!
News.com and the Associated Press both ran stories last week about the possible ways that Google aggregates user data in a way that theoretically threatens privacy.
Hmm...this sounds familiar...haven't we heard this story before? Yes, only about a thousand times. Danny Sullivan asks why we obsess about Google and privacy and ignore how other search engines (such as Yahoo) also have rich databases of potentially equal magnitude.
Indeed, I was going through my notes over the weekend and came across this March 2005 AP article fretting about how Amazon might use its customer database. The search engines-and-privacy story seems to endlessly cycle through the press, pretty much every time a search engine adds a new feature that uses personal data. (I won't even revisit the mind-numbing press about Gmail from last year).
I offer three propositions about search engines and privacy:
1) Search engine databases can be accessed by government agencies through legal processes. In rare cases, other private parties could use a legal process to access information in these databases too. Search engines are not alone in this regard; any business that has personal information about its customers is susceptible to these legal processes as well. It's true that search engines have particularly interesting/rich data, but plenty of other vendors have interesting data too.
So search engines aren't the problem; the problem is government snooping. As a result, perhaps new legislation would be appropriate to raise the bar on when the government can tap into search engine databases (a little like the "Bork bill" that raised the bar for accessing video rental histories).
2) Search engine databases are a tempting target for hackers. This is true, but once again, search engines are not unique in this regard. Every business that maintains personal data about its customers is a hacker's target. As a result, we need businesses to take prudent actions to prevent hacking, and we need government enforcement against illegal hacks. Nothing new here on any front.
3) Search engines will necessarily need to obtain and use personal data to reach the next rung of delivering relevant results. Right now, the biggest limitation inhibiting search engines is that they use a "one-size-fits-all" relevancy algorithm, designed to satisfy majority interests rather than personalized to each person's interests. Google has done a remarkable job with relevancy using a one-size-fits-all algorithm, but it (and its competitors) will make quantum improvements in relevancy when they personalize the searches. To personalize the searches and really give searchers what they want, search engines will need to collect and use rich personalized datasets. This is a good thing for searchers.
Thus, from my perspective, social welfare will improve in these situations. I can't wait for Google and other search engines to start reading my mind (as opposed to making guesses about majority interests). Let's hope that the constant whining/scaremongering about search engines and privacy doesn't delay us in getting there.
Prior blog post on this topic.
UPDATE: Google has blacklisted News.com reporters for one year because of the story linked to above.
Posted by Eric at 09:48 AM | Privacy/Security , Search Engines | Comments (3)
June 17, 2005
FTC Settles Another Case for Failure to Use Reasonable Security
In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160. The FTC settled with BJ's Wholesale Club over BJ's allegedly deficient security practices. This is the second settlement of its nature in three months (the last being an enforcement action under the Gramm-Leach-Bliley Act against Nationwide Mortgage Group).
This enforcement action seems especially problematic because it's not exactly clear what BJ did wrong (except get caught, of course). I'm still trying to figure out how BJ's practices differed from industry standards. If they didn't, this case has significant implications for everyone who touches credit cards--including all retailers, restaurants, gas stations and e-tailers.
The FTC complaint alleged the following:
"The Commission’s proposed complaint alleges that BJ’s stored members’ personal information on computers at its stores and failed to employ reasonable and appropriate security measures to protect the information. The complaint alleges that this failure was an unfair practice because it caused or was likely to cause substantial consumer injury that was not reasonably avoidable and was not outweighed by countervailing benefits to consumers or competition. In particular, the complaint alleges that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive personal information, including: (1) failing to encrypt information collected in its stores while the information was in transit or stored on BJ’s computer networks; (2) storing the information in files that could be accessed anonymously, that is, using a commonly known default user id and password; (3) failing to use readily available security measures to limit access to its networks through wireless access points on the networks; (4) failing to employ measures sufficient to detect unauthorized access to the networks or conduct security investigations; and (5) storing information for up to 30 days when BJ’s no longer had a business need to keep the information, in violation of bank security rules. The complaint further alleges that several million dollars in fraudulent purchases were made using counterfeit copies of credit and debit cards members had used at BJ’s stores. The counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of members’ credit and debit cards and then stored on its computer networks. After discovering the fraudulent purchases, banks cancelled and re-issued thousands of credit and debit cards members had used at BJ’s stores, and members holding these cards were unable to use them to access credit and their own bank accounts."
As I said, other than getting caught (and holding onto the data longer than it should have), I'm not sure what BJ did that was unusual. The FTC is implying that every database of credit card numbers must be stored in an encrypted database with restricted access. Here, BJ failed to do this and got nailed by a hacker, which led to a fairly public problem as the hacker forced banks to reissue credit cards. But credit card databases are ubiquitous, and I'm having a hard time imagining that other retailers are doing more than BJ is doing.
The FTC's proposed remedy is pretty interesting. It seems like the FTC is foreshadowing what it considers to be best practices for managing security of credit card databases. The requirements imposed on BJ:
"• Designate an employee or employees to coordinate and be accountable for the information security program.
• Identify material internal and external risks to the security, confidentiality, and integrity of consumer information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that BJ’s knows or has reason to know may have a material impact on the effectiveness of its information security program."
Seems like the lawyers and security consultants will love having this as the best practices! Perhaps I should get into the security consulting business...
But it's not immediately clear to me that all of this self-assessment and navel-gazing will actually improve security. It might, or it might just turn into one big paper-pushing/CYA/pay-the-consultants-and-do-whatever-they-say fiesta. You can't really mandate that people care about security; this has to be internally motivated, or it just becomes a go-through-the-motions exercise.
As I've said before, I have historically dismissed the lawyers hyping security concerns as hucksters trying to drum up some low-utility business. If that view was once correct, it certainly is no longer, and I recant any such views. Enforcement actions like this one (and the prior Nationwide Mortgage action) send a clear message: the FTC does believe there is a baseline level of security that companies must undertake, and failing to do so has legal ramifications. While security measures must still be evaluated on a cost/benefit basis, the costs of non-compliance must now include legal risks that previously might have been de minimis but are now tangible and non-trivial.
Posted by Eric at 04:43 PM | Privacy/Security
May 17, 2005
FTC Commissioner: "Somebody has got to pay"
FTC Commissioner Orson Swindle goes off about corporate data security practices. Internet News quotes him as saying “industry has, to a great extent, been irresponsible, and somebody has got to pay.” The article also quotes him as saying the lax data security practices are “being driven in part by those general counsels who sit around and say, 'Be careful about what you promise in privacy and information security because you might get sued for it.'”
This is complete BS. In-house lawyers are paranoid about being sued for lax data security practices, a fear exacerbated by outside counsel using scare tactics to drum up business. So the (lack of) promises in corporate agreements reflects the fear of being sued, but I would be shocked if in-house counsel kick up their heels on their desks and think “I’ve drafted a tight agreement, my work is done.”
Entrust’s CEO offers a solution: a safe harbor from liability if a company complies with good housekeeping practices. Of course, Entrust’s self-interested solution is that companies should use encryption to get the safe harbor. However, I don’t know how legislators can mandate the minimum standards for data security; security practices are fluid and context-specific.
Admittedly, without any liability, there is the theoretical risk of corporate sandbagging, but my guess is that this is not anywhere close to the problem. The problem is that good security is HARD—it’s an ongoing effort, with weak links both in the technological interactions between different vendors’ products and in the humans in charge of maintaining security. If we accept that security is hard, doesn’t that seem like a more likely explanation for “lax” security practices than GC indifference?
Posted by Eric at 05:33 PM | Privacy/Security
May 16, 2005
BNA on Mandatory Disclosure Laws
BNA (registration required) runs an article recapping state-level activity on mandatory security breach notification laws. Seven states (Arkansas, California, Georgia, Indiana, Montana, North Dakota, and Washington) have adopted laws, and Florida is expected to join this list soon. The laws are not intrinsically inconsistent, but each has its own nuances, increasing the regulatory costs for any affected organization. It seems likely to me that the state laws will continue to proliferate until Congress preempts the field with its own mandatory disclosure law.
However, I remain curious whether these mandatory disclosure laws are good social policy. We now have some data on the California experience (plus the follow-on disclosures made voluntarily by companies). Have these disclosures made consumers better off? I’ve argued before that these laws may actually hurt consumers by increasing their level of distress without giving the consumers any ability to address the situation. Meanwhile, due to the press attention given to each notification, the mandatory disclosure laws have led to increased calls for new substantive data protection/security laws--for better or worse.
Posted by Eric at 01:17 PM | Privacy/Security
May 05, 2005
Congress Mulls Mandatory Security Breach Disclosure Law
Congress is discussing a national mandatory security breach notification law. In a minor surprise, at least one legislator, Rep. Oxley, is asking the right questions. He observes: “consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail.” That is absolutely correct! He also observed that only a small percentage of data breaches result in fraudulent activity. Also correct. He didn’t pick on the other major deficiency of the proposed laws, which is that the notifications are scary but consumers are powerless to do anything proactively to protect their interests. (Consumers can be vigilant in monitoring their financial activity, but they need to do this anyway.) So the notifications stress out consumers but don't offer any solutions. Thus, the question is: what value does mandatory notification have? And what costs does it impose?
Interestingly, a number of companies are lining up in favor of a mandatory disclosure law, including ChoicePoint and Bank of America, even though they could simply pledge voluntarily to make disclosures as appropriate. I assume these companies are in favor of a national law to preempt a state-level patchwork quilt of laws, or to forestall even more draconian laws.
Posted by Eric at 02:38 PM | Privacy/Security | Comments (1)
April 16, 2005
NPR on Whois and Privacy
Larry Abramson of NPR ran a story entitled “New Laws on Domain Names Aim to Stem Online Fraud” (specifically referring to the Fraudulent Online Identity Sanctions Act, passed as part of the Intellectual Property Protection in Courts Administration Act). My mom said I talked too fast.
Posted by Eric at 03:13 PM | Copyright , Domain Names , Privacy/Security , Trademark
April 14, 2005
Flash and Cookies
AP reports that there’s a hole in Flash that allows websites to access personal information stored on a user’s hard drive even if the user has wiped the hard drive of the website’s cookies.
Posted by Eric at 10:26 AM | Privacy/Security
April 05, 2005
Data Mining and Attention Consumption
My short book chapter, Data Mining and Attention Consumption, has finally hit SSRN (it took almost a month to go through the SSRN review process--not sure why it took so long). The abstract:
"This Essay challenges the prevailing hostility towards data mining and direct marketing. The Essay starts by defining data mining and shows that the only important step is how data is used, not its aggregation or sorting. The Essay then discusses one particular type of data use, the sending of direct marketing. The Essay establishes a model for calculating the private utility experienced by a direct marketing recipient. The model posits that utility is a function of the message's substantive content, the degree of attention consumed, and the recipient's reaction to receiving the message. The Essay concludes with some policy recommendations intended to help conserve recipients' attention while preserving space for direct marketing tailored to minority interests."
This article is a preview of my more major piece on marketing regulation generally.
Posted by Eric at 04:19 PM | Marketing , Privacy/Security
Search Engines and Privacy
Wired runs an article on search engines using cookies to track searcher behavior. There is a certain “haven’t-we-heard-this-before” scaremongering in articles like this, especially the continued drumbeating against cookies and Gmail (which is a terrific service, BTW—best email account I’ve ever had). I have 100% confidence that search engines use cookies to help me accomplish my search objectives, so the anti-cookie paranoia strikes me as particularly extreme.
Posted by Eric at 09:24 AM | Privacy/Security , Search Engines
April 04, 2005
Boalt Spyware Conference Recap
On Friday I attended the Spyware conference at Boalt. This was an outstanding conference—I learned a lot. You should take any opportunity to attend a Berkeley Technology Law Journal annual symposium in the future—their events are typically first-rate.
Tutorial on Spyware
Jeffrey Friedberg, Microsoft’s “Director of Windows Privacy,” started off the conference with a spyware tutorial. He proposed rejecting the term “spyware” in favor of “deceptive software,” a useful nomenclature shift. He then made the typical technologist’s argument that we should focus on bad behavior instead of bad software features, as many features that are included in deceptive software can be used for beneficial purposes. Thus, he wants to preserve room for “horse trades” where users willingly make a choice to cede desktop control in exchange for some desired benefit. However, he then gave examples of deceptive software to show how bad actors exploit various user interface design elements to trick users into downloading their software. He listed a number of attributes of XP Service Pack 2 designed to correct some of those design elements.
He then gave an extended depiction of an “Internet battlefield” to argue that spyware and phishing are really the same problem—an attempt to convert data from the user/their desktop into cash. He offered his solutions to the deceptive software/phishing problem: a combination of consumer education, technological innovation, industry cooperation, enforcement and new legislation.
Two points were especially interesting to me:
First, he explained why users should never put personal information into a pop-up window, because users don’t/can’t know who served the pop-up window (e.g., there are no address bars in the pop-up window). He showed how phishers may launch a pop-up while redirecting the main window to a trusted website at the correct URL. In this case, the user might mistakenly assume that the pop-up window was spawned by the underlying trusted site. I realized that even I could fall prey to that trick, so I’ve made a mental note—no personal information into pop-up windows!
Second, he discussed how occasionally Microsoft has used its automatic update feature to eradicate (he called it “clean”) software from users’ computers. He gave the example of Download.ject, some malware code that Microsoft simply deemed impermissible, so it wiped Download.ject off the face of the Windows universe. Perhaps I missed the publicity about this at the time, but I’m troubled by this exercise of power. On the one hand, so long as Microsoft executes its powers as a benevolent dictator wisely, it’s a great asset to combat malware. On the other hand, (1) it isn’t clear how clearly Microsoft communicates its decision, (2) I am not aware that Microsoft has published its standards for software that it will unilaterally eradicate (or that it applies those standards consistently), and (3) we have to trust Microsoft to do the right thing, and I’m not sure how comfortable I am with that!
Panel on Privacy and Surveillance Issues
Patricia Bellia made an argument that some existing federal laws are inadequate to deal with spyware. She deconstructed the ECPA and made a convincing case that the law has a tough time stretching to cover actions on a single desktop computer. She also deconstructed the CFAA and suggested a little more hope there, but still argued that several standards (such as the $5,000 damage requirement) may be fatal to claims. I need to see her paper, but her talk makes me question my previous beliefs that CFAA and ECPA already covered spyware and that additional legislation was superfluous.
Ari Schwartz presented CDT’s positions on spyware. He argued that adware vendors cater only to advertiser interests, not user interests, and therefore these misdirected loyalties disadvantage consumers. I disagree with this argument: if adware vendors do not provide a suitable user experience, they will not be able to perform well for advertisers. So adware vendors will have to create a good value proposition for users, and their interests are far more aligned than Ari portrays.
Paul Schwartz recapped his recent article Property, Privacy, and Personal Data, 117 Harvard Law Review 2055 (a very interesting read, BTW). In that article, he pointed out two separate reasons to regulate privacy: first, there is a privacy market failure because data collectors know more about what they will do with the data than data subjects, and second, that there are social costs to privacy, and therefore a privacy commons needs to be protected.
Based on this, he favors an opt-in scheme that, among other benefits, forces data collectors to tell consumers about their practices. After his talk, I pointed out to him that I see the information asymmetry differently—consumers have heterogeneous but undisclosed interests, so perhaps we should set up a system to force consumers to disclose those interests. I doubt I’ll convince him on this point!
Paul S. surprised a number of us by supporting the mandatory disclosure requirements in HR 29, favoring efforts to sharpen the notice/consent process.
Reed Freeman of Claria then presented Claria’s perspectives on regulation. Claria generally favors regulation of software that operates without consent. From their perspective, these laws would not affect them because they see themselves as obtaining consumer consent.
Seth Lesser then gave his perspectives as a plaintiff’s lawyer in the Doubleclick cookies, Avenue A and Pharmatrak cases, saying that user consent issues are tough to overcome and echoing Patricia’s assessment that the federal statutes may not be robust enough.
Deirdre Mulligan moderated this panel, and I thought she made a great observation when she noted that spyware purveyors are experts at exploiting consumer expectations about user interfaces.
Intellectual Property and Contracting Issues
Dan Burk discussed how intellectual property law does not protect consumers from spyware because, among other things, consumers lack standing to sue. Later I asked Dan if spyware raises any unique issues because consumers don’t have standing under IP laws generally. Dan observed that the relevant “infringing” actions take place on a chattel owned by the consumer, yet the consumer cannot use IP laws to protect that chattel. I’m still not sure if that is a meaningful difference; I’m looking forward to reading his paper.
Jane Winn talked about contract law. Her perspective is that American law upholds contracts very liberally. She favors an approach like the EU directive on mass market contracts, where courts have the power to reject terms that are substantively unfair.
Tim Ehrlich spoke about the costs that legitimate businesses incur due to the spyware paranoia, including the costs incurred by advertisers and the costs attributable to being labeled as spyware or adware. Ehrlich called for some type of appeals process when private companies characterize software as spyware or adware.
Alex MacGillivray described Google’s software principles.
Keynote
Christine Varney was scheduled as the keynote, but she scratched at the last minute due to illness. Instead, her partner Mary Ellen Callahan took her place. I think we had all been looking forward to hearing Christine, so the substitution was a little disappointing, but Mary Ellen did the best she could under the circumstances. Mary Ellen focused on whether adware businesses could be legitimate, and taking a very FTC-esque approach, she concluded that the answer was yes with adequate notice/consent and easy uninstall procedures.
Regulatory Challenges
Peter Menell asked whether regulation was better located at the state or federal level. He used the unfair competition doctrine as a case study, showing that it used to be a federal doctrine but is principally the province of state law now. However, on the Internet, state-based regulation has the risk of creating a lowest-common-denominator environment where the most restrictive laws control nationally. He took particular aim at the notion that states can be a laboratory for testing new policy, showing that state law is often influenced by federal policy (such as in the case of unfair competition laws), so they are not pure testing environments. After the talk, I added that states are lousy laboratories because (1) they are especially susceptible to regulatory capture/rent seeking, (2) there are no empirical measurements of results or efforts to divine best practices from states’ experiences, and (3) often, at least in the Internet context, a pioneering state’s law is adopted by other states before it has been tested. California’s anti-spyware law is a typical example, having propagated to approximately a dozen states before we have gotten any empirical results in California.
Ira Rubinstein deconstructed several of the proposed federal laws, showing both their breadth and ambiguity.
Susan Crawford gave a good overview of how various legal efforts have failed to address spyware. Her solution is to think about unwanted software as a pathogen and allow technology to develop immunizations organically. She has written a nice paper surveying the spyware/adware topic and I hope she’ll post the paper soon (before it gets too far out of date…).
Deirdre Mulligan gave a great talk (my choice for the best of the day). Her clinic has conducted an ethnographic study of 30 people downloading software and how they processed disclosures. Under current practices, downloaders did not understand the contract terms or even review them. However, when she explained the terms post-download, most users expressed regret. She then presented downloaders with summary notices of some key terms (a layered notice approach). The summaries improved user understanding, but to her surprise, they did not change behavior—people still clicked through to complete the download! This empirical research seems to completely destroy the assumptions incorporated into laws like the Spy Act—the fact that behavior did not change undercuts any belief that more prominent or understandable disclosures will help consumers. I am anxious to see Deirdre’s write-up of her findings; they appear to be both important and useful.
I spoke after Deirdre and made two principal points. First, consumers will benefit from having software on their machines that learns their preferences passively and uses those inferred preferences to deliver surplus-producing information. Therefore, we don't want laws that would keep that type of software off users' computers. Second, regulators are forcing consumers to see notice/consent information that consumers don’t care about—basically, foisting new types of pop-ups onto consumers, except that consumers can’t turn these pop-ups off. You can see my notes here.
Henry Chesbrough talked about business models of adware companies. He gave Ebates as an example of a company creating consumer value based on monitoring consumer behavior. He also talked about how government can affect policy not just through negative regulations, but also by encouraging behavior through subsidies and its purchasing protocol.
Michael Geist spoke about transnational jurisdictional issues. He noted the split regarding defamation jurisdiction between the US (which applies the law of the poster) and the other Commonwealth countries (which apply the law of the target).
Conclusion
I thought the conference was great both substantively and as a place to exchange information. My only “criticism” is that many talks did a good job identifying the problems but gave little attention to any solutions (my talk suffered this same defect). In the end, I think this reflects the difficult nature of the problem, but it would have been great if there were new innovative solutions that we could support. Ultimately, such an inquiry is probably moot, because Congress appears to be determined to pass an anti-spyware law regardless of its policy merit.
Posted by Eric at 11:45 AM | Adware/Spyware , Marketing , Privacy/Security
March 31, 2005
Infomediaries--Where Are They?
I have been thinking a lot about “infomediaries.” If you’re not familiar with the term, John Hagel first described it in a 1997 Harvard Business Review article The Coming Battle for Customer Information (with Rayport) and then fleshed out his vision in the 1999 book Net Worth (with Singer).
Infomediaries interpose themselves between marketers and consumers to facilitate better marketing matches. Consumers disclose their personal preferences to an infomediary, who can then offer marketers the ability to engage in highly targeted marketing without knowing consumers' personal identities. Further, infomediaries will use their aggregated consumer demand to cut consumer-favorable deals with marketers. To make this work, consumers must completely trust that infomediaries will respect their privacy and will not become a biased shill for marketers based on which marketer pays the infomediary the most.
From an academic’s perspective, I think infomediaries would substantially improve social welfare. Consumers get what they want—relevant and trustworthy marketing without sacrificing privacy; marketers get what they want—a cost-effective source of interested consumers; and infomediaries profit by taking cuts of the deal. Society wins due to lowered transaction/search costs and fewer marketing mismatches between consumers who don’t want the marketing and marketers who cannot target granularly enough.
Compare this with our current marketing environment, where consumers lack an easy one-stop way to disclose their preferences (and many consumers refuse to do so due to privacy fears). More heavily regulated approaches to marketing communications have high transaction costs (for marketers, and sometimes for consumers too) and a high risk of Type I and Type II errors (i.e., relevant marketing is squashed; unwanted marketing is unregulated).
Despite all of these benefits, as far as I can tell, the infomediary industry has failed to materialize. In Feb. 1999, James Glave wrote a Wired News story called The Dawn of the Infomediary listing five companies trying to enter the infomediary business: Lumeria, PrivaSeek, InterOmni, @YourCommand, and PrivacyBank. On January 24, 2005, I visited the purported websites of all five infomediaries discussed in Glave’s article. Lumeria’s site still exists but appears not to have been updated since 2000. InterOmni was acquired by Lumeria in 1999. The PrivaSeek and @yourcommand domains appear to have lapsed and been reregistered by others. InfoSpace.com bought PrivacyBank in 2000; it is unclear what happened thereafter.
In other words, it appears that all of these infomediaries are out of the business. Also gone are the group buying sites (like Mercata and Accompany) that aggregated consumer interests to negotiate better deals with merchants.
We have some more success if we broaden our definition of infomediaries further. In some industry verticals, infomediary-like businesses have emerged, like LendingTree for loans and Autobytel for cars. However, to some extent, Autobytel acts like a messaging service—I submit my information, a message goes to interested dealers, then the dealers spam me directly (sometimes relentlessly). Rather than protecting my privacy (whatever that means), Autobytel just ratchets up the email volume. There is still value to consumers in messaging systems, but I don’t think they rise to the infomediary level. LendingTree actually makes offers, not just referrals. However, I'm not entirely clear on how these offers are ordered.
We could also try to analogize the shopbots to infomediaries. Shopbots like Shopping.com, Shopzilla and PriceGrabber have survived the dot com crash and offer some infomediary-like services, such as organizing marketing information by product and pitting merchants against each other. However, shopbots do not personalize the offers based on a consumer’s preferences or try to act as a consumer agent; instead, like some industry vertical sites, shopbots view their role as referral services (i.e., send the consumers to the merchant and get out of the way). Further, merchant listings are generally presented based on merchant willingness-to-pay, so consumers may feel like shopbots put merchant interests ahead of their own.
Why haven’t infomediaries emerged? I am struggling to answer this question. Some of the possible theories I’ve come up with:
· Infomediaries do exist but I’m not defining the term expansively enough.
· Infomediaries cannot convince consumers that they are trustworthy. In my experience, my clients would routinely start out saying that they wanted to protect their customers’ privacy, but inevitably they would, over time, look for ways to monetize their customers’ information. Further, companies usually cater to those who pay the bills; so any infomediary will inevitably be tempted to put merchants’ interests over consumers’.
· Consumers’ privacy concerns are not strong enough that they need infomediaries. The empirical evidence here is sharply split. Consumers routinely say that privacy concerns inhibit their online actions, but consumer behavior routinely belies this. There are plenty of good reasons to use an infomediary beyond privacy protection, but perhaps this motivation is not as strong as Hagel predicted.
· There is no viable profitable business here (i.e., the economics simply don’t work).
· There is a market failure that prevents companies from entering the market. If we could find a market failure, would this support government intervention to sponsor the creation/operation of one or more infomediaries?
As you can see, I’m stuck. I ask for your help, and I’m opening comments on this post. (Unfortunately, to prevent comment spam, registration is required—sorry). Why do you think infomediaries have not arisen?
Posted by Eric at 10:04 AM | Adware/Spyware , E-Commerce , Internet History , Marketing , Privacy/Security | Comments (1)
March 21, 2005
ZoomInfo and Egosurfing
Just-launched ZoomInfo aggregates web information about individuals into a single profile.
The business model is a little opaque. The website offers a subscription service for “recruiting, sales intelligence and other markets”, and the article says that “the free ‘people search’ option aims to draw new visitors to the site and build the company's reputation, thereby boosting subscription sales.”
Whatever the motivation, the consumer interface provides a convenient way to egosurf (or stalk someone else, depending on your inclinations). You can see my profile here. The site appears to have done a pretty good job distinguishing among several Eric Goldmans, although the snippets it displays are of varying quality and interest.
AP article on the tool.
Article on a defamation case brought by Mark Maughan because Google’s search result snippets were allegedly misleading.
Posted by Eric at 03:26 PM | Privacy/Security
ACLU Mini-Movie on Privacy
The ACLU has put together a humorous (?) look at the possible consequences of a National ID number and widespread data sharing. But the satire partially backfires; I actually wish that vendors offered some of the depicted services! And if it were on the menu, I would voluntarily order a sprouts submarine pizza with a side order of tofu sticks… (no joke!).
Posted by Eric at 02:23 PM | Privacy/Security
March 17, 2005
Eye-Tracking Studies and Mandatory Disclosures
In writing about the Eyetools eye-tracking technology, Chris Sherman says:
“In one study, for example, Eyetools inserted gibberish into E*Trade's homepage to illustrate that content in a ‘visual dead zone’ doesn't get read and might as well not exist. Some of the ‘gibberish’ was astonishing—phrases like ‘FDIC distrusts us,’ ‘No Bank Quality,’ and ‘Will Lose Value’—statements that should have sent even semi-conscious users racing to abandon the page were noticed by only 1 in 25 people!”
This seems especially problematic for any mandatory disclosure regulatory scheme. Effective disclosures require several integrated components:
· disclosures of information that consumers actually care about, as opposed to information that regulators THINK that consumers SHOULD find important
· a presentation of the disclosures in a way that will actually register with the target audience. As this quote indicates, placement of mandatory disclosures in a user interface “dead zone” makes them effectively invisible to the target audience. This certainly is consistent with the overwhelming statistics that consumers don’t read EULAs or privacy policies.
So what’s the solution? I don’t think the appropriate answer is to force every piece of possibly relevant information into the consumer’s attention sphere. Doing so would only contribute to information overload and may significantly increase search costs/transaction costs. Instead, any mandatory disclosures need to be guided by UI considerations, and that means consulting UI experts (not relying on legislative intuition). It also means that we have to be selective about what information should be disclosed to everyone, as opposed to made available only to those who care or left solely to market forces because it doesn’t affect anyone’s decision.
Posted by Eric at 12:49 PM | Licensing/Contracts , Marketing , Privacy/Security
March 14, 2005
EPIC Report on Privacy Self-Regulation
Chris Hoofnagle of EPIC has written an interesting report entitled “Privacy Self Regulation: A Decade of Disappointment.” Not surprisingly, given EPIC’s general stance (and the title of the report), Hoofnagle concludes that industry self-regulation of online privacy has failed. Therefore, Hoofnagle calls for greater online privacy regulation by the FTC.
However, comments like this one from page 5 catch my attention: “Ten years later, online collection of information is more pervasive, more invasive, and just as unaccountable as ever—and increasingly, the public is anesthetized to it.”
Privacy advocates must acknowledge consumers’ general malaise in protecting their privacy (as Hoofnagle does in the report). But what explains this lackadaisical attitude? Is it because protecting privacy is too hard? Because consumers cannot accurately calculate the cost/benefit of their choices? Because consumers lack meaningful alternatives in the marketplace?
There’s another possible explanation of consumer “anesthetization” about online privacy issues. Perhaps consumers do not care about privacy as much as privacy advocates do. Many consumers have complex and possibly inconsistent attitudes towards “privacy,” often simultaneously saying they want privacy but responding to benefits available only through disclosures and other technologies or techniques that EPIC would label intrusive. How can we balance consumers’ duality?
I am becoming increasingly skeptical of the Fair Information Practices, which privacy advocates have lauded for decades. While survey evidence often shows that consumers say they like the practices, there is also some compelling social science—including, most importantly, behavioral studies—suggesting that the practices do not necessarily reflect what consumers value or care about. At minimum, I think we should be careful assuming that privacy regulations built on the Fair Information Practices truly improve social welfare. I hope to get to this topic in a future paper.
Posted by Eric at 10:51 AM | Privacy/Security
March 11, 2005
FTC v. CartManager
The FTC obtained a settlement from CartManager. CartManager operates shopping cart functionality as a service for third party website customers. CartManager used personal information from the shopping carts in ways that conflicted with the privacy policies its customers presented to users.
We have seen this conundrum before (the Pharmatrak litigation comes most immediately to mind), where websites publish privacy policies that appear to bind third party service providers. This can put service providers like CartManager in a bind. First, each customer may have an individualized privacy policy, forcing the service provider to build its technology so that it can develop custom rules for each customer. Second, customers often change their privacy policies without notifying their service providers, leaving service providers exposed to any unannounced privacy policy changes. Third, service providers often want to evolve their business model, and usually that evolution takes them towards monetizing personal information they have obtained.
To deal with these problems, service providers can require customers to include specific service provider-favorable language in the customers’ privacy policies. DoubleClick has historically done this (not sure if they still do); DART customers have been required to include language in their privacy policy giving DoubleClick the right to collect information necessary to make DART work.
Website customers often resist customizing their privacy policies in response to vendor requests. This can be an administrative hassle (especially where there are several/dozens of vendors who want to include language in the privacy policy), and there’s a risk that a privacy policy modification in the future will delete or modify the required language, a problematic breach of the vendor’s contract.
An unexpected change like that appears to leave the service provider at risk of an FTC enforcement action. While I’m sure some service providers engage in egregious behavior, I also hope the FTC will be tolerant if a service provider gets screwed by customers whose privacy policies were outside of the provider’s control.
Posted by Eric at 10:21 AM | Licensing/Contracts , Marketing , Privacy/Security
March 10, 2005
Regulating Data Brokers
The recent hacks into ChoicePoint’s and Lexis’ personal information databases have led to calls for further regulation of data brokers. While I don’t want to minimize the consequences of these hacks, including the severe consequences of identity theft, limiting data sales is not the way to solve the problem. I made this point in an essay involving data mining, where I take the position that the problem occurs with bad data uses, not the underlying sales. Therefore, regulating sales limits some socially-beneficial activities that can derive from information dissemination, and merely attacks a proxy for the harm, rather than the harm itself.
I also wonder if some of the angst can be attributed to the new laws mandating consumer notices in the event of hacks into personal databases (such as California's). While I understand the spirit of the law, I also question if the notifications are helpful or harmful. I’ve never received one of those notices, but if I did, I’m not sure what I’d do with it. Should I cancel my credit cards? Should I order a credit-watching service? Should I just live in fear of some potential ominous outcome? I think we would all be tempted to react emotionally to a letter of this sort given our difficulties quantifying uncertain risk.
Posted by Eric at 02:06 PM | Privacy/Security
March 07, 2005
FTC Enforcement Action for Deficient Security Practices
The FTC has settled a charge against Nationwide Mortgage Group, Inc., a mortgage company, for failing to comply with the security requirements under the Gramm-Leach-Bliley Act. FTC enforcement actions for poor security practices are relatively rare, so this case will be recycled endlessly by those lawyers who are desperate to convince their clients that poor management of security has dire legal consequences.
Posted by Eric at 06:10 PM | Privacy/Security
March 02, 2005
My Reactions to Seeing My Credit Report
Yesterday I got my three free credit reports from annualcreditreport.com. At my other blog, I wrote about my experiences downloading the reports. I spent last night poring through them, reliving old memories of credit cards I’ve used and abused over the years.
For the most part, the reports looked accurate. However, there were some major jaw-dropping errors. For example, my Equifax report lists my current employer as a part-time job I had as an undergraduate 17 years ago. My Experian report includes my last home phone number in California (now 3 years out of date). It makes me wonder—does anyone use this “ancillary” information? It appeared that the credit agencies aren't really trying to keep this information accurate. (It also explains why I submitted the “wrong” answers to some of their authentication questions online).
Because of these major errors and my question of how they affect a user of the credit report, I was also really interested in learning my FICO score (but I’m not willing to pay for it). I think we should be able to get our FICO score free along with the free credit reports. Getting one without the other felt a little incomplete.
Posted by Eric at 12:51 PM | Privacy/Security
February 14, 2005
More on TRUSTe's Seal Revocation
A follow-up article to my previous post on TRUSTe. It looks like the problem will be solved soon by the licensee paying some money for additional employee training. This reinforces the question: just how much is a TRUSTe license worth?
Posted by Eric at 01:01 PM | Privacy/Security
February 10, 2005
Is TRUSTe Irrelevant?
TRUSTe pulled its logo from some websites for breaking its rules, the first time it has done so in 2 years. The article focuses on TRUSTe’s refusal to specify the rules violation, but this seems to miss the point, and widely. In 1999 and 2000, virtually every important website had a TRUSTe logo, and the logo had the potential to really shape consumer expectations and behavior. Now, I rarely see the logo, nor do I care if I see it or don’t. If my experience is typical (and I think it is), then TRUSTe has become irrelevant. I think a better angle for the story would have been—why does anyone care that TRUSTe yanked the logo?
Posted by Eric at 09:43 AM | Internet History , Privacy/Security
