June 30, 2009
Roommates.com Infects the Tenth Circuit--FTC v. Accusearch
By Eric Goldman
F.T.C. v. Accusearch Inc., 2009 WL 1846344 (10th Cir. June 29, 2009). My blog post on the district court opinion.
Introduction
June has been an active month for 230 jurisprudence. Cases this month include Doe IX v. MySpace (actually a May opinion but I blogged it in June), Gibson v. Craigslist, the Barnes v. Yahoo amendment, and Zango v. Kaspersky--all defense-favorable outcomes. As I mentioned in my post on the Doe IX case, the Ninth Circuit Roommates.com en banc decision has not cast a long shadow on 230 jurisprudence; it has been cited less than 10 times in the past year, and prior to yesterday, only once in favor of the plaintiff. Unfortunately, those good times may be over. The Tenth Circuit has largely adopted the rule and reasoning of Roommates.com in FTC v. Accusearch, effectively making Roommates.com the governing law west of the Rockies.
The FTC's Enforcement Action Against Accusearch
This is a prime example of bad facts making bad law. Accusearch runs Abika.com, a website that tried to style itself as a matchmaker between customers seeking, and vendors selling, private/personal records about people. The specific records at issue here contain "customer proprietary network information" (CPNI), the metadata about telephone calls. CPNI resales were probably illegal at the relevant time periods; following the Hewlett-Packard pretexting scandals, Congress cleared up any confusion and criminalized the resale of CPNI via the Telephone Records and Privacy Protection Act of 2006, 18 U.S.C. §1039.
If Abika.com was structured as a pure advertising site to facilitate off-site transactions, like Craigslist or eBay, perhaps Abika.com would have a stronger case for qualifying for 47 USC 230 protection for the sale and delivery of CPNI reports from Abika's vendors to their customers. However, Abika.com apparently was structured as a classic retailer in that it advertised the third party reports, processed customer payments, and delivered the subsequent reports to customers as if the reports were its own (Abika.com even stripped out the third party vendor's identifying information). So the veneer of Abika.com simply being a passive intermediary between customers and vendors may have been overwhelmed by Abika's active and overwhelming presence in the transaction.
The FTC went after Accusearch claiming that Abika.com was engaged in "unfair" trade practices under the FTC Act. (Note: the FTC has the power to pursue unfair commercial practices, even when they are not deceptive. However, the standards for "unfair" are amorphous, making such enforcements potentially problematic and controversial. Fortunately, the FTC generally wields this power sparingly). Accusearch's principal defense was 47 USC 230 on the theory that Accusearch procures the CPNI reports from third party vendors and merely republishes the third party reports to Accusearch's customers.
It's really hard to defend CPNI resales, and the court says that Accusearch had the requisite scienter that such resales were illegal/impermissible. With the combination of scienter, illegal transactions, active intermediation and the FTC as a plaintiff, it really seemed to me that Accusearch had no chance of winning this case. But this combination also tempted the judges to use loose reasoning to reach that unavoidable result.
The Opinion’s Discussion of 47 USC 230
A defendant must establish three elements of a successful 230 defense, and the majority opinion muddles the discussion on all of them:
1) "provider or user of an interactive computer service." Based on the funky definition of ICS, the FTC argued that websites qualify for 230 protection only when they enable user-to-user communications. The majority declines to accept this argument but doesn't reject it outright either, basing its decision on another prong. Although the statute could be clearer (like, for example, saying that websites qualify for 230 protection), the caselaw is extremely thick that every website qualifies for 230 protection. Unfortunately, with the majority's pathetic response, I wouldn't be surprised if plaintiffs unnecessarily put this issue into play in future 10th Circuit cases.
2) "publisher or speaker of content" The concurring judge argues for a speech/conduct distinction and argues that the FTC is pursuing Accusearch for its conduct, not its speech. The speech/conduct distinction is almost meaningless in this case given that Accusearch was reselling information, which means that Accusearch was electronically republishing that information. The majority disagrees with the speech/conduct distinction but otherwise doesn't discuss this prong.
3) "created or developed by another information content provider." Adopting the arguments from the Roommates.com case, the majority says that Accusearch didn't "create" the reports but it was "responsible" for "developing" the reports. To reach this conclusion, the majority defines "responsible" and "develop":
* citing old French, "develop" means to "unwrap." Huh? Thus, "when confidential telephone information was exposed to public view through Abika.com, that information was 'developed.'" Does this definition make "develop" a synonym for "publish"?
* the majority initially says what "responsible" doesn't mean: "to be 'responsible' for the development of offensive content, one must be more than a neutral conduit for that content." This reference to "neutral conduit" parallels the Roommates.com case, which used the term "neutral tools" five times but never defined the term once.
The majority then says "a service provider is 'responsible' for the development of offensive content only if it in some way specifically encourages development of what is offensive about the content." This phrasing allows the court to distinguish the old 10th Circuit Ben Ezra precedent, which absolved AOL of liability for republishing inaccurate stock quotes. There, AOL didn't ask its vendors to give it false reports; here, the majority says that Accusearch asked its vendors to get information it knew was illegal to obtain:
Accusearch solicited requests for such confidential information and then paid researchers to obtain it. It knowingly sought to transform virtually unknown information into a publicly available commodity. And as the district court found and the record shows, Accusearch knew that its researchers were obtaining the information through fraud or other illegality.
Implications
I doubt the literal holding of this case is all that troubling to most folks. If you're in the business of reselling illicit phone records and the FTC comes calling, 230 isn't likely to help you.
However, this opinion could be problematic for any online retailers who thought they could use 230 to insulate themselves. It's never been clear how much 230 protects online retailers when they are making sales for their own account (as opposed to advertising services like eBay or Craigslist), and this opinion raises the specter that 230 won't apply even when "retailing" involves republishing third party content. Indeed, the loose language means the case could be a major carveback of 230's coverage in the Tenth Circuit. As the concurrence points out, the majority's reading is "an unnecessary extension of the CDA’s terms 'responsible' and 'development,' thereby widening the scope of what constitutes an 'information content provider' with respect to particular information under the Act."
Then again, between its role as a retailer and the illicit nature of its goods, Accusearch was always at the periphery of 230's coverage. Today, 230 would be irrelevant if a federal government agency pursued a CPNI reseller under the new criminal provisions in 18 U.S.C. § 1039. So I think a better interpretation of this case is that where an online provider is dabbling too close to third party illegal activity, judges simply will ignore 230 as a bailout. Framed that way, this ruling is akin to Roommates.com, which was largely a normative judgment by the Ninth Circuit that the Fair Housing Act should trump 230 regardless of 230’s precise statutory contours.
I'll conclude with a few more thoughts about the concurrence. Although the concurrence's proposal to distinguish between speech and conduct wasn’t a good one, there was a useful nugget embedded in it. To bypass 230, perhaps the case could have focused on first party content published by Accusearch--namely, copy written by Accusearch advertising the availability of CPNI records, including any express or implied statements that it was reselling legitimate records. I've repeatedly blogged on the challenges of first-party/third-party content distinctions in 230 (see, e.g., my recent discussion about 230 and consumer protection), but in this case, I think focusing on Accusearch's own representations may have led to a cleaner doctrinal result than the one we got.
Finally, in the concurrence's FN5, Judge Tymkovich says:
If Accusearch had run a traditional business out of a physical location and offered similar services, it would seem the FTC would have the same unfair business practices complaint. Nothing would immunize Accusearch’s conduct had it chosen to deliver the confidential telephone records to requesters through hard copy print-outs either in person or through the mail. Accusearch’s duty to refrain from engaging in the solicitation and distribution of unlawfully-obtained confidential telephone records should not depend on the medium within which it chooses to operate.
Uh, NO. As with some other bright judges dealing with 230 cases, Judge Tymkovich has fallen into the mental trap that smart common law judges applying their powers of reasoning can simply intuit what the law should be. Congress has made it abundantly clear that it did exactly what Judge Tymkovich rejects; via 230, Congress created medium-specific rules that make some activities online permissible even if their offline analogue would not be. As challenging as it may be, judges should resist the temptation to make these kinds of normative assumptions in the face of clear Congressional intent.
Posted by Eric at 10:28 AM | Derivative Liability, E-Commerce, Privacy/Security
June 10, 2009
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
By Eric Goldman
Harris v. Blockbuster Inc., 2009 WL 1011732 (N.D. Tex. April 15, 2009). The Justia page.
[I've been sitting on this case for a couple of months, but it's such an important case that it still deserves a write-up even at this comparatively late date.]
This case is part of the legal detritus from the Facebook Beacon program. As you recall, Facebook Beacon included purchases from third party e-commerce sites into the buyer's Facebook status reports. This required the e-commerce sites to report Facebook users' purchases back to Facebook. A Blockbuster user claimed that Blockbuster's reports to Facebook violated the Video Privacy Protection Act, which prevents disclosures of PII about video customers without their consent. (Beacon did have an opt-out of debatable efficacy). Blockbuster moved to compel arbitration of this lawsuit based on the mandatory arbitration clause in Blockbuster's user agreement.
Blockbuster used an industry-standard and entirely typical introductory clause to its user agreement, which said:
Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.
This industry-standard and entirely typical clause does not fare well in this courtroom. Among other defects, the judge notes that "there is nothing in the Terms and Conditions that prevents Blockbuster from unilaterally changing any part of the contract other than providing that such changes will not take effect until posted on the website." As a result, the court deems the arbitration clause "illusory," an odd Texas law descriptor that appears to be a cousin of lack of consideration.
I could wax philosophic about the ontological meaning of a "contract" that one party can amend unilaterally at any time without notice. However, I'd rather focus on the simple practical implication from this ruling. I've never been a fan of the language Blockbuster used, and I had hoped many websites would reconsider the language after the Ninth Circuit trashed such provisions in 2007 in Douglas v. Talk America (also see my follow-up post). Yet, these clauses are still ubiquitous, even at big websites that "should know better," so let me boil it down for you into a single all-caps mantra:
STOP PUTTING CLAUSES INTO YOUR CONTRACTS THAT SAY YOU CAN AMEND THE CONTRACT AT ANY TIME IN YOUR SOLE DISCRETION BY POSTING THE REVISED TERMS TO THE WEBSITE
This language has a significant risk of killing the entire contract, which would strip away a lot of very important provisions that should be/need to be in the contract. So far Blockbuster has only lost its mandatory arbitration clause, but it's possible other important risk management clauses (warranty disclaimer, liability limits, dollar caps, etc.) will similarly fall. If those clauses fail, let the plaintiff feasting begin!
I recognize that weaning ourselves from very flexible amendment language leaves us as drafters with few good options to modify online user agreements over time. I discussed this dilemma in my post on the Douglas case. I haven't found any better solutions in the past 2 years, but I can say with confidence--DON'T DO WHAT BLOCKBUSTER DID.
UPDATE: I got the following email from a reader proposing a good alternative to current amendment notification processes: "To avoid the spam-filter problem, the provider could give notice via an RSS feed as well, and then disclaim like crazy about the problems with the email option (which would indeed simply be an option -- a link to a page where users can sign up to receive notices)." I love this idea! RSS is a true opt-in with few of the challenges of email.
Also, this brought to mind the EFF's new TOSBack service, which I'll mention more in a future blog post, that effectively provides a third party service to track amendments of various user agreements into an RSS feed. I LOVE IT! I have subscribed to TOSBack and plan to blog on interesting user agreement amendments it reveals--and I suspect I'm not the only one queued up to do so. TOSBack is a game-changer for public scrutiny of agreement amendments--sites being monitored in TOSBack are now on notice that their user agreement amendments are being watched!
Posted by Eric at 10:26 AM | Licensing/Contracts, Privacy/Security
June 09, 2009
May 2009 Quick Links Part 2
By Eric Goldman
Blogs and Boards
* WSJ: Bloggers, Beware: What You Write Can Get You Sued
* j2 Global Communications v. Zilker Ventures, CV 08-07470 SJO (AJWx) (C.D. Cal. April 22, 2009). A consumer review website can putatively qualify for anti-SLAPP protection, but not in this case because the plaintiff established its prima facie case.
* Biggs Cardosa Associates Inc. v. Bradbury, 2009 WL 1508703 (Cal. App. Ct. May 29, 2009). Here's another one for all of you Rip-off Report fans. A former employee lost a jury trial (and was hit with over $100,000 of damages) for breaching a "non-disparagement" clause in his separation agreement by posting negative comments about his former employer and colleagues on a variety of online fora, including numerous posts on the Rip-off Report.
* Houston Chronicle article on a lawsuit against a website operator for a user post saying that a woman has herpes when she, in fact, does have herpes. She is claiming public disclosure of private facts. [Stupid Houston Chronicle expired the article and moved it to its archives, breaking a number of links throughout the web. Here's a short recap of the article.]
* Stengle v. Office of Dispute Resolution, 2009 WL 1138119 (M.D. Pa. April 27, 2009). The contract of an independent contractor government "hearing officer" was non-renewed because she blogged on the topics of her hearings, raising questions about her impartiality. As the court says in dismissing the resulting lawsuit from the hearing officer:
To reiterate, this Court fully recognizes the cherished right of free speech, as well as the commendable goals of the RA. But these cannot wash away the bona fide concerns that arise when a judicial officer elects to disseminate her opinions in cyberspace with little or no restraint. Because of her position, Plaintiff's attempts to qualify her stances as solely her own were entirely ineffectual. With particular jobs come certain precise responsibilities. In Plaintiff's case, one of these included avoiding even the appearance of bias via extra-judicial comments. Plaintiff's deep concerns about the special education issues and the resulting creation of her blog ultimately caused her to face a dilemma that she alone created. The choices she freely made thereafter led to her non-renewal, and as aforestated we do not find any of the Defendants' conduct actionable under the circumstances.
This case reminded me some of Richerson v. Beckon from last year.
* JuicyCampus redux: People's Dirt. Let the angst over anonymous online forums begin anew.
* Doe v. Ciolli, 2009 WL 1204361 (D. Conn. April 30, 2009). In the AutoAdmit lawsuit, the court rejected Matthew Ryan's (aka ":D") motion to dismiss for lack of jurisdiction.
* Facebook v. Power Ventures, Inc., 2009 WL 1299698 (N.D. Cal. May 11, 2009). Largely following the troublesome Ticketmaster v. RMG case, Power Ventures' motion to dismiss Facebook's copyright and DMCA claims was denied. (Other claims survived too). Comments from Jeff Neuburger and Tom O'Toole.
Miscellaneous
* Colleen Chien, Of Trolls, Davids, Goliaths, and Kings: Narratives and Evidence in the Litigation of High-Tech Patents, North Carolina Law Review, Vol. 87, 2009
* Mazur v. eBay Inc., 2009 WL 1203937 (N.D. Cal. May 5, 2009) Class certification denied. My blog post on this case’s more troubling ruling about 47 USC 230.
* Riggs v. MySpace, Inc., 2009 WL 1203365 (W.D. Pa. May 1, 2009). Venue selection clause in MySpace user agreement upheld.
* Salter v. State, 2009 WL 1409484 (Ind. App. Ct. May 20, 2009). Saving pornographic photos of a minor to a CD does not constitute the "creation" of child porn, even though a new "copy" has been created.
* State v. Bell, 2009 WL 1395857 (Ohio App. Ct. May 18, 2009). MySpace chat sessions aren't MySpace "business records" for hearsay purposes.
* Forbes: the Hidden Costs of Privacy. This article has been written, and written again, many times in the last decade; yet the regulatory dynamics have not improved.
Posted by Eric at 10:35 AM | Content Regulation, Copyright, Derivative Liability, Patents, Privacy/Security, Publicity/Privacy Rights
June 08, 2009
May 2009 Quick Links Part 1
By Eric Goldman
Just a reminder that I'm posting some quick links exclusively to my Twitter account.
Trademarks
* Texas International Property Associates v. Hoerbiger Holding AG, 2009 U.S. Dist. LEXIS 40409 (N.D. Tex. May 12, 2009). Domainer loses ACPA claim over typosquatted domain name. The PPC advertising constituted bad faith intent to profit. Ryan Gile recaps the action.
* GunBroker.com LLC v. Heckler & Koch Inc., No. 09-cv-00051 (M.D. Ga. complaint filed May 14, 2009). Interesting lawsuit by an online auction site for guns seeking a declaratory relief action against a trademark owner who deployed an enforcement agency, Continental Enterprises, to send a driftnet takedown letter that apparently targeted used gun resales or compatible goods. Ryan Gile has more.
* Miranda v. Guerroro, 2009 WL 1381250 (S.D. Fla. May 14, 2009). Miranda is “Paola Morena,” a Latin singer. Her former manager convinced her to do some nude photo shoots in an effort to get a Playboy gig. The Playboy gig didn't materialize, and the manager stopped representing Miranda/Morena. After Morena's career took off, the manager then allegedly threatened to publicly post the photos unless she paid him $70k. Morena rebuffed the request, so the manager allegedly followed through with his threats by launching a website paolamorena.com [I got a nasty Google malware warning when I tried to visit the site], calling it her “official” site and posting some of the photos. The court enjoined the manager under trademark law. I'm a little confused how Morena had protectable trademark rights in her name. Did she make any use in commerce in the United States? Did her name achieve secondary meaning? This could be another case where trademark law is being stretched to stop bad behavior.
* Eric Menhart, the self-purported owner of a trademark in the term Cyberlaw, has gotten his very own personal gripe site.
Advertising and Marketing
* How much can Behavioral Targeting Help Online Advertising? HT Greg Linden
* Yingling v. eBay, 5:2009cv01733 (N.D. Cal. complaint filed April 21, 2009). A class action lawsuit alleging that eBay Motors overcharged merchants.
* IAB has issued its Click Measurement Guidelines designed to answer the Q “What is a Click?” See if their 28 page report actually answers the Q.
* A confusingly written LA Times article reports that 4 South Korean dissident bloggers are being criminally prosecuted for artificially inflating impression counts in order to game rankings of most popular pages.
* Perennially funny: unfortunate product names.
Copyright
* Solicitor General recommends against granting cert in Cartoon Network v. CSC.
* AV v. iParadigms, April 16, 2009. The Fourth Circuit says that the Turnitin system is fair use. My initial blog post on the district court ruling.
Security
* News.com: Interview with FBI cybercrime agent working undercover.
* Oddee: problematic CAPTCHAs. Funny.
* Everyone wants to talk about whether Google is a monopolist
- In early May, I heard Susan Athey, Microsoft's Chief Economist, give a lunchtime attack speech on Google at a George Mason event
- Google is circulating a document explaining why it's good for competition
- Google is blanketing DC with lobbyists too.
- And Google says it's actually small potatoes.
- Wired: Will Wolfram Alpha forestall antitrust inquiry into Google? As I've argued before, we continue to see new entrants into the search business all the time—it’s just too big a market to ignore.
- NYT weighs in too. And the Washington Post discusses how Microsoft and others are complaining about how many Google folks are going into the Obama administration.
* Danny Sullivan: State Of Search: Google Will Stay Strong Despite Bing & Yahoo
* Wired: Secret of Googlenomics: Data-Fueled Recipe Brews Profitability
Posted by Eric at 04:03 PM | Copyright, Derivative Liability, E-Commerce, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Trademark
May 28, 2009
Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap
By Eric Goldman
Solid Host, NL v. NameCheap, Inc., 2:08-cv-05414-MMM-E (C.D. Cal. May 19, 2009)
Facts
This case involves an alleged domain name theft. Solid Host is a web host and initial owner of the domain name solidhost.com, which it registered through eNom in 2004. Solid Host claims that in 2008, a security breach at eNom allowed an unknown interloper (Doe) to steal the domain name and move the registration to NameCheap. Doe also acquired NameCheap's "WhoisGuard" service, a domain name proxy service that masked Doe's contact information in the Whois database. Solid Host contacted Doe and sought the domain name; Doe asked for $12,000, and Solid Host took a pass. Instead, Solid Host demanded that NameCheap hand back the domain name and identify Doe, but Doe claimed that he had bought the domain name legitimately. NameCheap, apparently feeling like the cheese in a sandwich, demurred to Solid Host's requests. Solid Host then got a TRO ordering NameCheap to transfer the name and reveal Doe's identity, both of which occurred. For unclear reasons, Solid Host hasn't amended the complaint to name the Doe, but it is proceeding against NameCheap on various claims, including an Anti-Cybersquatting Consumer Protection Act (ACPA) claim.
The Opinion
Who is the Registrant?
My understanding of domain name proxy services is that the service acts as the legal registrant, thus supplying its contact information, but it registers the domain name for the benefit of its customer, making the customer the beneficial registrant. An analogy: a bank may take legal title of a property as part of securing a loan on the property, but the borrower retains beneficial title to the property.
So, for purposes of the ACPA, is the proxy service the “registrant” of the domain name? ICANN’s agreement with registrars seemingly contemplates this characterization in Section 3.7.7.3 of its Registrar Agreement, which says “A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.” However, it’s not clear to me that a proxy service “licenses” the domain name, especially if you accept my lender-borrower analogy above. Alternatively, if the proxy service is the “agent” of the customer, the licensing analogy also breaks down.
Whether the proxy service is the registrant matters a great deal to the legal outcome, and unfortunately, the court’s analysis of this important question was cursory, muddled, and possibly internally inconsistent.
In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider. As a registrar, an ACPA claim against NameCheap should be squarely preempted by the domain name registry/registrar safe harbor enacted as part of the ACPA (15 U.S.C. §1114(2)(D)). For example, 1114(2)(D)(iii) says:
A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name
(This provision only moots damages, not an injunction, but since Solid Host has the domain name back in its possession, damages seem like the only remaining issue).
The court concludes that NameCheap is not eligible for the domain name registrar safe harbor because NameCheap is the domain name registrant. It says, "NameCheap is, by virtue of the anonymity service it provides, the registrant of a domain name that allegedly infringes Sold [sic] Host’s trademark." Thus, NameCheap is ineligible for the registrar safe harbor, which applies only when the registrar acts as a registrar.
But, having rejected the domain name registrar safe harbor because NameCheap was the domain name registrant, the court then inconsistently says that NameCheap is not the registrant for purposes of the prima facie ACPA claim. Instead, for ACPA purposes the court treats Doe as the registrant, leaving NameCheap exposed to a possible secondary ACPA liability claim. (The court acknowledges that NameCheap would defeat a direct ACPA claim because NameCheap did not have any bad faith intent to profit from the domain name. Offering the proxy service wasn't enough to qualify as a bad faith intent to profit).
Wait a minute—how can NameCheap simultaneously be both the registrant (no safe harbor) but not the registrant (thus, subjected to a secondary claim)? The court does not acknowledge or explain this apparent inconsistency.
Contributory Cybersquatting
Courts have rarely discussed a contributory ACPA claim. The only one cited by the court was a 2001 case (the Ford Motors vs. Greatdomains.com case) and I can’t think of any others. Perhaps this isn’t surprising because (1) as the Greatdomains.com case indicated, a contributory ACPA claim is available "in only exceptional circumstances," and (2) registrars are the most likely targets of a contributory ACPA claim, and the domain name registrar safe harbor effectively eliminates their contributory ACPA liability.
Adopting the analysis in the Greatdomains.com case, this court equates contributory ACPA liability with the Ninth Circuit’s 1999 Lockheed standard for online contributory trademark infringement (as opposed to ACPA liability), which requires that "a plaintiff must prove that the defendant had knowledge and ‘[d]irect control and monitoring of the instrumentality used by the third party to infringe the plaintiff’s mark.'"
So how did NameCheap have the requisite control over Doe's instrumentalities? Good question. The court tosses out this gem: NameCheap was "the 'cyber-landlord' of the internet real estate stolen by Doe." WHAT??? The court continues:
NameCheap’s anonymity service was central to Doe’s cybersquatting scheme. If NameCheap had returned the domain name to Solid Host, Doe’s illegal activity would have ceased.
The second sentence is true with respect to NameCheap, but it is also true of every registrar for every domain name they register--and we know from the 1999 Lockheed case that registrars lack control over the instrumentalities of their registrants. So the proxy service seems to make a legal difference, but how does the proxy service evidence NameCheap's greater control over the registrant's instrumentalities? I think something is amiss here.
To complete the prima facie contributory ACPA claim, in addition to control, Solid Host must show that NameCheap has the requisite knowledge of Doe's ACPA violation. The court sets a high scienter bar--mere notice from an aggrieved party isn't enough--but the court conclusorily says that the complaint alleged enough knowledge to survive the motion to dismiss.
Why This is a Troubling Ruling
As I trust is clear, I think the court's analysis is questionable at best. I’m also troubled about the normative implications. Most obviously, this case could portend the demise of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.
If proxy services evaporate, domain name registrants will have a tougher time maintaining their privacy. This could affect at least two groups. First, businesses seeking to register domain names for unlaunched new brands often want to procure the new brand's domain names without publicly announcing their intentions through the Whois database. (Of course, some businesses register such domain names through agents or shell companies, but at a much greater expense than a proxy service). Second, gripers, whistleblowers, critics and others may want to use proxy services to make it harder for their targets to unmask their identities. This ruling jeopardizes the potential privacy options available to both groups.
I’m also troubled by this ruling’s narrow reading of the domain name registrar safe harbors. There haven’t been many cases interpreting those safe harbors, and this case might influence other courts to read them narrowly.
A Mini-Trend of Lawsuits Against Registrars
I’ve noticed a small but troubling increase in lawsuits against domain name registrars in the past few months. In addition to this case, see the Vulcan Golf v. Google lawsuit (which named some registrars as defendants), OnlineNIC cases, Philbrick v. eNom and uBid v. GoDaddy. Personally, I believe this litigation trend mirrors the expansion of new and legally untested non-registration services offered by registrars. I explored this issue with Elliot Noss of Tucows in the most recent installment of TWiL (worth listening to, IMO). Discussing the uBid lawsuit, Elliot explained how registrars monetize dropped domain names before they are returned to the available pool of unregistered domain names. The delay is putatively for the benefit of customers who mistakenly let a registration lapse; but this also has the happy (?) by-product of letting registrars create new ad inventory that they are monetizing.
In the past, a lot of the legal attention regarding domain names has focused on trademark owners vs. registrants. From my perspective, those lawsuits are becoming passé. The real litigation growth industry appears to be trademark owner vs. registrar lawsuits over new registrar service offerings that trademark owners don't like. Rulings like this one, with a broad reading of contributory ACPA liability and a narrow reading of the domain name registrar safe harbor, raise the specter that registrars may find more legal trouble than they anticipated.
UPDATE: Commentary from Domain Name News
UPDATE 2: A call for registrars to exit the domain name proxy business.
Posted by Eric at 03:27 PM | Derivative Liability, Domain Names, Privacy/Security, Trademark
April 12, 2009
Q1 2009 Quick Links, Part 4
By Eric Goldman
Security
* Massachusetts Data Security regulations were amended.
* In Facebook v. Power.com, Facebook brought another lawsuit to block extraction of user data from the site (similar to the Facebook v. ConnectU lawsuit). Venkat, Masnick, News.com, NYT, Justia. In this case, I wonder if Facebook has adequately distinguished between Power.com's behavior and the operation of its own "Find a Friend" service that taps into third party email servers to extract email addresses. Power.com’s response.
* Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. Jan. 7, 2009). IP infringement isn't a cognizable harm under the Computer Fraud & Abuse Act.
Adware/Spyware
* Who says Valentine's Day is just a Hallmark holiday? Sales of spyware and other tools to track cheating SOs also increase around Valentine's Day.
* Susan Brenner on the Cybercrimes Treaty and the US's decision not to criminalize possession of malware as required by the treaty.
Venture Capital
* BusinessWeek: Silicon Valley innovation is being stifled by VCs who only want to make small bets, not big bets. But VC investing is faddish, so the wind might change tomorrow.
* $600M of VC investments in virtual worlds.
Contracts
* Burcham v. Expedia, Inc., 2009 U.S. Dist. LEXIS 17104 (E.D. Mo. Mar. 6, 2009). Buyer was bound to user agreement even though he argued (without any evidence) that someone else established the account he used. This dovetails nicely with the broad reading of who is bound by an online user agreement; see my discussion in the Lori Drew case. Jeff Neuburger's writeup. Aside: I wonder if Expedia will be insulated by 47 USC 230 for the allegedly wrong description of amenities if they got the description of the hotel from third parties. For an analogous result involving the binding of users who didn't agree to the initial contract, see CoStar Realty Information, Inc. v. Field, 2009 WL 841132 (D. Md. March 31, 2009).
* Fractional Villas Inc. v. Tahoe Clubhouse, No. 08cv1396 (S.D. Cal. Feb. 25, 2009). Citing the RMG case, the court says that merely visiting a site may be sufficient to bind visitors to a browsewrap. However, in this case, there was insufficient evidence that the defendant had ever visited the site.
* Cherny v. Emigrant Bank, 2009 U.S. Dist. Lexis 2486 (March 12, 2009). Latest case that breach of privacy policy isn’t actionable unless there are actual damages. Venkat’s writeup.
* A stat I fully believe: "studies have shown that more than half of all companies cannot even locate signed copies of 10% or more of their contracts." The Zen Master asks: if both parties think they have entered a contract but neither can find a copy, do they have a contract? (this has really happened to me before).
Taxes
* Amazon v. New York and Overstock v. New York (N.Y. Sup. Ct. Jan. 12, 2009). Kudos to New York for finally figuring out a way to break the Internet and defeat the Internet Tax Freedom Act by treating Amazon Associates as traveling salespeople for sales tax collection purposes. I imagine every state in the country will jump on this bandwagon, at which point some e-tailers will kill their affiliate program and others will end up imposing sales tax collection nationwide.
* Pitt County v. Hotels.com, L.P. (4th Cir. Jan. 14, 2009). Online travel aggregators aren't "retailers" (as referenced in the statute) for purposes of collecting local hotel occupancy taxes.
General
* Some interesting cyberspace exceptionalism developments involving cases where paper presentation may be different from electronic presentation of the exact same content. In Smith v. Under Armour, Inc., 2008 WL 5486764, web payment confirmations displayed on-screen are not "printed" within the meaning of the Fair and Accurate Credit Transactions Act. Accord Smith v. Zazzle.com, Inc., 2008 U.S. Dist. LEXIS 101050. See generally this Proskauer recap. In Saulic v. Symantec Corp., a California law prohibiting data collection with credit card sales was held inapplicable online.
* Sudduth v. Donnelly, 2009 WL 918090 (N.D. Ill. April 1, 2009). Plaintiff got stiffed on his eBay transaction and sued eBay for 1983 equal protection and conspiracy claims as well as a Title VI civil rights claim. Because eBay isn't a state actor, however, the court dismissed eBay.
* My colleague Steve Diamond is blogging every detail of the battle for SAG's soul over at his new blog, King Harvest. For example, he summarizes the travails of the Screen Actors Guild.
* Oddee: 10 Geekiest T-Shirts. I own a t-shirt that says "I'm Blogging This" (a gift from a former student) and a mug that says "Vegetarian Blogger" (gift from a colleague).
* Oddee: 15 Most Unfortunate Town Names. I think Licking County should have been a contender.
* Is there any better sign of Cyberlaw's maturity than the publication of Internet Law in a Nutshell? [Amazon Affiliates link]
* Oddee: 12 Most Ridiculous Lawsuits. I welcome your nominations for the most ridiculous Internet lawsuits of all time. I hope to write that up some day.
* Happy birthday, Gmail! Best email software I've ever used. The battles over Gmail privacy seem so...2004!
Free Stuff
* The Ninth Circuit recently updated its website...with RSS feeds!
* Nolo Press' "NDAs for Free." Potentially useful site.
* I have one extra copy of my Fall 2008 Cyberspace Law course reader. First person to send an email with their mailing address gets it. [CLAIMED]
Posted by Eric at 12:03 PM | Adware/Spyware, E-Commerce, Licensing/Contracts, Privacy/Security, Trade Secrets, Virtual Worlds
April 11, 2009
Q1 2009 Quick Links, Part 3
By Eric Goldman
Blogging and Social Networking Sites
* A new version of the EFF Legal Guide to Blogging. While you're there, consider joining EFF as a member. The EFF does first-rate work, and they can use all the support they can get in this economic downturn.
* Red Tape Chronicles: "Blogger: Cash4Gold tried to 'bribe' me."
* Klein v. City of Laguna Beach, 594 F. Supp. 2d 1142 (C.D. Cal. Jan. 23, 2009): "many of the cases striking down ordinances that restrict sound-amplification equipment are artifacts of a bygone age that offered activists few media of mass communication. Twenty, thirty, or fifty years ago, a sound truck was an important means of spreading a message to a large group of people. Now, one must only have a computer and a printer to publish a newsletter or handbill. The Internet, e-mail, text messaging, and widespread mobile communications devices have made it easier than ever to reach a large audience on a small budget. Indeed, it might be easier for Mr. Klein to reach the youth he wishes to target by using Facebook or MySpace."
* Maybe everyone already knew this, but I learned something interesting about Blogger. Apparently in some cases they will place an interstitial warning in front of certain user-posted content.
* Doninger v. Niehoff, 2009 WL 103322 (D. Conn. Jan. 15, 2009). On remand from the Second Circuit, the district court denies damages for a student whose off-campus blog entry led to school discipline. At the same time, Wendy Davis reports on how a Conn. Bill Would Protect Students' Free Speech Online.
* Funny article on Facebook's efforts to police against people who create funny account names, which sometimes ensnares people who actually have funny names like Batman, Six, Super, Pancake and Kisser.
* Facebook Sex-Extortion Plot: a boy pretends to be a girl, gets boys to send naked photos to him, and then threatens to go public with the photos unless they consent to sex with him.
* Dynamic Sports Nutrition, Inc. v. Roberts, 2009 WL 136023 (S.D. Tex. Jan. 16, 2009). A former employee republishing confidential information via his blog is enjoined.
* We now know that Facebook settled with ConnectU for $65M. However, ConnectU might get a little more cash after this information was inadvertently disclosed by its former counsel, Quinn Emanuel, in a marketing brochure.
* Facebook gets TRO against Wallace.
* Some people gave up Facebook for Lent.
* Reuters writes up a shocking study: many teens on MySpace post things they might regret.
* State v. Hause, 2009 WL 295404 (Ohio App. Ct. Feb. 9, 2009). Facebook photos help convict a woman for allowing minors to drink alcohol in her house.
* U.S. v. Villanueva, 2009 WL 455127 (11th Cir. Feb. 25, 2009). MySpace photo and YouTube video showing defendant holding firearms contribute to sentence enhancements for firearms charges.
* John Palfrey & Adam Thierer discuss Palfrey's arguments to "improve" 47 USC 230 by reversing Doe v. MySpace.
Defamation/Cyberbullying
* JuicyCampus has shut down. LA Times, Chronicle of Higher Education, CMLP.
* Lengthy article on the AutoAdmit lawsuits. And a mixed ruling in Ciolli v. Iravani.
* Noonan v. Staples (1st Cir. Feb. 13, 2009). Truth is NOT an absolute defense to defamation in Massachusetts, which apparently also has seceded from the Union because the First Amendment no longer seems to apply.
* Neuwirth v. Silverstein, 2009 WL 294737 (Cal. App. Ct. Feb. 9, 2009). Reiterating that a website can be a public forum for purposes of anti-SLAPP laws. The CMLP writeup.
* Douchebags Lawsuit dismissed. Marc Randazza mocks the lawsuit.
* Rios v. Fergusan, 2008 WL 5511215 (Conn. Super. Ct. Dec. 3, 2008). Connecticut court has jurisdiction to issue restraining order against North Carolina man who posted YouTube video threatening Connecticut woman.
* Fahmy v. Hogge, 2009 WL 33418 (C.D. Cal. Jan. 2, 2009). Court denies Fahmy's motion to set aside the dismissal based on lack of jurisdiction because Fahmy made the error that caused the dismissal.
* 24Grille v. TripAdvisor (complaint filed April 2, 2009). Restaurant sues TripAdvisor for anonymous TripAdvisor review. Hello 230!
* Censorious laws brewing in WV and NJ.
Yelp
I have been meaning to post about my experiences with Yelp as a reader and a writer, but that has been repeatedly deferred. So, instead, how about a quick recap of Yelp’s woes? Yelp has been under the microscope quite a bit in the last few months.
* Wendy Davis recaps all the Yelp-related litigation she and I could find--at least 5 known cases. CMLP recaps a couple of the lawsuits.
* This East Bay Express article about Yelp caused quite a stir. It was followed up with more attributed sources. A number of other media outlets covered Yelp, including News.com and the NYT. For a full rundown of Yelp haters, check out the Eater coverage.
Wikipedia
* 25 Biggest Blunders in Wikipedia History.
* Two books about Wikipedia I’ve been checking out.
- Wikipedia, the Missing Manual.
- How Wikipedia Works.
Pornography
* Mukasey v. A.C.L.U., No. 08-565. The Supreme Court declined the cert petition regarding the challenge to the 1998 Child Online Protection Act, officially killing the law after a decade of litigation. Putting aside the merits of the law, it would have been a huge shock to the Internet community to have a circa-1998 criminal act resurrected! I'd like to think Congress will be wiser than to try to criminalize Internet porn a third time, but the regulation of Internet porn is like a siren song to Congressmembers.
* State v. Hurst, 2009 WL 580453 (Ohio App. Ct. March 6, 2009). From the unfortunately-named Licking County courts, the defendant downloaded 14,000 pornographic photos into his work computer's local cache in a five-day period (he acknowledged he spent 70% of his workday downloading porn). An expert said that about 50 of the photos were child pornographic. The defendant was convicted of possessing child pornography even though he argued that he didn't intentionally download the photos; he received a 39-month sentence and was classified as a sex offender.
* Excellent article by Colette Vogele on suing over a sex tape.
Gambling
* The credit card payment systems blocked the New Hampshire Lottery due to the Unlawful Internet Gambling Enforcement Act of 2006.
* Peer-to-peer gambling OKed in Washington.
Posted by Eric at 12:53 PM | Content Regulation, Derivative Liability, Internet History, Privacy/Security
March 12, 2009
Rip-off Report Lawsuit Updates: Certain Approval Programs and Ecommerce Innovations
By Eric Goldman
Certain Approval Programs v. Xcentric
Certain Approval Programs, L.L.C. v. XCentric Ventures L.L.C., 2009 WL 596582 (D. Ariz. March 9, 2009). I previously blogged about this case in November. This ruling is in response to the plaintiff's request to file an amended complaint, which Rip-off Report resisted on several grounds. Of particular interest is the plaintiff's desire to add a claim for "misappropriation of name or likeness." Rip-off Report responded that such a claim is futile due to 47 USC 230. The court rejected the futility argument at this early procedural stage, saying:
Plaintiffs have alleged enough facts regarding Defendants' “creation or development of information provided through the Internet or any other interactive computer service” to make it plausible that Defendants are an “information content provider” for some content and therefore the CDA does not completely immunize Defendants.
This is not the first time that plaintiffs' allegations against Rip-off Report have survived the equivalent of a motion to dismiss, but getting further into the litigation process has proven difficult for plaintiffs.
The court didn't reach the issue, but it's also germane to the futility argument whether a "misappropriation" claim is even preempted by 230 at all or if it qualifies as an "intellectual property" claim that is excluded from the immunization. Compare ccBill and Friendfinder.
Ecommerce Innovations v. Doe
Ecommerce Innovations, L.L.C. v. Does 1-10, No. MC-08-93 (D. Ariz. Feb. 10, 2009). Thanks to Jeff Neuburger for calling attention to this case. In this case, a defamation plaintiff is seeking identifying information for an anonymous Rip-off Report contributor. The Rip-off Report initially fought the request, but the district court ordered Rip-off Report to comply because the plaintiff had established a prima facie case. The Rip-off Report responded that it plans to appeal the judge's order to the Ninth Circuit, and the district court has stayed the order pending the appeal (although I can't find any evidence that the appeal has been filed yet). As Jeff points out, an appeal by Rip-off Report may prompt the Ninth Circuit to articulate its standards for when plaintiffs can unmask anonymous defendants; it also could become a backdoor way to gauge the Ninth Circuit's attitude towards Rip-off Report in light of some ambiguous language in the initial Ninth Circuit Roommates.com opinion.
Posted by Eric at 11:54 AM | Content Regulation, Derivative Liability, Privacy/Security, Publicity/Privacy Rights
February 20, 2009
Facebook User Agreement Imbroglio Recap (and Some Comments of My Own)
By Eric Goldman
I didn't have a chance to blog on the Facebook user agreement amendment flap in real-time, but now that Facebook has rolled back its amendments and everyone is catching their breath, the Monday morning quarterbacking is proceeding in full earnest. Some of the articles that caught my attention:
* CNET News.com: "Facebook's about-face: Change we can believe in?"
* InternetNews: "Experts: Facebook Must Rethink TOS Stance"
* EFF: "Facebook's reaction is a tremendous victory for its users." I guess that's true, in the way that getting back to zero at a casino sometimes can be considered a win.
* Bill McGeveran powerfully (and with irony) demonstrates that Facebook's terms weren't all that unusual. Et tu, Consumerist?
Some of my own observations:
* When you're a high-profile company living in the media fishbowl like Facebook, there is no such thing as a minor amendment to your user agreement.
* Facebook's amendments--and the news reports about them--were confusing because of two independent but often correlated problems. First, lay readers often misread user agreements, especially broad license grants that users mistakenly read as statements of ownership. This is a well-known and long-standing phenomenon; see, e.g., the flap over GeoCities' user agreement from a decade ago. So initial news reports on Facebook's amendments were garbled and perhaps overly dramatic.
Second, Internet lawyers often draft user agreements using legalese in ways that make the agreements indecipherable to lay readers...and, not infrequently, to other lawyers. Having drafted a lot of them in my life, I'm a pretty sophisticated reader of user agreements, yet it took me a fair amount of time to parse Facebook's license terms to figure out what they were saying--and, even then, I wasn't quite sure. In particular, the "perpetual" and "irrevocable" terms in the license agreement were in seeming conflict with Facebook's promise in the same license grant to honor a user's privacy settings. In other words, if a user can set the configurations to remove content from Facebook's purview and Facebook will honor those instructions, then how is Facebook's license grant irrevocable? Unless I'm missing something big, this looked to me like a drafting error by Facebook. (And check out Nancy Kim's op-ed identifying this exact issue--in March 2008).
This suggests a drafting lesson we might internalize from Facebook's hassles (Jonathan Zittrain makes a complementary point). We as Cyberlawyers are used to parroting the exact words from the applicable statutes and caselaw because it seemingly increases the precision of the agreement, but frankly I think Facebook and other Internet companies would do a whole lot better--both legally and in the court of public opinion--if they junked the legalese and actually tried to write license grants in real English.
* Partially obscured in the haze is the lurking question of whether Facebook can unilaterally amend its user agreement without providing any notice to users. I don't even see this as a close question. From my reading of the precedents, I think the answer is pretty emphatically NO, both as a matter of contract law (and see more; but compare MySpace v. theglobe.com) and FTC law (see, e.g., the Gateway Learning case). Without a doubt, I wouldn't want to be Facebook trying to defend the new incremental changes in court.
* I got a few inquiries about whether a lawsuit against Facebook would have been successful. As Ethan explained recently, there may be unexpected hurdles to any such lawsuits.
* Now that Facebook has stirred the hornet's nest, it's not clear that they can simply roll back to the prior version of the user agreement and put everyone back in the happy apple. Instead, having called attention to its licensing policies, Facebook will be lucky if the pre-amendment terms survive as those undergo critical and jaundiced scrutiny from users. David Kirkpatrick touches on this.
* No matter how Facebook resolves its agreement, this episode has been damaging to its trust relationship with its users. It gives users yet another reason to question whether Facebook is a site we can trust. For users who lived through the Newsfeed and Beacon episodes, this may be a three-strike situation. For others, the fracas is yet another wedge in the users' relationship with Facebook. Trust is hard to earn and easy to lose.
Having said that, in the past couple of quarters, Facebook has been riding a strong network effects bull and seeing remarkable growth DESPITE Beacon. So Beacon clearly did not destroy users' trust in Facebook. At the same time, if users fall out of love with Facebook due to loss of trust, they will scale back their involvement with Facebook, which ultimately could negate the network effects benefits they are currently experiencing. IMO, this is the real risk created by Facebook's highly publicized problems.
Posted by Eric at 08:57 AM | Internet History, Licensing/Contracts, Privacy/Security
January 23, 2009
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
A recent court case reiterates that privacy policies aren't the be-all, end-all panacea for protecting online privacy.
By Ethan Ackerman
One of the main arguments against a federal online privacy law has been that website privacy policies were a self-regulatory solution that was more than sufficient, permitted more flexibility, and bound parties as surely as any federal law. Real-life court cases continue to suggest the contrary.
From mid-90s FTC staff decisions to "encourage self-regulation" to the 1998 formalization of a Clinton administration e-commerce policy framework to the extension of this policy through both terms of the G.W. Bush Administration, "self-regulation" of online privacy has been the policy of the executive branch of the federal government. Similarly, "self-regulation" has been the primary card played (the 10 of spades?) against Congressional attempts to pass federal online privacy regulation, successful in stalling any legislation on the issue since at least the 106th Congress. Online industry lobby groups still emphasize that "self-regulation" is the only needed enforcement, and online privacy advocates cite self-regulation's failures for the 'decade of disappointment' in internet privacy.
Meanwhile, outside of the policy debates, online activity has exploded, along with the collection and use of personal information online. Putting aside the real challenge of discovering unacceptable uses, sometimes that collection and use (or misuse) is egregious enough that someone sues over it. As the recent case of Pinero v. Jackson Hewitt Tax Service shows yet again, actual monetary damages matter more than egregiousness.
Ms. Pinero discovered that a Jackson Hewitt Tax Service licensee that prepared her taxes had breached its privacy policy when a local news station contacted her and provided her with her prior year tax returns, discovered in a public dumpster along with the returns of more than 100 other Jackson Hewitt clients.
Mindful of the increasing body of cases that have refused to find damages in the mere breach of protective statutes, violations of privacy policies or unlawful disclosures of personal records, Ms. Pinero's attorneys alleged specific factual emotional, physical, and economic damages in their suit. Those damages weren't good enough under the applicable state law, according to U.S. District Judge Sarah Vance. Specifically, the judge found that the plaintiff suffered no direct pecuniary damage from the breach - a heightened risk of future loss or steps taken to mitigate that loss weren't enough under Louisiana law for a negligence or breach of contract claim.
Above and beyond my brief summary, the opinion is worth a read in greater detail. The judge's detailed discussion of the pleadings reveals much work on this case. The pleading drafters clearly went to great effort to avoid precisely this outcome, claiming damages of several types with a great deal of specificity and carefully formulating claims under a variety of different statutes and causes of action, including a Consumer Protection Act and database breach statute claim. Judge Vance addresses each claim and the surrounding caselaw in good detail as well, providing scant room for a reversal on appeal by leaving every issue addressed.
The takeaway? As Eric has worried in the past, there may be no effective customer legal recourse against companies that breach their privacy policies.
[Eric's comment: we've seen a long list of situations where plaintiffs suffered some privacy invasion but were unable to obtain any legal recourse. Ethan links to the JetBlue case (which remains remarkable to me to this day), and we've blogged on others as well (see, e.g., the Acxiom and Key cases). In general, I think these opinions have often reached a sensible and pragmatic result that a privacy invasion may lead to no tangible losses, so damage awards may overcompensate the victim or overdeter the defendant. However, providing no damages awards--especially when a company breaches its self-selected promises--may under-deter and reward companies for overpromising and underdelivering. This case seems especially odd because the complaint contained allegations of specific tangible harm. Maybe we don't believe the allegations, but normally they ought to be heard.
At the same time, I fear the policy-makers may overreact to this situation by creating statutory damages. Those solve one problem (the courts' balking at plaintiffs that have no obvious damage) but create another, (IMO) much bigger problem of motivating plaintiffs and their lawyers to engage in litigation frenzies with low-merit lawsuits. We've seen a lot of wasted motion in the spam context from people chasing statutory damages, and I shudder to think about the tax on our economy if we ever created a statutory damage for generalized privacy violations.]
Posted by Ethan Ackerman at 09:47 AM | Licensing/Contracts, Privacy/Security
January 22, 2009
Data Privacy Day at SCU Jan. 28: Erika Rottenberg, LinkedIn GC
By Eric Goldman
Please join us for this event being held in conjunction with the Data Privacy Day. Free admission and no RSVP required. Erika is a long-time colleague (dating back to our Cooley Godward days) and I'm very interested to hear how she sees the world from LinkedIn's perspective.
____________
"Protecting Personal Identities Online"
Erika Rottenberg
Vice President, General Counsel and Secretary of LinkedIn
January 28th
12:00 p.m. – 1:00 p.m.
Williman Room, Benson Center
Santa Clara University
Light lunch will be served
Part of the IT, Ethics & Law Colloquium Series cosponsored by the High Tech Law Institute; the Center for Science, Technology, & Society; and the Markkula Center for Applied Ethics.
On-line networking sites, such as LinkedIn, Facebook and MySpace, allow friends, acquaintances and/or professionals to connect and communicate with each other and have become an essential part of many people's daily lives. While most of these communications and interactions enrich our lives and enhance our business productivity, sometimes they can become problematic, especially when inappropriate or harmful information is published online. Erika Rottenberg, General Counsel of LinkedIn, a professional networking site with over 34 million members, representing 170 industries in 200 countries, will talk about opportunities and pitfalls posed by on-line networking sites and how we can be smart users of the sites. This will be a moderated discussion followed by an audience question and answer period.
About the speaker: Erika Rottenberg is Vice President, General Counsel and Secretary of LinkedIn, responsible for LinkedIn’s worldwide legal matters, including privacy. Prior to LinkedIn, Erika served as General Counsel for two public technology companies, providing valuable experience in dealing with the regulatory policies and challenges specific to technology-centric public companies. Most recently, Erika was Senior Vice President, General Counsel and Secretary, for Nasdaq-listed SumTotal Systems. Prior to SumTotal, Erika was Vice President, Strategic Development and General Counsel of Creative Labs, the company that brought multimedia to the PC with the Sound Blaster sound card. Erika received her law degree from Berkeley's Boalt School of Law and started her legal career at the Silicon Valley technology-based law firm of Cooley Godward.
Posted by Eric at 04:07 PM | Privacy/Security
January 16, 2009
AOL Loses Venue Selection Dispute in Ninth Circuit Due to an Unfortunate "Of"--Doe 1 v. AOL
By Eric Goldman
Doe 1 v. AOL LLC, 2009 WL 103657 (9th Cir. Jan. 16, 2009)
This is one of several lawsuits against AOL over AOL's 2006 posting of a database of improperly anonymized search queries. This particular lawsuit was brought by AOL members in California and alleges a variety of federal and state law claims against AOL.
AOL defended based on its venue selection clause in its member agreement, arguing that the contract required the lawsuit to be brought in Virginia. AOL has had a lot of success with its venue selection clause over the years, but it has had some prominent failures as well. One of those is America Online v. Superior Court (ex rel Mendoza) from 2001, in which a California appellate court struck down AOL's venue selection clause on public policy grounds because Virginia law did not provide adequate relief to California consumers--because, among other things, Virginia state courts do not permit class action lawsuits.
The Mendoza case was part of a broader judicial trend against online user agreements over the past decade. We've seen them fail for unconscionability, public policy and other reasons, making the successful drafting of such clauses tricky. Collectively, I think these cases have established pretty clearly that a venue selection clause designed to suppress class action lawsuits has a high risk of failure and, in California, is presumptively unenforceable.
What isn't clear to me is what, if anything, AOL did to modify its member agreement's venue selection clause in response to its Mendoza defeat. As a result, I can't tell if this court is interpreting the same contract language as was presented to the Mendoza court. But in all other respects this case is extremely similar to Mendoza: the plaintiff initiated a class action lawsuit in California, AOL defended on its venue selection clause to force the case back to Virginia, and the court is confronted with the public policy implications. Thus, if AOL did change its contract post-Mendoza, it didn't get the desired results, because it suffers another defeat here.
It appears that if the case could be heard in Virginia federal court, the class could form and the clause would not necessarily fail; but if the clause only permits Virginia state court, this is Mendoza redux and AOL loses. As a result, the court tries to figure out which venue the member agreement language specifies. AOL's agreement designates the exclusive venue as "the courts of Virginia." The court parses the grammar of the word "of" and looks at other precedent analyzing "the courts of [state]" and concludes that this language selects only Virginia state court. Because a California appellate court (the Mendoza court) had already said that Virginia state court isn't an acceptable choice for a putative class action of California consumers, the Ninth Circuit has no choice but to toss the venue selection clause.
This raises an obvious drafting point: courts are reading venue clauses specifying the venue as "state of X" to mean only state courts in the designated state, so don't use that grammar unless that's what you intend. I'm sure that most drafters using "state of X" language instead mean the parties can litigate in either federal or state court in that venue, but that's not the way courts are reading it. Accordingly, I think it would be prudent to avoid the "courts of X" grammar altogether, which isn't hard to do. Personally, I normally say "courts in X" (as opposed to "courts of X"). I would have to research the precedent interpreting that grammar (this case has made me a little nervous), but the "in" grammar should pretty clearly avoid the analysis in this Ninth Circuit opinion. Another alternative would be to expressly reference both federal and state courts as options; I've seen this language frequently, although I've previously thought that was unnecessarily wordy. Maybe it isn't.
Posted by Eric at 01:29 PM | Licensing/Contracts, Privacy/Security
January 08, 2009
December 2008 Quick Links, Part 2
By Eric Goldman
Social Networking Sites/Cyber-Bullying/Sexual Predation
* More on the Lori Drew conviction:
- Wired has a tough behind-the-scenes look at the Lori Drew jury deliberations.
- The jury instructions
- In case you missed it, my special three part series on implications of the Lori Drew conviction: Part 1, Part 2, and Part 3.
* Yet more fallout from the Lori Drew prosecution and conviction. Wired has a story on the cyberbullying litigation frenzy. The Washington Post has a recap on the proliferation of state anti-cyberbullying laws.
* U.S. v. Morris, 2008 WL 5101636 (7th Cir Dec. 5, 2008). Judge Posner talks about the difference between entrapment (not OK) and vigilantism (OK) in the context of a mom who created a fake MySpace persona to chat with an alleged sexual predator who had contacted her underage daughter.
* Facebook's policy on breast-feeding photos has sparked protests both online and off (1, 2, 3). It reminds me a bit of one of my first challenges as Epinions' general counsel. (search for Epinions).
* Barry Schwartz: is Google getting desperate for ad revenue?
* The Register: "Google this week admitted that its staff will pick and choose what appears in its search results." However, I don't think the article supports this aggressive statement. Instead, it appears the article is getting excited about the fact that Google manually tweaks the algorithms when they produce goofy results--something we've known for years.
* Updates on Axact v. Student Network Resources, the case involving alleged copyright infringement of term papers. Axact allegedly has been trying to get its domain name registrars to release its domain names for transfer, and SNR is trying to cut them off. Apparently Google also balked at the instructions to kick the subject domain names out of its index, but SNR and Google resolved their differences enough to reach a stipulation. Finally, I've received numerous threats and requests from Axact to modify my original post, which has prompted me to make some minor changes.
Marketing
* IMS Health v. Ayotte. New Hampshire passed a law restricting the use of a doctor's past prescribing practices (i.e., behavioral information) for personalized/targeted sales calls. This opinion upholds the NH law against a First Amendment and dormant Commerce Clause challenge.
* Australian advertisers are cookie-ing users at high CPM sites so that they can show the users targeted ads when those users appear at lower CPM sites.
* Sony busted for COPPA violations.
* New advertising medium: school exams.
Miscellaneous
* Good article on the Sprint v. Cogent peering fight.
* And a good article showing limits to the Long Tail theory.
* U.S. v. Grober, 2008 WL 5395768 (D. N.J. Dec. 22, 2008). Grober pleaded guilty to uploading and downloading child porn over the Internet. The judge rejects the 19 1/2 year minimum sentence specified by the Sentencing Guidelines and instead sentences Grober to the 5 year statutory minimum. This opinion poignantly explains why this judge, like several others, rejects the Sentencing Guidelines in Internet child porn cases because the dictated sentences are too severe.
* BusinessWeek is still amazed that people actually--get this--provide their time and efforts over the Internet without getting paid!
* Lior Strahilevitz, Reputation Nation: Law in an Era of Ubiquitous Personal Information, 102 Nw. U. L. Rev. 1667 (2008). Lior explores the cross-elasticities of demand for types of reputational information and shows that if some information isn't available (due to, say, privacy laws), decision-makers will consult less credible or pernicious sources. For example, if a landlord can't get good credit information about a prospective tenant, the landlord may resort to discriminatory considerations (like race) to decide whether or not to rent to the tenant. Good article.
* I have previously written about New York v. Synergy6, Inc., 404027/03 (N.Y. Sup. Ct. Jan. 6, 2006), where the court soundly rejected the New York Attorney General's office regarding a marketer's liability for allegedly illegal emails sent by downstream affiliates (i.e., not in direct privity). I have not been able to find a copy of the opinion electronically, but over the holidays I found my hard copy and scanned it to a PDF. Check it out, especially in combination with the 2008 New York v. DirectRevenue opinion, which soundly rejected the NYAG's affiliate liability arguments in the adware context.
Posted by Eric at 07:44 AM | Content Regulation, Copyright, Domain Names, Marketing, Privacy/Security, Search Engines
December 02, 2008
November 2008 Quick Links
By Eric Goldman
Trademark
* NYT: "A handful of new Web sites with names like Typo Bay and Typo Buddy are out to help shoppers save money by searching eBay for misspelled brand names." In 2005, I blogged that typographical errors are a significant issue for eBay's search engine.
* It's a bull market for Obama-related trademark filings and Obama merchandise.
* Domain name tasting down 84%?
* Wired: "Think Godzilla's Scary? Meet His Lawyers"
Copyright
* Reuters: "Instead of triggering the usual take-down notices, copyright-infringing footage of select MTV Networks programing uploaded by MySpace subscribers would be automatically redistributed with advertisements that would generate revenue for the companies." I'm interested to see how this system applies to fair uses of the works!
* Arista Records LLC v. Usenet.com, Inc., 2008 WL 4974823 (S.D.N.Y. Nov. 24, 2008). The court dismisses USENET.com's counterclaims for declaratory relief that it doesn't violate 17 USC 512 because the claims duplicate its affirmative defenses.
* James Grimmelmann does an excellent job parsing the Google Book Search settlement agreement and makes some sage recommendations for how it should be modified before court approval.
Advertising/Marketing
* The Google-Yahoo ad syndication deal is dead. Some behind-the-scenes discussions.
* I'm not sure about the implications of this, but Google is expanding its efforts to allow website and ad targeting based on automatic geographic detection. See my prior post about the future of geolocation and a bordered Internet.
* Good news: entrepreneurs want to authenticate children's ages to keep them out of online trouble. Bad news: entrepreneurs might use age authentication to hit the kids with targeted marketing.
* Classmates.com sued for misrepresenting that former school chums were actually looking to reconnect. Yet more pushback on bogus "X is looking for you!" ads.
47 USC 230
* The Supreme Court denied cert in Doe v. MySpace, 2008 WL 4218722. According to Tom O'Toole, this is the seventh time that the Supreme Court has denied cert in a 47 USC 230 case.
* It appears that Children of America v. Magedson has settled.
* The Santa Clara University community is having a catharsis about Juicy Campus.
* Dan Solove and I chatted with Doug Lichtman about social networking sites (asynchronously--I spoke with Doug after Dan had), with most of my conversation focusing on 47 USC 230. Doug edited the conversations together into a one-hour podcast entitled "Privacy in the Networked World." An added bonus for listening--you may be able to earn one hour of CLE FREE!
Spam
* Facebook v. Guerbuez. Facebook wins $873M default judgment under CAN-SPAM. Now, if Facebook could only collect any of this, they would have finally figured out a way to make money!
* Gordon v. SubscriberBASE Holdings, Inc., 2008 WL 4809833 (E.D. Wash. Oct. 31, 2008). Serial anti-spam plaintiff lost again on whether he has standing under CAN-SPAM.
* Evan Brown: Government spam filters do not deprive citizen of right to petition the government.
* Venkat: Unsolicited Marketing Extravaganza in the Ninth Circuit.
Miscellaneous
* eHarmony settles claim that it discriminates against gay singles.
* NYT: "almost five years into its expansion into Europe...Google is getting caught in a web of privacy laws that threaten its growth and the positive image it has cultivated as a company dedicated to doing good."
Posted by Eric at 09:47 AM | Copyright, Derivative Liability, Domain Names, Privacy/Security, Search Engines, Spam, Trademark
November 19, 2008
October 2008 Quick Links, Part 3
By Eric Goldman
Pornography
* Can you believe this? A 15 year old girl took nude photos of herself using her cellphone and sent the photos to her peers. She is now being prosecuted on child pornography charges. The girl's behavior sounds more like a cry for help than a criminal act.
* Judges are pushing back against online child porn downloading cases.
* PROTECT Our Children Act (S.1738). If I were a legislator, I would name all of my bills (regardless of substantive topic) “Protect Our Children Act” to ensure passage. Among other things, the law creates a new crime of “child pornography that is an adapted or modified depiction of an identifiable minor” (assuming this survives First Amendment scrutiny, no more photoshopping Miley Cyrus’ face onto a naked woman’s body). The law also modifies existing law to require websites and Internet access providers who find child porn on their network to forward it and other information to the CyberTipline operated by the National Center for Missing and Exploited Children.
Online Crimes
* Sarah Palin email hack indictment. Orin's comments.
* HR 5938. Congress amended the Computer Fraud & Abuse Act again to increase the penalties and criminalize conspiracies to violate the law.
* S 431, Keeping the Internet Devoid of Sexual Predators Act of 2008 or the 'KIDS Act of 2008'. Wired's critique. This law requires sex offenders to register their email addresses with a central database and then permits social networking sites to access the database and block registrations from the sex offenders. The most interesting aspect of the law is that it tries to define a social networking site as: “an Internet website (i) that allows users, through the creation of web pages or profiles or by other means, to provide information about themselves that is available to the public or to other users; and (ii) that offers a mechanism for communication with other users where such users are likely to include a substantial number of minors; and (iii) whose primary purpose is to facilitate online social interactions.” Is there any Web 2.0 site that does not qualify? Any wagers about how long it will take Congress to change this law to require social networking sites to block sex offenders’ email addresses rather than making it optional as this law states?
* State v. Ellison, 2008 WL 4531860 (Ohio App. Ct. Oct. 10, 2008). Two childhood friends have a falling out. One posts an allegation on her MySpace page that the other is a child molester. After the district court convicted her of harassment via a telecommunications device, the appellate court overturned the conviction because she lacked sufficient intent to harass.
Miscellaneous
* Ryan Haight Online Pharmacy Consumer Protection Act of 2008, HR 6353. “No controlled substance that is a prescription drug as determined under the Federal Food, Drug, and Cosmetic Act may be delivered, distributed, or dispensed by means of the Internet without a valid prescription.”
* Gotbaum ex rel. Gotbaum v. City of Phoenix, 2008 WL 4628675 (D. Ariz. Oct. 17, 2008). Malicious blog posts in local Phoenix blogs about a lawsuit aren't enough pre-trial publicity to warrant a change in venue.
* Bursac v. Suozzi, 2008 WL 4830541 (N.Y. Sup. Ct. Oct. 21, 2008). Online shaming of DWI suspects before conviction violates due process. Are you listening, FTC?
* Canadian court: linking to defamatory material is not defamation.
* In an attempt to forestall further movement on the Global Online Freedom Act, the search engines released a high concept statement on how they won’t help repressive regimes.
Posted by Eric at 10:03 AM | Content Regulation, Privacy/Security, Search Engines
November 18, 2008
October 2008 Quick Links, Part 2
By Eric Goldman
Spam
* Kramer v. Perez. An Iowa court awards $236M in damages in a spam case. Venkat's comments.
* After the government lost its jury trial against Impulse Media, the court denied Impulse Media attorneys' fees.
Contracts
* AT&T put its own emailed notice of amended contract terms into its spam folder. Whoops! Due to spam filters and other automated blocks, it is becoming almost impossible for websites to communicate with their users by email.
* An estimate of the massive "tax" imposed on consumers by reading privacy policies. Of course the financial drain is overstated because many people make a rational decision not to read every privacy policy, plus not every person has to read a privacy policy for marketplace responses to be effective.
* The Blizzard v. MDY WOWGlider case has reached a stipulated damages amount of $6M.
* Pulaski & Middleman, LLC v. Google Inc., 5:2008cv03888 (N.D. Cal. complaint filed August 14, 2008). The Justia page. Yet another me-too lawsuit against Google over serving ads to parked domains and error pages.
* An Israeli GPL enforcement action settled.
Trademarks/Domain Names
* Kentucky v. 141 Domain Names. Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name. More recently, the seizure was stayed.
* Speaking of inappropriate seizures, the Feds are trying to seize the trademarks of the Mongols motorcycle group. DOJ press release. LA Times article.
* Best Western Intern., Inc. v. Doe, 2008 WL 4630313 (D. Ariz. Oct. 20, 2008). Prior blog post in this case. The judge is losing patience: "These filings are wasteful in the extreme. The Court is not a forum for the parties to expend every possible dollar seeking to litigate every conceivable issue, no matter how insubstantial. The Court will no longer tolerate the excesses of this case."
* The Verizon v. Navigation Catalyst Systems domainer lawsuit settled.
* 50 Cent brings yet another questionable lawsuit. (1, 2).
Advertising
* Goddard v. Google Inc., 2008 WL 4542792 (N.D. Cal. Oct. 10, 2008). The case against Google for deceptive mobile phone ads will stay in federal court.
* Eyeblaster, Inc. v. Federal Insurance Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008). This is a collateral lawsuit to Sefton v. Eyeblaster alleging that Eyeblaster distributed spyware. Eyeblaster tendered the claim to its insurer. This court holds that the CGL policy doesn't apply because the claim relates to software problems, not physical damage to the users' computers. Further the E&O policy doesn't apply because Sefton alleges that Eyeblaster intentionally installed the spyware, bumping Eyeblaster into one of the policy's exclusions.
* Are consumers becoming more tolerant of pop-up ads? For more on consumer acceptance of new advertising formats, see here.
* A big damages award in NetQuote v. Byrd.
Posted by Eric at 06:42 AM | Adware/Spyware, Domain Names, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Spam, Trademark
October 14, 2008
September 2008 Quick Links, Part 3
By Eric Goldman
eBay
* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.
* Windsor Auctions v. eBay has been refiled in a new jurisdiction.
* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal’s user agreement.
* A company's failure in the marketplace can drive up the value of its collectibles on eBay.
* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google’s long-time chief trademark counsel, is the lucky substitute.
* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google’s advocacy website. Google Chief Economist Hal Varian explains why the deal won’t raise ad prices in the auction. Randall Stross weighs in.
* Google has changed course and now allows religious groups to advertise on the keyword “abortion.”
* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):
I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.
Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.
Marketing/Advertising
* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.
* Is Gator/Claria dead?
* The EU passed a non-binding resolution against sexual stereotypes in advertising.
* Celebrity branded merchandise run amok.
Miscellaneous
* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley’s Terms of Use paper.
* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.
* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?
* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.
* Interesting article on ESPN’s exclusive distribution and bundling agreements with Internet access providers.
* Silly? Horrifying? A sign of the apocalypse?
Posted by Eric at 06:17 PM | Adware/Spyware, Content Regulation, Derivative Liability, E-Commerce, Internet History, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Spam
September 02, 2008
eBay Cracks Down on Cookie Stuffing--eBay v. Digital Point Solutions
By Eric Goldman
eBay, Inc. v. Digital Point Solutions, No. 5:08-cv-04052-PVT (N.D. Cal. complaint filed Aug. 25, 2008)
It is exceedingly rare for marketers to sue affiliates who are trying to game their affiliate programs. I'm sure there have been other lawsuits, but frankly I'm drawing a blank. (The only relevant precedent that came to mind was Google's tepid enforcement actions in 2004/2005 against click frauders--see Google v. Auction Experts and US v. Bradley). [Update: A reader reminded me of Lands' End v. Remy, which is an on-point precedent.] The more typical remedy when commission fraud is taking place is to cancel any unpaid commissions and write off the rest as a cost of doing business (or an uncollectible painful lesson). But if someone gamed the system big--I mean, really big--maybe it would be worth hiring fancy and very high-priced counsel to go see what they might be able to retrieve...
eBay isn't saying how much it got taken for by the defendants in the case. The complaint was conspicuously silent on that juicy detail. However, the amount appears to be enough that eBay hired the premium law firm O'Melveny & Myers for a glorified collections effort. Either that, or eBay has decided to send a remarkably expensive message to other potential fraudsters.
The complaint alleges that the defendants engaged in a cookie stuffing campaign to hijack commissions through Commission Junction. Cookie stuffing occurs when a fraudster places a cookie on a third party computer that will cause the fraudster to get paid a commission that the fraudster didn't earn legitimately by doing the things that the marketer wanted to pay for. In this case, eBay alleges that the defendants used a clever technical exploit to put cookies on users' computers even though the users had not seen the requisite ads. The complaint also alleges that the defendants deployed some tricks to cover their tracks, like deliberately not cookie-ing computers in San Jose and Santa Barbara, the homes of eBay and Commission Junction respectively, to keep employees of those companies from spotting the marauding cookies.
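The two behaviors alleged above (cookies set without the user having seen or clicked the requisite ad, and deliberate avoidance of San Jose and Santa Barbara) both leave traces a tracking network can look for. The following is an added example, not from the complaint, eBay or Commission Junction; the log fields, affiliate IDs, thresholds and sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict

CLICK_WINDOW = 30  # assumed: seconds allowed between a logged ad click and the cookie set


def build_sample():
    """Constructed sample logs; affiliate IDs, users and cities are made up."""
    clicks, cookies = [], []
    cities = ["San Jose", "Santa Barbara", "Denver", "Austin"]
    # aff-legit: every cookie set follows a logged click, spread over all cities
    for i in range(20):
        t = 1000 + i * 60
        clicks.append({"affiliate": "aff-legit", "user": f"u{i}", "ts": t})
        cookies.append({"affiliate": "aff-legit", "user": f"u{i}", "ts": t + 2,
                        "city": cities[i % 4]})
    # aff-suspect: 60 cookie sets, only 3 preceded by a click, none from two cities
    for i in range(60):
        t = 5000 + i * 10
        if i < 3:
            clicks.append({"affiliate": "aff-suspect", "user": f"v{i}", "ts": t - 5})
        cookies.append({"affiliate": "aff-suspect", "user": f"v{i}", "ts": t,
                        "city": ["Denver", "Austin"][i % 2]})
    return clicks, cookies


def unearned_rate(clicks, cookies, window=CLICK_WINDOW):
    """Per affiliate: share of cookie sets with no logged click shortly before."""
    click_times = defaultdict(list)
    for c in clicks:
        click_times[(c["affiliate"], c["user"])].append(c["ts"])
    total, unearned = Counter(), Counter()
    for k in cookies:
        total[k["affiliate"]] += 1
        times = click_times.get((k["affiliate"], k["user"]), [])
        if not any(0 <= k["ts"] - t <= window for t in times):
            unearned[k["affiliate"]] += 1
    return {a: unearned[a] / total[a] for a in total}


def geo_gaps(cookies, min_expected=5.0):
    """Per affiliate: cities with zero cookie sets although the other affiliates'
    traffic mix predicts at least `min_expected` sets from that city."""
    by_aff = defaultdict(Counter)
    for k in cookies:
        by_aff[k["affiliate"]][k["city"]] += 1
    gaps = {}
    for aff, seen in by_aff.items():
        others = Counter()
        for other, counts in by_aff.items():
            if other != aff:
                others.update(counts)
        n_others, n_aff = sum(others.values()), sum(seen.values())
        if n_others == 0:  # no baseline to compare against
            gaps[aff] = []
            continue
        gaps[aff] = sorted(city for city, n in others.items()
                           if seen[city] == 0 and n / n_others * n_aff >= min_expected)
    return gaps


def flag_affiliates(clicks, cookies, max_unearned=0.2):
    """Affiliates worth a manual review: many clickless cookies or geographic holes."""
    rates, gaps = unearned_rate(clicks, cookies), geo_gaps(cookies)
    return {a: {"unearned_rate": round(rates[a], 2), "geo_gaps": gaps[a]}
            for a in rates if rates[a] > max_unearned or gaps[a]}


if __name__ == "__main__":
    print(flag_affiliates(*build_sample()))
```

Neither signal proves fraud on its own; a regional affiliate legitimately has geographic holes, so the output is a review queue rather than a verdict.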
If in fact the defendants engaged in cookie stuffing, I hope eBay nails them. However, I must say that some of eBay's legal arguments made me nervous. eBay's alleged causes of action include:
* CFAA (18 USC 1030). The allegation is that presenting a bogus cookie to eBay's servers was a misuse of the servers. Hmm...
* fraud. Similarly, the allegation is that the defendants caused web users to make a misrepresentation to eBay's servers by presenting a bogus cookie. Hmm again...
* CA Penal Code 502. There are very few cases interpreting 502, which isn't necessarily a bad thing because the statute is so broadly over-inclusive that everyone violates it routinely. Here, it looks like the lawyers weren't quite sure how to fit cookie stuffing into the statute. Take a look at para. 60 and let me know if you agree that this is an odd pleading.
* a civil RICO conspiracy claim. Given that eBay is being sued for RICO claims in the Mazur case (and, I'm sure, others), I would think eBay would want to avoid building new legal precedent that could be applied against them in other cases.
Reading the list of causes of action, I was surprised that there wasn't a more squarely applicable cause of action that governed cookie stuffing (however, I will confess, none came to mind as I drafted this post). Maybe this is due to the fact that eBay rather than Commission Junction is the plaintiff. If there isn't a better cause of action, then perhaps there is a hole in the law. However, I'm keeping my fingers crossed that a judge won't bastardize existing legal doctrines to plug it.
Posted by Eric at 09:23 AM | Licensing/Contracts, Marketing, Privacy/Security
July 24, 2008
Relevancy Trumps Creepiness, and Some Thoughts About Behavioral Targeting
By Eric Goldman
On Monday I spoke on a panel at OMMA Behavioral. See the MediaPost recaps (1, 2, 3, 4). The crowd was buzzing about Dave Morgan's earlier remarks (which I didn't hear) that behavioral targeting is "creepy," and throughout our panel discussion, any enthusiasm expressed about behavioral targeting was tempered by creepiness concerns.
I can understand this reaction, at least a little. When I was younger and first learned about the many tricks of marketer targeting, I was initially aghast at the seeming intrusion. They can't do that, I thought.
As regular readers know, I've outgrown those sentiments. Now, I really don't care what the machines know about me. And if the machines can figure out how to better cater to my interests and reduce the spam in my life, then I'm all for it.
At the same time, I think this latter observation suggests my real problem with behavioral targeting. There will always be some privacy diehards who will object to machine monitoring of their behavior on principle, but most people will be receptive (even after they get through the initial shock about behavioral tracking) if the targeting improves the user or consumer experience. Demonstrate to consumers that behavioral targeting gives them better results, and it's an easy sale. Relevancy trumps creepiness.
But I haven't seen any evidence that behavioral targeting has produced these payoffs (or, for that matter, any meaningful payoffs) for consumers yet. Current behavioral targeting practices might give marketers a little conversion lift compared to other targeting solutions (or not), but they have done little to change the overall fact that ads remain poorly targeted and crummy, and consumers still have plenty of incentives to treat ads as the pain to avoid through ad blindness or technology.
At this point, I'm still wondering if and when behavioral targeting will deliver on its theoretical promise. Sure, we can find excuses for the crummy user experiences today--the technology is still being developed, it's hard to get useful datasets (more on that in a moment)--but those excuses only go so far, and they will wear thin quickly. For behavioral targeting to really be a game-changer, it needs to deliver dramatically improved ad relevancy for consumers, and we're far from that ideal point.
I've argued before that for behavioral targeting to work, the marketer needs a comprehensive dataset about the consumer. Accordingly, a marketer--even an ad network--that relies solely on data collected from a consumer's interaction with web servers simply can't see enough data about the consumer to achieve a sufficient level of relevancy for the consumer. My paradigmatic example: no matter how much Amazon knows about my purchases from it and my browsing habits on its site, they still don't know if I bought a book from someone else unless I tell them (and I have no reason to tell Amazon what books I buy elsewhere).
This is why I'm so intrigued by the Internet access provider-level targeting exemplified by Phorm and NebuAd. In theory, they get access to much better datasets than web server-level targeters. If I browsed for a book on Amazon but I bought the book at barnesandnoble.com, the Internet access provider can know this while neither Amazon nor B&N will know about my interactions with the other vendor.
For this reason, I've been quietly bemused by the legal fracas over Phorm and NebuAd's practices. Don't get me wrong--although the analysis is intensely fact-specific and I don't have all the facts, I have serious concerns about the legality of their practices. But from my perspective, the battles over the legality of Phorm and NebuAd are a smokescreen for the real issue, which is that marketers who have only server-level data don't want to compete against someone who has a better dataset than them. So expect plenty of continued fireworks over Phorm and NebuAd, but don't kid yourself that it's only the privacy advocates beating up on them.
Posted by Eric at 02:05 PM | Marketing, Privacy/Security
July 01, 2008
June 2008 Quick Links
By Eric Goldman
Trademarks/Domain Names
* Utah Lighthouse Ministry v. Foundation for Apologetic Information and Research, 2008 WL 22043807 (10th Cir. May 29, 2008). CMLP writeup. Nice 10th Circuit win for a gripe site against trademark infringement and cybersquatting. This case, plus the SKI VAIL case, indicate that the 10th Circuit is making progress undoing the harm it created in the Australian Gold v. Hatfield case.
* Georgia has a new anti-phishing law (16-9-109.1) that acts as a para-trademark law. See my comments on the analogous California anti-phishing law.
* After initiating a trademark lawsuit against a consumer review site and soundly losing in court, Lifestyle Lift paid $17,500 to settle its own lawsuit and avoid claims for legal fees under Rule 11 and the Lanham Act.
* Marty reports on a German case saying that white-text-on-a-white-background is a trademark use.
* Update on the battle over the trademark registration for "SEO."
* Will TLD proliferation lead to a new open era in domain name administration, or will the resulting anarchy just reinforce that top search engine placement is the really important online real estate? It seems like the currently limited number of TLDs has some benefits from a bounded rationality standpoint, and those benefits will be lost in a cacophony of unknown TLDs.
Patents
* My colleague Colleen Chien has posted "Patently Protectionist? An Empirical Analysis of Patent Cases at the International Trade Commission" (forthcoming William & Mary Law Review). She empirically demonstrates that the ITC mostly involves disputes between two domestic litigants, making it a redundant battleground with federal district court but nevertheless an attractive venue for plaintiffs due to a number of procedural advantages. She makes a number of recommendations to eliminate the litigation gamesmanship offered by having parallel venues. Check it out.
Search Engines
* Udi Manber, chief algorithm keeper for Google, reiterates why it's silly for lawyers and judges to put too much legal emphasis on the relative placement of search engine results, saying "it's definitely the case that if you do the same search on a different cluster, you may get slightly different results at a given time. It's also the case that if you do the same search on different days you may get different results, because some of the results are things we indexed five minutes ago."
(Over)Regulation
* In response to an enforcement effort by the NY AG's office, several Internet access providers have blocked access to newsgroups that are putatively sources of child pornography. See the NYT story and the NY AG press release. In practice, this means wholesale takedowns of newsgroups that may have nothing to do with child porn. For example, Verizon is killing all USENET hierarchies except comp.*, misc.*, news.*, rec.*, sci.*, soc.*, and talk.*. Wired suggests this is the death of online intermediary freedom as conceptualized in 47 USC 230. Of course, 230 never protected intermediaries from criminal exposure for child porn, and this isn't the first time that an access provider has knuckled under to the NY AG's office. See the BuffNet enforcement action from 2001.
* Ohm, Paul. The myth of the superuser: fear, risk, and harm online. 41 UC Davis L. Rev. 1327-1402 (2008). A neat article on how regulators manufacture a fake bogeyman, the unbeatable "superuser," as a justification for expansive regulatory power.
* No evidence that data breach disclosure laws actually help reduce identity theft. Surprised?
* The FTC wants civil enforcement authority for spyware actions. Haven't they heard that the adware battle is already over...and they won?
Contracts
* Mark Radcliffe expresses concern about the ALI's proposed software licensing project on open source licenses.
* Sarah Bird on a messy contract lawsuit involving an SEO contractor.
Anonymity
* Tendler v. www.jewishsurvivors.blogspot.com, 2008 WL 2352497 (Cal. App. Ct. June 10, 2008). A subpoena request to identify a blogger doesn't support an anti-SLAPP cause of action.
* In the AutoAdmit lawsuit, Doe 21's motions to quash the subpoena and proceed anonymously were both denied. David Hoffman provides an update on the case.
Event Tickets
* Chicago has moved against eBay for reselling tickets in violation of its amusement tax law.
* The Ticketmaster v. RMG case ended with a default judgment granting a permanent injunction and $18.2M in damages.
General
* Vanity Fair: How the Web Was Won.
* Paul Levy blogs about a plaintiff's effort to bypass 230 by suing the authors of complaints about the vendor and then joining the consumer complaint site as a necessary party as a cost-increasing tactic.
* BusinessWeek on emerging technological tools to protect workers' attention against unwanted/untimely interruptions.
* Text message-savvy kids educate the North Carolina DMV about the meaning of the term "WTF," which was used on a license plate example on the DMV's website.
* I have one free pass to OMMA Behavioral in San Francisco July 21. First person to send me an email asking for the pass gets it.
Posted by Eric at 12:32 PM | Adware/Spyware, Content Regulation, Derivative Liability, Domain Names, E-Commerce, Internet History, Licensing/Contracts, Marketing, Patents, Privacy/Security, Search Engines, Trademark
June 04, 2008
Google Sued for Running Ads for "Fraudulent Mobile Subscription Services"--Goddard v. Google
By Eric Goldman
Goddard v. Google, Inc., Case No. 108CV111658 (Cal. Super. Ct. complaint dated April 30, 2008). Google's notice of removal to federal court C08 02738 (N.D. Cal. removal notice dated May 30, 2008). [warning: 1.5MB file. Google's notice contains a copy of the original complaint.]
Cyberlaw is filled with examples of plaintiffs suing the wrong defendant for perceived transgressions committed by someone else. Today's misdirected lawsuit involves "fraudulent mobile subscription services," which are optional third party services for cellphones (such as ringtones) that are charged on a periodic basis. The plaintiffs in this putative class action lawsuit feel like they got fleeced by providers of these subscription services. If they did, I hope they get appropriate redress from the wrongdoing vendors. But instead of suing the allegedly fraudulent vendors, the plaintiffs think Google should cover the losses for the sole reason that Google ran ads for the services. The argument goes as follows:
* Google has an express policy requiring mobile service providers to disclose certain info to consumers about their practices
* Google deliberately does not enforce this policy (or inadequately enforces it) to enjoy undeserved cash
* As a result, Google should stand behind all of the losses committed by its advertisers
There are some obvious problems with this argument. First, it's a gross example of cyberspace exceptionalism. An analogy might be that dead-trees newspapers should stand behind any losses suffered by readers who transact with newspaper advertisers. Sounds ridiculous? It does to me, whether the publisher is online or off.
Second, this argument ought to be clearly, squarely and soundly trumped by 47 USC 230. eBay has won on this exact point when plaintiffs have tried to hold it liable for accepting advertising (in the form of listings) for fraudulent products (at minimum, the Gentry case involving fake sports memorabilia seems apropos). The recent Doe v. MySpace case is also analogous, because the plaintiffs were trying to hold MySpace liable under a "premises liability" theory for tortious activity that took place outside of its premises. Either way, if Google's sole role in the process was publishing third party ads, it's not liable per 230.
It's not clear if the plaintiffs know about 230 or think it applies to this case, but they made two arguments that could be used to argue around 230. First, they allege that Google helped write the ad copy. I'm still not sure if this allegation actually is enough to hold Google liable for downstream fraud, but unless Google actually wrote the copy itself, it's not liable for third party ads even if it helped edit them or prescreened them (see Ramey v. Darkside Productions).
Second, they try to argue that Google's contract with its advertisers describing minimum standards for mobile service vendors running Google ads is an express marketing representation that binds Google for any breaches by the advertiser. By anchoring the claim in false advertising, the allegation might be designed to take advantage of the Mazur v. eBay exclusion to 230. However, treating contractual restrictions with a third party as affirmative representations to consumers is the exact same analytical error made by the New Jersey Attorney General's office in the JuicyCampus investigation, and the error is no less baffling here. I remain surprised that bright lawyers so fundamentally misunderstand the interaction between contract and false advertising law.
There's one more twist to this lawsuit that merits discussion. As a predicate harm for some of its claims, the plaintiffs argue that their cellphones are computers under the Computer Fraud & Abuse Act (CFAA) and the vendor's confirmatory text messages (required to authorize the service) are unauthorized accesses of a protected computer under the CFAA. I'm not really sure what to make of this theory, but I'm pretty sure it's novel (not necessarily in a good way). I'm OK with treating at least some cellphones as computers under the statutory definition, although this would expand the CFAA's reach quite a bit, but I think it would be highly problematic to treat text messages to a cellphone as an unauthorized access. And even if we did that, I still don't see how Google is responsible for the violation.
(For kicks, there is an analogous claim that Google aided and abetted the vendors' trespass to chattel of the cellphones).
One more thing: this interpretation of the CFAA follows the DOJ's recent attempt to treat breaches of a website's user agreement as a criminal CFAA violation in the Lori Drew prosecution. Given these crazy expansive CFAA claims, it may be time to rethink that statute.
Posted by Eric at 08:20 AM | Derivative Liability, Marketing, Privacy/Security, Search Engines
June 03, 2008
May 2008 Quick Links, Part 2
By Eric Goldman
Copyright
* Google says it isn't settling the Viacom lawsuit (I don't believe it).
* Interesting juxtaposition: (1) Chronicle of Higher Education: How It Does It: The RIAA Explains How It Catches Alleged Music Pirates and (2) BusinessWeek ran a lengthy retrospective on Tanya Andersen's battle against the RIAA, including her beefs against the RIAA’s investigation and enforcement tactics.
* A music warez trader was convicted by a jury of criminal copyright infringement.
Online Contracts
* Juanda Lowder Daniel. Virtually mature: examining the policy of minors' incapacity to contract through the cyberscope. 43 Gonz. L. Rev. 239-269 (2007/08). This article addresses the very important issue of contracting capacity of minors. See my most recent post on that topic.
* Adelman v. Sparks Network (Cal. App. Ct. May 20, 2008). The Jdate online dating service allegedly failed to include required language (such as notice of a mandatory cooling-off period) in its user agreement. The court dismisses the plaintiff's lawsuit nonetheless because he was a happy customer who didn't suffer any damage.
* Tom O'Toole surveys some recent online contract cases. He offers the following conclusions: (1) Contract Terms Should Be Available for Review, (2) Clickable Buttons/Links Should Clearly Signal Assent, and (3) Humans Are Not Helpful.
* I realize this point would be better explored in a full blog post, and I suspect this point has been made in the academic literature (if so, I'd appreciate some cites so I can pass them along). The issue: how might the endowment effect explain consumer antipathy towards EULAs? Wikipedia says the endowment effect means that "people value a good or service more once their property right to it has been established." This observation occurred to me when I attended a ridiculously stacked panel at the ION Game Conference on "user rights" in virtual worlds. Many of the gripes/grumbles related to very common EULA provisions that simply overrode default law. It occurred to me that maybe part of the problem was that consumers assume the defaults are appropriate rights allocations granting them the "property" right, in which case they suffer a greater psychological loss when those defaults are varied than if different defaults were set. One obvious policy consequence: as part of the considerations when setting defaults, policy makers should include the psychological costs of varying the defaults. If the interaction between EULAs and the endowment effect hasn't been written about, it would make an excellent paper topic.
Other Topics
* A military court has said that distributing a hyperlink to child porn does not constitute criminal distribution of child porn. Tom O'Toole explains the situation.
* A.B. v. State, 2008 WL 2031388 (Ind. May 13, 2008). It seems like the digital age recipe for guaranteed trouble: 8th grader + hatred towards a school principal + MySpace. How many judicial cases are we going to see with this combination? This one involves some mean-spirited and profanity-laced comments about her principal made by a 14 year old girl on a private MySpace page accessible only by 26 students. The principal saw it only because one of the students gave a printout to the principal. The court concludes that posting to a private MySpace page doesn't satisfy the criminal standards of "intent to harass, annoy, or alarm" via the Internet.
* Doe v. Friendfinder Network, Inc., 2008 WL 2001745 (D.N.H. May 8, 2008). The court denied the plaintiff's motion for reconsideration on Friendfinder's 230 eligibility for the statement "Sorry, this member has removed his/her profile."
* Another "where are they now?" retrospective on dot com boom companies, ironically running in the Industry Standard (which wiped out in the dot com bust itself).
Posted by Eric at 11:56 AM | Content Regulation, Copyright, Derivative Liability, Internet History, Licensing/Contracts, Privacy/Security, Virtual Worlds
May 23, 2008
Lori Drew Prosecuted for CFAA Violations--Some Comments, and a Practice Pointer
By Eric Goldman
Before I get started, let me first say that my heart goes out to Megan Meier's family. They have suffered a devastating tragedy, and I cannot possibly fathom the pain they must feel. As a result, I feel a little awkward blogging on the situation because I fear my words could be misinterpreted as some sign of disrespect or lack of empathy towards the family. I definitely don't intend that.
I have also passed on blogging about Megan Meier's suicide because, until recently, I didn’t think it raised a real cyberspace issue. Assuming the publicized facts are true, MySpace played a crucial role in mediating the communications between Drew and Meier, but Drew's ruse could have been perpetrated using a variety of communication media. Indeed, for millennia (and well before the Internet), people have been sending false messages to each other as part of some manipulative effort (Les Liaisons Dangereuses comes to mind, but we could find countless other examples). The fact that Drew chose MySpace for her scheme has always struck me as uninteresting at best. I recognize that perhaps MySpace made it easier for Drew to pull off her ruse, and perhaps Meier attached more credibility to MySpace messages than she would have attached to messages delivered in other media. But given that people can do serious harm to other people using many different types of communications media, I think it's a mistake to treat this tragedy as a source of profound insight into the nature of cyberbullying or the evils of cyberspace.
Despite this, we know that a high-profile situation like this will spur overreactions. Of most interest for this blog post is last week's federal indictment of Lori Drew for crimes predicated (at their core) on violations of the Computer Fraud and Abuse Act (CFAA). See the indictment. The CFAA violation putatively occurred because MySpace's user agreement required users to:
* provide accurate registration information
* not use information obtained from MySpace to harass or abuse others
* not solicit information from kids
* not promote false/misleading information
* not promote abusive or threatening conduct
* not post photos of third parties without their consent
Allegedly, Lori Drew breached the user agreement by failing to follow these provisions; and by breaching the user agreement, she made an unauthorized criminal use of MySpace's servers.
In the civil context, plaintiffs frequently use the CFAA to attack a defendant's server usage in violation of a site's user agreement. However, as far as I (and Orin) know, this is the first time the DOJ has tried to treat a user's breach of a site's user agreement as a CFAA crime. Not only is this theory potentially unsupported by the law (see, e.g., Orin Kerr and Dan Solove), but it puts almost all of us at risk of federal prosecution (see, e.g., Wired and the AP). Implicitly, the DOJ is saying that breaching a user agreement to provide false registration to a website or post a third party's photo without permission can be a federal crime. If you have never done any of these activities, please email me so I can send you some angel wings. For the rest of us, the DOJ seems to think that we should avoid the Big House only out of their sheer grace.
Also, though Drew's actions may have been heinous, her alleged breaches of the MySpace user agreement were, to be as charitable as possible, chickenscratch. Most websites like MySpace include contractual restrictions like the ones at issue simply to preserve their ability to kick off troublesome users at their discretion--not to put every non-conforming user at risk of looking down the barrel of an FBI agent's .45.
As a result, the DOJ prosecutors appear to be trying to make the MySpace user agreement do more work than it was designed to do. In that respect, I see this case as part of a broader trend where government enforcement agencies are misreading and misusing website user agreements. Consider two other very recent examples of government folks attaching undue emphasis to restrictions in website user agreements:
* the New Jersey Attorney General's office apparently misread restrictions in JuicyCampus' user agreement to think they should constitute affirmative marketing representations
* Joe Lieberman thinks YouTube should wipe terrorist videos off its site because its community guidelines discourage users from posting violent videos
This disturbing trend prompts me to offer a practice pointer to those of you who draft user agreements. Many user agreements—including MySpace’s—have gotten bloated with lengthy lists of restrictive rules (a manifestation of the rule proliferation phenomenon I blogged about here). It's pretty clear to me that government enforcement actors, either because of their fundamental misunderstanding of contract law or for their own self-aggrandizement, will treat these restrictions as expectations that the conduct won't occur on the site. But because most websites don't proactively enforce the restrictions they announce, this sets up a mismatch between rules and actual behavior—a mismatch that enforcers appear all too happy to exploit.
Therefore, I think it is better practice for contract-drafters to rely more heavily on general restrictive clauses in website user agreements (e.g., "we can kick you off at our convenience") than on overly detailed/specific but underenforced lists of restrictions. I know this stance runs contrary to the prevailing sentiment among most Cyberlawyers, who seem to believe that for every bad user behavior, it's easy enough to add a new contract prohibition that putatively eliminates the problem. But if the contracts are being misread, rule proliferation may be doing more long-term harm than good.
Posted by Eric at 05:49 PM | Content Regulation, Licensing/Contracts, Privacy/Security
April 23, 2008
Online Advertising Conference Recap
By Eric Goldman
Last Friday, the High Tech Law Institute and the Berkeley Center for Law & Technology co-sponsored the Law & Business of Online Advertising conference. We had first-rate panelists and an enthusiastic audience of over 100 attendees. Rebecca blogged the event (tutorials, consumer issues, publisher issues, advertiser issues) and Sarah Bird posted her own recap. My understanding is that BCLT will post the audio from the conference to the conference website in the near future.
I'm going to focus my recap on just three of the talks.
_____
Joel Winston from the FTC (speaking for himself, not on behalf of the commission) spoke on the consumer issues panel. He said that consumers have a feeling of lack of control on the Internet. He thinks that consumers are generally aware of online tracking, but the tracking process is opaque, and consumers don't understand the future implications for use and disclosure of the tracked data. Surveys say that most consumers think tracking shouldn't be done at all or should be governed by an opt-in or opt-out process. Many people like targeted ads but they are worried about other uses of the data, such as security breaches, government misuse and secondary uses.
So consumers want transparency and control, and trust is the key. Adults are concerned about posting data online but kids will post very intimate details online. People don't understand the privacy tradeoffs, such as the connection between targeted ads and free content. And transparency isn't working when consumers don't read privacy policies. Self-regulation is the right approach, but the FTC will step in to protect consumers.
The FTC's behavioral principles:
* transparency and control
* reasonable security and limited data retention
* express consent for material changes to a privacy policy
* express consent to use sensitive data.
_____
Mark Cooper spoke about an interesting new paper he's working on. He starts with the premise that everyone hates "interruption marketing" such as TV ads: consumers hate TV ads (interruptive) and advertisers hate TV ads (can't measure efficacy). In contrast, he thinks newspaper ads are clearly better because they are easy to skip, easy to store and contain more useful information. [Eric's note: Mark is making a highly stylized argument. I explored the relative merits of different ad media in this paper.]
He thinks online advertising can improve on interruption marketing because the Internet is a two way conversation, not push marketing. He outlined 4 dimensions to measure the acceptability of advertising:
* influence. Online advertisers don't create audiences, they chase audiences created for them.
* intrusiveness. Online advertising isn't in the "middle of content." [Sounds like Mark has never experienced an unconsented adware install...and I'm not sure how he'd explain spam in one's in-box...] But he worries that data collection may be more intrusive than other media.
* ubiquity. I think he argued that online advertisers don't devote as much on-the-page real estate to ads as newspapers do. [Sounds like he's never been to a domainer's website...]
* efficiency (delivery of useful information). The cost of online advertising is less than TV, which expands the market for advertisers. This also facilitates the creation of hyper-niche content sites.
Despite some of the benefits of online advertising, he worries about how much information he needs to give up to get these improvements. He thinks behavioral targeting and tracking is inherently deceptive but in-session contextual advertising is OK, and informed consent may be OK.
[Eric's comments:
* I'm not sure the four dimensions he uses are the right dimensions to measure advertising
* His arguments relied on a number of assumptions that aren't very robust, which limits the extensibility of his analysis.
* I think the statement that behavioral tracking is inherently deceptive must be overstated for rhetorical emphasis. Otherwise, I don't think that statement stands up to critical scrutiny.
* I argue (in great/excessive detail) that some types of behavioral targeting are both good and inevitable in this paper.]
_____
Rebecca Tushnet spoke on intermediary liability. She made two main points:
1) Intermediaries aren't good representatives of the speakers who they facilitate because the intermediaries are adverse to their users. Ex: the 512 notice-and-takedown provisions, Google's policy on TMs in ad copy.
2) There is pressure to move away from a robust interpretation of 47 USC 230. Ex: Roommates.com, the recent Adult Friendfinder case (which I hope to blog on soon) and the Quiznos case.
She thinks there may be merit to looking at the New York Times v. Sullivan case, which people sometimes forget is an advertising case (i.e., the plaintiff was trying to hold the newspaper liable for ad copy supplied by an advertiser). The newspaper wasn't liable in that case unless it had actual malice about the definition--a very high scienter bar. Perhaps the actual malice standard could be more widely used in the online context; among other benefits, notice alone wouldn't create liability.
Posted by Eric at 09:06 AM | Derivative Liability, Marketing, Privacy/Security
April 22, 2008
March 2008 Quick Links, Part II
By Eric Goldman
Copyright
* A lot of action on whether “making available” a file in a P2P share directory is copyright infringement, including Elektra v. Barker and London-Sire v. Doe. Patry summarizes the action.
* Ticketmaster L.L.C. v. RMG Technologies, Inc., 2008 WL 649788 (C.D. Cal. March 10, 2008). Copyright misuse is not an independent cause of action; it's only a defense. HT Evan Brown.
* A student asked me a good Q that I couldn't answer. Given that copyright work transfers are subject to the risk of a non-waivable termination of transfer 35-40 years after the transfer, how do companies account for that risk on their financial statements?
* A man whose YouTube video was taken down by lawyers for Van Morrison strikes back with a new video: "The Lawyers Pulled My Video Down."
Trademark
* The Utah governor signed SB 151, the repeal of the Utah Trademark Protection Act.
* Wilson v. Yahoo! UK Ltd., No. 1HC 710/07, Feb. 20, 2008. A UK court says that buying the broad-matched keyword "spicy" does not constitute an actionable use in commerce of the trademark "Mr. Spicy." In response, Google liberalized its keyword policy in the UK and Ireland to match its US and Canada policy.
* Vulcan Golf, LLC v. Google Inc., 2008 WL 818346 (N.D. Ill. March 20, 2008). This is another interesting development that I just didn't have time to blog (see my earlier post when the lawsuit was filed). In a lengthy opinion, the district court rejected most of the significant motions to dismiss, saying that she wanted to let the case develop. Ironically, she also complained about the workload in the case--perhaps this is obvious, but granting some motions to dismiss would help clear your docket queue! Unfortunately, most of the opinion isn't insightful because so many issues were reserved for further development. Perhaps the most interesting discussion relates to the "use in commerce" question, and the court rejected a motion to dismiss on that basis: "The plaintiffs have alleged that Sedo and the other Parking Defendants transacted in and improperly profited from domain names that are deceptively similar to the plaintiffs' trademarks. Such statements sufficiently allege the "use" of a domain name to allow the infringement claims against Sedo and Oversee to move forward on this issue." Some other commentary on the case: Sarah Bird and David Fish.
* American Airlines loves Google (except for the part where it's suing Google). HT Search Engine Land.
State Regulation of the Internet
* Some state legislators are becoming privacy entrepreneurs about behavioral targeting. Venkat does a recap. But Zachary Rodgers points out that some of the operative provisions track NAI's self-regulatory guidelines. More angst about deep packet inspection by IAPs.
* Ewert v. eBay, Inc., 5:07-cv-02198-RMW (N.D. Cal. March 31, 2008). eBay isn't an "auctioneer" or an "auction company" as defined by California's Auction Act.
* The Tennessee legislature is considering a goofy response to the Hannah Montana ticket furor.
* Ken Magill at Direct wrote an article entitled "Psychotic Law Clowns in Utah at it Again." A highlight: "Whenever I think of Utah's state legislature, I envision a room full of Jack-in-the-Boxes straight out of a never-made Twilight Zone episode. Every fall, when it's time for the next legislative session, their cranks begin to turn, a chorus of "Pop Goes the Weasel" begins, and on the note for "pop" the lids fly open and dozens of psychotic clown heads spring out of the boxes chanting: "New Internet Law! New Internet Law!""
Other Stuff
* The Economist: The Battle for Wikipedia's Soul. "To create a new article on Wikipedia and be sure that it will survive, you need to be able to write a "deletionist-proof" entry and ensure that you have enough online backing (such as Google matches) to convince the increasingly picky Wikipedia people of its importance. This raises the threshold for writing articles so high that very few people actually do it. Many who are excited about contributing to the site end up on the "Missing Wikipedians" page: a constantly updated list of those who have decided to stop contributing. It serves as a reminder that frustration at having work removed prompts many people to abandon the project." See a similar article in the NY Times Review of Books.
* FTC busts Goal Financial for inadequate security practices.
* The DOJ is busting people who click on a link that purportedly offered child porn, prosecuting them for attempted downloading of child porn.
* Orin Kerr, "Criminal Law in Virtual Worlds," University of Chicago Legal Forum (forthcoming). Orin sensibly argues against virtual world exceptionalism with respect to criminalizing activities in virtual worlds.
Posted by Eric at 10:09 AM | Content Regulation, Copyright, Domain Names, Marketing, Privacy/Security, Trademark, Virtual Worlds
March 24, 2008
Clickthrough Agreement Binding Against Minors--A.V. v. iParadigms
By Eric Goldman
A.V. v. iParadigms, 2008 U.S. Dist. LEXIS 19715 (E.D. Va., March 11, 2008).
I previously blogged that the judge was going to dismiss this case. The judge finally issued an opinion explaining his reasoning, and it's quite an interesting read.
At issue is iParadigms' Turnitin plagiarism detection service. It works as follows: a professor adopts the Turnitin service for a class. Students then submit class papers directly to the Turnitin database. Turnitin compares the submitted papers against its database, which includes Internet content, previously submitted student papers, and various commercial databases. Turnitin then provides the professor with an "Originality Report" assessing the likelihood that the paper was original to the student and not copied from one of the sources in the database. At the same time, Turnitin adds each student-submitted paper to its proprietary database so those papers create matches if submitted again.
Personally, I've never used the Turnitin service. I'm lucky enough that when I've taught "paper courses," I've been able to work closely enough with each student that a plagiarized paper would be useless. However, not every professor or teacher can interact with students enough to make these individualized assessments, and there are plenty of courses where students basically dump a paper onto professors in a relatively impersonal exchange. In those cases, I could see why Turnitin is an important or even essential tool to combat student efforts to game the grading system.
Even so, I remain troubled by some aspects of the Turnitin service. Most of my concerns relate to the implicit coercion of students to use Turnitin. Some students may not be aware that the professor will require Turnitin use at the beginning of the semester when (in theory) objecting students could freely drop the course, in which case the student is effectively required to use Turnitin to pass the class regardless of student consent. Even more problematically, students might be required to take a Turnitin-mediated course--such as when the course is a mandatory prerequisite and there aren't multiple professors teaching the course, or when students are assigned to a course without any choice (such as in high school). In those cases, students are forced to participate in the Turnitin scheme whether they want to do so or not. This isn't the biggest travesty in the world, but I'm not sure it's fair either.
The plaintiffs in this case--a group of four high schoolers--mount a solid attack on the Turnitin system for copyright infringement based on Turnitin keeping copies of their papers and occasionally republishing the papers to other professors when the papers trigger matches in future Originality Reports. iParadigms defends based on its mandatory clickthrough agreement, which every student must agree to as part of the submission process. The clickthrough was properly formed, so there's no question that it superficially demonstrates mutual assent.
However, student consent is illusory in at least two ways. First, as I mentioned, many students don't have a meaningful choice about consenting to the clickthrough agreement because they will fail their courses if they don't submit. The students attack this as duress, and the court correctly notes that Turnitin is not the source of duress; instead, the schools are the source, and the court tells the students to take it up with them. While the court is right that duress doesn't apply directly here, I could have seen other courts using the school-supplied duress as part of an unconscionability attack on the contract.
Second, the plaintiffs were minors, and well-settled law is that incomplete contracts with minors are voidable. The court sidesteps this issue by saying that the students had received the complete benefit of the Turnitin contract relationship when their papers were cleared by the Originality Report, and therefore they could not "return" the benefits conferred on them by Turnitin.
This is a ruling of potentially large significance. I've long believed that courts would struggle with dismissing claims by minors against websites because of the voidability issue, which seemingly left a large class action hole against all websites with minors as users. That hole may still exist--it depends on whether the contract is complete or not, and in many cases both parties will have incomplete obligations in a standard website EULA. Despite this, it's clear that this judge wasn't going to entertain any bypass that threatened the integrity of the Turnitin service, and I wouldn't be surprised if many other courts would reach the same conclusion in other circumstances.
The court dismisses the copyright infringement claim on the alternative ground that Turnitin's copying is fair use:
* storing the copy of the paper for plagiarism purposes is highly transformative
* the court twists the nature of work factor to weigh in favor of Turnitin, saying that Turnitin doesn't use the papers for their creative meaning
* the court also twists the amount/substantiality of the portion taken to weigh in favor of Turnitin. Even though Turnitin takes 100% of the work, it doesn't really publish the entire work (except in the occasional cases where a professor requests a copy after a match in the Originality Report) to others but simply flags the match.
* the court dismisses the effect on the market value of the work. Most student papers have no commercial value. The papers would have commercial value if resold to the term paper websites, but the plaintiffs conceded that they wouldn't authorize this usage because that would be cheating.
While I can't really quibble with the conclusion that Turnitin's use is fair, especially given the laudable objective of plagiarism suppression, other judges would have reached the opposite conclusion because Turnitin forces students to put their papers into a database that iParadigms mines for its profit.
In any case, this fair use ruling may augur well for search engine fair use cases, most obviously Google's book search and Google News--both of which pump third party copyrighted works into a for-profit database but republish only a limited portion.
The opinion also has some interesting discussion about iParadigms' counterclaims against the students. iParadigms initiated a very aggressive counterattack against the students (the words "scorched earth" came to mind). I guess iParadigms wanted to send the message--don't screw with us, because we'll make your life heck. I don't think iParadigms expected to get any meaningful payoff from their counterclaims, but they got nothing. In some sense they are lucky that it wasn't worse; I could see some judges taking such umbrage at iParadigms' tactics that they could have backfired.
iParadigms sought indemnity from the students based on a clause in its usage policy. The problem is that the usage policy wasn't presented as a mandatory clickthrough (whoops!) and the court refuses to extend the Register.com v. Verio bailout here.
One of the students obtained false credentials to log into the system at one point, but the court rejects iParadigms' claim that such a login was a trespass to chattels, Computer Fraud & Abuse Act violation or Virginia Computer Crimes violation because iParadigms couldn't make any showing of damages from this unauthorized login. This is the right result (at least with respect to trespass to chattels) per Intel v. Hamidi, but we've seen plenty of courts ignore the damages requirement from the Hamidi case.
Other comments on this case:
* Tom O'Toole
* Rebecca Tushnet
* Siva Vaidhyanathan
* Georgia Harper
* William Patry
UPDATE: According to the Chronicle of Higher Education, the students plan to appeal. Given the many conflicting norms associated with this case, I would be surprised if the appellate ruling was as decisively favorable for Turnitin as the district court opinion was.
Posted by Eric at 10:41 PM | Copyright, Licensing/Contracts, Privacy/Security
March 02, 2008
Feb. 2008 Quick Links
By Eric Goldman
Advertising
* BusinessWeek: Monetizing social networking sites isn't as easy as everyone had hoped, clickthrough rates are through the floor (0.04%!), and ad proliferation on the sites is driving users away.
* Wilbur, Kenneth C. and Zhu, Yi, "Click Fraud" (January 2, 2008). This paper appears to argue that search engines can increase their profits by failing to disclose the true rate of click fraud on their network.
* In re Miva, Inc. Securities Litigation, 2008 WL 450037 (M.D. Fla. Feb. 15, 2008). This lawsuit alleges that Miva and some associated individuals understated or misreported Miva’s reliance on click fraud, spyware and third party distributors in its public statements and thus inflated the company's stock price. Last year, the court dismissed many of the allegations but let a couple survive. In this ruling, the court dismisses a few more defendants from some statements and lets the rest of the case proceed.
* Going-out-of-business sales are often just another scam. (HT ContractsProf). Note this is completely consistent with economists’ theoretical predictions of final-period behavior of trademark owners.
* Google's stock has lost $70B in market cap in 7 weeks. Oh darn. Clickz offers some theories about why Google's clicks are declining. Could lower rates of click fraud be part of it?
* Hal Varian, Google's Chief Economist, argues that Google's marketplace success is solely due to its "secret sauce" (i.e., the advantage of learning by doing) rather than any defects in the marketplace.
Spam
* Jaynes v. Virginia (Va. Sup. Ct. Feb. 29, 2008). By a 4-3 vote, the Virginia Supreme Court upheld Jeremy Jaynes' 9-year sentence for violating Virginia’s spam law.
* Silverstein v. Experienced Internet.com, 2008 U.S. App. LEXIS 3364 (9th Cir. 2008). Ninth Circuit dismissed a CAN-SPAM lawsuit for lack of jurisdiction when the defendants attested that they didn't send the message and aren't local.
Domain Names
* NSI has been sued for its practice of grabbing pre-registration domain names based on WHOIS searches. The complaint. Good luck defending those practices, NSI!
* Two more breathy articles about the economics of domaining from the New York Times and Network World.
47 USC 230
* Johnson v. Barras, 2007 CA 001600 B (DC Superior Ct Feb. 1, 2008). Court dismisses a lawsuit against a website for republishing a defamatory story per 47 USC 230.
* Yet another doomed lawsuit against MySpace for facilitating communications between an adult male and an underage female that led to sex. Sam Bayard's comments.
Pornography
* NY Lawyer (login required): "Defense Bar Sees Growing Practice in Internet Sex Crimes"
* A federal obscenity prosecution for publishing graphic short stories (without pictures) on the Internet? As Tim Wu says, "astonishing."
* The Utah legislature is considering entering the marketplace again, this time through a certification mark program for Internet access providers who are willing to combat porn. See HB407. Of course, the Utah legislature has had terrific success in the past creating successful new business opportunities that the marketplace has overlooked.
User-Generated Content
* Nick Carr: "What we've seen happen with self-regulating communities, both real and virtual, is that they go through a brief initial period during which their performance improves - a kind of honeymoon period, when people are on their best behavior and rascals are quickly exposed and put to rout - but then, at some point, their performance turns downward. They begin, naturally, to decay." Like, I think, Wikipedia.
* Slate on the top-heavy nature of contributions to Wikipedia and Digg.
* Christian Science Monitor: Teachers Strike Back at Students' Online Pranks.
* Sam Bayard on a motion to quash in the AutoAdmit case.
Reputation
* eBay no longer lets sellers leave negative/neutral feedback for buyers. This putatively stops sellers from retaliating against buyers who leave legitimate complaints, but it also skews the database towards only positive reviews, which ultimately undercuts its credibility.
* In India, where courtships remain very brief by US standards and grooms can be paid dowries by the bride's families, there is an emerging trend for brides to hire "wedding detectives" to ferret out the scoop on grooms and whether their representations are correct.
* Funny article on being a secret shopper for Consumer Reports.
* Dan Solove's book, The Future of Reputation, is now available online for free. Ethan's review of the book.
Patents
* Six years later, eBay finally buys it now: eBay v. MercExchange settles with eBay buying out some of MercExchange's patents and licensing others.
* Mike Masnick: "Psst! Patent Examiners Do Not Scale"
Copyright
* Mike Masnick: “Why We Should All Want Politicians Who Plagiarize.”
* Do Not Resuscitate...My Copyrights (funny).
Miscellaneous
* Citizen Media Law Project has a useful discussion on getting insurance for cyberlaw risks.
* People v. Fernino, 2008 WL 382348 (N.Y. City Crim. Ct. Feb. 13, 2008) (woman violated a no-contact order when sending a MySpace message to the person).
* Mike Masnick: "We Need A Broadband Competition Act, Not A Net Neutrality Act"
* A retrospective on some of the leading dot-coms from the 1990s.
Posted by Eric at 05:32 PM | Content Regulation, Copyright, Derivative Liability, Domain Names, E-Commerce, Internet History, Marketing, Patents, Privacy/Security, Search Engines, Spam, Trademark
February 12, 2008
Jan. 2008 Quick Links (Non-IP Edition)
By Eric Goldman
47 USC 230
* Doe v. SexSearch, the case absolving a website for age verification of its users, has been appealed.
* The Supreme Court denied cert in Parker v. Google. See 2008 WL 114262.
* NYT update on the Subway v. Quiznos lawsuit. I'm still waiting to see how the CCBill case affects the legal analysis.
Ripoff Report
* CMLP reported that Energy Automation Systems v. Xcentric Ventures has settled.
* A lot of people would love to take down the Ripoff Report. The latest (perhaps unexpected) opponents--the SEO crowd. See here, here and here. Definitely not a group I'd want to have gunning for me...
* Sarah Bird wrote the blog post I wanted to write: a recap of all of the litigation involving the Ripoff Report and its related entities. She updates a number of cases I've blogged about here.
Privacy
* The quest to find defendants in the AutoAdmit lawsuit has spilled over to unrelated websites whose URLs were posted to AutoAdmit, on the theory that AutoAdmit users were likely to have visited there prior to or after the links were posted. See the plaintiff's motion. This has proven to be a controversial move; see critiques from Mike Masnick and Sam Bayard.
* World Privacy Forum's Top Ten Opt Outs.
* The Privacy Rights Clearinghouse has compiled a master list of all the data breaches that have been announced.
Spam
* Venkat on 4 years of CAN-SPAM. I think the best we can say is that CAN-SPAM hasn't destroyed email as a communication tool, but I am skeptical that its significant transaction costs are outweighed by its benefits.
* Search Engine Land shows Wired that its wiki isn't spam-proof and then apologizes for it.
Marketing/Advertising
* Greg Linden predicts a dot-com crash in 2008 where a dry-up of investment capital will lead to marketing desperation: "Much like we saw after the 2000 crash, it is likely that those with little to lose will attempt scary new forms of advertising. The Web will become polluted with spyware, intrusiveness, and horrible annoyances. None of this will work, of course, and there will be lawsuits and new privacy legislation, but we will have to endure it while it lasts."
* Oddee has some vintage ads that couldn't be made today.
Blogging
* Examples of how blogging is actually increasing some companies' sales.
* Giving in to cyberspace exceptionalism, a divorce court judge ordered a husband to stop blogging about the wife. Fortunately, the judge soon realized his error and reversed course, basically throwing up his hands saying "I don't know what to do here." Garrido v. Krasnansky, No. F 466-12-06 (Vt. Fam. Ct. Jan. 14, 2008).
Miscellaneous
* Once again, Mike Masnick says what I was thinking better than I could: "Both Microsoft And Google Are Probably Best Off Shutting Up About Monopolies."
* Wired has a great article on scraping data from major Internet players, many of whom themselves use scraping-like methodologies to gather data: "But beneath all the kumbayas, there's an awkward dance going on, an unregulated give-and-take of information for which the rules are still being worked out. And in many cases, some of the big guys that have been the source of that data are finding they can't — or simply don't want to — allow everyone to access their information, Web2.0 dogma be damned."
* The FTC has cracked down (again) on a website for inadequate security. This time, the e-tailer "Life is good" promised that "all information is kept in a secure file" but a hacker got good stuff (credit card #s, etc.) anyway. The FTC pointed to several deficiencies, including (1) the retailer's failure to store the sensitive data in encrypted format, (2) inadequate efforts to identify and patch security holes, and (3) inadequate monitoring of intrusions.
* Krause v. Chippas, 2007 WL 4563471 (N.D. Tex. Dec. 28, 2007). Court says a website user was bound to the contract when "lead page" of website said "USE OF THIS SITE AND OR SERVICES OFFERED WITHIN THIS FUTURESCOM.COM SITE SIGNIFIES YOUR AGREEMENT TO THIS SERVICE AND USAGE AGREEMENT."
* An interesting British study explains the downsides of government-mandated disclosures to consumers. HT Rebecca.
* I participated in a 30 minute podcasted conversation on the Lawyer 2 Lawyer show on the topic of social networking sites.
* I have 2 copies left of my 2007 Cyberspace Law course reader. First 2 people to email me with a request and their mailing address get them. [UPDATE: Gone!]
Posted by Eric at 05:50 PM | Derivative Liability, Licensing/Contracts, Marketing, Privacy/Security, Spam
January 30, 2008
State of the Net Conference Recap
By Eric Goldman
Today I attended the State of the Net conference, sponsored by the Congressional Internet Caucus Advisory Committee. This event has become the "go-to" event for Internet policy wonks. Well over 300 people attended, including many well-known folks. If you deal with Internet policy, you should be at this conference.
A few notes from the event:
The morning keynote was delivered by Mary Bono Mack, who delivered one of the most true believer IP-maximalist talks I've heard in a long time. It was almost cartoonish. Based on the fire-and-brimstone talk, I imagine she would support just about any expansion of IP rights proposed to her. In response to a Q&A, she said that she had been previously misquoted and that she doesn't support a perpetual copyright duration. But she thought the Eldred opinion vindicated Congress' previous term extension as a reasonable policy; she must have read a very different opinion than the one I read. See Anne Broache's writeup of Mary's talk.
I've now heard a few different suggestions that server-level filtering by IAPs would drop them out of 512(a) coverage. (Today, Gigi Sohn raised this issue.) This arises in response to AT&T's proposal to filter for copyrighted material, but it's also a subtext of the net neutrality discussion. I'm not sure if this is an accurate reading of 512(a), though. 512(a) says it applies only if "the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without selection of the material by the service provider." (Emphasis added.) What does it mean for a service provider to select material? In context, I think the statutory language means that the user, instead of the service provider, selects the particular file moving over the IAP's network. I don't see how this exclusion was meant to cover automated filtering. In contrast, if the language is read to apply to filtering, would any type of filtering, including spam and virus filtering, knock out IAPs from 512(a)? If so, then no one could ever qualify for 512(a). It's not beyond Congress to draft a safe harbor that describes a null set of activity (see, e.g., 512(d)), but I suspect the courts will be more flexible in their reading than this.
The always-entertaining Federal Trade Commissioner Jon Leibowitz spoke about social networking sites. He implied that if Facebook hadn't backed down on Beacon, he was going to encourage the FTC to investigate it. He also wondered how online speech could receive the same level of protection as offline speech, and specifically referenced Marsh v. Alabama (the company town case) in suggesting that some online sites might be analogized to essential facilities. I'm not really sure what to make of this, as every court that has reviewed these state action arguments as applied to private online sites has rejected them squarely. But I'm sure virtual world exceptionalists will be thrilled to know that an FTC Commissioner might be sold on weighting player rights over provider rights.
At the post-event technology exhibition, I had the most remarkable demo from a woman at Quova, the geolocation company that claims 97% accuracy to the state level and 95% accuracy to the city level. I don't feel comfortable repeating some of the things she said because I haven't been able to validate them, but suffice it to say that all of you privacy advocates who freaked out about ChoicePoint may have a new company to freak out about. Among the questions that I'd like to see answered about Quova:
* what websites supply them with IP address data based on their users' activities? If it's the companies she named, then I'm pretty confident that at least some big Internet brands have been regularly violating their privacy policies.
* what government agencies are Quova's customers? And what are they doing with the data?
* what kinds of subpoenas is Quova getting from private plaintiffs, and how are they handling those subpoenas? Based on what I heard, it sounded like plaintiffs have been wasting their time tendering subpoenas to individual websites when Quova may offer some interesting one-stop-shopping.
If you have any insights into any of these Qs, I'd welcome your thoughts.
Posted by Eric at 11:14 PM | Copyright, Privacy/Security, Virtual Worlds
December 14, 2007
Oct.-Nov. 2007 Quick Links, Part 2
By Eric Goldman
Marketing/Branding
* To stimulate demand for its services, the British postal service is pointing out that snail mail is a good way to use olfactory marketing. Try to keep up with THAT, spammers! But doesn't this give new meaning to the observation that “junk mail stinks”...?
* Dunlop Tires offered a free set of tires to people who would get a tattoo of the company's logo. This tops a past promotion where they gave free tires to anyone who got tire tracks shaved into their hair. As a promotion, tattoos have an obvious advantage over hair-shaving because hair grows back. See my comprehensive post on tattoo advertising.
* As the Internet increases price competition and reduces margins in the jewelry market, diamond manufacturers are trying to prop up prices by branding their diamonds.
* Another lawsuit over the scorching-hot Hannah Montana concert tour—this time, alleging that the Hannah Montana fansite overpromised priority access to tickets.
* Anthony v. Yahoo, which involved a claim that Yahoo misled consumers of its dating service, has settled for $4M.
* I enjoyed this YouTube Video, Mr. Spam Man. Brought to mind the Spam-Free-or-Die video, which is still funny today.
Copyright
* William Patry on crazy copyright rulings against the “segOne,” a device that allows retailers showing broadcast TV to their patrons to substitute in ads sold by them instead of the ads sold by the broadcasters.
* Textile Secrets International, Inc. v. Ya-Ya Brand, Inc. (C.D. Cal. Oct. 31, 2007). 17 USC 1202 (the restriction on modification/removal of “copyright management information”) has been rarely interpreted, so this is a noteworthy case on that basis alone. This case involved the removal of CMI in offline activities. The court concludes "Court nevertheless cannot find that [1202] was intended to apply to circumstances that have no relation to the Internet, electronic commerce, automated copyright protections or management systems, public registers, or other technological measures or processes as contemplated in the DMCA as a whole."
* The Copyright Office has (finally) updated its electronic copy of Title 17.
Blogging
* David Hoffman discusses some considerations when structuring a group blogging LLC's operating agreement.
* U.S. v. Citgo Petroleum Corp., 2007 WL 4116066 (S.D. Tex. Nov. 19, 2007). An attendee at a trial blogs some of her observations about the jury. Her reward? One of the litigants can depose her as having potentially relevant information about jury impartiality. See my first-hand experience with potentially being deposed due to a blog post.
E-Commerce
* College students are ordering tires, pool tables and Winchester rifles online.
* The Canadian taxing authorities have won a victory allowing them to order eBay’s US company to disclose vast amounts of transactional data that presumably will be cross-checked against Canadian PowerSeller tax returns.
Miscellaneous
* Express Media Group, LLC, v. Express Corp., No. C 06-03504 WHA (N.D. Cal., May 10, 2007). Martin Samson's summary: "Court finds defendant, who claimed to have purchased plaintiffs' Express.com domain for $150,000 from someone who purported to be, but was not, the domain's Administrative Contact, guilty of conversion and directs defendant to return the domain to plaintiffs."
* Fallout from the Oracle v. SAP case: SAP may sell TomorrowNow, and several TN executives have been axed.
* A good use for a geolocated cellphone-mediated information service: the location of the nearest public toilet.
* Declan rallies against a federal "Do Not Track" list.
* NYT: US News & World Report is getting into the consumer review business by aggregating third party opinions. According to the NYT, "The magazine has searched the work of dozens of automotive reviewers at newspapers and magazines, assigned a numerical value to each review (a process U.S. News describes as complex, rigorous and top secret), and then aggregated those into final scores. The Web site offers a description of each vehicle, sprinkled with snippets of quotes from those reviewers, so that it reads as much like a Zagat's restaurant blurb as something you might find in Consumer Reports."
* Don'tcensorme.com: a website for commenters who believe that their comments have been deleted by moderators on hubris overload.
* BusinessWeek: 101 Best Web Freebies.
Posted by Eric at 08:20 AM | Copyright, Domain Names, E-Commerce, Marketing, Privacy/Security, Spam
November 10, 2007
Google Resists Subpoena for Keyword Ad Purchases--Connor Sport Court v. Google
By Eric Goldman
Connor Sport Court International, Inc. v. Google Inc., CV-06-3066 PHX JAT // CV 07-80252 (N.D. Cal. motion to compel filed Oct. 31, 2007)
This summer, I reported on trademark litigation between Connor Sport Court and Rhino Court. The parties had settled the lawsuit, but then Connor complained that Rhino violated the settlement by buying keyword advertising triggered to Connor's trademarks. Connor then submitted a discovery request to Google seeking records of other people who had bought Connor's trademarks as keywords. As I noted at the time, the requested information had significant competitive value, and Google's delivery of the information could prompt a lot of other similar discovery requests to Google.
Initially, Google seemed inclined to give Connor the data it asked for, but apparently Google changed its mind. Instead, Google has refused to turn over any data related to third party purchases and didn't turn over much related to Rhino. Connor apparently still believes the requested information is worth pursuing, because it has now filed a motion to compel Google to comply with its discovery request.
Google might take the opportunity to clarify its policies regarding the disclosure of keyword ad purchases. Connor's brief claims that Google provided Rhino with information about a third party's ad purchase, including the ad copy, the maximum cost-per-click bid, the number of clicks and impressions, the average ad position and more. Is Google handing out this information merely based on a subpoena, or is Google going to make it harder for litigants to get access to this data? According to the filing, the hearing is scheduled for Dec. 7 at 9 am in San Jose.
Posted by Eric at 12:53 PM | E-Commerce, Marketing, Privacy/Security, Search Engines, Trademark
October 30, 2007
Vendor of Illicit Phone Records Not Protected by 230--FTC v. Accusearch
By Eric Goldman
Federal Trade Commission v. Accusearch, Inc., 06-CV-105-D (D. Wy. Sept. 28, 2007)
Accusearch (a/k/a Abika) offers for sale records of telephone calls made by telephone subscribers. Abika doesn't acquire the records itself directly from the phone companies; third parties do that. Even so, I believe the collection and resale of these phone records was illegal throughout the relevant time period. (Michael Erdman explores this more).
The FTC brings an action against Abika for unfair trade practices. Abika defends on 230. The FTC argues that Abika was the retailer; Abika argues that it is just an intermediary making matches between buyers and sellers of the records. The court rejects the 230 defense for two separate reasons:
* the statutory terms publisher/speaker are ambiguous, at least as applied to this case. Thus, the court turns to 230's legislative history to conclude that Congress didn't mean to protect these types of claims. The court says snarkily "It is ironic that a law intended to reflect a policy aimed at deterring 'stalking and harassment by means of computer' is now being urged as a basis for immunizing the sale of phone records used for exactly those purposes." (Fair enough, but see Zeran!)
* reselling the records meant that Abika "participated in the creation or development of the information" and thus became an information content provider itself.
Both of these arguments are pretty strained. The statutory references to "publisher" and "speaker" aren't entirely clear, but dozens of cases have interpreted them. It would have been nice to see the court consider those precedents before jumping to the legislative history as if the court is reading a 10-year-old statute for the first time. As for the interpretation of "creation and development," I don't see how anyone can interpret those words to include retailing a record without any modifications at all.
Despite these analytical deficiencies, I think the court reached the right result. In my opinion, the retailer/intermediary distinction is the critical linchpin. It's pretty well accepted that an intermediary between buyers and sellers is fully eligible for 230 even if the purchase/sale involves illegal goods--see, e.g., Gentry v. eBay (fake sports memorabilia), Stoner v. eBay (bootlegged recordings). In those cases, eBay was the venue to publish the seller's advertisements to buyers. (See also Ramey v. Darkside Productions, another case holding that a publisher of third party ads wasn't liable for the ads, even if the publisher helped prepare the ads).
In contrast, I think a retailer who acts as the merchant of record of third party goods generally should be liable for selling those goods, even if the goods were acquired for resale from third parties. I don't see how 230 protects a retailer selling goods for its own account--I don't think the claim is appropriately styled as either a "publisher" or "speaker" claim at that point. But see Prickett v. infoUSA, where infoUSA resold data it obtained from third parties but was still eligible for 230.
Unfortunately, I think the court's biggest mistake is that it apparently forgot that it was addressing summary judgment motions, because the court made numerous factual inferences (some apparently contested) against Abika. So I think this ruling is best understood not as an SJ motion, but instead as a bench ruling where the court simply disbelieved that Abika was an eBay-like intermediary and instead concluded that a retailer can't claim 230 for reselling illegal goods for its own account. Rephrased this way, I think the court reached the right result.
For more on this case, see Michael Erdman's nice writeup.
Posted by Eric at 11:26 AM | Derivative Liability, E-Commerce, Marketing, Privacy/Security
October 21, 2007
Ticketmaster Wins Big Injunction in Hannah Montana Case, But Did the Public Interest Get Screwed?--Ticketmaster v. RMG
By Eric Goldman
Ticketmaster L.L.C. v. RMG Technologies, Inc., 2007 WL 2988403 (C.D. Cal. Oct. 16, 2007)
You may remember Ticketmaster's multi-year battle against Tickets.com over data aggregation and deep linking. Ticketmaster never got a solid win in that case, but here Ticketmaster successfully advances the same legal theories against someone gaming its allocation of tickets. Hannah Montana fans might cheer this ruling, but some of the court’s analysis makes this a troubling Cyberlaw development.
Introduction
This case involves what I'll call "ticket sniping"--the practice of quickly snapping up highly-sought-after tickets when they first go on sale and then reselling them at higher prices. When it comes to hot concerts--such as the upcoming Hannah Montana tour--Ticketmaster's price may be well below the prices people are willing to pay in the secondary market. Why don't event promoters use auctions or another dynamic pricing scheme to capture this upside on the first sale? I'm reminded of the odd pricing systems for IPOs--just like that market, perhaps Ticketmaster (as an intermediary) deliberately underprices below the market-clearing price to increase its profits.
In any case, initial ticket buyers from Ticketmaster can get an economic windfall, which naturally motivates people to game the initial first-come, first-served ticket allocation system. RMG was one such gamer. It developed software that helped its customers beat other buyers in the rush to get hot tickets. Ticketmaster sued RMG to stop its gaming activities; the court issues a preliminary injunction:
Copyright
The court says that RMG directly infringed Ticketmaster's copyright in its web pages by browsing them to test the operation of its software tool. Effectively, then, the court says that web browsing is copyright infringement. This isn't the first time a court intimated as much, but it's troubling every time we see it.
The court overlooks any implied license to browse because Ticketmaster's "browsewrap" on its home page (which says "Use of this website is subject to express Terms of Use which prohibit commercial use of this site. By continuing past this page, you agree to abide by these terms") acts as an express restriction on browsing, so any access in contravention of those terms constitutes copyright infringement.
One of the key Qs is how RMG's software differs from other search engine robots. The court skirts this Q, simply pointing to Perfect 10 v. Amazon as excusing the cache copies made by web users who follow search engine links. Of course, search engine robots make lots of other copies, and we think these copies are excused because the final presentation (the display of search results snippets) doesn’t infringe. The court doesn't address this at all.
The court also says that RMG is indirectly infringing based on a Grokster inducement theory because RMG's marketing said it's offering "stealth technology [that] lets you hide your IP address, so you never get blocked by Ticketmaster." This is a pretty expansive interpretation of copyright inducement because the marketing references IP address blocks, not copyright infringement, but it's very consistent with the court's moral condemnation of RMG's behavior.
Anti-Circumvention
The court says that website pages are protected by copyright, and the website used a CAPTCHA to restrict access to these copyrighted works. Thus, distributing the software tool designed to circumvent the CAPTCHA to access the copyrighted website violates 1201(a)(2) and 1201(b)(1). Not only does this give unexpected copyright protection for CAPTCHAs, this ruling seems inconsistent with several precedents holding that bypassing a password protection system doesn't violate 1201.
Breach of Contract
As indicated above, the court upholds Ticketmaster's browsewrap. Admittedly, Ticketmaster has improved its contract formation processes since it litigated against Tickets.com, but I'm not sure this was as easy as the court treated it.
Computer Fraud & Abuse Act
Surprisingly, the court denies relief for this claim because Ticketmaster couldn't allege $5,000 of loss. I tell my students that if they can't construct $5,000 of loss under the CFAA, then they aren't thinking creatively enough.
Conclusion
It's easy to point at RMG and its customers as the bad guys. After all, they are trying to get an unfair advantage in the first-come, first-served allocation of scarce tickets for their economic benefit, with the result that later comers have to pay more to get the same tickets.
But what about Ticketmaster's role in this situation? They haven't designed a technologically gaming-resistant allocation of tickets, so they need legal help to solve that deficiency. I also remain suspicious about Ticketmaster's incentives here, both in setting prices and in policing against ticket allocation gaming. Their motives may not be nearly so consumer-friendly as they try to portray.
And this opinion is hardly pro-consumer either. This ruling won't be a problem if future courts limit this ruling solely to a company's efforts to legally protect a competently designed anti-gaming strategy. But some of the more dramatic rulings are anything but consumer-friendly, such as the implicit holding that browsing is copyright infringement and the upholding of Ticketmaster's browsewrap. If other courts apply these principles more broadly, Hannah Montana concertgoers may have gotten a benefit at the expense of us all.
Posted by Eric at 03:45 PM | Copyright, Derivative Liability, E-Commerce, Internet History, Licensing/Contracts, Privacy/Security
October 15, 2007
Online Trust Conference Recap
By Eric Goldman
On October 2, Santa Clara University held a half-day conference called "Trust Online." This event was co-sponsored by the Center for Science, Technology and Society, the High Tech Law Institute, the Markkula Center for Applied Ethics and Microsoft. We brought together policymakers, technologists, lawyers and academics to explore the process by which online companies engender trust from their customers. The topic of "trust" is complicated because it cuts across privacy, security and branding issues. In the end, we discussed all that and more.
The day started off with a keynote by Richard Clarke, formerly Bush's chief cybersecurity czar. His talk started out on a disconcerting note as he described cyberspace as a place of "chaos" and "crime" (shades of California CIO Clark Kelso calling the Internet a "sewer"). But he got onto more productive grounds when talking about how consumers develop trust in different entities:
* trust in the government. Americans' trust in government has fallen to an all-time low. This lack of trust in the government undermines trust across-the-board because, for example, consumers may be reluctant to disclose personal data to websites knowing that the government could get access to it.
* trust in the private sector. He echoed the conventional sentiment among privacy advocates that we need to worry more about Little Brother than Big Brother.
* trust in individuals. He blamed the Internet for the "pandemic" of identity theft--especially lax security.
He proposed five solutions:
1) Biometric ID cards--we need 2 factor authentication online
2) We should ask the government to regulate. He thinks the FCC has the authority to regulate the Internet, and the FCC could instruct ISPs to take specific actions that would reduce risks. He acknowledged that when a person suggests the government should regulate the Internet, others want to take the person away in shackles. That pretty much summed up my reaction to this proposal!
3) We should keep critical infrastructure from being Internet-connected.
4) Industry should improve the security of its code.
5) We should form a government entity that people could trust to safeguard their privacy and civil liberties concerns
Next was a panel on Enforcing and Enabling Trust, moderated by Lise Buyer (one of the star Internet analysts from the dot com boom). Panelists: Scott Charney of Microsoft, Mozelle Thompson (a former FTC Commissioner who is doing a lot of consulting work for Facebook) and Jim Ransome from Cisco. Some notes I made during this panel:
* Charney: consumers need just-in-time, actionable information to make trust decisions
* Thompson: people are clamoring for context
* Charney: security and privacy are conflated in the concept of "safety." People just want to feel safe.
* Thompson: people don't want anonymity, they want control over their data (Eric's comment: this makes sense in a Facebook context; not sure if it is more broadly extensible)
* Charney: goal should be risk management, not risk elimination
* Charney: we think of security as binary (is it secure or not), but privacy is a continuum
* Charney: we accept the fact that people may die in the name of privacy (examples: anthrax mailed without a return address; disposable cellphone to make bomb threat)
* Charney: we need to marry authentication with reputation
Next was a panel on Branding and Building Trust. Lise also moderated. Panelists: Alessandro Acquisti of Carnegie Mellon, Chris Hoofnagle of UC Berkeley, and Fran Maier of TRUSTe. Some notes I made:
* [not sure who made this point]: there is a positive correlation between good business practices and consumer perceptions that the company has good privacy practices (Eric's comment: this would certainly explain sentiments towards Google)
* Acquisti: a study showed that stock prices drop after companies announce a security breach, but they quickly rebound after a few days
* Q: what is trust worth? Acquisti: according to his study, people will pay extra for privacy in some cases. Maier: TRUSTe has a case study showing that their logos improve consumer willingness to provide data (Eric's comment: I'd need to look through this case study to see how it regresses possible co-variables)
* Hoofnagle: consumers erroneously believe that companies' ability to use their data is regulated
* [not sure who made this point]: we should give kids amnesty for their youthful postings. i.e., we need to forget some information
* Maier: 15-20% of TRUSTe applicants don't get certified.
The day ended with a keynote by Dave Cullinane, eBay's Chief Information Security Officer who recently joined the company from Washington Mutual. A few notes from his talk:
* eBay employs 2,000 people in its trust & safety department
* eBay/PayPal investigators currently assist in over 2 arrests per day
* He implied that the Department of Homeland Security was trying to get a dataset from eBay to see if they can crunch the data to identify patterns that look like terrorism. I'd like to know more about this!
* Rootkitted Linux boxes--not (as commonly believed) Microsoft boxes--are the vast majority of security threats
Other comments on the event:
* SCU Law student Erik Schmidt at TechLawForum on Richard Clarke's talk
* Cade Metz at the Register on Richard Clarke's talk
* Cade Metz at the Register on Dave Cullinane's talk
* Robert McMillan at InfoWorld on Dave Cullinane's talk
UPDATE: Listen to the podcasts!
Posted by Eric at 01:42 PM | E-Commerce, Privacy/Security
September 07, 2007
August 2007 Quick Links, Part II
By Eric Goldman
* e360 Insight v. Spamhaus Project, 2007 U.S. App. LEXIS 20725 (7th Cir. Aug. 30, 2007). An email marketing company was listed on Spamhaus' ROKSO and sued for defamation and other torts in Illinois. Spamhaus took the position that US courts have no authority to render a judgment on a UK-based operation. The district court ultimately awarded $11.7M in damages and various equitable relief. The Seventh Circuit affirmed the default judgment but vacated the damages and equitable relief, sending those back to the district court to reevaluate the appropriate remedies. I understand that Spamhaus wanted to make a philosophical point by not fighting the lawsuit in the US, but had they overlooked their philosophical objections, they should have won a quick victory per 47 USC 230(c)(2).
* Perfect 10 has appealed its Ninth Circuit 230 loss in ccBill to the US Supreme Court.
* Search Engine Land had a good overview/recap article on geolocation technology. It provides a clear and easy-to-read explanation why the folks who think online businesses can just stay out of a state that enacts dumb regulations are full of crud.
* Pisciotta v. Old National Bancorp, No. 06-3817 (7th Cir. Aug. 23, 2007). Another court (this time, the Seventh Circuit) says that consumer fretting about possible future identity theft isn't enough harm to support a lawsuit. See the analogous JetBlue, Acxiom and Key cases.
* Wikipedia Scanner--an automated tool to determine who is editing Wikipedia pages. Katie Hafner's NYT article on the matter. David Hoffman does a little sleuthing on law firm edits.
* NYT: In the 1990s, a lot of people sought to build an infrastructure for micropayments. Consumers resisted them, but today those efforts seem a little silly--AdSense advertising can generate the same financial benefits for a web publisher without the overhead. Meanwhile, the credit card systems are being stretched to cover micro-transactions because merchants are aggregating a consumer's orders and processing them in bulk (rather than processing each one individually) as a way to reduce the transaction costs.
* NYT: "As video games have surged in popularity in recent years, politicians around the country have tried to outlaw the sale of some violent games to children. So far all such efforts have failed."
* AP: Chinese animated cops will be patrolling the Information Superhighway beat.
* Tired of negative reviews on Yelp, a San Francisco restaurant put up a sign saying "no Yelpers." I wonder if a sign like that lessens or exacerbates negative publicity.
* NYT: Book authors obsessively check Amazon sales rankings and try to game them.
* Facebook accidentally posted some of its source code to a public website. Surely an interesting development for ConnectU's discovery team!
* Another Internet company hires its own in-house economist--this time, virtual world Eve Online.
* A nice retrospective on the Cleveland Free-net, which at one point was a prominent component of the Cyberspace community.
* I have one free guest pass to the CLE International New Media Law conference in SF on Oct. 1-2. Free to the first person who sends me an email request. [SORRY--TAKEN!]
Posted by Eric at 09:48 AM | Content Regulation, Derivative Liability, E-Commerce, General, Internet History, Privacy/Security, Virtual Worlds
July 30, 2007
Fourth Amendment Privacy Case Law Bonanza
By Ethan Ackerman
In June, privacy advocates generally celebrated the Sixth Circuit’s important 4th Amendment ruling in US v. Warshak. But hot on its heels, the Ninth Circuit sobered the tone rather quickly in US v. Alba, declining to find 4th Amendment protection for email and IP addresses. Alba dealt with the use of a pen register to collect IP addresses and out- and in-bound email addresses that the suspect visited/emailed. Based on the results of the pen register, the government got a warrant for subsequent surreptitious keylogging and screen captures on the defendant's PC. At the trial court level, the defendant challenged only the pen registers and not the subsequent warrant-based surveillance. Coming so close on the heels of the privacy-expansive holding in Warshak, US v. Alba drew attention (and quite possibly some of the best off-the-cuff 4th Amendment banter/criticism on the Web) for its apparent holding that email addresses and IP addresses have no 4th Amendment protection. The Ninth Circuit generated enough confusion over the facts surrounding this holding to merit a subsequent clarification from the court as to whether this surveillance occurred surreptitiously on the defendant's PC (nope) or at the ISP level (yep).
Following closely on Alba's release, while everyone was still confused about just where the pen register interception happened, Wired News broke the details of US v. Glazebrook, a District court opinion on FBI keylogging that used some sort of software exploit or social engineering to allow remote monitoring of the PC of a high school MySpace user making bomb threats. The Glazebrook surveillance was done pursuant to a traditional court-reviewed warrant, leaving little room for 4th Amendment issues. Nonetheless, the case (and especially the warrant affidavit) is great reading, full of interesting technological questions regarding the FBI's covert remote monitoring capabilities.
Another District court decision, United States v. D'Andrea, provides an interesting take on the 4th Amendment protections of web-stored files with password protection. As Orin Kerr's thoughtful parsing points out, the decision makes some fairly big factual judgments without sharing some of the significant background details. In this case, the contraband files were password-protected but stored online, and government investigators viewed them (without a warrant) after an ex-girlfriend of the suspect tipped off the investigators and provided the web site's password. The opinion finds a reasonable expectation of privacy may exist in password-protected files stored online, even though they are physically remote and transmitted to a third party provider.
In this case, the expectation of privacy did not exist, however, as the judge concluded that the suspect gave the ex-girlfriend the necessary information to access the files. As Professor Kerr points out, this last conclusion is thin on the facts. It is not at all clear in the opinion how the ex-girlfriend acquired the passwords; the suspects vigorously denied providing them to her. Would it have made a difference if she hacked, snooped, or guessed the passwords? Although it cited to Warshak, the opinion was similarly thin on just why 4th Amendment protections existed. (Not wrong, to this author's eye, just not detailed.) The opinion also spent little time addressing statutes that might address the privacy expectations, and whether and how they might affect the expectations of the defendant. For example, the Protection of Children from Sexual Predators Act requires ISP reporting of any discovered instances of child pornography, and the Electronic Communications Privacy Act is rife with exceptions allowing for disclosure of electronic communications. While I suspect the correct opinion is that mere statutes don't influence the Constitutional standard of "reasonableness," the court doesn't address the issue in any detail.
Professor Kerr would moot these conundrums with an alternate holding based on the controversial "special needs" exception, reaching the same final result. This particular debate is fairly politicized, and arises in many 4th Amendment cases, and isn't specific to computer cases, though it often pops up there too. I’m not as willing as Professor Kerr to recognize an imaginary dividing line between criminal investigators and other government employees such as child services investigators or network administrators and ascribe no 4th Amendment significance to agents on the "correct" side of that line, but his other questions cut right to the core ambiguities of this opinion. To be fair, even some other Circuit Courts don't seem too concerned making that excuse in other computer investigation cases, either.
Posted by Ethan Ackerman at 10:01 AM | Privacy/Security
June 12, 2007
Domain Names Can't Be Trespassed--Utube.com v. YouTube
By Eric Goldman
Universal Tube & Rollform Equipment Corp. v. YouTube, Inc., 2007 WL 1655507 (N.D. Ohio June 4, 2007)
Boy, this case got a lot of attention when it was first filed (which isn't surprising; YouTube lawsuits usually do). You may remember the story: the plaintiff is a dealer of used tube mills, used pipe mills and used rollforming machines. The plaintiff operated a website at utube.com. As you might expect, like most other industrial B2B vendors' websites, utube.com had a small but targeted audience.
With the phenomenal and quick rise in popularity of YouTube, a lot of web users mistyped youtube.com and entered utube.com instead, causing utube.com to suddenly experience disproportionate popularity. Unfortunately for the plaintiff, few of these visitors were interested in rollforming machines--as the opinion starts out, "This is a case about two very different types of “tubes.”" As a result, the plaintiff was paying big bandwidth charges for customers who weren't buying. In some cases, the plaintiff claimed that the traffic overwhelmed the servers, causing utube.com to be offline and preventing the plaintiff's real customers from conducting business with the plaintiff.
The plaintiff sued YouTube for trademark infringement, trespass to chattels and related claims. Last week, the court addressed YouTube's motion to dismiss. The net result is that the court allowed some of the plaintiff's trademark and related claims to survive, but the court dismissed several other claims (with leave to amend).
Trespass to Chattels
Most interesting to me is the court's dismissal of the plaintiff's claims that YouTube "trespassed" utube.com. The court correctly says that trespass to chattels (TTC) claims require physical contact, so it is not possible to trespass intangible property like a domain name. While this is the right result, I can't help but note the Ninth Circuit's holding that domain names can be converted like personal property (in the Sex.com case), and the recent Thyroff case, which also said that digital files could be converted. But here we're talking about a smaller possessory interest than conversion, and the court rightly understands that TTC could become a bypass to trademark infringement. As a result, this decision channels unhappy domain name owners towards trademark claims instead of some TTC bypass.
Even if the domain name itself can't be trespassed, the plaintiff can still claim that the computer servers attached to the domain name were trespassed. The court dismisses the claim for two independent reasons:
1) The plaintiff uses a third party web host, and the court says that the plaintiff didn't allege an adequate possessory interest in its host's equipment.
This may just be a pleading issue that gets corrected in an amended complaint, but it raises an interesting question about TTC standing that I don't recall seeing discussed before. Assuming that TTC is occurring to a site hosted by a third party vendor, does the TTC claim rest with the website operator, the vendor, or no one? I had always assumed that the website operator and the vendor EACH had standing for TTC because each has shared possessory interest in the computers, but I can see outer limits to this. For example, a person using a free web host vendor who is one of a zillion customers shouldn't have standing if there's a TTC to the vendor's computers. OTOH, if a customer is paying a vendor to operate a dedicated computer, and the customer will bear all economic charges associated with that computer's usage, I think the customer has standing. In that circumstance, perhaps the vendor does as well.
In my case, I pay a nominal amount to my web host for shared computer usage, but I pay bandwidth charges associated with my domain name. I think that if a third party were trespassing my website, and I bore the economic consequences from bandwidth usage, I should be able to claim TTC even though I only "lease" the computer space and I share that computer with other sites. Perhaps this warrants more thought.
2) Independently, the court correctly says that YouTube's customers, not YouTube itself, are "contacting" utube.com, and therefore YouTube isn't committing the actus reus. This result also appeared to be designed to channel this complaint into trademark law.
Nuisance
Some pundits have theorized about the existence of a nuisance claim that would parallel (or supplant) online TTC claims. These nuisance claims are occasionally pleaded (for example, a nuisance claim was made initially in the Intel v. Hamidi case, though Intel voluntarily dropped it), but this argument has not gotten any traction in court. This court's terse rejection of the claim is typical:
Universal has provided virtually no legal support for its contention that a private nuisance can exist when no land is involved. Nor has Universal shown any support for the proposition that a domain name, a website, or a computer that hosts a website somehow constitutes real property. There being no such support or other basis for its nuisance claim, that claim will be dismissed.
Other Claims
The court also dismissed the plaintiff's attempt to cancel (in district court) YouTube's trademarks and claims for negligence and violation of state RICO laws. The court rejected YouTube's motion to dismiss for unfair competition, state dilution, and deceptive trade practices, so those claims are still active (plus any causes of action revived with an amended complaint).
Posted by Eric at 09:59 AM | Domain Names, Privacy/Security, Trademark
May 29, 2007
Zango Claims Spyware Doctor SE Surreptitiously Deletes Its Software
By Eric Goldman
Zango, Inc. v. PC Tools Pty Ltd., 07-2-15844-8SEA (Wash. Superior Ct. complaint filed May 15, 2007)
We've seen a fair amount of tussling between adware vendors and anti-spyware software vendors, including a battle over the incorporation of "good samaritan" immunizations for anti-spyware vendors in proposed anti-spyware legislation (see, e.g., here and here). However, litigation between the two camps has been relatively rare, so this case (if it doesn't settle like most of the precedents) might help shape the contours of anti-spyware software vendors' duties as well as influence the pending anti-spyware legislation in Congress.
Here, Zango claims that PC Tools' software, Spyware Doctor Starter Edition, (1) mislabels Zango's software as an "elevated risk" and (2) automatically disables Zango's software from functioning without giving users notice, which prevents new installs and prevents current users from using existing installs--including those users who have paid a premium subscription allowing them to use Zango's software pop-up-free. While these effects alone would be problematic for Zango even if Spyware Doctor were an obscure program, Spyware Doctor SE has the added profile of being bundled in the Google Pack.
While I can see why Zango would be upset enough about this situation to sue, bringing a lawsuit has numerous downsides. First, the facts may not be in its favor; SunbeltBlog has had difficulty replicating some of the results. Second, lawsuits over classifications threaten anti-spyware vendors' editorial integrity (and PC Tools is claiming that was Zango's intent), but fortunately those editorial judgments should be completely protected by 47 USC 230(c)(2). Third, Zango isn't particularly popular in the anti-spyware crowd, so their enforcement actions bring extra scrutiny.
With respect to the claim that Spyware Doctor disables Zango, this case reminds me of the fracas (that matured into a lawsuit) between Avenue Media and DirectRevenue back in 2004, where Avenue Media claimed that competitor DirectRevenue was surreptitiously kicking its software off users' hard drives (the case reached a detente).
While it would be tempting to dismiss the Avenue Media/DirectRevenue lawsuit as a piratical battle between untouchables, there are other examples where company A deletes company B's software with minimal notice. Most prominently, I still can't fathom how Microsoft gets away with unilaterally wiping software off users' hard drives (my recollection is that AOL has done the same thing, but I can't find my documentation of it now). At some point we're going to have to reach a social consensus about what level of user authorization is required for one software program to annihilate another program. Maybe this case will help us understand that issue a little better.
Posted by Eric at 01:14 PM | Adware/Spyware, Privacy/Security
May 01, 2007
April 2007 Quick Links
By Eric Goldman
* Rebecca blogs on CollegeNET, Inc. v. XAP Corp., 2007 WL 927946 (D. Or. March 26, 2007), where a jury awarded $4.5M in damages under 43(a) because the defendant had a privacy policy saying it wouldn't disclose personal information to third parties "without the user's express consent and direction," but when users affirmatively said “yes” to "Are you interested in receiving information about students loans and financial aid?," the defendant sold the name to a third party. This is the right result because the combination of the two statements--we won't disclose to third parties, and a lack of pronouns about who would send the information about loans/financial aid--clearly implies that the information would come only from the defendant. However, it would have been easy to avoid this result! As the court points out, the defendant could have added one more line to the privacy policy ("If you ask for more info on loans/financial aid, we may provide your name to third parties") or pronouns to the call-to-action ("Are you interested in receiving information about students loans and financial aid from us or selected third party vendors?"). While the result is right, the damages sure seem high.
* Claria has taken its PersonalWeb tool out of beta. This tool creates a personalized navigation page for consumers by inferring their preferences rather than requiring them to proactively customize the personalization, which only 10% of users did.
* From BusinessWeek: To capture interest in a hot story, media entities buy keywords like "Virginia Tech massacre" immediately following tragedies.
* MailChannels' technology deliberately introduces latency into its server's handshakes, effectively creating a slow lane for spammers.
* Internet Archive v. Shell has settled. John O. may have more thoughts on this.
* Latest evidence that consumers don't always want to have their say: less than 0.2% of visits to YouTube and Flickr are for the purpose of uploading content.
* Todd J. Hollis' lawsuit against dontdatehimgirl.com has been dismissed for lack of jurisdiction. Unfortunately, the court deliberately sidestepped the 47 USC 230 issue, which would have been a simple way to clear the docket permanently.
* BusinessWeek article on how dictionary-makers are struggling to sort through the proliferation of new well-known words via the web.
* A historian raises some quality concerns about Google's book scanning efforts. I think the metadata issue is particularly serious, as many people will expect Google's metadata to be accurate and will cite it accordingly. HT Rebecca.
* Lawsuit over a botched tattoo. Whoops! Speaking of bad-idea tattoos, check out my archive post on tattoo advertising.
* New York councilman wants to ban "menu spam."
* Thyroff v. Nationwide Mutual Insurance Co., No. 41, 2007 N.Y. LEXIS 264 (N.Y. Mar. 22, 2007), holding that electronic records are protected by a state law against "conversion." This is certainly consistent with some precedent, such as Kremen v. Cohen, 325 F.3d 1035 (9th Cir. 2003) saying that domain names can be converted, but this broad holding seems plainly wrong. With respect to copyrightable electronic records, federal copyright law should preempt state anti-conversion laws. What am I missing?
* Some items that made me laugh this month:
- Dilbert on crowded trademark namespaces
- Comedy Central has the amazing story of My-T-Boy, the cute branded character who lapsed into the public domain
- Marge Simpson googles herself and doesn't like what she sees from the satellite image of her home. Very funny!
Posted by Eric at 06:20 PM | Derivative Liability, Licensing/Contracts, Marketing, Privacy/Security, Spam, Trademark
April 09, 2007
March 2007 Quick Links Part 2
By Eric Goldman
Yesterday I posted the Google edition of my list of interesting items from March. Today I post the remainder of items that caught my eye last month.
Trademarks/Brands
* Bosley Medical Institute v. Kremer, 2007 WL 935708 (S.D. Cal. Mar. 22, 2007). On remand from the Ninth Circuit, the district court denies Kremer's motions to dismiss/for SJ. Michael Atkins recaps the ruling and case's history.
* Milbank Tweed Hadley & McCloy LLP v. Milbank Holding Corp. d/b/a Milbank Real Estate Services, No. CV 06-187-RGK (JTLx), (C.D. Cal. Feb. 23, 2007). After passage of the Trademark Dilution Revision Act, the court rejects the existence of "niche fame" as support for a dilution action. I’m a little surprised that this plaintiff would bring this losing argument.
* ICANN votes down a .XXX TLD. Again.
* NYT on the increasing challenges of creating a unique global brand in very crowded namespaces.
* Trademarked Sentences: A tool that helps you generate poetry by mixing trademarked slogans.
Blogs/UGC
* BidZirk v. Smith, No. 06-1487 (4th Cir. March 6, 2007). The Fourth Circuit, in a non-substantive opinion, denied a company's request for an injunction against a griping blogger's use of its trademarks. My initial write-up of the case. With this loss, the plaintiff's ill-advised decision to appeal the case is now even more clearly a complete waste of the plaintiff's money and our judicial resources.
* Chapman v. Merchandise Mart Properties, 2007 WL 922258 (D. Vt. Mar. 23, 2007). Woman tries to get TRO against physical-space trade show based on trademark interests in the term "GreenStyle," which is her blog’s title. The court rejects the request, but interestingly doesn't seem fazed by the argument that she may have a trademark interest generated from her blog name. Blog names can be trademarkable with sufficient use in commerce, a factor the court ignored completely.
* Sifry: "70 million weblogs. About 120,000 new weblogs each day, or...1.4 new blogs every second."
* A nice retrospective on the history of blogging.
* Wikipedia is requiring some credentialing after getting burned by a pseudonymous contributor who falsely claimed he was a professor.
* Ed Felten has some terrific observations about building distributed reputation systems like Digg (and, for that matter, Epinions). Ed is 100% correct that reputation systems need substantial stabilization; they don't just work deus ex machina.
Contracts
* Dorr v. Yahoo, No 3:07-cv-01428-MJJ (N.D. Cal. complaint filed March 7, 2007). Yahoo offered a premium subscription service allowing users to send email without Yahoo's ads attached. Then, allegedly, they changed the service's terms, and some of the paying customers were unilaterally bumped to a tier where Yahoo's ads were again attached to their email. Steve Bryant has more. In general, if people pay to eliminate ads, during that period of time, Yahoo should not be able to unilaterally amend the terms so that the user is paying but still getting ads.
* Ken Adams blogs on Affinity Internet, Inc. v. Consolidated Credit Counseling Services, Inc., 920 So. 2d 1286 (Fla. Dist. Ct. App. 2006), where the court held that a contract clause saying "This contract is subject to all of SkyNetWEB's terms, conditions, user and acceptable use policies located at http://www.skynetweb.com/company/legal/legal.php" was insufficient to incorporate an arbitration clause contained in the referenced document. Ken's suggested fix: "The SkyNetWEB user agreement located at http://www.skynetweb.com/company/legal/legal.php constitutes part of this agreement."
Government Agencies
* The National Do Not Call Registry: Annual Report to Congress for FY 2006 Pursuant to the Do Not Call Implementation Act On Implementation of the National Do Not Call Registry (April 2007): "The Commission believes that the fundamental goal of the National Do Not Call Registry — to provide consumers with a simple, free, and effective means to limit unwanted telemarketing calls — has been realized." My curmudgeonly take on why the do-not-call registry isn’t great policy.
* Implementing the Children's Online Privacy Protection Act: A Federal Trade Commission Report to Congress (February 2007). The FTC remains pretty pleased with itself about COPPA, but it's worried about social networking sites and the continuing lack of age verification technology. I'm not as impressed with COPPA as the FTC is; see here and here. In any case, if you're doing COPPA research, this report helpfully recounts the 12 COPPA enforcement actions to date.
* Hard to believe, but payola busts are still being made. The latest: a $12.5M settlement. See the NYT and WaPo.
* Terrific post by the EFF’s Seth Schoen about a misguided report on P2P file sharing by the USPTO and the issues with empowering users to control their computers. A must-read.
Miscellaneous
* ACLU v. Gonzales, No. 98-559 (E.D. Pa. March 22, 2007). On remand from the Supreme Court, the court once again holds that the 1998 Child Online Protection Act is unconstitutional.
* CRS Report for Congress: An Overview of Recent U.S. Supreme Court Jurisprudence in Patent Law, March 16, 2007, discussing the last 8 Supreme Court patent cases.
* We've all heard about the magic of network effects. But as this Mercury News article explains, when an Internet start-up company's network takes root principally overseas, it can leave the company with a large audience of unmonetizable users.
* Jacob Loshin, Property in the Horizon: The Theory and Practice of Sign and Billboard Regulation, 30 Environs 101 (2006). A thoughtful discussion of the history of billboard regulation and some regulatory considerations.
* Coca-Cola's launch campaign for "Coke Zero" is premised on the idea that the executives of Coca-Cola want to sue the executives of Coke Zero (i.e., other executives within the same company) for "taste infringement" because the taste is so similar. Personally, I find commercials about faux lawsuits HILARIOUS. Ha ha ha. Except...if there isn't currently a cause of action for "taste infringement," with the expansion of IP rights, it may only be a matter of time... This turns the joke about how hard it would be to establish taste infringement on its head. Ironically, the commercial features Coke's actual lawyers. Yet more on this sorry story.
Posted by Eric at 09:14 AM | Content Regulation, Copyright, Domain Names, E-Commerce, Internet History, Licensing/Contracts, Marketing, Patents, Privacy/Security, Trademark
April 08, 2007
Oracle v. SAP Lawsuit Comments
By Eric Goldman
Oracle Corporation v. SAP AG, 3:07-cv-01658-EMC (N.D. Cal. complaint filed March 22, 2007)
I realize I'm a couple weeks late to this story, but it's too important/interesting a case not to address.
TomorrowNow (TN) is a company started by former Oracle employees. They offer maintenance services for Oracle software competitive with Oracle's standard maintenance program, but at much-reduced prices: Oracle charges 22%/yr while TN charges half that (11%/yr).
But how is TN able to undercut Oracle's pricing so drastically? One possibility is that Oracle charges supra-market rates due to the lock-in effects of tying maintenance services to software licenses. On that front, I'll note that back in the 1990s, my software vendor clients typically charged 15%/yr for maintenance--a substantially lower number than Oracle's breath-taking 22% figure. So perhaps TN is able to charge 11% as a modest start-up discount off the industry-standard 15%, and Oracle's been getting away with a great deal for a long time.
An alternative story, told by Oracle in its complaint, is that TN could undercut Oracle only by stealing. TN has a very thin development team compared to the Oracle behemoth, so Oracle might incur all of the development expenses necessary to provide maintenance services, and TN might just take those assets for free to engage in competitive free-riding. Specifically, Oracle alleges that TN gets switching Oracle customers to give TN their passwords to Oracle's website/database for its maintenance customers and then sends robots to download everything (manuals, patches, etc.) it can find, which then allows it to provide services comparable to Oracle’s.
Perhaps TN, even if it had engaged in such a scheme, would have been a nettlesome gnat as a standalone company, but it got scooped up by German software giant SAP, one of Oracle's main rivals. At this point, TN becomes problematic to Oracle in a variety of ways. TN is poaching some maintenance revenue outright, while it is putting price pressure on the maintenance business that Oracle retains. Further, Oracle customers who switch to TN have an easier path to migrate their overall software needs to archrival SAP.
Oracle has struck back in court with a tightly drafted complaint. Oracle claims that the scheme of getting former Oracle customer passwords and downloading lots of content from Oracle's maintenance database violates (among other things) the CFAA and Cal. Penal Code Sec. 502 and constitutes trespass to chattels and interference with prospective economic advantage. This is a well-pleaded complaint, in the sense that there are no obvious deficiencies with Oracle's pleadings. I don't love everything about Oracle's practices. For example, it makes no sense that Oracle made it possible for customers to root around the entire database for stuff, even if it didn't relate to the customer's software. Also, I would definitely have drafted and implemented the contracts differently than Oracle did. But these are quibbles; Oracle's contracts and practices are serviceable for this lawsuit's purposes.
Having said that, there are two obvious omissions from the alleged claims. First, Oracle didn't allege copyright infringement yet because it needed to get its copyright registration applications on file, so it expects to file an amended complaint. Second, Oracle didn't allege that the claimed misuse of switching customers constituted a 1201 circumvention. I'm not 100% sure why. It could be that this claim will be added along with the other copyright infringement claims, or it could be that Oracle is sufficiently deterred by the handful of cases holding that mere misuse of a legitimately issued password isn't a circumvention.
Also, it's noteworthy that Oracle didn't sue its switching customers for allegedly providing their passwords to TN, although it seems like at minimum Oracle would have breach of contract claims against them. I assume Oracle isn't suing customers because that's never good for business. Indeed, part of the lawsuit is about wooing customers; there is some hilarious and gratuitous marketing language in the complaint designed to impress Oracle customers and to rattle the confidence of customers thinking of switching to SAP.
Putting aside what's not in the complaint, if Oracle's complaint accurately states the facts, SAP could be in deep legal trouble. Of course, it's fairly typical for the plaintiff to draft a great complaint and the defendant then tells a very different story. As just one example, Oracle ties the downloads to TN via IP addresses; but IP addresses are spoofable, so it's theoretically possible that someone spoofed TN. So we have to wait until we hear both sides before we can make any rigorous assessments of merit.
Even so, I'm a little unnerved by the software industry analysts who have claimed this lawsuit is no big deal. Perhaps in the grand scheme of things, this lawsuit won't have a great deal of effect on the competitive position of SAP and Oracle. Sure, the lawsuit casts some doubt, in the minds of customers who are thinking of leaving Oracle for lower-cost options, that SAP/TN will be a long-term trustworthy vendor, but such doubt-sowing initiatives are fairly common in the bare-knuckle competition for enterprise database software. Plus, if SAP just cuts off TN altogether, presumably the overall effect on SAP and Oracle revenues will be comparatively modest.
But this lawsuit could be a Big Deal because the facts alleged by Oracle might support criminal prosecutions for CFAA, CA Penal Code 502, criminal copyright infringement and other crimes. It's not clear if the criminal prosecutors are going to get involved in this case or if Oracle even wants them to do so, but I suspect a number of SAP employees have procured their own personal attorneys. To the extent TN was a rogue operation operating without oversight or permission from SAP corporate, then again the financial impact may be small, even if the affected individuals might suffer severe consequences. But if TN wasn't a rogue operation, any criminal prosecutions could have major ripple effects throughout the entire SAP organization.
I think the Cadence v. Avant lawsuits are illustrative, especially given the many parallels. In that case, a bunch of former Cadence employees started up a competitive company, Avant. However, to get a jumpstart on the competition, the employees walked out the door with Cadence source code. Perhaps aided by this unfair head start, Avant had a very successful marketplace run, growing into a major public company with hundreds of millions of dollars of revenue. But after the civil and criminal prosecutions, Cadence got damage awards of hundreds of millions of dollars, multiple Avant employees went to jail, and Avant was effectively knocked out of the marketplace.
I need to reiterate that we don't know yet if Oracle's alleged facts are true, or if anyone committed a crime, or if any criminal prosecutions will ever be launched. However, I think it's too breezy for software industry analysts to brush this case off as a low-risk threat. If Oracle’s alleged facts are true, this isn't business-as-usual; instead, this would constitute illegal marketplace behavior, with potentially severe consequences for the business generally and the decision-makers individually.
I have additional edgy things to say about this case in this interview. Other resources:
* WSJ Law Blog
* BusinessWeek article pitching this lawsuit as just bare-knuckle competition between giants
* A collection of industry analysts' comments
Posted by Eric at 11:08 AM | Copyright, Internet History, Licensing/Contracts, Privacy/Security
March 01, 2007
February 2007 Quick Links
By Eric Goldman
* The California Highway Patrol (which, for reasons unclear to me, has investigatory power here) has concluded that the Angelides campaign did not break any laws when they reverse-guessed URLs on Schwarzenegger's website and found an unrestricted page with a video of the Gov wondering about Assemblywoman Bonnie Garcia's "hot" temperament because of her mixture of "black blood" and "Latino blood" and referring to Assembly Republicans as a "wild bunch." The CHP did recommend that Schwarzenegger's team tighten up their website security. Silly reminder: if you really want to keep information a secret, don't put it on a website without password protection.
UPDATE: Greg Haverkamp points me to this document, which explains that the CHP has enforcement power over Penal Code 502 violations involving state computers. Interesting. In my mind, I see Erik Estrada revving up his PowerBook to bust some baddies...
* Voda v. Cordis Corp., 2007 WL 269431 (Fed. Cir. Feb. 1, 2007). Patent owner can't litigate infringement of foreign patent rights in US court as part of supplemental jurisdiction over a US patent infringement claim. Patry's writeup.
* NYT on how YouTube indirectly motivates teens to deliberately do stupid things just for the opportunity to post them and perhaps get notoriety. I had a first-hand observation of this when I trolled through YouTube looking for a Listerine commercial that I might show in class while teaching a case involving Listerine. A search for the word "Listerine" in YouTube produces video after video of people doing stupid things with Listerine, like eating big stacks of their breath film or snorting the breath spray and then writhing in pain. Watching video after video of people repetitively doing stupid stunts, I felt like shouting to these people: "IF YOU'RE GOING TO DO SOMETHING STUPID ON YOUTUBE, AT LEAST BE ORIGINAL!"
* From Steve Bryant at eWeek: Shannon Stovall sues Yahoo for including her photo in Yahoo's welcome email, claiming Yahoo violated her rights of publicity/privacy to the tune of $10M compensatory damages and $10M punitive damages.
* Digg users may mark content they don't agree with as "spam." The most recent example is Danny Sullivan's post on SEO, which got Dugg and then was eliminated when anti-SEO Digg users flagged it as spam. If a website defers content grading to its users, it has to trust that they are reporting their feedback accurately. If they aren't, the whole user grading process breaks down. And speaking of breakdowns, there is an active secondary market for Digg votes--check out how Annalee Newitz bought front page placement on Digg for about $100.
* The always-colorful Chris Hoofnagle has released a new paper, "The Denialists' Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts." By his standards, I suspect I've dealt a full house with some of my rhetoric! Now, I wonder if he's going to create a complementary deck for bogus rhetorical tactics used by consumer protection "advocates"?
* From the EFF: "Debbie Foster, a single mom who was improperly sued by the RIAA back in 2004 for file sharing, has won back her attorneys' fees." Capitol Records v. Foster, No. 04-1569-W (W.D. Okla. Feb. 6, 2007). Unfortunately, that hasn't stopped the plaintiff from advancing nonsense arguments in the case, including the specious argument that a computer owner is automatically responsible if third parties use the computer to infringe copyrights. Fred at the EFF rightly debunks this argument.
* Wikipedia article: "Wikipedia is Failing." Your perspective about success or failure may be influenced by the impressive traffic gains that Wikipedia is experiencing--Wikipedia is now one of the top 10 most trafficked websites. Most of that traffic is coming from Google.
* Doe v. Josef Silney & Assoc., No 07-04167CA15 (Fla. Cir. Ct. complaint dated Feb. 13, 2007). Golfer Fuzzy Zoeller sues an alleged vandal of his Wikipedia page for defamation and related torts. Fortunately, he left Wikipedia out of the suit. However, he only knows the IP address of the person who modified the page, and that IP address is registered to the defendant. Is owning the IP address enough to establish liability? Or is this like an RIAA blunderbuss sue-first, ask-questions-later approach? It seems like the lawsuit should have been against a Doe, with a subpoena to find out who actually edited the page using that IP address.
* US v. Twombly, 2007 U.S. Dist. Lexis 12664 (S.D. Cal. Feb. 22, 2007). A spammer challenges some criminal provisions of CAN-SPAM as vague and overbroad, but the judge has no problems reading the statute to facilitate sending spammers to the slammer. Venkat's writeup.
* CDT groks (and mostly bashes) a variety of online kid-protection bills proposed in Congress.
* From the NYT: Nancy Pelosi posted some videos from C-SPAN to her blog. The Republicans immediately attack her for "pirating" the videos. Turns out that those videos were actually recorded by the government, so they are in the public domain. Whoops! The Republicans had to issue a mea culpa retraction. However, Nancy did grab a C-SPAN-owned video elsewhere which she had to take down. If our legislative leaders can't figure out what video they can recycle, how in the world can less-trained lay people do so? Patry has more.
* A bearish view on domain name speculation from CircleID. I share the sentiment that domain names don't matter, so domaining and typosquatting strike me as a short-term arbitrage opportunity that inevitably will be mooted by a variety of forces. Thus, the idea of paying 40 or 60 years worth of revenue for a domain name is laugh-out-loud funny to me.
* The Long Tail notes that some brands, trying to build a more esoteric image, try to hide their ownership by mainstream mass-market brands, a phenomenon he calls "brand dis-synergy." Examples: Dagoba Organic Chocolate, Joseph Schmidt, Cacao Reserve and Scharffen Berger chocolates (all owned by Hershey) and Converse (owned by Nike).
* Veritas busted for manufacturing revenues via round-tripping with AOL (Veritas bought AOL ads and AOL bought Veritas software; each at inflated prices).
* What does "or" mean? According to the 8th Circuit, it can mean "and." Ken Adams is on the case.
* Ricky Hoggard Holman, an 18-year-old high schooler in Sudbury, Canada, correctly blogged all 24 of the American Idol finalists. How? Online research, such as researching the MySpace pages of contestants and emailing their MySpace friends. He also talked to some of the booted final 40 contestants, a few of whom broke their punitive-laden confidentiality agreement to dish some dirt. Maybe he wasn't studying, but clearly he's learned a few things about the power of good old-fashioned research. (The article says he's a straight A student, so he clearly can balance many things). Nice job, Ricky!
Posted by Eric at 12:03 PM | Content Regulation, Copyright, Derivative Liability, Domain Names, Licensing/Contracts, Marketing, Patents, Privacy/Security, Publicity/Privacy Rights, Search Engines, Spam, Trademark
January 10, 2007
December 2006 Quick Links
By Eric Goldman
* JP Enterprises, Inc. v. HDVE, LLC, 1:06-cv-01046-REB-PAC (D. Colo.). In June 2006, JP Enterprises sued Yahoo for selling its trademarks for keyword-triggered ads. In December, JP Enterprises and Yahoo stipulated a dismissal of the case against Yahoo (the remaining defendants weren't affected), presumably based on a settlement.
* Domain name valuations continue to rise. The latest overvalued domain name? Vodka.com, selling for $3M. This totally perplexes me. Can you imagine what $3M of well-spent PPC advertising would do?
* Amidst the TLD proliferation, ICANN is thinking about retiring some TLDs, such as .su for the (extinct) Soviet Union.
* According to ClickTales, "76% of the page-views with a scroll-bar, were scrolled to some extent[, and] 22% of the page-views with a scroll-bar, were scrolled all the way to the bottom." From a legal standpoint, currently we assume that content “below the fold” usually is legally irrelevant. However, if users routinely scroll down on pages, this may require rethinking.
* Forbes' special report: "Books." Especially interesting stories:
- The Secret Life Of An Online Book Reviewer
- Cory Doctorow, Giving It Away
- Stop Worrying About Copyrights
- Publish And Perish (about picking storage media to archive human knowledge)
- The Networked Book (about using blogs as a complement to the book authoring process)
* How about this manipulative practice? Yelp, the local consumer review guide, pays "marketing assistants" to leave positive comments for review authors to "help make Yelp appear to be a vibrant and outgoing community in hopes that it will actually become one." As the BusinessWeek article says, "Some reviewers may be turned off by the notion that an ostensibly disinterested fellow user is getting paid to compliment their writing." Ya think? Hiring professional back-patters crosses my line.
UPDATE: I got the following email from Jeremy Stoppelman, founder of Yelp:
The Businessweek article is misleading so I can understand how you got that impression. Our system breaks down as follows:
Community Managers - responsible for local marketing & pr, organizing yelp events (offline) and for welcoming people to the site. People who are active in the community generally know this person (and that they are an employee) since they are organizing local events and emailing users all the time.
Marketing Assistants - the first people in a new market (that has little-to-no community), they are paid to update our crappy yellow pages data and write some of the first reviews (e.g. make the site not empty). We initially suggested they get active (post on talk, compliment if someone shows up), but turned away from that quickly (for the same concerns you raised).
The only critique left is that these people aren't badged and I totally understand this issue (minor, but real). Therefore we decided before Christmas break we should badge all our marketing & community staff. This change should be out later tonight.
* The magazine Nature has ended its experiment with an open peer review process. Why? According to the AP, "The journal concluded that many researchers were either too busy or had no real incentive in evaluating their colleagues' work publicly. In addition, none of the editors found the posted comments influenced their decision whether a paper gets published." No point in manufacturing metadata if it's not going to change the decision anyway! But this raises a related question--what incentives are needed to produce useful metadata?
* As written up in the NYT, Sao Paulo has outlawed a wide variety of outdoor advertising, including billboards, leaflets, advertising on the sides of buses/taxis, and via airplanes and blimps, and has promulgated strict rules on commercial signage. This is a radical experiment in the effort to reduce visual clutter by squelching the availability of a major class of advertising. But Chris Hoofnagle (who pointed out the article to me) wonders, where are these ad dollars going to go? Presumably they will be redirected into different ad media, with uncertain consequences. For more on the effect of regulation in one advertising medium on advertising in other media, see my Coasean Analysis of Marketing article.
* In response to the Google/China flap, the State Department in February 2006 established the Global Internet Freedom Task Force (GIFT). On December 20, the GIFT issued a press statement outlining its "GIFT Strategy" consisting of 3 principal points:
- MONITORING Internet freedom in countries around the world
- RESPONDING to challenges to Internet freedom.
- ADVANCING Internet freedom by expanding access to the Internet.
I wonder if this effort will moot the need for the Global Online Freedom Act?
* BusinessWeek article on domain tasting (with the wildly hyperbolic title "The Great Internet Brand Rip-Off"--an editor ran amok!). Domain tasting always has struck me as a silly issue. Of course if you offer marketers a way to get exposure to consumers for free, some of them will abuse it! But I just have to believe that the legitimate utility of the 5 day refund period is low, if not zero. So the refund period should be killed, and consumers who make a typographical error when registering domain names should be SOL (much like it's almost impossible to fix an error if a consumer buys the wrong non-refundable airline tickets).
* Rick Skrenta: "RIP DMOZ: 1998-2006."
* AP Story updating the Steinbuch v. Cutler case. The case is in discovery now, and there's no sign that it will avoid a trial.
* Tom Smedinghoff wrote an excellent recap of last year's developments in the field of information security law: Where We're Headed — New Developments and Trends in the Law of Information Security.
* In December, Shuman (Google's click fraud czar) reportedly said that Google's click fraud rates were less than 2%, but then Google backpedaled and obfuscated about what Shuman had really said. In yet another terrific post, Danny sorts through the mess and tells us what we know and don't know about click fraud rates. Read the whole thing.
* Jeffrey Rohrs is one of the people I trust for expert opinions. I don't agree with his plaintiff-side orientation, but I respect his perspectives. He's written an analysis of the click fraud issue that he calls the Sausage Manifesto. A recap of Google's responses to the manifesto.
* Jennifer Granick predicts that EULAs and the law of mass surveillance will be the hot legal issues of 2007. Both seem good bets; I'd add to that list that this year we'll spend a lot of time irresolutely chasing our tail on the net neutrality issue.
Posted by Eric at 10:00 AM | Domain Names, General, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Trademark
December 22, 2006
Top Cyberlaw Developments for 2006 – Part 2
By John Ottaviani
(Eric Goldman is away until the New Year. He left me the keys to the blog. I warned him that this may be like leaving the teenagers the keys to the house when the parents go away for the weekend!)
As Eric pointed out, our “Top Ten Cyberlaw Developments for 2006” list left out several notable developments. Here are a few more that were “near misses” for the list. In no particular order of importance:
· Electronic Voting – There was a lot of buzz about electronic voting and the perceived failures of the various systems. Given the proliferation of machine-human interfaces that we encounter on a daily basis, it is difficult to comprehend why problems continue to plague this industry.
· Apple v. Does – A California state appeals court held that online journalists had the same right to protect the confidentiality of their sources as offline reporters do under California’s reporters’ shield law. This result is not surprising, but it appears to be the first formal confirmation that courts would apply the same rules to traditional and online reporters. In addition, the court ruled that the federal Stored Communications Act does not permit a civil subpoena of stored e-mail from a service provider, only direct subpoenas from the account holders.
· Snow v. DirecTV – In June, the 11th Circuit held that, in order to be protected by the Stored Communications Act, an Internet website must be configured in some way as to limit ready access by the general public. An anti-DirecTV activist had created a public bulletin board, with a banner containing purported terms of service forbidding DirecTV representatives from entering the site or using its message board. However, the site was configured such that anyone in the public (including the DirecTV representatives) could enter the site, create a profile and use the message board. The court recognized Congress’s intent not to criminalize or create civil liability for acts of individuals who “intercept” or “access” communications or websites that otherwise readily are accessible by the general public. The court suggested that even a statement in the complaint that a plaintiff screens the registrants before granting access may have been sufficient to infer that the site was not configured to be readily accessible to the general public. However, in the absence of any such statements, the court granted DirecTV’s motion to dismiss for failure to state a claim. As a result, website operators who want to take advantage of the provisions of the Stored Communications Act must take some affirmative actions to be able to demonstrate that the website was not configured to be readily accessible to the general public. Relying on those who are not the website’s intended users to voluntarily excuse themselves will not be sufficient.
· eBay v. MercExchange – In May, the U.S. Supreme Court ruled that, once a patent is found valid and infringed, an injunction does not automatically have to be issued. Trial judges are free to weigh competing factors, including the effect of enforcing a patent on the public interest, as the trial judges do in other injunction proceedings. The case revolved around eBay’s “buy it now” feature, which allows customers to purchase items without participating in an auction. In 2003, a jury found that this feature infringed on two of MercExchange’s patents. The Supreme Court’s decision requires the patent owners show “irreparable injury” resulting from defendant’s infringement in order to receive injunctive relief. While this standard should be relatively straightforward for patent owners who practice their technology, the decision may lessen the ability of patent owners who don’t practice their inventions to obtain an injunction (or threaten to obtain one as a negotiating tool).
If anyone else has any Cyberlaw developments that they feel should be on the “Top Ten” list, please feel free to let us know!
Our list of “Top Cyberspace Intellectual Property Cases” for 2006 will be available in January.
Posted by John Ottaviani at 12:18 PM | E-Commerce, Patents, Privacy/Security
November 29, 2006
Nov. 2006 Quick Links
By Eric Goldman
My monthly roundup of noteworthy tidbits:
* Yesmail, an email outsource vendor, was busted by the FTC under CAN-SPAM for failing to honor opt-out requests because Yesmail's incoming email filters blocked those opt-out requests as spam. This strikes me as a particularly messy technological dilemma--even email outsource vendors need spam filters, but if those filters nab opt-out requests, the FTC isn't showing any sympathy. So it looks like email outsource vendors will need to use less vigilant spam filters or find some way to direct opt-out requests to a non-filtered email server.
* Best Western Int'l Inc. v. Doe, No. 06-1537 (D. Ariz. Oct. 24, 2006): griper defeats trademark infringement and dilution claims due to the lack of "use in commerce in connection with goods or services." (HT: BNA's E-Commerce and Tech Law Blog).
* Simmons v. Florida, SC04-2375 (Fla. Sup. Ct. Nov. 16, 2006). Very troubling ruling from Florida upholding the criminal conviction of a defendant for disseminating harmful-to-minors material online. First, breaking with an unbroken string of cases dating back to 1996, it upholds the state law prohibiting the dissemination of harmful-to-minors materials over the Internet against a Constitutional challenge. In the past, these laws uniformly have been struck down under the First Amendment or the Dormant Commerce Clause (or both). Second, the statute applies only to email, but it was used to bust someone communicating via instant message. These types of technology-specific statutes create odd silos that produce too much ambiguity. Declan's writeup.
* McDonald's is seeking a patent on using a "sandwich delivery tool" to deliver filling (like ham) to a "bread component." This could be the greatest thing since sliced bread!
* From Greg Linden's blog: Google surveys its users and they say they want more results per page. So Google tests a search results page with 30 results/page. The result? A 20% drop in traffic! Note that a 10-result page takes 0.4 seconds to load, while a 30-result page takes 0.9 seconds, so the working theory is that an extra 0.5 second latency deterred a lot of searching. This may give a little insight into why Google is fighting so hard on net neutrality. If Google does get relegated to a slow lane, it may lose lots of searches.
* A band called Bones registers a MySpace account at http://www.myspace.com/bones and, over the course of 2 years, accrues 2,100 friends. Fox, the owner of MySpace, decides that it would prefer to have that URL for its TV show Bones, so it boots the band and puts up a page for the TV show. Can Fox do this legally? It all depends on the contract (but I'm skeptical that the contract was this broad). For some background on taking virtual assets, see my prior discussion on the sex.com litigation and account ownership in virtual worlds. In any case, Fox relented and gave the URL back to the band. But this is a good reminder that, if you care about your web presence, don't build up goodwill in a URL controlled by someone else.
* FTC busts Guidance Software for inadequate security. According to Internet News: Guidance's privacy policy said it "takes every precaution to protect our users' information," "your information is protected both online and offline" and it protected data "with the best encryption software in the industry – SSL." Yet, Guidance suffered a security breach that resulted in the leak of 4,000 credit card numbers; and the breach wasn't detected for 3 months. I'm not entirely sure what to make of this--was this enforcement action based solely on overstatements in the privacy policy, or was it based on poor security practices regardless of the privacy policy? My vote is that it's the latter based on the BJ's Wholesale Club precedent.
* A consumer group filed a complaint against Zillow for doing a lousy job of providing valuation estimates. While Zillow's estimates may be poor, this complaint raises some troubling concerns about the liability associated with any web-based price estimate service. Could developments in this matter affect Google's PageRank as a valuation of the worth of web pages?
* Ted Leonsis, vice chair of AOL, didn't like the search results when he vanity searched. So he vowed to improve his Google profile, launching a high volume blog that helped drive preferable results to the top of the list. My advice to Ted: enjoy the favorable placement while it lasts; you're only one Googlebomb away from disappointment.
* We are generally conditioned to think that every searcher gets the same search results for the same search. This model is progressively breaking down due to personalized search and other innovations. A catalog of reasons why search results vary for searchers. I eagerly await the time when courts recognize this fact when dealing with search engine cases!
* A DoubleClick study claims that 30% of consumers admitted that they sometimes click on banner ads, but 61% of consumers said that at least sometimes they made a mental note of the advertisers and followed up with them later. If true, this means that banner ads generate a lot more value than is measured by clicks alone. However, I wonder if this result should be chalked up to the "talk is cheap" category?
* It's like a well-worn joke: if you'll believe that, I've got a bridge to sell you. But no joke: they may be selling the Golden Gate Bridge--well, at least, corporate sponsorships for it. Of course, the bridge is so iconic that a brand owner could get significant goodwill from being associated with it. On the other hand, it's the world's leading suicide destination; not exactly the best corporate tie-in for many brands.
* According to one anti-spam vendor, "9 out of 10 emails now spam." At this rate, pretty soon it will be 11 out of 10 emails.
Posted by Eric at 11:47 AM | Content Regulation, Marketing, Patents, Privacy/Security, Search Engines, Spam, Trademark
November 28, 2006
Google Personalized Search, 1 Year Later
By Eric Goldman
Exactly 1 year ago, I started using Google Personalized Search. Since then, Google Personalized Search has recorded 6,700 searches of mine--an average of over 18 searches a day, every day (including weekends and vacations), or over 1 Google search every waking hour. My highest daily total was at least 89 searches.
Clearly, from these 6,700 data points, Google should know a lot about me. Yet, I would rank the benefits of Google Personalized Search as low. In some cases, Google prioritizes specific search results that I've selected before (and tells me how many times I've selected that link), so it can help me find something when I'm revisiting a past search. Otherwise, I can't say that I've noticed any discernible benefits from their personalized search tool.
My suspicion of low efficacy is reinforced by Google's inability to make good inferences about me. In Google Trends, it shows me what it describes as the "top gaining queries related to your searches"--presumably, these are the search terms it thinks are associated with the search terms I've used. The top 10 today:
1. prime outlets
2. ucla taser
3. great mall
4. rhodes scholars
5. tofurky
6. tofurkey
7. marie calendars
8. dundee wisconsin
9. bakers square
10. odot
#5 and 6 surely must relate to my vegetarian-related searches, so this isn't too bad. #2 may somehow reflect my association with UCLA (good), but UCLA taser? (huh?) #1 and #3 are big outlet malls in the Bay Area, so they are geographically relevant and perhaps seasonally topical due to the holiday shopping season (although I haven't really been shopping this season). #7 and #9 are a little bizarre for a vegetarian--I'm sure I've done restaurant searches, but not for chains like this! I have no idea what triggered #8 or #10. So, on balance, it doesn't appear like Google is making very smart inferences about me based on the 6,700 searches I've provided it. For more on this point, see Greg Linden's similar comments on Google's recommendation engine explaining that Google is relying too heavily on geolocation instead of other personalization attributes.
One more interesting piece of data: Google Trends captures the times of my search, which visually illustrates my work habits. Unfortunately, the histogram is distorted by my move from Milwaukee to California mid-year; my Milwaukee activity was 2 hours ahead of this data.
As you can see from this diagram, I generally get into the office between 9-10 am and then work at a constant rate for a few hours. Then, in the late afternoon, I really hit my stride, spiking at 3 pm--which was really 5 pm when I was in Milwaukee. In other words, my real work day begins about 5 pm. Then, there's a drop-off around 7 pm (5 pm on this chart when I was in Milwaukee), which is when I go home, and then a mini-resurgence between 9-11 after the kids are in bed.
At minimum, this data shows why I'll never be a great 9-5er. The 5-7 period is among my most efficient work periods. When I first became a professor, I tried to come home at 5 pm regularly for a couple of weeks and I felt like I never got anything done. This chart partially explains why.
Despite this fun with graphics, I'm disappointed with Google Personalized Search. I will keep using it because it provides me limited benefits at no additional effort, but it's not really doing anything to increase my loyalty to Google.
One last point: I know some of you would interpret my experience as a good reason NOT to use personalized search because of the privacy risks associated with Google's aggregation of search results. I do worry about that, a tiny bit, in that I'm sure people would draw bizarre and potentially adverse inferences if they were to parse through my 6,700 searches. But I've made the deliberate choice that I'm not too worried about that risk personally--although I'm not going to publicize my search terms, I'm comfortable enough with their limited privacy protection in Google's hands.
Posted by Eric at 03:46 PM | Privacy/Security , Search Engines | Comments (1) | TrackBack
October 18, 2006
Acxiom Not Liable for Security Breach--Bell v. Acxiom
By Eric Goldman
Bell v. Acxiom Corp., 4:06CV00485-WRW (E.D. Ark. Oct. 3, 2006)
Acxiom is a major data miner/data broker. As a result, they have lots of sensitive personal data stored on their computers. Between 2001-2003, they suffered a major security breach when a bad actor (now in jail) extracted personal data and resold it to marketers. Bell brought a putative class action against Acxiom for this security breach that may have resulted in her data being resold.
Specifically, Bell alleged two injuries: (1) increased risk of receiving junk mail, and (2) increased risk of identity theft. However, she did not allege that she actually experienced either increased junk mail or identity theft. Thus, the court brushes the concerns about possible future risks aside, saying that both injuries were not sufficiently concrete to satisfy the "case or controversy" pleading standard. As a result, the court granted Acxiom's motion to dismiss.
This case reminds me of the In re JetBlue case, where the airline provided passenger records to the government in contravention of its articulated privacy policy. That lawsuit died because the plaintiff could not show any cognizable injury from the data transfer/privacy policy breach. In the Acxiom case, the lawsuit died because the plaintiffs couldn't plead a sufficiently tangible harm to clear the motion to dismiss standard. So it appears that some courts are demanding more from privacy plaintiffs than just their mere apprehension about privacy--a significant standard that could keep privacy lawsuits in check.
UPDATE: A very similar ruling rejecting a fear of increased risk of identity theft as an injury sufficient to support standing: Key v. DSW, Inc., 2:06-cv-00459-GLF-TPK (S.D. Ohio Sept. 27, 2006).
Posted by Eric at 07:12 PM | Privacy/Security | Comments (3) | TrackBack
October 11, 2006
Article on Regulating Marketing--A Coasean Analysis of Marketing
By Eric Goldman
Eric Goldman, A Coasean Analysis of Marketing, 2006 Wis. L. Rev. __ (forthcoming).
In 2001, I had a career-altering epiphany while I was working at Epinions (this is the topic that prompted me to consider becoming a full-time academic). Epinions was morphing from a content generation engine (generating consumer reviews of products and services) into a shopbot where a core value proposition was to refer users to vendors to consummate transactions. As we made this transition, I realized that we were really entering the attention broker business. We aggregated consumer attention, principally from search engine referrals, using copyrighted content (the consumer reviews) as marketing to capture consumer attention. We then redirected that attention to vendors for our economic benefit. To the extent we bought the consumer's attention (say, through paid search listings), we were just in the attention arbitrage business (i.e., we wanted to sell the attention for more than we paid to buy it).
As a result, I realized that we competed against every other attention broker, including adware vendors (who were nascent in 2001), spammers, and every other marketing intermediary. But I couldn't resolve an underlying question--what gave us (or anyone) the right to broker a consumer's attention? Who "owned" attention, and when was it permissible to profit from someone else's attention?
It took me 5 years and 8 complete rewrites to complete my paper, A Coasean Analysis of Marketing, that answers these questions. This was one of the hardest things I've ever done professionally. It was truly a labor of love!
Part of my difficulty is that I ultimately realized that "attention" wasn't the real issue (and, in fact, it was distracting me). Instead, "attention brokering" is really a matching problem--marketers and consumers want to match with each other, but the matching process is costly. In particular, the key challenge is that consumers incur costs to express their preferences, a problem exacerbated by rising data glut.
Thus, the only sustainable solution allows consumers to express and manage their preferences at a near-zero cost. This will require a technological, not legal, solution, and the technology will look a lot like what we currently call adware and spyware. In turn, we may be doing ourselves a disservice if our efforts to regulate adware and spyware inhibit the development of technology that provides improved marketer-consumer matching in an information overload environment.
Certainly, many of these themes will be familiar to blog readers. However, this article ties together numerous threads that I've addressed on an ad hoc basis and, for the first time, lays out my vision comprehensively. Thus, I hope you'll take a look at it. I welcome your comments and thoughts.
Some discussion about the article from around the blogosphere:
* Peter Huang's comments
* Frank Pasquale's comments
* Conglomerate Junior Scholars Workshop comments (including responses to Peter's and Frank's comments)
* Daniel Solove's comments
The abstract:
Consumers claim to hate marketing - mostly, because they get too much unwanted marketing. In response, regulators develop medium-by-medium marketing suppression regulations. Unfortunately, these ad hoc solutions do little to satisfy consumers, and dynamic technologies and business practices quickly render them moot. Instead of continuing this cycle, there would be some benefit to developing a cross-media marketing regulatory scheme.
However, any holistic solution must be predicated on a clear rationale for regulating marketing. The most common justification is that marketing imposes a negative externality on consumers, but this argument ignores the private and social welfare created by marketing and can lead to cost overinternalization and marketing undersupply.
The Coase Theorem also suggests that social welfare improves by reducing the costs of matching marketers with interested consumers. To achieve this, consumers need a low cost but accurate mechanism to manifest their preferences. This Article shows that typical regulatory and marketplace solutions do not provide effective mechanisms.
Instead, marketer-consumer matchmaking will improve from technology that will automatically infer consumer preferences and use these inferences to filter incoming marketing and seek out wanted content. This technology is rapidly emerging, but regulation of surreptitious monitoring devices (like adware and spyware) may inadvertently block the development of this socially-beneficial technology. As a result, current regulatory overreactions to developing technology may counterproductively foreclose social welfare improvements.
Posted by Eric at 11:33 AM | Adware/Spyware , E-Commerce , Marketing , Privacy/Security , Search Engines , Spam | TrackBack
October 01, 2006
Sept. 2006 Quick Links
By Eric Goldman
Some stories that caught my eye in September:
* Digg users are gaming the Digg algorithm. Greg Linden's take. Naturally, Digg is fighting back by tweaking its algorithm to reduce the effect of gaming and preserve some editorial integrity to its results. Hmm...this sounds familiar. As I've argued, users inevitably will game algorithms, websites will tweak the algorithms, and the cycle will repeat infinitely. It is the Law of Algorithms. For a user revolt/algorithmic assault that I "enjoyed" first hand, see here.
* Rebecca blogs on "mocketing," the process where brand owners pay people to parody their brands, and its potential implications for trademark law.
* Starbucks emails employees a coupon for a free drink and encourages them to forward the email coupons on to friends and family. A few trillion emails later, Starbucks realizes that it made a horrible mistake and dishonors the coupons. Now, they're staring down a $114M class action lawsuit. See the coupon and more details here. Practice pointer for marketers: NEVER EVER encourage email recipients to forward the emails on to friends and families, especially if some benefit putatively will attach. It's a sure-fire way to become an instant urban legend, and some variation of these emails will still be making the forwarding rounds in the year 2525. Tsan offers some more practice pointers.
* BusinessWeek recaps the social science literature on how eBay sellers can maximize revenues. Recommendations based on the literature: set low starting prices; don't use reserves; use photos; don't flood the market; spell check; use hype; hold longer auctions; watch the auction's ending time; don't overcharge for shipping; and avoid negative feedback.
* About 1 of every 2 searches involves "pogo-sticking" (reviewing a search results page, investigating a search result and back-buttoning to the search results page). Yet more social science demonstrating the junkiness of the initial interest confusion doctrine--consumers have figured out how to investigate search results and back out if they are not relevant.
* In a default judgment, an Illinois judge ordered UK-based Spamhaus, one of the email blocklist maintainers, to pay e360 Insight LLC $11.7M in damages for blocklisting them and to post a note acknowledging that they aren't spammers. However, it remains unclear how e360 can enforce this ruling.
* Google lost a Google News copyright case in Belgium. For a critical view of this case, see Ross Dunn's take. Google's official statement.
* Lengthy NYT article on Marshall, TX, with the second-largest patent docket in the country. Why? Fast trials, plaintiff-favorable results (78% pro-plaintiff instead of a national average of 59%), and Texas-sized damages. More on Marshall as patent litigation capital available here.
* AOL has been sued for its release of search data. Danny's take. Two things: (1) I can't see the ECPA claim at all. A search request is a communication between party A (searcher) and party B (search engine). There's no ECPA violation when either A or B discloses the contents of that communication. However, I think search engines make their life harder when they make the factually unsupportable argument that they are just passive conduits between searchers and web publishers (see Field v. Google). (2) The complaint takes the position that AOL is continuing to disseminate the search data because it continues to display search results linking to the data. I think this argument has lost all credibility in the copyright arena; it seems equally bogus here.
* A three year old kid knows how to "buy it now."
* NYT on "orphan brands"/"dormant brands" and efforts to license and revive these brands.
* The US officially joined the Council of Europe (COE) Convention on Cybercrime. It becomes effective Jan. 1, 2007.
* My colleague Tyler Ochoa explains the fallacies of Huntington Beach's trademark claims for the phrase "Surf City USA."
Posted by Eric at 11:07 AM | E-Commerce , Marketing , Patents , Privacy/Security , Search Engines , Spam , Trademark | TrackBack
September 07, 2006
Xanga.com Busted for COPPA Violation
By Eric Goldman
The FTC announced today that Xanga.com had settled charges that it violated the Children's Online Privacy Protection Act (COPPA). The settlement includes, among other remedies, a payment of $1 million--by far the largest fine in a COPPA case to date.
Xanga.com's transgression can be easily summarized, as stated in the FTC's press release:
The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. ... The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.
Two practical observations:
1) Statements in EULAs/user agreements saying that users should not sign up if they are underage (or in the wrong geography, or whatever) are worthless from a risk management/legal compliance standpoint. The complaint also indicated that Xanga.com required users to check a box certifying that they were over 13. This might have been slightly more helpful, except when Xanga.com got conflicting data and didn't cross-check it against the certification.
2) Collecting birthdates is a well-known and paradigmatic way to violate COPPA. For years, I've been saying that one simple way to mitigate COPPA exposure is simply not to collect birthdates. (COPPA also covers sites that target kids 12 and under, so avoiding birthdates isn't a complete solution). Or, if birthdates are collected, simply refuse to register underage users. Here, according to the FTC, Xanga.com violated these well-known and basic approaches--1.7 million times!
FWIW, when COPPA became effective in 2000, Epinions had a field where users could self-report their age. We ran a script and found a few dozen users 12 and under. We promptly kicked those users off the site (they were ticked about being evicted--I told them to take it up with Congress and the FTC). We then disabled the ability of users to self-report their age.
Posted by Eric at 12:39 PM | Privacy/Security | Comments (2) | TrackBack
August 23, 2006
August 2006 Quick Links (Volume 2)
By Eric Goldman
Some more things that caught my eye in the past month (see Volume 1):
* Wikipedia's entry on trademarks that have become generic. "Google" isn't listed...yet—instead, it’s listed as a trademark “often used generically”. HT: Marty. My list of favorite generic terms: Aspirin, Baby Oil, Brassiere, Cellophane, Celluloid, cornflakes, Dry Ice, Escalator, granola, Kerosene, Lanolin, Light Beer, Linoleum, Milk of Magnesia, Murphy Bed, nylon, octane, raisin bran, Shredded Wheat, Thermos, trampoline, Yo-yo, zipper. I would update the Wikipedia entry myself if I thought that those changes would actually stick rather than being reverted by a Wikipedian exercising dominion over the page--a blog post coming on that issue soon.
* Greg Linden has some insightful thoughts about lawyers' role with start-ups that come from the voice of experience.
* Goofy article in the Washington Post romanticizing the sites enabled by AdSense and citing examples of people getting rich through AdSense. Two observations: (1) That's definitely not me! (2) Only a very quick mention of the splogs, typosquatting sites and junky content-free sites spawned by self-service AdSense programs.
* Fraudsters may have found the perfect technique to game eBay’s feedback. They use robots to build positive eBay reputations through a series of $0.01 buy-it-now transactions. If eBay’s feedback rating system becomes unreliable, what will happen to eBay? This seems like a bet-your-business issue for eBay.
* eBay isn't a "debt collector" under the Fair Debt Collection Practices Act, nor is eBay's feedback forum a "consumer report" under the Fair Credit Reporting Act. McCready v. eBay, Nos. 05-2450 and 05-3043 (7th Cir. July 10, 2006).
* "Nike: It's Not a Shoe, It's a Community." Another example of how a marketer has embraced its role as a content publisher.
* WSJ debate on search engines storing user data. Issues about the disposition of search engine data don’t seem to be going away any time soon! Big blog post coming on this topic shortly.
Posted by Eric at 08:50 AM | Privacy/Security , Search Engines , Trademark | TrackBack
July 28, 2006
Doe v. MySpace.com --- Continued
By John Ottaviani
I was finally able to read the complaint. It raises some very interesting issues concerning the obligations of website hosts and Internet service providers to institute and enforce appropriate security measures to decrease the likelihood of harm to users. These harms could occur on line (such as defamation), or in the physical world, as unfortunately occurred here.
The complaint names MySpace, Inc., News Corporation, the parent company of MySpace, Inc. and the man who allegedly committed the sexual assault on the 14-year-old girl.
From the complaint, we see that the predator initially contacted the plaintiff through MySpace.com, but then she gave him her cell phone number. It appears that subsequent communications were by cell phone, including the arrangements for an after-school meeting, during which she was sexually assaulted.
The complaint alleges causes of action against MySpace and its parent, News Corporation, for negligence, gross negligence, fraud, fraud by non-disclosure and negligent misrepresentation. The complaint also alleges assault and intentional infliction of emotional distress claims against the attacker.
The negligence claim is interesting because it raises what I believe is an issue of first impression: does MySpace.com have a duty to institute and enforce appropriate security measures and policies to withstand and substantially decrease the likelihood of danger and harm in the physical world that MySpace posed to the plaintiff? I have been debating this with David Fish, who feels that an Internet site that targets young children and (allegedly) knows of assault problems against these children, certainly has a duty to protect because there is a foreseeable risk of harm. I find it difficult to imagine that, given the enormous policy and economic repercussions for all Internet content providers, a court would impose such a duty, which would expose Internet content providers to liability for the wrongful acts of potentially millions of unknown bad people committed against millions of unknown potential victims. A similar claim was rejected in the early days of the Internet in Lunney v. Prodigy Services Company when the New York Court of Appeals held that there is “no justification” to impose a duty on ISPs to “employ a process for verification of the bona fides” of all applicants and any credit cards they offer so as to protect against defamatory acts. The Lunney case may serve as an analogous precedent. But remember, the complaint in the MySpace.com lawsuit was filed by a Texas plaintiff in a Texas state court, and Section 230 does not necessarily give a defendant the right to remove to a federal court, so MySpace may be in for a fight on this issue.
The negligence count further alleges that this breach of duty was the proximate cause of the sexual assault of the plaintiff. I have a hard time seeing proximate cause here, where the initial e-mail communications were followed up with cell phone conversations.
Eric and I differ as to whether or not MySpace will be able to successfully assert a Section 230 defense. The relevant portion of Section 230 states: “No provider or user of the interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Here, however, the plaintiff is alleging that she was injured as a result of actions of her attacker in the physical world, which were caused either by MySpace’s “failure to take action and to protect her” or MySpace’s “misrepresentations about the safety of its site.” None of the claims are based on information posted by the predator or any other third party. Eric still feels there is room for a Section 230 defense, however.
There may be enough muck in the complaint for some of the other causes of action to survive a Motion to Dismiss. MySpace may have better luck going straight to summary judgment.
Posted by John Ottaviani at 11:07 AM | Privacy/Security
June 27, 2006
June 2006 Quick Links
By Eric Goldman
I have had virtually no Internet access over the past 10 days due to my move and travels, so my Bloglines account was bulging with more than 1700 articles. Here's a quick look at some of the items that have caught my attention this month:
* The FTC announced its own data breach due to a stolen laptop. Hmm...is it just me, or is this incident dripping with irony?
* Microsoft appears to be in its "benevolent" dictator mode again. Last year I blogged about how Microsoft made the unilateral decision to wipe some "malicious" software off users' computers without user notice or consent. (If it makes you feel any better, AOL has done the same thing). Now, Microsoft is installing mandatory software that phones home and doesn't tell users it's phoning home. Most people would categorize the phone home capability as spyware, and I'll be interested to see how the undisclosed feature doesn't violate 18 USC 1030(a)(2)(C). Yet, as Andy Patrizio wonders, where's the outrage? The consumer protection lawsuits? Andy writes:
All manner of hell broke loose over the major phone companies reportedly cooperating with the National Security Agency over international phone calls, but the news that Microsoft is watching every single Windows XP PC has been met with deafening silence.
Suzi rounds up the situation.
[UPDATE: First lawsuit over WGA filed. I'm sure more are coming.]
* JP Enterprises v. Yahoo, No. 06-cv-01046-REB-PAC (D. Colo. amended complaint filed June 6, 2006). Complaint against Yahoo Dating and other dating sites for purchasing keywords of a competitor, LoveCity. I'm not optimistic about the plaintiff's chances here, given that it doesn't seem to understand the differences between metatags and keyword triggers. Also, note the irony that Yahoo is buying ads from competitor Google.
* The WSJ writes about the accuracy of recommendation engines. The article explains how consumers make some decisions based on brand perceptions rather than actual utility they derive from the product. As a result, recommendation engines do a better job serving consumer desires by watching consumer behavior rather than relying on self-reported consumer preferences.
This also raises interesting implications for the role of brands in the search process. Brands may help consumers find what they think they are looking for, but at the same time may interfere with utility maximization. To avoid this, one recommendation engine contemplated hiding brands from the consumers.
* Heidi Cohen states the obvious. (Well, she and I think it's obvious, but apparently most marketers still don't get it.) Marketers are in the content publishing business, so they need to think like publishers, not marketers. And, from a policy standpoint, this continues to reinforce the illusory line between marketing content and editorial content.
* Another shocker: Marketers pay-for-placement in editorial content in print publications.
* Michael Scott (from his new blog, Singularity) writes a fun article about the implications of three generations of cyberlawyers: the veteran "computer lawyers" from the 1980s (that includes him), the dot com boomers from the 1990s (which I belong to), and the post-dot com busters from the 2000s.
* More evidence of "banner blindness." As usual, consumers can organically adjust to annoying marketer tactics if legislators avoid jumping into the fray.
* Finally, an article on fake consumer reviews. This is hardly the first article on the topic, but interestingly it hints that some merchants may be outsourcing/offshoring the creation of fake reviews. Forget click fraud shops in India and gold farming in China; those are passe. Instead, here's a new possible tort for you plaintiffs' lawyers--review "fraud"?
Posted by Eric at 05:50 PM | Adware/Spyware , General , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Trademark
May 11, 2006
Quick Links May 2006
By Eric Goldman
My blogging queue has gotten too thick. Here are some items that caught my attention that I've been meaning to blog and simply haven't gotten to.
* I previously blogged about Chris Wilson, the website operator who allowed users to post pornography and was then prosecuted for distributing pornography under state law. I argued then that such prosecutions were immunized by 230. According to AP, in January, Chris pleaded no contest to 5 counts of possession of obscene material (this news report sounds garbled; the crime of possessing obscene material, without more, should be protected by Stanley v. Georgia). For this, in April, he was sentenced to 5 years probation.
* Deborah Wilcox has written an article about situations when trademark owners should NOT send a trademark cease-and-desist letter. Given how many trademark plaintiffs' lawyers mistakenly shoot first and ask questions later, this article raises an important but overlooked perspective.
* The blogosphere is doubling every six months. 4 million bloggers update their blogs at least weekly.
* Cedric reports that, in February, Google finally won an AdWords case in France.
* 310,000 consumers were affected by Lexis-Nexis' data breach. Lexis-Nexis offered them a free year of credit monitoring services. Only 6% took Lexis-Nexis up on the offer, a number that's similar to other such offers (Citibank only had a 4% signup rate). Bob Sullivan tries to figure out why. Among the theories:
- consumers discarded/ignored the notification as junk mail
- consumers were suspicious that the free offer wasn't going to be free in the end
- consumers are apathetic about privacy issues
I have my own speculation about this, but I think the time for relying on intuition is long past. Instead, I think further empirical research is critical before more legislatures robotically rubber-stamp existing legislation designed to remediate data breaches. I remain suspicious that these mandated solutions are doing nothing to help the problem, and may in fact be exacerbating the problems.
* Barton Beebe's slides from his presentation, US Contextual Advertising Law, at the Fordham International IP conference in April.
Posted by Eric at 09:03 AM | Adware/Spyware , Content Regulation , General , Privacy/Security , Search Engines , Trademark
March 23, 2006
NY Enforcement Actions for Reselling Emails in Breach of Privacy Policy
By Eric Goldman
Gratis Internet runs several websites that promise free stuff (like free iPods) in exchange for consumers signing up for subscription trials. The trials are initially free but then convert to paid subscriptions. The idea is that many consumers will either like the subscriptions or be duped into keeping the subscriptions against their will. For an example of how even very intelligent people can be trapped by these free trials, see my colleague Christine's story (and the update).
Along the way, Gratis made a variety of privacy promises to consumers. Of specific relevance here, Gratis promised that it would never resell the consumers' email addresses. However, as it turns out, Gratis allegedly may have done precisely that.
If so, this should be a fairly straightforward legal problem. The false privacy policy should constitute unfair/deceptive trade practices and false advertising, and both the government and consumers should have causes of action (although, see In re JetBlue about possible limits in the consumers' cause of action). In this case, Spitzer announced today that his office is going after Gratis for violation of New York's consumer protection laws. This makes sense.
More interesting to me is Spitzer's action against Datran Media, one of the buyers of email addresses from Gratis. Last week, Spitzer's office announced a settlement with Datran that included a $1.1 million check.
Note that Datran didn't breach the privacy policy directly; it allegedly purchased and used tainted email addresses. Ordinarily, there's no such thing as contributory contract breach, but we might think of this as analogous to receiving stolen property. Perhaps with the requisite level of Datran's scienter, they should in fact bear responsibility for buying and using "hot goods." If the scienter standard is high enough, then it's hard to quibble with the action.
But I think there's a more fundamental lesson to learn. This case reinforces that it's very hard to legitimately buy/sell email addresses. At minimum, I think buyers need to do thorough diligence of the email addresses' origins, and it's hard to find legitimate email addresses that were completely acquired without restriction on transfer or resale. Then, under CAN-SPAM, the email addresses have to be filtered out for any opt-outs that the buyer has received in the past. And then, it's hard to get bulk emails through the email service providers/IAPs, especially if the sender can't claim some type of relationship with or authorization from the recipients.
All told, I just don't understand how legitimate companies think that email addresses can be flipped like commodities. The practice may never have been legitimate, but I see it as a completely dead practice today.
UPDATE: Dan Solove weighs in on the case. I generally agree with Dan's analysis, except that I think we need to know more about Datran's scienter. This result is defensible only if the scienter level was high enough.
UPDATE 2: Chris Hoofnagle calls the case "one of the biggest cases for consumer privacy ever."
Posted by Eric at 01:31 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | Comments (3)
March 11, 2006
FTC Extends COPPA Without Changes...and New FTC RSS Feeds
By Eric Goldman
The FTC has extended the COPPA rule unchanged. Most significantly, the rule continues to preclude non-authenticated email as a way of obtaining parental consent.
I don't spend a lot of time thinking about COPPA any more. I teach my Cyberlaw class that they should advise clients to avoid being governed by COPPA at all costs. COPPA makes it expensive to provide online interactivity tools to kids; but by definition, kids don't have any online purchasing power. So it's hard to profit from providing robust online tools to kids.
Having said that, I am constantly surprised by the number of websites I see that should be COPPA-compliant but don't appear to make any effort to comply with it. I think the FTC could find plenty of targets if it decided to sweep for COPPA violations.
On a separate note: While checking out the FTC's website, I discovered that the FTC quietly has launched RSS feeds. Terrific news!
Posted by Eric at 02:29 PM | Privacy/Security | Comments (1)
March 06, 2006
Congress Is Lovin' the Internet...to Death?
By Eric Goldman
Congress has an unresolved love-hate attitude towards the Internet. Through the 1990s, Congress frequently said that the Internet should be left alone from a regulatory standpoint. Indeed, in some cases, Congress affirmatively deregulated the Internet; 47 USC 230 and the Internet Tax Freedom Act come to mind.
However, Congress is irresistibly drawn to Internet regulation. Every Congressional session, members of Congress propose literally hundreds of laws to regulate some aspect of the Internet. Obviously, not all of these laws pass, but the sheer volume is evidence of the seductive lure of Internet regulation. Congress just can’t control itself!
I was working through the piles on my desk yesterday and I came across three recently proposed laws that demonstrate this irresistibility. All three laws reflect legislative opportunism to capitalize on hot media issues; all three laws reflect a certain idealism for how markets should function; and all three laws would have radical (and possibly crippling) effects on the Internet.
1) Eliminate Warehousing of Consumer Internet Data Act of 2006, HR 4731 (Introduced Feb. 8 by Rep. Markey).
Rep. Markey promised this law in response to the DOJ-Google flap. The premise is simple enough: online companies should flush their databases of personal data so the DOJ can't abuse its power to get that data. This animating principle translates into the following operative provision:
"An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose, or there are no pending requests or orders for access to such information pursuant to a court order." The definition of personal information is suitably broad--first/last name qualify, as does an email address.
I don’t like this law’s expansive sweep. It would govern many seemingly-unimportant websites, such as my blogs (which allow users to submit both their first/last name and their email addresses). In some cases (like mine), I can’t flush personal data because it’s in the hands of my service providers.
Further, ironically this law doesn't even correct the DOJ-Google situation. First, the data requested by the DOJ wasn't personal data as defined by the law. Second, and more importantly, Google arguably has a legitimate business purpose to keep every scrap of data it ever lays its hands on (after all, how can you organize the world's information if you have to flush some of it down the drain?). Given that many businesses can claim a continuing benefit from keeping personal data, this law won't get that data flushed. Instead, I think it merely creates weird/unexpected technical headaches.
2) Internet Non-Discrimination Act of 2006, S. 2360 (Introduced March 2, 2006 by Sen. Wyden)
This law follows on the hot topic of net neutrality, or a “two-tier” Internet, which is also linked to AOL’s implementation of Goodmail’s certified email program. The law’s basic premise is simple: data transit vendors should not discriminate between bits—each bit should get processed equally. This gets codified in a list of restrictions about the products/services that a covered entity can (or can’t) offer.
I'm dubious about the theoretical underpinnings of this law, but for now my objection to the law is far more tactical. The law restricts the behavior of "network operators," which is anyone who "provides communications directly to a subscriber." I think the law was intended to govern the provision of Internet access/connectivity. But, as drafted, I think the law covers everyone who moves data from one point to another--this should include every website that provides user-to-user communication, including email service providers, instant message providers, blog providers, "email this page to a friend" providers, etc., etc. In other words, virtually the entire Internet.
This drafting error is, in theory, fixable. The law could just define the covered entities as Internet access providers more carefully. However, I don't think this is an easy fix. I think there are no clear distinctions between the various "layers" (content v. application v. transport); at least, the distinctions aren't definable statutorily.
Worse, it significantly restricts beneficial intermediary behavior, such as blocking incoming spam. The law acknowledges this consequence and says that the governed entities can block spam if the consumers are notified and have a chance to disable the application. So whereas AOL might kill almost all incoming spam at the server level, the law would take this choice out of AOL’s hands. I’m not sure what consequences result from that, but my heart tells me it’s expensive for AOL/the consumer and it could lead to weird and unexpected results.
In effect, this law would place most of the Internet under the oversight of an administrative agency (the FCC). The Internet has thrived without FCC oversight for a while now. I’m having a hard time believing that turning the Internet into a comprehensively-regulated industry would be a good thing.
3) Global Online Freedom Act of 2006, HR 4780 (Introduced Feb. 16, 2006 by Rep. Smith).
This law builds off the Google/Yahoo-China flap. It has various proposals designed to get China and other repressive countries to stop censoring Internet content.
Specifically, the law would create a new administrative agency called the "Office of Global Internet Freedom." This title alone is disconcerting; it sounds like something out of Orwell or Kafka. Indeed, like any good dystopian view of bureaucracy, the OGIF would free the Internet by telling its citizens what they can't do.
In this case, the OGIF would help generate a list of bad censorship-loving countries. On the initial list are China, Iran and Vietnam. All US search engines or content hosts cannot locate those functions in the bad countries. (Note that the definition of search engines or content hosts covers anyone who has a search tool on their website or permits users to generate content). Search engines also cannot change their filtering based on requests from bad countries. Content hosts also can't help "Internet jamming" and can't disclose personal data at the request of bad countries.
This law seems terribly misguided. It’s as if Rep. Smith thinks that Google is so amazing that countries will change their censorship laws just to get Google’s services. But we know better. Chinese entrepreneurs will have no problem providing competent yet censorable search services. I’m sorry to be the bearer of bad news, Rep. Smith, but embargoing Google isn’t going to bring down the current Chinese government.
Meanwhile, this law represents a dangerous step towards government regulation of search engine operations. I know that pro-regulation forces would love to have the chance to regulatorily inculcate their normative values into search engine algorithms; this law represents a first step along that path. However, I think there’s little chance that government fiat will improve search engine coverage or relevancy. Instead, I think there’s a much better chance that government intervention in search engine operations will degrade search engines’ usefulness to consumers.
Conclusion
Reading these 3 laws in succession, two 1980s songs came to mind. First, Congress “just can’t get enough” regulation of the Internet. However, "If you love somebody, set them free." We’ll see just how much Congress loves the Internet as it wrestles with these bills.
Posted by Eric at 06:39 PM | Content Regulation , Internet History , Privacy/Security , Search Engines | Comments (3)
March 03, 2006
NCSoft Sued in South Korea for ID Theft
By Eric Goldman
NCSoft has been sued in South Korea for allowing users to improperly register Lineage/Lineage 2 accounts under other people's official Korean ID numbers (I'm inferring this is similar to a social security number). More than 3,500 people have joined the class action so far, although the affected number is in the hundreds of thousands.
Based on this report, my understanding is that an organized crime ring stole a large number of Korean IDs from a third party shopping website, used those IDs to create Lineage accounts, used Chinese gold farmers to manufacture in-world wealth, and then converted that to physical-world wealth.
Assuming this is true, I don't immediately understand how NCSoft could be liable to the people whose IDs were stolen. It's not clear that NCSoft played any role in the initial ID theft, and so far the news reports indicate that the people whose IDs were stolen have not suffered any damage. If NCSoft had no role in the initial theft and the people whose IDs were stolen suffered no damages, I'm having a hard time seeing how this is NCSoft's problem. Certainly, in the US, I can't see how the plaintiffs in this situation could state a valid cause of action.
As a result, this lawsuit smells fishy. The organizers run a case auction service that matches victims with lawyers for all types of lawsuits. (From their website: "Case Auction is a bidding system of which clients find out lawyers to handle his/her case through the auction.") Could this lawsuit just be a traffic driver for the website?
Alternatively, lawyers just may be trying to capitalize on consumer outrage. I'm inferring from news reports that NCSoft collected the ID number unnecessarily and consumers are ticked about the security breach and its possible implications (even if no damages were caused here). If the analogy is that an online service provider collected social security numbers as part of their authentication process, I see why some people would want answers about the necessity of such data collection. This article recaps some of the controversy.
Thanks to Matt Goeden for pointing this out. More coverage at Terra Nova.
Posted by Eric at 01:14 PM | Derivative Liability , Privacy/Security , Virtual Worlds
February 15, 2006
Your License, Registration and DNA, Please?
Congress Passes, President Signs, Press ignores...
As broader nationwide DNA database becomes law, states rush to fill database with expanded collection laws of their own.
By Ethan Ackerman
The DNA Fingerprint Act of 2005, which I blogged about late last year, was signed by President Bush into law on January 5, 2006. The legislation expands federal DNA collection efforts to include some legal and illegal immigrants, and allows states to contribute DNA collected for any reason listed under state laws to the federal DNA database. The final language did not change since I first wrote about it. See also the summary here. Rather than rehashing the bill, this post will discuss (1) how the media missed this issue, (2) related state and international developments, (3) the large role individual states' policies will have on deciding just how 'invasive' this database is, and (4) some current 'DNA criminology' shortcomings that this bill may make even worse.
The Media Missed the Issue
While the initial legislative steps of the DNA Fingerprinting Act drew some attention, the media silence on its ultimate passage can be summed up in one phrase - 'buried in layers of legislation.' The DNA Fingerprinting Act was rolled into the 2005 Violence Against Women Act and 2005 DOJ Reauthorization Act, a 176 page mega-bill, which had the effect of obscuring its passage. It took several days for the press to even digest the DOJ bill's passage - its other provisions included Democrat-driven 'mail-order bride' protections and the extensively-blogged 'Cyberstalking prevention' provisions (and even that wasn’t covered in the press until a week later).
International & state developments
On the international scene, Ireland and Scotland, among others, are also expanding DNA collections. (Scotland has the unique wrinkle of being the only UK territory where evidence collected at arrest is held and destroyed if a conviction doesn't follow. Other UK regions already collect and retain DNA at the time of arrest; it is this higher threshold that is targeted for removal.) The UK DNA collection expansion is in tandem with its fingerprint collection expansion - UK police are also set to begin 'roadside' collection of fingerprints. Here again, the UK appears to be following the US lead, as several jurisdictions, notably Phoenix, AZ, are already collecting 'roadside' fingerprints, initially voluntarily but now under penalty of jail, for traffic violations. The UK appears to be out in front of the US, however, with 'in the field' DNA collection, with even bus and train drivers collecting DNA of suspects - in this case 'spitting passengers.'
At the state level, legislation expanding DNA collection to suspects is racing through legislatures - apparently regardless of the political party in control. The Democratic-controlled New Mexico House recently passed legislation authorizing collection from felony suspects. The Republican-controlled Kansas legislature is apparently ready to do the same. Indiana, where different parties control the two legislative chambers, is also several steps into the legislative process of passing a similar bill. Somewhat more liberal New York is running into difficulties over Republican Governor Pataki's version of expanded collection authority, which would apply to misdemeanors and felonies, but only after conviction. While the federal DNA bill allows states to collect DNA for any purpose, under any "applicable legal authority," states so far seem focused on expanding collection from just convicted felonies to felonies AND misdemeanors, and in many cases also to criminal suspects, for now.
The pressure for a state 'race to the bottom'
A notable aspect of the piecemeal expansions occurring at the state level is the "race to the bottom" between states that appears likely. States with heightened guilt or suspicion standards (such as 'felonies only' or 'after conviction, not just arrest' states) would benefit the least from their correlatively smaller databases. A database's utility increases exponentially, not just linearly, with the number of entries it contains. Pressed to obtain the maximum value from their systems, or even just a usefulness level comparable to states that collect more DNA, each state would feel a pressure to expand its database to match or exceed other states. Institutional, and often moneyed, motivators such as political platform-staking, a drive for increased governmental efficiency and pressures to lower crime also force states to compete in expanding these DNA databases. These concentrated pressures exert much more force than the diffuse pressures of individual desires for genetic privacy - a classic economic imbalance often seen in other policy-making scenarios.
States with laws already on the books
At the time the federal DNA Fingerprinting Act passed, Virginia, Louisiana, California, Florida and Texas already had laws requiring DNA collection at the time of arrest for some or all crimes. Yet almost all of these states also have had notable instances of erroneous forensic 'mis'matches, with wrongly convicted suspects serving time before their eventual release. In Virginia, a prisoner's life sentence was commuted and he received an eventual pardon after being exonerated by conflicting crime lab tests. In Louisiana, a man served 17 years before an eventual pardon. A minor was convicted of rape and served over four years before exoneration in Texas, and a prisoner served a 17-year term before it was overturned in Florida (search for Rudolf Holton on page), for example.
DNA Database Shortcomings
Just as with any other scientific endeavor, DNA screening is plagued by errors and fraud. What makes DNA screening different is that, unlike carbon-dating trees or replicating embryonic stem cells, fraudulent DNA evidence doesn't just cause media scandals but it is used to incarcerate or execute people.
Error
Like any other human endeavor, collecting, handling, and processing DNA evidence is an error-prone process. The same characteristic that makes DNA evidence so incredibly useful - an amazingly small fragment of as little as several human cells can be used to identify its genetic source - makes it incredibly prone to contamination. Stray chromosomes from a lab worker, housecat, other evidence sample or crime scene witnesses can be misattributed to a person, and this error can be multiplied by the chemical reaction that underlies modern DNA forensics. Worse, even if scientists get the chemistry right, their assistants and prosecutors still have to get the paperwork right and not mislabel or switch results or files.
Fraud
In many cases, a desire to cover up the errors discussed above apparently leads to false or misrepresented DNA results. In other cases, a lack of impartiality - the majority of official state and local crime labs are tied directly to the local police force - is the problem. For example, in Indiana (which is also contemplating an expansion of collections), allegations that prosecutors pressured crime lab workers to alter evidence have imploded the trial of an alleged murderer.
Showing just how far one crime lab employee's evidence-concealing can go, Michigan and Chicago have both investigated the alleged concealment of exonerating DNA evidence by a Chicago crime lab worker who subsequently went to work at the Michigan state crime lab. Chicago settled over $9 million in claims from the incident.
Similarly showing how far irregularities with DNA evidence can get, questionable testimony from a Virginia crime lab was a large part of the reason the US Supreme Court stayed execution (though ultimately declined cert.) on Robin Lovitt's Virginia death row petition in 2005. Lovitt's sentence was ultimately commuted as a result of the misrepresentations. Problems, however, are not limited to state labs. The US Army's lab, which operates roughly in parallel with the FBI's national lab as a crime and records lab for the US military, stands accused of evidence fraud as well.
DNA's mythical status as irrefutable evidence compounds these shortcomings
Criminal jurors, charged with deciding facts in a trial, tend to be irreversibly swayed by DNA evidence, rightly or wrongly. Call it the "CSI effect," but DNA evidence creates an irrefutable connection in the minds of most jurors. While this can be a two-edged sword when juries expect forensic evidence prosecutors just don't have, jury allegiance to DNA evidence tends to harm defendants it is introduced against much more than it exonerates them.
DNA's genetic nature means inclusion is 'inclusion by proxy' for all your relatives, and an 'open genetic book' about personal attributes and status.
DNA, like a fingerprint, is a useful personal identifier. Indeed, there is a scientific and mathematical basis for the uniqueness and correlation of an individual to his or her DNA that is largely absent for fingerprints. DNA, however, is much more than just an individualized identifier. Much like a family tree, bank statement, dental impression or medical history file may serve to identify an individual, these records (like DNA) also contain much personal information unrelated to authenticating a person’s identity. DNA may reveal private information such as legitimacy at birth or the presence of a gender-change operation or marrow transplant. Some research suggests there are also reliable genetic markers for such traits as aggression, substance addiction, criminal tendencies and sexual orientation.
*title with apologies to James F. Van Orden, who authored an excellent, and slightly variant-titled article I discovered after writing this post.
Posted by Ethan Ackerman at 10:12 AM | Privacy/Security , Publicity/Privacy Rights
January 24, 2006
DOJ Fishes for Search Records, and Google Fights Back--Gonzales v. Google
By Eric Goldman
Gonzales v. Google, Inc., No. 5:06-mc-80006-JW (N.D. Cal. motion to compel filed Jan. 18, 2006)
This event is a collateral consequence of Congress’ obsessive and relentless campaign against Internet pornography. In Summer 2004, the US Supreme Court upheld a preliminary injunction of the 1998 Child Online Protection Act (COPA) and remanded the case for trial. In preparing its defense of the law, the DOJ sought to prove that COPA would be more effective at blocking children’s access to harmful-to-minor materials than technological filtering.
But how could the DOJ get supporting data? Well, no one knows more about the comings-and-goings of Netizens than search engines. If only the DOJ could get its hands on their server logs….
So the DOJ sent a subpoena to several search engines. In Google’s case, the DOJ initially asked for:
• “All URL’s that are available to be located through a query on your company’s search engine as of July 31, 2005”
• “All queries that have been entered on your company’s search engine between June 1, 2005 and July 31, 2005, inclusive”
Google resisted this request, and after some discussions, the DOJ scaled back its requests to ask for:
• “a multi-stage random sample of one million URL’s from Google’s database, i.e., a random sample of the various databases in which those URL’s are stored, and a random sample of the URL’s held within those databases.”
• “the text of each search string entered onto Google’s search engine over a one-week period (absent any information identifying the person who entered such query)”
Google is still resisting this amended request, so the DOJ has asked a federal district court to compel Google to comply with the DOJ’s request.
From my perspective, there are five essential points to take away from this event:
1) This is a Big Deal. This is not the usual Cyberlaw flare-up that has a short shelf life (see, e.g., AutoLink). Instead, I think this will become a classic Cyberlaw moment we’ll be discussing for years. It’s got all the right indicia--hubris, privacy and porn. Regardless of how the courts rule on the DOJ’s request, I think this event will have lasting effects. This is a Big Deal.
2) The DOJ’s Initial Request Was Way Out-of-Bounds. The DOJ’s initial request was jaw-droppingly broad. How could the DOJ ask for so much? And how could some search engines give it to them without a fight?
I think the DOJ’s initial request is very typical of government investigative requests. I’ve been on the receiving end of a few such requests myself. In my experience, government investigators typically make broad initial requests because such requests are costless to the government. If the government does not bear the costs of producing the data, then it’s rational for government investigators to ask for any data that might have any possible benefit to them. (This is like a negative externality—the government overconsumes data because it doesn’t bear the true social costs of its production).
In my experience, however, government investigators will craft a more tailored request when someone resists the initial overbroad request. Basically, the resistance raises the government investigator’s cost, so often the investigator’s path of least resistance is to submit a narrower request reflecting exactly what the investigator really needs.
However, recipients of government investigative requests rarely push back, for entirely logical reasons. Principally, recipients do not want to become the investigator’s next target. Government investigators can make someone’s life very miserable, so annoying them has a non-trivial risk of inviting suspicion or even outright retaliation.
Or, in Microsoft’s case, recall that the DOJ enforces Microsoft’s consent decree. Microsoft may have been legitimately concerned that resisting the DOJ’s request could have adverse consequences for the DOJ’s assessment of Microsoft’s compliance with the consent decree. If I work at Microsoft and the DOJ wants some data, I’m going to give it to the DOJ with a smile on my face—no questions asked. (MSN claims that they did push back a little).
One more consideration to explain why other search engines complied with the DOJ’s initial request without much fuss. I don’t have empirical evidence to back this up, but I suspect that large search engines like Google, Yahoo and Microsoft get dozens or even hundreds of government investigative requests a month—most or all of which the search engines dutifully fulfill. This DOJ request was just yet another government request—perhaps a little broader than normal, but not that different from the dozens or hundreds of recent requests the search engines had complied with.
3) Our Government is the Biggest Threat to Our Internet Privacy. Concerns about search engines and privacy are hardly new (this is an evergreen topic for this blog; see here and here). Not surprisingly, some privacy advocates are opportunistically using this event to complain yet again that we shouldn’t trust Google (see, e.g., Leslie Walker's Washington Post story and Rep. Markey's ill-conceived and opportunistic legislative proposal). This is a completely misdirected concern, especially in this case. We have no new or additional reasons to fear Google’s misuse of data about us. But, as this event points out, we have every reason to fear our government’s rapacious desire for information about its citizens.
Though we try to ignore it, deep down we know that our government is the biggest data slut around (it’s not even close). Consider some news from the last few months: Bush’s administration is engaged in domestic surveillance, the NSA and other agencies illegally use tracking cookies and even members of Congress breach their own voluntarily-adopted privacy policies. We don’t need tighter restrictions on search engines’ data management practices. Instead, we desperately need MUCH tighter restrictions on government data requests.
4) This Event May Backfire on the DOJ. The DOJ picked the wrong company to challenge publicly. I know that public attitudes towards Google are volatile (many of us have a love/hate relationship with Google). Despite that, Google has a great brand, and many people remain very passionate about Google. Go ahead, DOJ, mess with Yahoo or MSN or even Amazon and you won’t hear much public uproar. But targeting Google…well, that’s a fight that has a high risk of losing both the fight and popular support.
As a result, I expect that the DOJ will get unwanted public scrutiny about the propriety of its data requests. If the DOJ can’t convincingly defend its request, the DOJ’s gluttony could instigate public support for efforts to restrict government data-collection activities. Normally, in light of the USA Patriot Act and prevailing anti-terrorism/anti-porn rhetoric, such a suggestion would be laughable. But the DOJ picked on Google, one of the most cherished companies of our time. Bad move.
5) Google’s Motive May Not Be Entirely Pro-Consumer. Sure, Google’s resistance to the DOJ gives Google a chance to redeem its privacy standing after Gmail. However, I suspect Google’s principal motivations may have little to do with consumer privacy. Even as amended, the DOJ’s request would take valuable engineering time and would potentially expose some Google trade secrets to competitors or black-hat SEOs. We can laud Google for its pro-privacy stance all we want, but if the DOJ’s request required zero engineering time and did not expose any Google trade secrets, I’m convinced that Google would have quietly fulfilled the DOJ’s request a long time ago.
There's been a lot of commentary on this event, and I won't try to recap it here. However, a few pages I recommend:
* Danny Sullivan's level-headed and insightful post
* Dan Solove's insightful commentary on the applicable law that governs government's requests to third parties for data
UPDATE: As predicted, Sen. Leahy is asking the DOJ to explain what they are doing and why.
UPDATE 2: Google's response to the government's motion.
Posted by Eric at 12:34 PM | Privacy/Security , Search Engines | Comments (1)
January 20, 2006
Anti-Marketing Laws and the Commercial Speech Doctrine
By Eric Goldman
Prompted by the Supreme Court's denial of cert in the White Buffalo case, Chris Hoofnagle of EPIC posted a nice rundown of some recent cases where anti-marketing laws survived a First Amendment challenge. He calls the 1999 US West case (which struck down an FCC rule limiting resale of customer records) the "high water mark" of the argument that First Amendment rights trump "privacy" laws. [Chris' characterization of the laws as "privacy" laws confused me; all of the laws were intended to restrict marketing in some fashion.]
He then makes his case by discussing a number of opinions from the last 5 years where anti-marketing laws survived a First Amendment challenge. Chris concludes: "In light of the number of cases where privacy law has trumped commercial free speech, shouldn't we consider U.S. West to be an anomaly?"
Descriptively, I think Chris' characterization is generally correct. First Amendment challenges to anti-marketing laws have met with scarce success recently.
Normatively, I'm not sure we should be celebrating this corner of First Amendment jurisprudence. The commercial speech doctrine is incoherent, and I don't envy lower court judges having to apply the commercial speech doctrines to anti-marketing laws. I wouldn't know what to do either.
Personally, I rarely get excited by First Amendment defenses against anti-marketing laws. I would much prefer to focus on first principles--what rules make for good social policy, and why? Unfortunately, this type of policy-making is rarely possible, leaving First Amendment challenges as last-ditch (and often low-likelihood-of-success) efforts to correct shaky policy-making.
Posted by Eric at 11:33 AM | Marketing , Privacy/Security
December 16, 2005
When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue
By Eric Goldman
In re JetBlue Airways Corp. Privacy Litigation, 79 F. Supp. 2d 299 (E.D.N.Y. August 1, 2005)
I’m late blogging this case, but the case is remarkable enough to warrant some comments even at this late date.
As part of the post-9/11 anti-terrorism efforts, the TSA requested that JetBlue turn over its passenger name records (PNRs) to the Department of Defense for various data mining/analysis. Based on the request, JetBlue gave over 5,000,000 PNRs to a DoD contractor (Torch). This data handoff unambiguously violated JetBlue’s declared privacy policy, which said that JetBlue would not share personal information with any third parties. This privacy policy might be mooted by a law mandating disclosure, but my understanding is that JetBlue turned over the data voluntarily (i.e., it was not legally compelled to give Torch the data, although it may have felt strongly encouraged).
A quick drafting digression: It was a significant drafting error for JetBlue’s privacy policy not to contemplate disclosing PNRs to the government. For years, privacy policies have included exclusions that permitted voluntary disclosure of data to the government. If JetBlue’s privacy policy had contained such a statement, I believe this lawsuit would have been trivially easy to resolve.
In any case, the plaintiffs sued JetBlue for ECPA, breach of contract, trespass to property and unjust enrichment.
ECPA
The ECPA claim failed because JetBlue was not a provider of an electronic communications service or remote computing service; instead, it was a customer of those providers. The court’s reasoning would extend to anyone operating a website; simply collecting information from a website doesn't make the website per se an ECS or RCS.
Trespass to Property
The court converted the trespass to property claim into a trespass to chattels claim. Conceived this way, the data in a PNR isn’t a chattel, so this claim is dubious. However, the court disposes of it for lack of damages. The plaintiffs claimed loss of privacy as the damage, but the court says that this allegation doesn’t diminish the quality or value of the information, nor are the customers deprived of an ability to use their personal information.
Unjust Enrichment
This claim failed because JetBlue didn’t derive any benefit from giving the data to Torch. Further, there was no injustice to the customers, as the effort was tied to preventing terrorism.
Breach of Contract
I’m not surprised that the prior three claims failed, as they seemed pretty weak. However, the breach of contract claim seemed much more powerful. JetBlue promised that it wouldn’t disclose personal information to third parties. It broke the promise. What’s to discuss?
The court first assumes that the website privacy policy was a validly formed contract, even though (a) it was presented as a non-mandatory hyperlink from the home page, and (b) the plaintiffs did not allege that any of them actually read the policy. This assumption runs directly contrary to two other related cases (In re Northwest Airlines Corps., 2004 U.S. Dist. LEXIS 10580, 2004 WL 1278459 and Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196).
I think the court is correct that the failure to allege that the plaintiffs read the contract is immaterial. I'm working on the assumption that JetBlue's failure to present the privacy policy as a mandatory non-leaky clickthrough prevents JetBlue from enforcing the contract terms against its customers. However, the court sidestepped the more complex question of whether the customers could treat the privacy policy as a one-way binding commitment against JetBlue. I think it, like any marketing collateral, is binding on the marketer as a marketing representation, but it would have been nice if the court had acknowledged these nuances.
In any case, after assuming the existence of the contract, the court dismisses the contract claim for lack of alleged damages. Non-economic losses typically aren’t recoverable in most types of breach of contract actions, so the plaintiffs had to plead some economic losses. Ultimately, the plaintiffs couldn’t do so (at least, not to the court’s satisfaction). The court notes that the customers had no expectation of being compensated for the value of their personal information, either from JetBlue or from Torch. Therefore, the plaintiffs can’t establish the damage element of a breach of contract action, and the claim fails.
The court’s legal analysis is right, so far as it goes, but the result is clearly unsettling and (I think) discordant with other privacy lawsuits. Read most literally, this holding would mean that plaintiffs rarely can establish a breach of contract claim for a privacy policy violation, because those privacy breaches rarely create economic losses to plaintiffs. Of course, other legal doctrines might apply to privacy breaches—such as the FTC Act or other consumer protection laws—but I find it hard to believe that a privacy policy breach is (effectively) categorically immune from a privately-enforced breach of contract action.
Maybe plaintiffs can avoid this result with different pleadings—such as promissory estoppel (which the plaintiffs could have alleged, because they claimed they made reservations with JetBlue "in reliance on express promises made by JetBlue in the company's privacy policy") or a fraudulent inducement claim. However, promissory estoppel may not result in meaningful damages, and JetBlue may not have had the requisite scienter to commit fraud.
Therefore, read literally, this case could stand for the proposition that there may be no effective customer legal recourse against companies that breach their privacy policies. But I'm uncomfortable with the vitality of this conclusion in other cases, so perhaps this result is best explained by its context. A lot of decision-makers made a lot of poor decisions in the wake of 9/11 in the name of “anti-terrorism,” and perhaps we are willing to excuse those excesses accordingly. In contrast, I can imagine that future courts, presented with more venal breaches of privacy policies, will be less charitable.
Many thanks to Matt Goeden for his help preparing this blog post.
Posted by Eric at 12:01 PM | Licensing/Contracts, Privacy/Security
December 15, 2005
Report Challenges Value of Notifying Consumers of Data Security Breaches
By Eric Goldman
ID Analytics has released a report trying to quantify the harms caused by data security breaches. The report sensibly distinguishes between different types of breaches--misappropriations of names and social security numbers are different from, and in some ways more serious than, disclosures of account numbers. The press release claims:
"ID Analytics’ research makes it clear that identity-level breaches pose the greatest potential for harm to businesses and consumers due to fraudsters’ sophisticated methods for profiting from identity information, as compared to account-level breaches. Even so, the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent—less than one in 1,000 identities."
There are plenty of reasons to carefully scrutinize the report's methodology and findings. However, the findings should not be quickly dismissed. Without good data, it would be easy to overestimate the harm caused by the mere disclosure of data. In these situations, there is an almost-irresistible temptation to overreact to the fear of the unknown.
On this front, the report questions the value of mandatory consumer notifications after security breaches. As the press release says, "It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed."
This quote is probably unintentionally inflammatory. Its sentiments are 100% right, but it is a lightning rod for criticism because it challenges the bedrock consumer protection view that more information is better. In particular, it shouldn't be surprising that consumers think they want to know about data security breaches, given the overdriven press hype about the scariness of ID theft.
However, in an era of consumer information overload, we need to be circumspect about the value of throwing more information at consumers--especially if they lack any meaningful ability to act on the information or redress the problem. For example, there's a non-trivial risk that consumers who receive notification letters get scared, toss the letter, and otherwise do not change their behavior. If so, from my perspective, government-mandated information that doesn't change consumer behavior is worse than no information at all--it consumes attention, and in this case it causes unnecessary psychological distress, for no tangible benefit. Too bad that, in the mania to pass mandatory breach notification laws, regulators are not exploring these possible consequences more carefully.
Posted by Eric at 12:24 PM | Privacy/Security
October 20, 2005
California Anti-Phishing Law--Cal. B&P Code Sec. 22948
By Eric Goldman
Going through my stack, I came across Cal. Business & Professions Code Sec. 22948-22948.3 (SB 355), California's recently enacted anti-phishing law. In general, compared to other state anti-Internet behavior laws, this law is relatively targeted and unobjectionable. However, the substantive provision caught my attention for an unexpected reason. 22948.2 says:
"It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
I've highlighted the part that I find interesting. The term "business" isn't defined, but per 22948.3(a), a business either provides Internet access to the public, owns a web page, or owns a trademark.
Because someone can be a web page owner even if they are not a trademark owner, this law is a quasi-trademark law--it gives trademark law-style rights to non-trademark owners. The way I read this, business owner X can prevent competitor Y from representing itself as business owner X (at least, for purposes of eliciting personal information via a transaction) even if business owner X doesn't have a trademark--or even if business owner X can't get a trademark (because, e.g., it is using a descriptive trademark that hasn't derived secondary meaning). Anyone else have a different interpretation of this? If my reading is right, then it seems like this law provides a conceptually significant expansion of trademark law.
Further, if my reading is right, then I think trademark owners who can avail themselves of CA law can go after some alleged Internet trademark infringers under the anti-phishing law, even if there wasn't a technical trademark infringement (at least, in the pure form of a likelihood of consumer confusion). If I were a California plaintiff-side trademark attorney, I would consider adding this cause of action as a standard pleading when online trademark infringement is involved. Note, among other things, 22948.3(a) provides statutory damages of $500,000, which might be a pretty good windfall for some trademark owners (and an even better windfall for someone who can't get a trademark!).
Posted by Eric at 07:14 AM | E-Commerce, Privacy/Security, Trademark
October 03, 2005
Law Enforcement Collection of DNA
By Ethan Ackerman
Recent legislative activity in the US Senate has brought some press attention to the touchy issue of DNA collection by law enforcement. Similar proposed and passed DNA legislation at the state and federal levels over the last several years has also drawn court challenges. As a result, a fair number of court opinions on the subject exist - enough to allow a quick look at the legal contours and legislative status of DNA collection laws.
A quick background
Most every US state and territory has some sort of legislation regarding law enforcement collection of DNA from convicted criminals of one type or another. These laws, passed primarily to assist in identifying potential perpetrators of other, unsolved crimes, vary significantly from state to state. A comprehensive comparison can be found at DNAresource.com, which catalogs legislative information such as types of qualifying crimes, records purging procedures, applicability to probationers, etc. Despite the variability, almost every state shares at least some DNA information with a national, FBI-administered DNA database called CODIS.
Constitutional interests - Privacy and self-incrimination
The non-voluntary extraction of DNA from blood or tissue samples of a suspect or convict plausibly touches on 4th & 5th Amendment rights to be free of searches and self-incrimination, respectively. So how does the jurisprudence currently stand?
The 5th Amendment - not so applicable after all
DNA has quite a bit of evidentiary value, as a match or a dissimilarity with a suspect's DNA can tell whether there is a highly probable connection, or definitive non-match, to some other piece of evidence. The main 5th Amendment argument asserted against collection is that compelled production of such potentially damning, and highly personal, evidence amounts to a compelled 'testimony' against one's self.
This 5th Amendment interest has been rather definitively addressed, and it doesn't amount to much, according to the Supreme Court. More specifically, blood or tissue samples that may tend to show innocence or guilt (say, by matching blood at the scene or having more than the legal limit of alcohol in the blood) can be forcibly (so long as also humanely) collected, and doing so won't violate the 5th Amendment, according to the Supreme Court. In a case that obviously matters a lot to DUI attorneys, Schmerber v. California, the Supreme Court reiterated that the 5th Amendment protects against compelled testimony primarily in the spoken word sense. Blood tests weren't compelled "testimony," even if they were "compelled" in the sense that they were forcible, over protests. DNA seems to tell much more about a person than blood alcohol level, but while that may gather DNA more privacy protections, it doesn't seem to matter for 5th Amendment purposes, which are concerned mainly with whether spoken "testimony" is compelled.
The 4th Amendment - it applies, but the devil is in the details
The 4th Amendment protects against unreasonable searches and seizures, and most every case challenging a DNA collection has recognized that such compelled collection is a search or seizure. With almost equal uniformity, though, courts have found such a search - at least as applied to convicts or probationers/parolees - not unreasonable. A comprehensive and fairly recent report on these cases by the American Society of Law, Medicine & Ethics catalogs the legal theories in each case. Included in the report is a discussion of the 9th Circuit's 2004 en banc decision in US v. Kincade, discussed more below. While several federal circuit courts have addressed DNA collection laws, the 9th Circuit in Kincade is the only court to find one unconstitutional. Kincade's unconstitutionality ruling was only temporary, as the en banc court reversed the panel decision and barely found the federal DNA statute constitutional, in a 6-5 split. Because it is the only circuit decision to find a 4th Amendment failing in the federal statute, because the ultimate decision was en banc rather than just a panel (making it as close to a Supreme Court decision as anything out there), and because the split was so close, Kincade is worth focusing on in more detail.
US v. Kincade
A 9th Circuit Court of Appeals panel found, 2-1, that the mandatory collection of DNA as a term of parole violated Thomas Kincade's 4th Amendment rights, a decision the en banc 9th Circuit reversed. Details and analysis can be found on findlaw, the informative EPIC page on the Kincade cases, or the actual en banc 9th circuit opinion.
It is worth reading at least one of the summaries, but the meat of the opinion is this: a 6-5 majority upheld the collection only because of the diminished privacy expectations probationers/parolees have, a distinction discussed more in the conclusion, below.
Legislative status
Criminal DNA collection laws can generally be classified into three 'waves,' with the third wave just starting to be proposed and pass in states and Congress. In the first wave, states passed laws mandating collection of DNA from violent or sexual offense criminals, and the creation and sharing of DNA databases. At the federal level, this included a nationwide database, administered by the FBI, called CODIS. The 'second' wave was somewhat reactionary: in response to the perceived slanting of the technology and resources towards prosecution, legislation was passed mandating sharing of DNA information and samples with the accused, requiring timely analysis and providing funding to reduce backlogs, and making evidence available to the already convicted to assist in post-conviction claims of innocence. Such legislation is perhaps best exemplified by the Innocence Protection Act at the federal level. The 'third' wave of DNA legislation has focused on extending the collection pool to arrestees, not just those tried and convicted of a crime, with the goal of making DNA collection much like fingerprinting.
California's prop. 69 and Senator Kyl's DNA Fingerprinting Act of 2005 are examples of recent 'third' wave legislation, though some states, such as Virginia, have gone beyond legislation and have already enacted laws.
Because it is the federal version of similar state 'third' wave legislation, and it expands the federal database and funding to arrestees, the DNA Fingerprinting Act of 2005 is worth a quick peek.
The DNA Fingerprinting Act of 2005
The DNA Fingerprinting Act of 2005 (S.1606) would, according to its author, Sen. Jon Kyl of Arizona, now allow DNA from state arrestees (not just convicts) to be included in CODIS, expand federal funding to state DNA collection programs for arrestees (not just convicts), and allow DNA collection from federal arrestees and detainees (not just convicts). Similar bills have passed the House of Representatives in the past, and, although it has opposed 'second wave' bills that arguably level access to DNA evidence, the current Administration apparently supports Sen. Kyl's bill.
Senate politics and bill passage
In addition to the expansion of state DNA collection powers, the Kyl bill allows anyone who is "arrested or detained under the authority of the United States" to be DNA tested, not just convicted felons. This federal expansion, while nowhere near as big an expansion as allowing each state to expand collection, is likely to be the most contentious. Why? Immigration. The Kyl bill allows compulsory testing of any detained immigrants. While many may think of "detained" immigrants as just those caught at illegal border-crossing attempts, thanks to federal immigration law, even visiting foreign scholars in the visa application system may be considered detained at some points in processing. The immigration angle seems to be the first thing opponents (LEAHY cite) criticized, and depending on which version of the Kyl press release/editorial one looks at, the home-state-targeted one or the one on the Senator's senate webpage, illegal immigrants either are or are not mentioned as the target of the bill.
The Kyl bill's recent press has been primarily focused on its recent passage out of the Senate Judiciary Committee, an important procedural step on the path to enacted law. The bill was offered, over objections, as an amendment to S.1197, the reauthorization of VAWA, the Violence Against Women Act, itself a politically charged bill.
Some thoughts in conclusion
To some degree, legislators' zealous expansion of criminal DNA collection flies in the face of oft-professed concern over personal privacy. The US Senate unanimously passed a genetic information privacy bill, extolling the sanctity of genetic information protection and warning against indiscriminate collection and discrimination. Yet at least some of these legislators are proposing to authorize large-scale collections of the same information in the name of crime fighting.
Bad drafting?
Aside from the constitutional concerns discussed below and immigration issues that make it a political hot potato, Sen. Kyl's bill also seems to be weak in how broadly it sweeps in permissible DNA collection. Far from expanding DNA collection to "just" the arrestees and detainees focused on above, the language of the bill technically allows states almost carte blanche to include DNA from any source. A state could pass a law allowing collection, not just for convicted offenses or at arrest, but for any reason - i.e. as a condition of getting a driver's license! The only limiting language for state collection grants in the bill is: states can only add DNA collected pursuant to "applicable legal authority" - which means, roughly, anything the state passes a law for.
Final Constitutional thoughts
So how would a bill such as the DNA Fingerprint Act of 2005 fare if it were passed into law? Arizona Senator Kyl is from the 9th Circuit, so let's look there. From Kincade, we already know that DNA testing turns heavily on the incarcerated/probationary status of the unwilling donor. Another 9th Circuit case, US v. Scott, held that pre-conviction arrestees can't be compelled to submit to drug testing as a condition of bail. This seems like the same population (the 'arrestees and detainees' described in the DNA Fingerprint Act) in the same circumstances (facing compelled tissue sampling) with the same 4th Amendment concerns. At least under 9th Circuit case law, it looks like the Kyl bill, and any similar California propositions, wouldn't hold up to a 4th Amendment challenge.
A contrary conclusion?
But wait a minute, aren't searches of a person incident to a lawfully executed arrest ok for 4th Amendment purposes? All these current DNA cases are about parolees or convicts, and are well after an arrest, in effect a new search. Why not routine DNA testing of an arrestee during booking, just like fingerprinting, which doesn't violate the 4th Amendment?
Even here, the Kyl bill doesn't limit collections to lawful arrestees, but rather speaks also of those (such as immigrants, or presumably also Guantanamo captives, or as-of-yet-unarrested suspects) who are "detained." The fingerprinting of those 'detained but not (or not yet) arrested' does present a 4th Amendment-violating seizure according to the US Supreme Court. Presumably the same logic would apply to DNA collection.
Posted by Ethan Ackerman at 08:55 AM | Privacy/Security
September 21, 2005
Anti-Phishing Warning Protected by 47 USC 230
By Eric Goldman
Associated Bank Corp. v. EarthLink, Inc., No. 05-C-0233-S (W.D. Wis. Sept. 13, 2005). [BNA subscription required]
EarthLink's "ScamBlocker" incorrectly identified Associated Bank's website as a phishing site, so users trying to access the website saw a huge and scary warning that surely caused some users to freak out. Associated Bank sued EarthLink for tortious interference, negligent/fraudulent representations and Lanham Act 1125(a) injury to business reputation.
EarthLink moved for summary judgment based on 47 USC 230. In support of 230, it submitted an affidavit that it uses a third party vendor to identify phishing sites, so its display of the huge and scary warning was triggered by third party content. Because EarthLink points to the third party, the court grants the summary judgment motion, and Associated Bank's lawsuit is dismissed.
This situation is more nuanced than the court treated it. If EarthLink merely relayed the opinion of its third party vendor, then no question in my mind that 230 protects EarthLink. See OptInRealBig.com, LLC v. Ironport Sys., Inc., 323 F. Supp. 2d 1037 (N.D. Cal. June 25, 2004) (third parties characterized email as spam).
However, EarthLink did more than that here. While the third party vendor provided the underlying opinion that Associated Bank's website was a phishing site, it's unclear who drafted the actual content displayed to users (the anti-phishing warning). To the extent that the language was drafted by EarthLink, EarthLink is the sole provider of that language, even if the triggering event is someone else's opinion. It seems like we need to know who drafted the warning language.
In that respect, I would distinguish this case from Carafano (where the users parroted language written by the service provider) because the huge and scary warning included a set of instructions like "Please do not continue to this potentially risky site"--which goes beyond merely communicating the opinion that the site is a phishing site.
In the end, I still think this is a good outcome. Phishing is a real problem, and I think we should encourage intermediaries like EarthLink to help consumers combat the problem even if some misgradings are made. Nevertheless, EarthLink would have been in a clearer legal position if it had merely disseminated the site-is-phishing opinion of the third party vendor rather than possibly using its own words to explain that the site was a phishing site.
A few other questions/observations:
* Associated Bank could try to sue EarthLink's vendor who graded the site as a phishing site. However, this may be a protected opinion or otherwise excused for lack of scienter.
* Although I'm confident that a claim for "injury to business reputation" should be preempted by 230, the court doesn't appear to acknowledge that IP claims are not covered by 230. It would be interesting to see how the court distinguished that claim from an IP claim.
* On the top of page 8, there's some garbled language that begins "Further, had Defendant edited the list of phisher sites it received from the third-party vendor...." I'd like to know how the court intended to finish that sentence. I would finish it "...it would have made no difference" to the legal outcome, but I suspect that's not where the court was going!
Posted by Eric at 07:12 AM | Derivative Liability, Privacy/Security
August 23, 2005
Jill, Meet Best Buy's Friendly Human Shopbot/Profiler
I'm a little surprised this article hasn't generated more discussion. Last week, the Washington Post ran an article about Best Buy's efforts to segment and target its customer base. They have developed a set of consumer profiles that they describe with friendly personal names (presumably, to put a human face on the profiles), like Barry (the wealthy professional man), Ray (the family man), Buzz (the young tech enthusiast), and most prominently, Jill.
Jill is a soccer mom who is the family's main shopper. She is well-educated and confident but intimidated by technology.
To help serve Jill better, Best Buy has organized a Jill SWAT team. When a woman enters the store who looks like a Jill, a dedicated sales assistant (dressed in pastels) approaches her and asks "Is there anything special you're looking for today?" The sales assistant then hand-holds the Jill through the store and even has special hard-to-find express checkout lanes that are intended for Jills.
On the plus side, these efforts to sort and treat customers differently improve the experience for the affected customers. The Jills find what they are looking for faster. Best Buy benefits too, extracting 30% more sales from Jills. In aggregate, this seems to improve consumer welfare, producer welfare and social welfare.
On the minus side, the programs mean that customers get differential treatment. Given my advancing age, I'm probably more of a Ray than a Buzz, and I'm guessing the Ray-schmucks get stuck in the long lines instead of being queued up to the express lanes. This isn't the first time that Best Buy has expressly distinguished between customers, and of course many businesses try to sort and segment customers. I don't have a problem with making distinctions between customers--in fact, I strongly favor it as a way to improve social welfare--but I know many people do.
Perhaps more troubling is the seeming racial profiling of customers. It's possible that Jill-assistants don't make racial/ethnic distinctions, but I doubt it. I wouldn't be a bit surprised if Jills are de facto white, even if there's no corporate policy to that effect (or even if there is a corporate policy against such judgments). This visual profiling definitely makes me nervous and uncomfortable about impermissibly discriminatory treatment.
The imprecise nature of visual targeting (predicated on stereotyped definitions, no less) shows a huge advantage of the Internet. The Internet permits much more accurate behavioral targeting that should lead to consumer, producer and social welfare improvements. Still, Best Buy is showing that offline efforts to segment and target can be effective, so I suspect we'll see more of this in the future.
Posted by Eric at 04:31 PM | E-Commerce, Marketing, Privacy/Security
July 25, 2005
Bellia on Spyware, and Searcy v. Microsoft
Patricia Bellia of Notre Dame Law School recently posted a paper on spyware and surveillance laws, Spyware and the Limits of Surveillance Law. She challenges those who believe that the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act adequately address spyware, concluding that “there is good reason to question whether federal electronic surveillance statutes can successfully combat anything but the most extreme forms of spyware.”
If nothing else, this article points out that there is an existing body of law pertaining to “spyware,” and much of it constitutes plaintiffs’ losses in court (although, I should note, there have been a number of settlements where defendants have paid money). As Bellia points out, some of these losses are attributable to judicial formalism.
As an example of these phenomena, consider Searcy v. Microsoft Corp., 2005 WL 1163114 (M.D. Fla. May 4, 2005). This case is putatively a spyware case, although (like many spyware cases) it doesn’t really discuss the allegations in those terms. The case is further muddled by the fact that (a) Searcy was a pro se plaintiff, and (b) worse, he was an incarcerated man with a history of repeat frivolous lawsuits. Usually these attributes produce poor judicial reasoning, as evidenced here.
In this lawsuit, Searcy alleges that Microsoft and AOL created and distributed software devices that surreptitiously captured personal information. He alleged that the capture violated the ECPA. However, he never alleges that the defendants ever did anything with that information. As a result, the court immediately rejects the lawsuit.
So far, so good. Then, the court continues:
"Defendants could not be held liable for the manufacture and distribution of software which may be exploited by third parties and used to illegally obtain a person's electronic information."
[An aside: the court footnotes this sentence to Zeran and AOL v. Green, both cases where the defendants relied on 47 USC 230. However, by its terms, 47 USC 230 doesn't apply to ECPA claims, so the court's reliance on these cases is sloppy at best.]
The court then concludes:
"[The ECPA] simply does not contemplate imposing civil liability on software manufactures [sic] and distributors for the activities of third parties."
This latter sentence is a strong statement, and it seems germane to the continuing confusion over how we sort through the allocation of responsibility between advertisers, manufacturers and distributors/affiliate marketers. The court was clearly saying that merely developing a tool to capture data does not violate the ECPA, even if some unrelated third party exploits that data. However, this language might also suggest a broader principle that there are strong limits to derivative liability under the ECPA irrespective of 47 USC 230.
Unfortunately, this case will never be good precedent because of the plaintiff's unique situation. However, the case both reinforces Bellia’s points and represents yet another example where a court rejects the legal claims of anti-spyware plaintiffs.
Posted by Eric at 11:54 AM | Adware/Spyware, Derivative Liability, Privacy/Security
July 18, 2005
Search Engines and Privacy...AGAIN?!
News.com and the Associated Press both ran stories last week about the possible ways that Google aggregates user data in a way that theoretically threatens privacy.
Hmm...this sounds familiar...haven't we heard this story before? Yes, only about a thousand times. Danny Sullivan asks why we obsess about Google and privacy and ignore how other search engines (such as Yahoo) also have rich databases of potentially equal magnitude.
Indeed, I was going through my notes over the weekend and came across this March 2005 AP article fretting about how Amazon might use its customer database. The search engines-and-privacy story seems to endlessly cycle through the press, pretty much every time a search engine adds a new feature that uses personal data. (I won't even revisit the mind-numbing press about Gmail from last year).
I offer three propositions about search engines and privacy:
1) Search engine databases can be accessed by government agencies through legal processes. In rare cases, other private parties could use a legal process to access information in these databases too. Search engines are not alone in this regard; any business that has personal information about its customers is susceptible to these legal processes as well. It's true that search engines have particularly interesting/rich data, but plenty of other vendors have interesting data too.
So search engines aren't the problem; the problem is government snooping. As a result, perhaps new legislation would be appropriate to raise the bar on when the government can tap into search engine databases (a little like the "Bork bill" that raised the bar for accessing video rental histories).
2) Search engine databases are a tempting target for hackers. This is true, but once again, search engines are not unique in this regard. Every business that maintains personal data about its customers is a hacker's target. As a result, we need businesses to take prudent actions to prevent hacking, and we need government enforcement against illegal hacks. Nothing new here on any front.
3) Search engines will necessarily need to obtain and use personal data to reach the next rung of delivering relevant results. Right now, the biggest limitation inhibiting search engines is that they use a "one-size-fits-all" relevancy algorithm, designed to satisfy majority interests rather than personalized to each person's interests. Google has done a remarkable job with relevancy using a one-size-fits-all algorithm, but it (and its competitors) will make quantum improvements in relevancy when they personalize the searches. To personalize the searches and really give searchers what they want, search engines will need to collect and use rich personalized datasets. This is a good thing for searchers.
Thus, from my perspective, social welfare will improve in these situations. I can't wait for Google and other search engines to start reading my mind (as opposed to making guesses about majority interests). Let's hope that the constant whining/scaremongering about search engines and privacy doesn't delay us in getting there.
Prior blog post on this topic.
UPDATE: Google has blacklisted News.com reporters for one year because of the story linked to above.
Posted by Eric at 09:48 AM | Privacy/Security, Search Engines | Comments (3)
June 17, 2005
FTC Settles Another Case for Failure to Use Reasonable Security
In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160. The FTC settled with BJ's Wholesale Club over BJ's allegedly deficient security practices. This is the second settlement of its nature in three months (the last being an enforcement action under the Gramm-Leach-Bliley Act against Nationwide Mortgage Group).
This enforcement action seems especially problematic because it's not exactly clear what BJ did wrong (except get caught, of course). I'm still trying to figure out how BJ's practices differed from industry standards. If they did not, this case has significant implications for everyone who touches credit cards--including all retailers, restaurants, gas stations and e-tailers.
The FTC complaint alleged the following:
"The Commission’s proposed complaint alleges that BJ’s stored members’ personal information on computers at its stores and failed to employ reasonable and appropriate security measures to protect the information. The complaint alleges that this failure was an unfair practice because it caused or was likely to cause substantial consumer injury that was not reasonably avoidable and was not outweighed by countervailing benefits to consumers or competition. In particular, the complaint alleges that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive personal information, including: (1) failing to encrypt information collected in its stores while the information was in transit or stored on BJ’s computer networks; (2) storing the information in files that could be accessed anonymously, that is, using a commonly known default user id and password; (3) failing to use readily available security measures to limit access to its networks through wireless access points on the networks; (4) failing to employ measures sufficient to detect unauthorized access to the networks or conduct security investigations; and (5) storing information for up to 30 days when BJ’s no longer had a business need to keep the information, in violation of bank security rules. The complaint further alleges that several million dollars in fraudulent purchases were made using counterfeit copies of credit and debit cards members had used at BJ’s stores. The counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of members’ credit and debit cards and then stored on its computer networks. After discovering the fraudulent purchases, banks cancelled and re-issued thousands of credit and debit cards members had used at BJ’s stores, and members holding these cards were unable to use them to access credit and their own bank accounts."
As I said, other than getting caught (and holding onto the data longer than it should have), I'm not sure what BJ did that was unusual. The FTC is implying that every database of credit card numbers must be stored in an encrypted database with restricted access. Here, BJ failed to do this and got nailed by a hacker, which led to a fairly public problem as the hacker forced banks to reissue credit cards. But credit card databases are ubiquitous, and I'm having a hard time imagining that other retailers are doing more than BJ is doing.
The FTC's proposed remedy is pretty interesting. It seems like the FTC is foreshadowing what it considers to be best practices for managing security of credit card databases. The requirements imposed on BJ:
"• Designate an employee or employees to coordinate and be accountable for the information security program.
• Identify material internal and external risks to the security, confidentiality, and integrity of consumer information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that BJ’s knows or has reason to know may have a material impact on the effectiveness of its information security program."
Seems like the lawyers and security consultants will love having this as the best practices! Perhaps I should get into the security consulting business...
But it's not immediately clear to me that all of this self-assessment and navel-gazing will actually improve security. It might, or it might just turn into one big paper-pushing/CYA/pay-the-consultants-and-do-whatever-they-say fiesta. You can't really mandate that people care about security; this has to be internally motivated, or it just becomes a go-through-the-motions exercise.
As I've said before, I have historically dismissed the lawyers hyping security concerns as hucksters trying to drum up some low-utility business. If that view was once correct, it certainly is no longer, and I recant any such views. Enforcement actions like this one (and the prior Nationwide Mortgage action) send a clear message: the FTC does believe there is a baseline level of security that companies must undertake, and failing to do so has legal ramifications. While security measures must still be evaluated on a cost/benefit basis, the costs of non-compliance must now include legal risks that previously might have been de minimis but are now tangible and non-trivial.
Posted by Eric at 04:43 PM | Privacy/Security
May 17, 2005
FTC Commissioner: "Somebody has got to pay"
FTC Commissioner Orson Swindle goes off about corporate data security practices. Internet News quotes him as saying “industry has, to a great extent, been irresponsible, and somebody has got to pay.” The article also quotes him as saying the lax data security practices are “being driven in part by those general counsels who sit around and say, 'Be careful about what you promise in privacy and information security because you might get sued for it.'”
This is complete BS. In-house lawyers are paranoid about being sued for lax data security practices, a fear exacerbated by outside counsel using scare tactics to drum up business. So the (lack of) promises in corporate agreements reflects the fear of being sued, but I would be shocked if in-house counsel kick up their heels on their desks and think “I’ve drafted a tight agreement, my work is done.”
Entrust’s CEO offers a solution: a safe harbor from liability if a company complies with good housekeeping practices. Of course, Entrust’s self-interested solution is that companies should use encryption to get the safe harbor. However, I don’t know how legislators can mandate the minimum standards for data security; security practices are fluid and context-specific.
Admittedly, without any liability, there is the theoretical risk of corporate sandbagging, but my guess is that this is not anywhere close to the problem. The problem is that good security is HARD—it’s an ongoing effort, with weak links both in the technological interactions between different vendors’ products and in the humans in charge of maintaining security. If we accept that security is hard, doesn’t that seem like a more likely explanation for “lax” security practices than GC indifference?
Posted by Eric at 05:33 PM | Privacy/Security
May 16, 2005
BNA on Mandatory Disclosure Laws
BNA (registration required) runs an article recapping state-level activity on mandatory security breach notification laws. Seven states (Arkansas, California, Georgia, Indiana, Montana, North Dakota, and Washington) have adopted laws, and Florida is expected to join this list soon. The laws are not intrinsically inconsistent but each has its own nuances, increasing the regulatory costs for any affected organization. It seems likely to me that the state laws will continue to proliferate until Congress preempts the field with its own mandatory disclosure law.
However, I remain curious whether these mandatory disclosure laws are good social policy. We now have some data on the California experience (plus the follow-on disclosures made voluntarily by companies). Have these disclosures made consumers better off? I’ve argued before that these laws may actually hurt consumers by increasing their level of distress without giving the consumers any ability to address the situation. Meanwhile, due to the press attention given to each notification, the mandatory disclosure laws have led to increased calls for new substantive data protection/security laws--for better or worse.
Posted by Eric at 01:17 PM | Privacy/Security
May 05, 2005
Congress Mulls Mandatory Security Breach Disclosure Law
Congress is discussing a national mandatory security breach notification law. In a minor surprise, at least one legislator, Rep. Oxley, is asking the right questions. He observes: “consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail.” That is absolutely correct! He also observed that only a small percentage of data breaches result in fraudulent activity. Also correct. He didn’t pick on the other major deficiency of the proposed laws, which is that the notifications are scary but consumers are powerless to do anything proactively to protect their interests. (Consumers can be vigilant in monitoring their financial activity, but they need to do this anyways). So the notifications stress out consumers but don't offer any solutions. Thus, the question is: what value does mandatory notification have? And what costs does it impose?
Interestingly, a number of companies are lining up in favor of a mandatory disclosure law, including ChoicePoint and Bank of America, even though they could simply pledge voluntarily to make disclosures as appropriate. I assume these companies are in favor of a national law to preempt a state-level patchwork quilt of laws, or to forestall even more draconian laws.
Posted by Eric at 02:38 PM | Privacy/Security | Comments (1)
April 16, 2005
NPR on Whois and Privacy
Larry Abramson of NPR ran a story entitled “New Laws on Domain Names Aim to Stem Online Fraud” (specifically referring to the Fraudulent Online Identity Sanctions Act, passed as part of the Intellectual Property Protection in Courts Administration Act). My mom said I talked too fast.
Posted by Eric at 03:13 PM | Copyright, Domain Names, Privacy/Security, Trademark
April 14, 2005
Flash and Cookies
AP reports that there’s a hole in Flash that allows websites to access personal information stored on a user’s hard drive even if the user has wiped the hard drive of the website’s cookies.
Posted by Eric at 10:26 AM | Privacy/Security
April 05, 2005
Data Mining and Attention Consumption
My short book chapter, Data Mining and Attention Consumption, has finally hit SSRN (it took almost a month to go through the SSRN review process--not sure why it took so long). The abstract:
"This Essay challenges the prevailing hostility towards data mining and direct marketing. The Essay starts by defining data mining and shows that the only important step is how data is used, not its aggregation or sorting. The Essay then discusses one particular type of data use, the sending of direct marketing. The Essay establishes a model for calculating the private utility experienced by a direct marketing recipient. The model posits that utility is a function of the message's substantive content, the degree of attention consumed, and the recipient's reaction to receiving the message. The Essay concludes with some policy recommendations intended to help conserve recipients' attention while preserving space for direct marketing tailored to minority interests."
This article is a preview of my more major piece on marketing regulation generally.
Posted by Eric at 04:19 PM | Marketing, Privacy/Security
Search Engines and Privacy
Wired runs an article on search engines using cookies to track searcher behavior. There is a certain “haven’t-we-heard-this-before” scaremongering in articles like this, especially the continued drumbeating against cookies and Gmail (which is a terrific service, BTW—best email account I’ve ever had). I have 100% confidence that search engines use cookies to help me accomplish my search objectives, so the anti-cookie paranoia strikes me as particularly extreme.
Posted by Eric at 09:24 AM | Privacy/Security, Search Engines
April 04, 2005
Boalt Spyware Conference Recap
On Friday I attended the Spyware conference at Boalt. This was an outstanding conference—I learned a lot. You should take any opportunity to attend a Berkeley Technology Law Journal annual symposium in the future—their events are typically first-rate.
Tutorial on Spyware
Jeffrey Friedberg, Microsoft’s “Director of Windows Privacy,” started off the conference with a spyware tutorial. He proposed rejecting the term “spyware” in favor of “deceptive software,” a useful nomenclature shift. He then made the typical technologist’s argument that we should focus on bad behavior instead of bad software features, as many features that are included in deceptive software can be used for beneficial purposes. Thus, he wants to preserve room for “horse trades” where users willingly make a choice to cede desktop control in exchange for some desired benefit. However, he then gave examples of deceptive software to show how bad actors exploit various user interface design elemen
